1 30 September 1999 Concepts A directory is a hierarchical, searchable database for relatively stable data - Information about users and other global entities.

Presentation transcript:

1 30 September 1999 Concepts
- A directory is a hierarchical, searchable database for relatively stable data
  - Information about users and other global entities for access by users and applications
  - Information specific to an application for access enterprise-wide by the application
    - Actually more extensively used today than user searching
    - Examples: locations, URLs, time-out periods
- A directory service is a directory information store plus the tools and services used to resolve names to objects
- A schema formally defines the universe of object types that may be stored in a given directory service
- A Directory Information Tree (DIT) is the hierarchically organized collection of objects stored in a directory

2 30 September 1999 Concepts (Concluded)
- A namespace is a bounded area within which the name of an object can be resolved to the object or information represented by the name
- Replication synchronizes the physical databases that comprise the logical Directory
- A meta-directory is a collection of pointers to data and/or copies of data from various authoritative information stores
  - With a join engine, presents a consistent view of the data
  - Recognizes standard directory access protocols, usually LDAP
[Figure: an LDAP user viewing a joined entry with labels Common Name, SMTP address, Phone number, Salary]

3 30 September 1999 Security Services to Other Components
- Holds data that supports security services provided by other infrastructure components
  - Credentials
  - Credential revocation information
  - Role membership
  - Keys
  - Application configuration information
[Figure: directory entries labelled Certificate Revocation List and Role, the Role listing members Joe and Jenny]

4 30 September 1999 Responsibilities for Internal Security
- Protect confidentiality and integrity of data stored in the directory service
  - Uses internal access control based on identification, authentication, and authorization
- Protect data transmitted between the directory service and users, applications, or other directory service implementations
  - Can use SSL/TLS
  - Can rely on service provided by host or network
- Provide adequate availability for expected accesses
- Keep audit log of significant events, including:
  - Logins to the directory service
  - Directory resource accesses
  - Administrative actions
  - Synchronization activities
  - Data changes

5 30 September 1999 State of the Practice
- Directories are not widely in use today
- As the use of technologies that are reliant on directories increases (e.g., PKI), directory use will increase

6 30 September 1999 State of the Art: Protocol Choices Today
- X.500 client is infeasible
  - Too complex, not supported by many COTS products
  - Difficult to find proxy applications that would allow X.500 Directory Access Protocol (DAP) through firewalls
- LDAP by itself is not adequate across many directory services
  - LDAP v.3 is still in draft form, important for replication
  - Replication of access control settings is not well supported
- Other options are non-standard
- X.500 server + LDAP client may be the best choice today
  - Provides both a widely available, stable client and good replication
  - BUT: difficult to manage because configuration requires manually specifying directory relationships

7 30 September 1999 State of the Art: Near Future: Meta-Directory
- LDAP client + meta-directory capability across many different server types may become the best choice in the future
  - Allows the DIT to vary from place to place
  - Allows single view into many different data stores
  - Allows different protections for different data stores
- BUT: Market is immature
  - Only one vendor, Zoomit, offers a join engine today
  - Zoomit product is reasonably stable but hard to use
[Figure: meta-directory diagram with labels LDAP/SSL, C=US,O=MITRE, SSL, FW, Taxpayer Data, O=MITRE, C=US, Phone numbers, certificates]

8 30 September 1999 State of Products Today
- Zoomit, Microsoft, ISOCOR, Netscape, NetVision, DCL, Novell and Lotus all have offerings
  - Zoomit is in transition, bought by Microsoft in August
    - Microsoft will offer Zoomit to customers through Microsoft's consulting services
  - ISOCOR is currently scheduled to release their Meta-Join product 4th QTR '99
  - Netscape has purchased the ISOCOR source code on a one-time basis to develop its own meta-directory capabilities
  - Novell has established a partnership with NetVision
    - NetVision functions have an extension to the NDS Schema
  - DCL X.500 directory supports a synchronization tool called DCL Link
  - Lotus does not currently compete in this market and references other 3rd-party vendors to solve this integration problem

9 30 September 1999 Management Responsibilities for Security
- The directory holds information that controls essential security functions, such as certificates used for authentication
  - Therefore, management of the directory is management of security
- Operational management responsibilities:
  - Maintain data
  - Schedule and monitor replication
  - Assure availability and performance
  - Configure servers with respect to other servers
    - Configure replication
    - Configure search redirection functions
- Oversight management responsibilities:
  - Select the overall enterprise-wide directory architecture
  - Define the schema and DIT across the enterprise
  - Set policies for directory service configuration and operational management

September 1999 Risk Factor: Selecting the Directory Architecture
- Determine directory services to be used throughout the enterprise and the relationships among them
  - Option 1: one large directory with all data in it
  - Option 2: many small directories with selected data in each and a global search capability
  - Option 3: same as Option 2, except include meta-directory
    - Meta-directory provides central consistent access point
    - Subordinate authoritative data sources can be of different kinds, including directories, databases, and address books
- Risk: many independent directories may be fielded before management can develop a comprehensive IRS-wide view
  - Risk mitigation: if Option 3 is selected then the independent directories can be folded into the enterprise directory with minimal disruption

1 30 September 1999 Risk Factor: Password Protection
- Especially important if directory holds data used to implement security, such as access control support information or security software configuration information
- Passwords must never be sent in clear-text mode
- Risk: network encryption may not be implemented on every link
  - Risk mitigation: use SSL or equivalent protection for all login dialogs

September 1999 Risk Factor: Control of Data Aggregation
- The best solution to a security business need, such as S/MIME to encrypt messages, may require some data, such as employee S/MIME certificates, to be made available outside the enterprise
- Policy may limit searches to discover names of IRS employees
- Implies need to limit searches for aggregated data while allowing searches for specific data
- Risk: Failure to allow specific searches in the directory may limit design options for application security services
[Figure: an outside requester asks "Please send me Joe's certificate" and gets "OK"; asks "Please send me all certificates" and gets "Sorry"]
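One way to enforce the "specific searches yes, aggregation no" rule at an external-facing directory front end, as an added example that is not part of the original briefing (the attribute names, the LDAP filter subset handled and the policy are assumptions):

```python
"""Search-policy gate for an external-facing directory front end.

Added example, not from the original briefing: an outside requester may ask
for one named entry ("Please send me Joe's certificate": OK) but not run an
aggregation search such as (cn=*) ("Please send me all certificates": Sorry).
Attribute names, the filter subset handled and the policy are assumptions.
"""
import re

# Attributes an outsider may use to name exactly one entry (assumption).
SPECIFIC_ATTRS = {"cn", "uid", "mail"}
# Attributes an outsider may read back from that entry (assumption).
EXPORTABLE_ATTRS = {"usercertificate", "mail"}
# One equality leaf: (attr=value) with no nested parentheses.
_EQ_LEAF = re.compile(r"^\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)$")

def _split_children(inner):
    """Split the body of an (&...) filter into its immediate child filters;
    return None if the parentheses do not balance."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(inner):
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return None
        if depth == 0 and ch == ")":
            parts.append(inner[start:i + 1])
            start = i + 1
    return parts if depth == 0 and start == len(inner) else None

def filter_is_specific(ldap_filter):
    """True only if every leaf is an exact, wildcard-free match on one of
    SPECIFIC_ATTRS, joined at most by AND.  OR, NOT, presence (attr=*),
    substring and ordering filters all count as aggregation."""
    f = ldap_filter.strip()
    if f.startswith("(&") and f.endswith(")"):
        children = _split_children(f[2:-1])
        return bool(children) and all(filter_is_specific(c) for c in children)
    m = _EQ_LEAF.match(f)
    if not m:
        return False
    attr, value = m.group(1).lower(), m.group(2)
    return attr in SPECIFIC_ATTRS and value != "" and "*" not in value

def authorize_search(ldap_filter, attrs, external):
    """Decide whether a search may run; returns (allowed, reason)."""
    if not external:
        return True, "internal request: directory ACLs apply as usual"
    if not filter_is_specific(ldap_filter):
        return False, "aggregation search refused for external requester"
    denied = sorted(a for a in attrs if a.lower() not in EXPORTABLE_ATTRS)
    if denied:
        return False, f"attributes not releasable outside: {denied}"
    return True, "specific lookup permitted"
```

Internal requesters pass straight through to the directory's own access controls; the gate only narrows what the outside can ask for and what it can read back.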

September 1999 Risk Factor: Proper Access Control
- Some directory services don't allow access controls to be set on individual attributes, only on objects
- Where access controls can be set for individual attributes, maintaining correct protections may be difficult
- Risk: relying on directory access control settings may make it difficult to maintain good access control
  - Risk mitigation: use directory services architecture to isolate sensitive data
[Figure: a firewall (FW) separating Less Sensitive Data from More Sensitive Data]

September 1999 Risk Factor: Additional Applications Testing
- Applications can interfere with each other
  - Applications may write to the same attribute with different formats
    - For example, the same phone number may be stored as (703) , , or
    - Workaround: some directory services support normalizing name formats
  - Different applications may have different expectations for the meaning of the same attribute
    - For example, name could hold first name, full name, or common name
    - Workaround: use multivalued attributes where conflicts may occur
  - Different applications may use different names for the same attribute
    - For example, name, namen, or nom
    - A workaround is to provide name translation using aliases
- Risk: installing one application may break other applications
  - Risk mitigation: application acceptance testing will need to test for directory use conflicts with other applications
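The three workarounds on this slide, applied together during acceptance testing of several applications' directory writes, as an added example that is not part of the original briefing (the alias table, the single stored phone format and the sample updates are constructed assumptions):

```python
"""Directory attribute reconciliation for application acceptance testing.
Added example, not from the original briefing: applies the slide's three
workarounds to updates from several applications, translating attribute
aliases (name, namen, nom -> cn), normalizing phone numbers to one stored
format, and keeping cn multivalued so differing meanings coexist.  The alias
table, the +1NNNNNNNNNN phone format and the sample updates are assumptions.
"""
import re

# Per-application attribute names mapped to the canonical schema name.
ATTRIBUTE_ALIASES = {"name": "cn", "namen": "cn", "nom": "cn",
                     "phone": "telephoneNumber", "tel": "telephoneNumber"}
# Attributes allowed to hold several distinct values; any other attribute
# receiving a second distinct value is reported as an application conflict.
MULTI_VALUED = {"cn", "mail"}

def canonical_attr(attr):
    return ATTRIBUTE_ALIASES.get(attr.lower(), attr)

def normalize_phone(raw, country="1"):
    """Reduce '(703) 555-0100', '703.555.0100' or '+1 703 555 0100'
    to the single stored form '+17035550100'."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:                 # national number, no country code
        digits = country + digits
    if len(digits) != 11 or not digits.startswith(country):
        raise ValueError(f"unrecognised phone number: {raw!r}")
    return "+" + digits

NORMALIZERS = {"telephoneNumber": normalize_phone}

def reconcile(updates):
    """Apply (application, attribute, value) updates to one empty entry.
    Returns (entry, conflicts); each conflict is
    (attribute, kept value, offending application, rejected value)."""
    entry, conflicts = {}, []
    for app, attr, value in updates:
        canon = canonical_attr(attr)
        if canon in NORMALIZERS:
            value = NORMALIZERS[canon](value)
        values = entry.setdefault(canon, [])
        if value in values:
            continue                      # same data, different spelling
        if values and canon not in MULTI_VALUED:
            conflicts.append((canon, values[0], app, value))
            continue
        values.append(value)
    return entry, conflicts

SAMPLE_UPDATES = [                        # constructed sample input
    ("hr-app", "name", "Joe Jenny"),       # full name
    ("mail-app", "nom", "Joe"),            # first name under a French alias
    ("pbx-app", "phone", "(703) 555-0100"),
    ("hr-app", "telephoneNumber", "703.555.0100"),
    ("badge-app", "employeeNumber", "12345"),
    ("hr-app", "employeeNumber", "67890"),  # genuine conflict
]
```

Running reconcile(SAMPLE_UPDATES) collapses the two phone spellings into one value, keeps both cn meanings side by side, and reports only the employeeNumber disagreement, which is the kind of finding the acceptance test should surface before the second application is deployed.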

September 1999 Risk Factor: Interaction with PKI Applications
- Certificate authorities are often linked to the directory service
  - On certificate requests the CA can look up the authoritative entry for the authenticated user and automatically fill in all the information it needs
  - On certificate granting, the CA can store the certificate in the directory
- Risk: directory naming structures and attributes may not meet the needs of the CA
  - Risk mitigation: when the directory service and CA are defined, management should ensure that the directory project and CA projects work together to define compatible structures
[Figure: mismatched attribute names, Employee Name / Certificate on one side versus Employee Nom / Cert on the other]

September 1999 Recommendations
- Plan to use meta-directory
- Use SSL or equivalent protection for all login dialogs and other transfers of sensitive information between the client and the directory
- Integrate policy and implementation to allow limited access to data from the outside
- Use directory services architecture to isolate sensitive data
- Include directory use conflicts with other applications in application acceptance testing
- When the directory services and CA are defined, management should ensure that the directory project and CA projects work together to define compatible structures
- Define normalized attributes (e.g., phone number format) and standard use of object classes and attributes within the IRS

September 1999 Acronyms
- CA - Certification Authority
- DIT - Directory Information Tree
- ETA - Electronic Tax Administration
- FW - firewall
- IPT - Integrated Product Team
- IRS - Internal Revenue Service
- LDAP - Lightweight Directory Access Protocol
- PKI - Public Key Infrastructure
- S/MIME - Secure Multipurpose Internet Mail Extension
- SMTP - Simple Mail Transfer Protocol
- SR - Sub-release
- SSL - Secure Sockets Layer
- TLS - Transport Layer Security
- URL - Uniform Resource Locator
- US - United States
- VPN - virtual private network