Application Security, Part 2

The most important idea that has ever emerged from attempts to grapple with application security is this one. In an enterprise, there are going to be a lot of computers, a lot of applications and a lot of users, and administering the security of the enterprise would be greatly facilitated by using a global directory service. A global directory service would provide a central repository for every asset and user in the enterprise, a language for querying the directory, and an application programming interface by which applications can query the directory. So, in simple terms, managing the computer security of an enterprise is a huge undertaking that can be simplified by having all of the information pertinent to the problem in one place, in the global directory service.
Okay, so let’s say we accept that notion, and want to keep all of our security-related information in one place. Then what say we use a relational database as the global directory service for our enterprise? After all, relational databases are intended to serve as repositories for all sorts of data, there is a standard language for querying them, namely SQL, and there are various application programming interfaces by which applications can access them. Well, actually, that would not be the optimal solution, because global directories are searched with much greater frequency than they are modified, in the same way that a telephone directory is consulted often but usually updated only once a year; a directory service is therefore optimized for fast, widely replicated reads rather than for the transactional updates that a relational database is built around. And, furthermore, there are features that a global directory service ought to have that relational database management systems do not provide, such as referrals, whereby, if a global directory service is unable to locate an entry sought by a client, it can automatically refer the client to a different global directory that holds the information.
An important step in the development of global directory services was taken in 1988, when the organization that is now known as the International Telecommunication Union and the International Organization for Standardization released a standard for directory services called X.500. Then, in the mid-1990s, the Internet Engineering Task Force began to publish a slimmer version of X.500 designed exclusively for TCP/IP environments. That standard is the Lightweight Directory Access Protocol, or LDAP. Netscape and Novell both offered LDAP-compliant directories. Microsoft followed suit with Microsoft Active Directory, which was incorporated in Windows 2000 Server: Microsoft Active Directory was Microsoft’s first LDAP-compliant directory offering. In accordance with our corporate strategy at the time, Microsoft made Active Directory not only LDAP-compliant, but COM-compliant as well. The COM interface to Active Directory is the Active Directory Services Interface, also known as ADSI.
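The "language for querying the directory" that an application uses against an LDAP-compliant directory such as Active Directory is the LDAP search filter. The following is an added example, not code from the original post or from Microsoft: it builds a user-lookup filter the way an application might, applies the RFC 4515 escaping that any value taken from user input needs, and runs the filter against a small in-memory directory so the effect of escaping can be seen without a live server. The entries, names and domain are constructed; `objectClass` and `sAMAccountName` are genuine Active Directory attribute names, but the tiny filter evaluator here is a simplified approximation of a directory's matching rules, written only to illustrate the point.

```python
"""Added example: building and evaluating LDAP search filters with RFC 4515
escaping, against a constructed in-memory directory (no real server needed)."""
import re

# RFC 4515: these characters inside an assertion value must be written as a
# backslash followed by two hex digits, otherwise they change the filter's meaning.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(sam_account_name: str) -> str:
    """Hardened form: the caller-supplied account name is escaped before insertion."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(sam_account_name)}))"


def build_user_filter_unsafe(sam_account_name: str) -> str:
    """Contrast form, shown only to demonstrate the difference: no escaping, so a
    wildcard in the input turns an exact lookup into a match on every user."""
    return f"(&(objectClass=user)(sAMAccountName={sam_account_name}))"


def _unescape(value: str) -> str:
    """Decode RFC 4515 \\xx escapes back into literal characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(text: str, pos: int):
    """Recursive-descent parser for the subset: (&...), (|...), (!...), (attr=value)."""
    if text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = text[pos]
    if op in ("&", "|"):
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        return (op, children), pos + 1
    if op == "!":
        child, pos = _parse(text, pos + 1)
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        return ("!", child), pos + 1
    end = text.index(")", pos)               # a literal ')' in a value must be escaped as \29
    attr, _, raw = text[pos:end].partition("=")
    return ("=", attr.lower(), raw), end + 1


def _matches(node, attrs) -> bool:
    """Evaluate a parsed filter against one entry (attribute names lower-cased,
    string values compared case-insensitively, as AD does for these attributes)."""
    kind = node[0]
    if kind == "&":
        return all(_matches(c, attrs) for c in node[1])
    if kind == "|":
        return any(_matches(c, attrs) for c in node[1])
    if kind == "!":
        return not _matches(node[1], attrs)
    _, attr, raw = node
    values = [v.lower() for v in attrs.get(attr, [])]
    if raw == "*":                           # presence filter
        return bool(values)
    # Unescaped '*' separates substring pieces; escaped '\2a' decodes to a literal '*'.
    parts = [_unescape(p).lower() for p in raw.split("*")]
    pattern = ".*".join(re.escape(p) for p in parts)
    return any(re.fullmatch(pattern, v) for v in values)


def search(directory, filter_text: str):
    """Return the DNs of the entries in `directory` that satisfy `filter_text`."""
    node, end = _parse(filter_text, 0)
    if end != len(filter_text):
        raise ValueError("trailing data after filter")
    hits = []
    for entry in directory:
        attrs = {k.lower(): v for k, v in entry.items() if k != "dn"}
        if _matches(node, attrs):
            hits.append(entry["dn"])
    return hits


# Constructed sample directory; the accounts and domain are invented for this example.
DIRECTORY = [
    {"dn": "CN=Alice Example,OU=Users,DC=example,DC=test",
     "objectClass": ["top", "person", "user"], "sAMAccountName": ["alice"]},
    {"dn": "CN=Bob Example,OU=Users,DC=example,DC=test",
     "objectClass": ["top", "person", "user"], "sAMAccountName": ["bob"]},
    {"dn": "CN=Printers,OU=Groups,DC=example,DC=test",
     "objectClass": ["top", "group"], "sAMAccountName": ["printers"]},
]

if __name__ == "__main__":
    print(search(DIRECTORY, build_user_filter("alice")))        # one exact hit
    print(search(DIRECTORY, build_user_filter("*")))            # [] : '*' matched literally
    print(search(DIRECTORY, build_user_filter_unsafe("*")))     # every user: wildcard leaked in
```

The contrast between the last two lines is the practical point: a directory lookup that an application performs on a user's behalf should match exactly one entry, and escaping the caller-supplied value is what keeps the filter's structure fixed regardless of what that value contains.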
[This posting is provided "AS IS" with no warranties, and confers no rights.]