7/28/2019 Rh-pdfFile (4) Identity Management

WHITEPAPER
Identity Management in Linux and UNIX Environments

EXECUTIVE SUMMARY

In today's IT environment everything is growing, especially the number of users, systems, services, applications, and virtual machines. Manually managing user accounts, passwords, and access permissions on a machine-per-machine basis is no longer feasible in the era of virtualization and increased regulation. Most companies are still dealing with siloed identity stores that force users to remember multiple passwords and administrators to duplicate user provisioning across numerous systems and applications, all of which is time consuming, prone to errors, and can lead to breaches in security and loss of productivity. IT organizations supporting Linux and UNIX environments are struggling to find a simple, secure, scalable, and affordable solution to centrally manage and authenticate identities and control and ensure authorized access to resources, applications, and data.

Unfortunately, most identity and access management solutions are complex, expensive to implement, and designed for homogeneous environments. None of these solutions is designed to use native Linux tools to support mixed Linux and UNIX environments. In addition, the expertise necessary to successfully implement and maintain even the simplest solution is generally lacking.

Identity Management in Red Hat Enterprise Linux provides a centralized and efficient way to manage identities for users, machines, and services within Linux and UNIX enterprise environments and provides a way to define system and Linux service access control policies to govern those identities.

Because Identity Management is integrated with Red Hat Enterprise Linux, it is easy and cost-effective to introduce identity and policy management into Linux and UNIX environments wherever you need it.

EXISTING SOLUTIONS AND THEIR DRAWBACKS

IT organizations previously had three options to manage identities and access: build solutions in-house, deploy proprietary third-party solutions, or attempt to integrate with an existing Microsoft Active Directory solution. All of these options have drawbacks that make them less than ideal.

Build In-house

In-house identity management projects are expensive, long-term projects that require large amounts of integration between protocols and applications to securely manage user authentication and authorization to applications and data. These environments frequently consist of an NIS domain to track machines, an LDAP directory for storing user identities, Kerberos for authentication, and sudo to manage access. Some organizations have deployed Kerberos to provide enterprise single sign-on capabilities. Sometimes this is combined with a central LDAP-based identity store, but the resulting solution is highly complex and requires constant effort to maintain consistency between the separate identity sources.

While these solutions can be powerful, they are complex to implement and maintain, not tightly integrated, and lack comprehensive tools or a Web GUI. As a result, this option requires a very high degree of expertise in LDAP and significant configuration and customization, which makes the solution costly and inflexible. In addition, while this option is adequate for managing identities, it is difficult to enact and manage policies for fine-grained access control.

Proprietary Solutions

A variety of software companies offer solutions to manage and enforce identity and access policies. These applications have been available for many years but also introduce a number of issues. First, while full-featured and powerful, these solutions are also complex and expensive. Smaller, proprietary point solutions do not fill every need and can be difficult to integrate with other point products and enterprise applications. As a result, many organizations limit deployment to specific high-risk machines, or only deploy pieces of the overall solution. Second, these solutions are large, proprietary applications that are difficult to enhance, customize, and integrate, which limits flexibility. Finally, identity data is often stored in a proprietary format that makes it difficult for other applications to reuse or analyze policy and audit data.

Integrating with Microsoft Active Directory

Many organizations already maintain a Microsoft Active Directory infrastructure to support their Windows environment and attempt to extend it to Linux or UNIX systems by making them members of the Active Directory domain. There are a number of open source and third-party solutions to accomplish this, but these are either limited or require additional investment. This approach is generally adequate for user authentication but not sufficient for policy, as it forces Windows policy concepts on to Linux and UNIX systems. In addition, the Linux and UNIX environments become completely dependent on the Active Directory administrators for updates and changes, which introduces delay, limits flexibility, and increases security risk.

IDENTITY MANAGEMENT IN RED HAT ENTERPRISE LINUX

Identity Management in Red Hat Enterprise Linux provides the tools to quickly install, configure, and centrally manage identity management servers in large and small Linux and UNIX enterprise environments, using Linux tools on Linux systems. It also provides the option to interoperate with Microsoft Active Directory. Integrated into Red Hat Enterprise Linux, Identity Management allows you to expand your use of Linux while at the same time reducing costs and administrative load and raising compliance levels by implementing central authentication, identity lookup services, and fine-grained access control.

Identity Management integrates capabilities from Kerberos, LDAP, DNS, and x.509 certificates to provide a reliable, scalable, simple-to-use, and secure identity management solution. While centralized identity/policy/authorization software is hardly new, Identity Management is one of the only options that supports Linux and UNIX domains using Linux tools.

Enhanced Security

Identity Management enhances security by helping to ensure that people have access only to the systems, services, and data that they need to perform their jobs. It provides the policies and mechanisms to authenticate users and machines and to authorize users to access corporate systems and data, thus preventing accidental or fraudulent use that could negatively impact the business. For example, backup administrators can be given root access to a small set of commands on a limited number of systems.

Because all data is centralized, a number of activities can be automated to increase security. For example:

User provisioning/deprovisioning: User accounts can be quickly provisioned, modified, or deactivated across all systems and services when users join, move within, or leave the organization. If integrated with Active Directory, user accounts that are disabled in one domain are disabled in the other.

Password policies: Password policies minimize risk by enforcing adequate complexity standards to thwart brute force attacks and by ensuring passwords are changed frequently enough to mitigate the risk of someone revealing or discovering passwords. In addition, if also using Active Directory, passwords can be synchronized both ways.

Compliance: Identity Management helps organizations comply with corporate and governmental regulations by limiting access to applications and data and providing one traceable identity for all users.

Recertification: Sarbanes-Oxley (SOX) requires financial services firms, as well as other publicly-traded companies, to review every employee at least once a year to re-certify that they still need access to systems. Identity Management can provide a Web-based view of individuals and their access to make it easier for managers to verify employment status against HR records.

Enterprise Single Sign-On

Identity Management provides the centralized user authentication required to implement enterprise single sign-on (ESSO). ESSO enables users to access many different enterprise resources after their initial log-in without having to log in to each resource. This streamlined access increases productivity and reduces password fatigue and help desk calls for forgotten passwords. If interoperability with Active Directory is enabled, users are authenticated when they log in to their desktops.

Identity Management adds Kerberos ESSO and LDAP to Linux, UNIX, and Mac systems in the way these systems expect. It also provides Kerberos-based out-of-the-box ESSO for any enterprise application that supports Kerberos or LDAP, including Samba, Apache, SSH, NFS, WebSphere, JBoss, Tomcat, SAP, Oracle, and MySQL.

Centralized Administration and Control

A major goal of Identity Management is to greatly reduce administrative overhead. This is accomplished by integrating all of the different applications together seamlessly, using a single and simplified tool set. Users, machines, services, and policies are all configured and managed in one place. A Web user interface and CLI provide a layer that unifies all of the services and simplifies administration tasks for managing users, systems, and security.

These interfaces allow management tasks to be automated and performed repeatedly in a consistent manner for greater efficiency and security. For example, identities are maintained on a central identity service represented by a group of replicating servers, and users and policies are uniformly applied to enrolled machines. And, because Identity Management creates a domain, multiple machines can all use the same configuration and the same resources simply by joining the domain. As a result, administrators are less dependent on complex scripts and senior administrators to manage user identities and access.

The centralized identity store of Identity Management also enables better control over who has access to which systems and resources. User accounts are consolidated, which makes it easier to enforce security policies. Integrated authorization enables you to control how and when users can access Linux and UNIX systems, and exactly which commands they can execute on those systems. This allows you to apply granular protections to enterprise resources. For example, you can configure end-user self service to allow end users to update their own personal profile information and change passwords. You can set different access levels for laptops and remote users, or you can restrict the hours of access for certain groups of users.
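The group-scoped rules described here and in "Enhanced Security" above (backup administrators who get root for a few commands on a few hosts; log-in control by host, service and hours; accounts deactivated centrally) can be modeled as a small default-deny policy evaluator. This is an added illustration written for this page, not Identity Management or FreeIPA code; the users, groups, hosts and commands are constructed sample data.

```python
from dataclasses import dataclass, field
# Toy model of the centralized HBAC and sudo policy the whitepaper describes. Illustrative
# only, not Identity Management / FreeIPA code; all users, hosts and commands are constructed.

@dataclass
class HbacRule:
    user_groups: set        # groups the rule applies to
    hosts: set              # enrolled hosts the rule covers
    services: set           # PAM services, e.g. "sshd"
    hours: tuple = (0, 24)  # allowed local hours, half-open [start, end)

@dataclass
class SudoRule:
    user_groups: set
    hosts: set
    commands: set           # exact command paths that may run as root

@dataclass
class Directory:
    groups: dict            # user -> set of group names
    disabled: set = field(default_factory=set)
    hbac: list = field(default_factory=list)
    sudo: list = field(default_factory=list)

    def _active_groups(self, user):
        # A deactivated account matches no rule on any host: one central change deprovisions it.
        return set() if user in self.disabled else self.groups.get(user, set())

    def hbac_allowed(self, user, host, service, hour):
        """Default deny: access needs one rule matching group, host, service and hour."""
        groups = self._active_groups(user)
        return any(groups & r.user_groups and host in r.hosts and service in r.services
                   and r.hours[0] <= hour < r.hours[1] for r in self.hbac)

    def sudo_allowed(self, user, host, command):
        """Root access only for the listed commands on the listed hosts."""
        groups = self._active_groups(user)
        return any(groups & r.user_groups and host in r.hosts and command in r.commands
                   for r in self.sudo)

# Constructed sample directory: backup admins get root for two commands on the backup
# hosts only; ordinary staff get SSH to the web hosts during office hours; carol has left.
DIRECTORY = Directory(
    groups={"alice": {"backup-admins", "staff"}, "bob": {"staff"}, "carol": {"staff"}},
    disabled={"carol"},
    hbac=[HbacRule({"backup-admins"}, {"bkp1", "bkp2"}, {"sshd"}),
          HbacRule({"staff"}, {"web1", "web2"}, {"sshd"}, hours=(8, 18))],
    sudo=[SudoRule({"backup-admins"}, {"bkp1", "bkp2"}, {"/usr/bin/rsync", "/usr/sbin/lvcreate"})],
)
```

Every decision is a pure function of the central store, so adding a host to a rule or disabling a user takes effect on all enrolled machines at once, which is the property the text attributes to a single identity domain.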

Finally, the Web user interface shows instant, visual relationships between entities, for example all of the groups, access rules, and policies associated with a user. With this information, managers can see a list of staff and the access rights assigned to them, so they can better understand if there is a compromise, or determine if people have access to the tools and processes they need to perform their jobs.

Standards-Based Integrated Components

Identity Management provides an integrated, unified interface for the standards-based capabilities of Kerberos, LDAP, DNS and x.509 certificates to deliver a reliable, scalable, simple-to-use identity management solution. Although all of these components can be used individually to implement a solution, Identity Management in Red Hat Enterprise Linux is more flexible and easier to administer because it is designed and optimized for a single purpose: to manage identities.

Identity Management focuses on centrally managing identities (users and machines) and the policies that relate to those identities and their interactions. While it uses LDAP to store its data, Identity Management provides a purpose-built structure that defines a particular set of identity-related entry types and their relationships in detail.

The Identity Management server is deployed solely to manage identities, which produces a great deal of administrative simplicity. It provides a simple, one-command installation that also installs a Web server and Web application to manage the solution, an easy configuration process, and a unified set of commands. It also has a clearly defined role in the overall IT infrastructure. An Identity Management domain is easy to configure, join, and manage, and the functions that it serves, particularly identity and authentication tasks like enterprise SSO, are also easier to perform with Identity Management than with more general-purpose directory servers. In addition, the Identity Management server can easily be replicated to provide load balancing and high availability.

Identity Management creates an alternative to Active Directory for Linux and UNIX systems and provides administrators more control over identities in their Linux and UNIX environments. Identity Management takes over the role of Active Directory and provides authentication, authorization, and administration infrastructure to the rest of the enterprise, including Linux, UNIX, and Mac systems. Identity Management brings native control to Linux and UNIX servers, using native tools and applications, something that is not possible in Active Directory. Additionally, because Identity Management is Windows-aware, critical user data, including passwords, can be synchronized between Active Directory and Identity Management, preserving a centralized user store.

Reduce Costs

Identity Management is integrated into Red Hat Enterprise Linux and does not require any additional subscription. When you use Identity Management, you eliminate the need to purchase third-party solutions to integrate Linux and UNIX users into Active Directory.

Other savings include:

Eliminates the cost of integration: protocols, data, and access applications are already integrated and managed with a single tool.

Reduces help desk calls: A simple password reset tool helps reduce costs, as a large percentage of help desk calls are related to password resets. Self-service helps alleviate the strain on the help desk and the investment in human capital required to provide this kind of basic support.

Allows for faster deployment: New applications can be deployed faster and users can be provisioned faster. New employees need access to applications and resources as quickly as possible. Identity Management can be used to automate user provisioning and deprovisioning, which can help ensure that all tasks are completed as quickly as possible. Hosts and virtual machines can be provisioned faster by automatically enrolling and connecting them to the Identity Management server.

Reduces administrator costs: Frees IT administrators from manually managing security processes. Also increases productivity by enabling enterprise single sign-on.

Reduces training costs: Enables you to harness the power of LDAP, Kerberos, and Certificate Authority without extensive training and expertise.

FOR MORE INFORMATION

To learn more about Red Hat Enterprise Linux, contact your local sales person or visit redhat.com.

ABOUT RED HAT

Red Hat was founded in 1993 and is headquartered in Raleigh, NC. Today, with more than 60 offices around the world, Red Hat is the largest publicly traded technology company fully committed to open source. That commitment has paid off over time, for us and our customers, proving the value of open source software and establishing a viable business model built around the open source way.

SALES AND INQUIRIES

Latin America: +54 11 4329 7300, www.latam.redhat.com
North America: 1 888 REDHAT 1, www.redhat.com
Europe, Middle East and Africa: 00800 7334 2835, www.europe.redhat.com
Asia Pacific: +65 6490 4200, www.apac.redhat.com

Copyright 2011 Red Hat, Inc. Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, and RHCE are trademarks of Red Hat, Inc., registered in the U.S. and other countries. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

#8529617_1211