Research in Motion (RIM) systems architect Ian Brown wanted to give his administrators the same central identity...
management authentication functionality for their Linux and Unix machines that they enjoyed with Microsoft Windows Server and Active Directory -- but it just wasn't happening.
While the Windows boxes enjoyed the central authentication management hub in Microsoft Active Directory (AD), the Red Hat Linux, Sun Solaris and HP UX boxes in his data center needed to be administered on a server-by-server basis.
"Essentially, we wanted to be able to use a central authentication source for all of our servers for our half dozen administrators," Brown said. "We could get that through Unix, but that would have required us to have a central login server and we basically can get that for free already with Active Directory." The login server would have been redundant; Brown wanted to leverage what AD had to offer.
Central authentication would reduce the "unnecessary overhead" of server-by-server password upkeep, Brown said. In some cases, administrators find scrubbing Linux and Unix servers of employee login credentials so time consuming that it is not done at all, leading to security threats. That wasn't the case at RIM, where turnover was relatively light and a series of checks and balances assured every server was scrubbed when employees left the company, Brown said. The bigger threat, Brown said, was actually a looming Sarbanes-Oxley (SOX) compliance audit.
Rather than having a redundant setup with a Unix login server and AD, Brown looked into building a homegrown authentication. Talking to other developers, Brown found many who were using Sun's Network Information Service (NIS) as a password management system for their Unix and Linux boxes.
Darin Pendergraft, director of product management for Quest Software Inc., said Sun's NIS fails Sarbanes-Oxley audits and is an unnecessary risk when Active Directory already does such a great job with Group Policies. Quest Software's Vintela Authentication Services provides AD policies for both Unix and Linux boxes.
Brown said RIM looked into Quest Software, but he decided to pass because Vintela required schema changes to AD. "That's not really the best approach because if you have to go to Microsoft with a problem, they're going to tell you 'sorry, you installed extensions to LDAP,'" he said.
And when RIM calculated ROI for an internally developed application, Brown said it became evident that it would be too challenging and expensive. What RIM needed, he decided, was a third-party application that worked out of the box. He said they found it in Mountain View, Calif.-based Centrify Corp.'s DirectControl.
"Obviously RIM is a publicly traded company, so when the SOX auditors were looking at the access control to our systems, [we] were already covered with Centrify," Brown said. "Essentially, we could just print off a DirectControl report and say these people had access to this Linux system and when."
With DirectControl, Brown could instantaneously produce this login documentation. He could then correlate that information to any maintenance ticket ever generated at RIM. Before DirectControl, Brown estimated his staff of six spent dozens of hours each week on local server administration -- work they now complete in seconds.
Centrify's DirectControl shares many of the same features as its competition. That includes, for example, Centeris Likewise Identity 3.0, with centralized password management and user privileges for Linux servers. DirectControl, like Identity, also features Windows-based GUIs and tool sets for Windows administrators managing Linux servers. Linux systems administrators will still have root user control to go in and boot systems, but mundane tasks can now be handled by existing AD tools and technologies, said Tom Kemp, CEO of Centrify. Brown said he had not heard of Centeris.
Auditing and training
The successful relationship between RIM and Centrify led to a beta test earlier this year for a new auditing product set to launch later in 2007. The product, called DirectAudit, addresses another shortcoming in Unix -- that I/O captures are stored in a flat file on the server.
"If you are trying to audit an [administrator or user], you want that information to be transparent as well," Brown said.
The first beta release in November 2006 had a "Big Brother" feel to it for the administrators being audited, he said, because it logs everything they do on a server. "People don't really want that, and when the first beta came out, it was an all-or-nothing approach."
But with its second beta release earlier this year, Centrify allowed selective audits for specific administrator commands. The latest beta also allows administrators to audit logs offline in the event of a system failure.
Brown is testing the DirectAudit beta on an external Microsoft SQL 2005 database, and testing has revealed that there are a few other areas that need work before the official release in May.
DirectAudit can monitor root users, but only after the fact, Brown said. In the future, he said he'd like to see a more reactive product that audits passwords instantaneously. He would also like DirectAudit to apply timestamps for each command an administrator makes. Brown added that RIM has made no decision on whether it will purchase the full version of DirectAudit when it launches in May.