The demands of new technology such as the Cloud, mobile devices and the Internet of things have found the identity and access management infrastructure in most companies to be inadequate. As Cloud technology has developed the monolithic enterprise directory with an LDAP interface is no longer the appropriate source of identity information.
Many companies have large enterprise directories that are used to manage their staff and contractor details as well as their access to corporate systems. Most rely on Active Directory (AD) or an LDAP directory to control access. The only problem is: many relying applications being deployed today don’t use LDAP.
Indeed, if an LDAP directory is exposed externally, anyone with an LDAP filter would be able to query the directory contents, this represents a significant security risk to be avoided in Cloud environments. For the Microsoft Cloud directory, Azure AD, a graph API using the OData standard was adopted as the interface; it provides a higher-order, identity-parsing interface that is more aligned with today’s program development environments than the Active Directory LDAP interface.
We now have multiple applications in the Cloud that need identity information and a typical model is to synchronize identity information from an on-premise directory to each application. This results in a proliferation of identity stores in the cloud and represents a significant risk for companies. A better model is to provide a single source-of-authority for identity information that all cloud applications can access. It must also support the web-based interfaces that these applications typically use. This is the environment UNIFY’s Identity Broker solution supports. It can connect to a wide variety of data sources, be they directories or databases, and it can transform identity and entity data into whatever format and protocol the relying application requires.
There are several industry trends that are mandating a change in the way we manage our identity assets and expose an identity provider service[^1].
When all users were authenticated to a corporate network and any application accessing the directory could be trusted, an enterprise directory with a standard LDAP interface worked well. Any correctly formatted LDAP call would be serviced by a common infrastructure. But nowadays, when an authentication request can come from anyone, anywhere, LDAP is found wanting. Should a hacker gain access to the network it is a simple task for them to download personally identifiable information and other sensitive information on any entity in the directory. In most jurisdictions, a failure to protect against such data loss is a serious offense. Even in on-premise environments, SLDAP should be used whereby relying applications have issued a certificate, and all directory lookups are digitally signed. While this won’t thwart the hardened hacker, who can compromise key storage facilities, it will hinder someone on the network with the access password from download directory entries.
Exposing a corporate directory to the Cloud is not recommended from a performance viewpoint. It is not realistic to expect a Cloud-based application to send a user lookup request to the Corporate Network, wait while the request punches through the firewall, transits the load balancer, and waits to get serviced. Applications expect millisecond responses which require a planned configuration that mitigates network latency to the degree possible[^2].
Another complicating factor is the application development environment. Software developers no longer want to build LDAP calls into their program logic. They prefer to work with object-oriented languages and internet protocols. Developers prefer JSON arrays and HTTP methods over LDAP queries. As more developers adopt standards, they want identity providers to support them. This means that support for JSON arrays or REST APIs is required to satisfy modern application development initiatives. (Note: while most development environments provide a library module to do an LDAP bind and query to populate a JSON array, this should be considered a temporary measure prior to deploying a more modern Cloud-based identity provider service).
Founded in 2004, UNIFY Solutions focuses on identity and secure access solutions targeted at small and medium-sized businesses. UNIFY is a privately held company headquartered in Australia with over 65 people and growing. Their list of partners, certifications and membership include Microsoft, Ping Identity, SailPoint, Meeco, One Identity, Axenic, Aurion, and Frontier Software.