October 12, 2010

Authentication in a Changing Heterogeneous Environment

Tools, it should be noted, change. If they did not, as a rule, then very likely we would still be using stone knives and bearskins instead of working with these fancy computational devices made of metal, plastic, and sand. Or worse, doing all our authentication against NIS in enterprise environments.

Centrify is a strong example of a company with a tool that has changed over time. Its original product line was built to do one thing and do it well: use the framework of Active Directory to connect the various authorization systems of non-Windows platforms so they could be managed by a single system.

When Centrify first began to spread the word about its products in the mid-2000s, the message it had to get across to Linux, Unix, and Mac system administrators was pretty simple: using Active Directory (AD) will not ruin your systems and take the souls of your first-born children.

The latter is certainly hyperbole, but in the true hearts of those system admins, it was just barely an exaggeration. Beyond the obvious political hurdles, sysadmins were less than sanguine about trusting AD for anything other than their Windows systems.

Very soon, however, the environments for those sysadmins would be radically changed: as their IT needs evolved, more and more heterogeneity started showing up in the workplace. "Pure" Linux, Unix, or even Windows networks would become more rare as time went on. As applications started moving away from the workstations and back down the stack into application servers, heterogeneous networks were practically guaranteed.

Suddenly, authentication became much more important, as all of these different systems brought with them their own authentication and security tools. Complicating this was the rise of regulatory rules like Sarbanes-Oxley, HIPAA, and the Payment Card Industry Data Security Standard (PCI DSS), under which unified security policies and user-identity and provisioning tools were no longer just suggestions.

It was this business environment that Centrify found itself talking to in the latter part of the last decade, where the need for unified authentication was very high, and no one system could be implemented to take care of these heterogeneous environments. Meta-directory and synchronization solutions were proposed, but the complexity and lack of trust in such products made them a poor fit. OpenSSH was another option, but managing its key pairs across many systems was a less-than-optimal solution.

AD solutions, such as those put forth by Centrify, Likewise Software, and Quest Software, made a lot of sense for even the strongest Linux proponents, for one simple reason: no matter the mix of the platforms in the server room and data center, most of the users in the system were still coming in from Windows machines and Windows-based authentication rules in the form of AD. This inescapable fact, coupled with the advantages of a directory-based authentication system, eventually started to bring even the most hardened system admin around to an AD solution.

Today, the message Centrify and the other companies in this sector bring to customers is no longer the sales pitch on the virtues of AD, but rather variants on the theme of what else you can do with AD solutions.

"We don't fight that battle as much anymore," Corey Williams, Centrify's Director of Product Management, said. Most system administrators already have AD as part of their network strategy now, he explained, as part of their sunk costs for their heterogeneous network configuration.

Now, Williams added, the message has shifted away from the pure integration and plumbing advantages into extolling the virtues of best practices, regulatory requirements, and security policies. For Centrify, the benefits of a single authentication/security scheme are what it's selling to its customers, with apparently good results.

This approach may have arrived in the nick of time, because the very definition of heterogeneity is morphing into something new for system administrators. No longer will the term apply only to different operating systems, Williams said, but it will now encompass virtual and cloud computing architectures as well. Multiple application servers, operating systems, cloud systems... all of these will now fall under the definition of "heterogeneous."

Williams is confident that this expansion, which is happening now, can still be met by his company's solutions.

"The directory approach is a valid way of managing all that," Williams emphasized.

It is a mark of the maturity of Linux to see solutions such as Centrify's succeeding in today's complex IT environments. No longer are tools religiously used to the exclusion of anything else. Today's sysadmin will gladly use the best solutions for the task at hand, be they from Linux or from a technology derived from Microsoft.

People, it seems, can change, too.