Why Directory Services are after all strategically relevant
15.07.2007 19:44

A really strategic decision, however, is the following: how should we picture the future Security (and Identity) Infrastructure for applications? Not much attention has been paid to the issue of Application Security Infrastructures so far. This is unfortunate if only because tremendous cost savings can be achieved in this area by considerably reducing the expenditure for application development as well as application administration.
Application Security Infrastructures provide a framework of infrastructural components and interfaces used by applications to implement security features. Some of the most important components are standardized directories, cryptographic mechanisms, authentication standards and concepts for authorization. Such an infrastructure, however, must also clearly define how developers will have to work in the future – for instance by providing them with special components that simplify the handling of security issues.
Especially in conjunction with SOAs (Service Oriented Architectures) it makes sense to give some thought to which Security and Identity Services should be used – and provided by this infrastructure.
But reality looks a bit different today: in most cases the programmer decides ad hoc during application development where user data are stored and what kind of authentication is implemented, and in most cases authorizations are hard-coded and require much effort to change. These applications sometimes use a directory; sometimes data are stored in a database or even an ordinary file, in the worst but rather common case even with unencrypted passwords. On the other hand, we are discussing X.509 or Kerberos as a central authentication mechanism, which in most cases fails if only because these discussions are largely ignored. X.509 and Kerberos only have a chance of becoming a standard if their usage is strictly dictated from within the Application Security environment.
As a primary step it is advisable to make a strategic decision regarding the infrastructure. This is not easy since naturally it pins us down to certain standards and at least in parts to vendors. The latter, however, can easily be exchanged if we stay focused on standards.
Building such an infrastructure also requires thinking about where and how application-related directory data will be stored in the future. And this is the point which brings the strategic relevance of Application Directories to light. In addition to a small number of central directories, such as the Corporate Directory and for example an Active Directory or eDirectory, a Directory Service for application data is needed. These data are, for instance, attributes required only by this specific application and not stored in the Active Directory – where they should not be stored, if only because of the schema changes this would require.
This infrastructure must be highly scalable as far as the number of instances is concerned. Typically, it comprises a larger number of small directories rather than only a few large directories, as in Active Directory or the Corporate Directory. Therefore it must be possible to run many instances simultaneously on a small number of physical machines. Manufacturers are increasingly responding to this requirement. Examples are ADAM, a small version of Active Directory, or Novell´s eDirectory 8.8, which at least under Linux allows many instances to be run on the system at the same time. The same is possible with other solutions from Sun or Red Hat/Fedora as well as OpenLDAP.
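To make the separation concrete, here is an added example (not from the original article) of what such an Application Directory could hold: a schema extension loaded into a dedicated OpenLDAP instance for a hypothetical order application, plus one user entry. The attribute and object class names, the base DN and the OID arc are placeholders chosen for this example; the central directory's schema is never touched, and the application entry carries no password because authentication stays with the central directory.

```ldif
# Schema extension for the application directory only (OpenLDAP cn=config
# style). The OID arc 1.3.6.1.4.1.99999 is a placeholder, not a registered arc.
dn: cn=orderapp,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: orderapp
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'orderAppRole'
  DESC 'Application role, evaluated by the order application only'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.2 NAME 'corporateIdentityRef'
  DESC 'Immutable identifier of the user in the Corporate Directory'
  EQUALITY caseIgnoreMatch SINGLE-VALUE
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcObjectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'orderAppUser'
  SUP top STRUCTURAL
  MUST ( cn $ corporateIdentityRef )
  MAY ( orderAppRole $ description ) )

# One application-directory entry (constructed sample data). Note what is
# absent: no userPassword. The user authenticates against the central
# directory (Kerberos or X.509); afterwards the application looks up this
# entry by corporateIdentityRef to obtain its own authorization attributes.
dn: cn=jdoe,ou=users,dc=orderapp,dc=example
objectClass: orderAppUser
cn: jdoe
corporateIdentityRef: 8f1c2e4a-0000-4000-8000-000000000001
orderAppRole: order-approver
orderAppRole: report-reader
```

The two records are loaded separately: the schema record with ldapadd against the cn=config database of the application instance, the user entry against its data suffix.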
So the aim is to choose a central platform capable of hosting many instances and being integrated into such a concept. As this decision must be a central one, it is at least to a certain degree a strategic one. Later on, it is of course possible to use further Application Directories based on other platforms. And if the strategy of consistently using standards has been pursued in designing the Application Security Infrastructure, it should not be a problem to change from one vendor to another.
In any case, dealing with Application Security Infrastructures today is a must, and making them as flexible as possible in order to avoid being nailed down to a manufacturer is a good recommendation. Otherwise, much money is wasted on applications which are difficult to maintain, insecure and thus not up to date. Application Security Infrastructures are – or at least should be – one of the core issues for CIOs.
