Business & Marketing
Ask the Expert: How can IT directories improve your security operations?
By Jimmy Palatsoukas
Security and IT departments working together has become part of the corporate landscape. Whereas the two were completely independent entities working within their own silos years ago, today they work hand in hand to ensure the security of a corporation's assets and employees. With the overlap between security and IT has come a fresh wave of functionality that has improved, and will continue to improve, an organization's operational efficiency. It is not uncommon today for security integrators or system manufacturers to be asked how well a security solution meshes with the IT infrastructure.
Frequent questions include how well the security solution integrates with an organization's IT directory service and what the benefits of such an integration are for security.
Many organizations have long used a centralized directory, such as Microsoft's Active Directory, which allows their IT department to manage systems, computer users, security policies, and applications, among other things. System administrators will typically create a new computer user when an employee is hired, assign them to one or more security groups to establish their overall access to the network and its resources, and add further information in the form of custom fields. In the case of a dismissal, the employee's account is disabled or deactivated. A more recent trend that is quickly becoming the norm is for other business systems, including security systems, to connect to the centralized directory service and either push useful information to it or pull useful information from it.
From a security system's perspective, a computer user's account contains relevant and useful information such as the user's name, membership in one or more security groups (which are often mapped to departments), and additional custom employee information. One use for this information is mapping a video system's operator account to his or her IT directory account. If directory security groups are mapped to the security system's user groups with pre-assigned privileges, new operators automatically inherit both their access to the video system and their privileges within it. Another use case is synchronizing an employee's directory record to his or her access control system's cardholder account. The clear benefit in both examples is a reduction in data entry points, since the information needs to be entered only once, in the directory. A second clear benefit is that mistakes can be greatly reduced or avoided altogether. If the normal workflow following an employee's dismissal is to manually disable their IT account in the directory and then manually disable their physical access rights, mistakes can happen: there could be a long delay between the two steps or, worse, the removal from the access control system database is forgotten altogether, leaving a former employee with a working badge. A security system that not only synchronizes with a directory, but does so automatically, can improve the level of security in a facility and eliminate typical mistakes.
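The synchronization described above comes down to a reconciliation job: read the directory's view of each user, map group memberships to security-system roles, and compute what must change in the cardholder database. The script below is an added illustration, not Genetec's or any vendor's code. It works on a constructed in-memory directory snapshot rather than a live LDAP connection, and the group names, custom-field names and action verbs (`create`, `update`, `disable`, `enable`) are hypothetical. The one real detail is the `userAccountControl` attribute: Active Directory sets bit 0x2 (ACCOUNTDISABLE) on a disabled account, so a sync can detect the dismissal case directly from the directory record. Note the two deprovisioning paths the mapping paragraph warns about: an account that is disabled in the directory, and an account that has disappeared from it altogether, both end up disabled in the access control system rather than silently left active.

```python
"""Reconcile an IT directory snapshot against an access-control cardholder
database. Added example; the directory data, group names and custom field
names below are constructed for illustration."""
from dataclasses import dataclass

ACCOUNTDISABLE = 0x0002  # userAccountControl bit AD sets on disabled accounts

# Hypothetical mapping: directory security group (DN) -> security-system user group
GROUP_MAP = {
    "CN=Employees,OU=Groups,DC=example,DC=com": "Cardholder",
    "CN=Security-Operators,OU=Groups,DC=example,DC=com": "VideoOperator",
    "CN=Security-Admins,OU=Groups,DC=example,DC=com": "VideoAdmin",
}

# Hypothetical mapping: directory attribute -> cardholder custom field
CUSTOM_FIELD_MAP = {"department": "Department", "employeeID": "EmployeeNumber"}


@dataclass
class Cardholder:
    login: str
    name: str
    groups: set
    custom: dict
    active: bool = True


def is_disabled(entry):
    """True if the AD account has the ACCOUNTDISABLE bit set."""
    return bool(int(entry.get("userAccountControl", 0)) & ACCOUNTDISABLE)


def to_cardholder(entry):
    """Translate one directory entry into the cardholder the ACS should hold."""
    groups = {GROUP_MAP[g] for g in entry.get("memberOf", []) if g in GROUP_MAP}
    custom = {CUSTOM_FIELD_MAP[a]: entry[a] for a in CUSTOM_FIELD_MAP if a in entry}
    return Cardholder(entry["sAMAccountName"], entry["displayName"],
                      groups, custom, active=not is_disabled(entry))


def reconcile(directory_entries, cardholders):
    """Return a list of (action, login, cardholder_or_None) to apply to the ACS.

    Accounts disabled in the directory, or missing from it, are disabled in the
    ACS (not deleted, so audit history and badge assignments are preserved)."""
    desired = {c.login: c for c in map(to_cardholder, directory_entries)}
    existing = {c.login: c for c in cardholders}
    plan = []
    for login, want in desired.items():
        have = existing.get(login)
        if have is None:
            if want.active:            # never create a cardholder for a disabled account
                plan.append(("create", login, want))
        elif not want.active and have.active:
            plan.append(("disable", login, None))      # dismissed in the directory
        elif want.active and not have.active:
            plan.append(("enable", login, None))       # reinstated; see usage note
        elif (want.groups, want.custom, want.name) != (have.groups, have.custom, have.name):
            plan.append(("update", login, want))       # department/group/field change
    for login, have in existing.items():
        if login not in desired and have.active:
            plan.append(("disable", login, None))      # account deleted from directory
    return plan


# Constructed directory snapshot (what an LDAP search for users would return).
EMP = "CN=Employees,OU=Groups,DC=example,DC=com"
OPS = "CN=Security-Operators,OU=Groups,DC=example,DC=com"
DIRECTORY_SNAPSHOT = [
    {"sAMAccountName": "alice", "displayName": "Alice Example", "userAccountControl": "512",
     "memberOf": [EMP, OPS], "department": "Security", "employeeID": "1001"},
    {"sAMAccountName": "bob", "displayName": "Bob Example", "userAccountControl": "514",
     "memberOf": [EMP], "department": "Finance", "employeeID": "1002"},   # 514 = 512 | 0x2
    {"sAMAccountName": "carol", "displayName": "Carol Example", "userAccountControl": "512",
     "memberOf": [EMP], "department": "Research", "employeeID": "1003"},
    {"sAMAccountName": "erin", "displayName": "Erin Example", "userAccountControl": "514",
     "memberOf": [EMP], "department": "Research", "employeeID": "1005"},
]

# Constructed current state of the access control system's cardholder database.
EXISTING_CARDHOLDERS = [
    Cardholder("alice", "Alice Example", {"Cardholder"}, {"Department": "Security", "EmployeeNumber": "1001"}),
    Cardholder("bob", "Bob Example", {"Cardholder"}, {"Department": "Finance", "EmployeeNumber": "1002"}),
    Cardholder("dave", "Dave Example", {"Cardholder"}, {"Department": "IT", "EmployeeNumber": "1004"}),
]


def demo_plan():
    return reconcile(DIRECTORY_SNAPSHOT, EXISTING_CARDHOLDERS)


if __name__ == "__main__":
    for action, login, who in demo_plan():
        print(action, login, "" if who is None else sorted(who.groups))
```

Running it yields an update for alice (she gained the operator group), a disable for bob (ACCOUNTDISABLE set) and for dave (gone from the directory), a create for carol, and nothing for erin, who was never active. The `enable` branch deserves a policy decision before deployment: the access control system may have disabled a cardholder for its own reasons (a lost badge, a site ban), so some sites route re-enables to a review queue rather than applying them automatically.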
End users and integrators should be asking security software manufacturers whether their solution integrates with an IT directory service, how deep the integration goes, whether the synchronization is automated or manual, what information is synchronized to and from the directory service, and how well the solution scales. Many directory services, Microsoft's Active Directory among them, expose a programmatic interface (Active Directory, for instance, can be queried over LDAP) that a security team can use to connect and synchronize data with their security solution. In this form, the integration is direct. There is also middleware on the market that boasts the ability to connect multiple systems to a directory service, but here the integration between the security system and the IT directory is not direct, and the added cost of the middleware itself can drive up the cost of the overall solution. The type of information synchronized matters as well. If the directory service contains custom information about an employee, you may want to push that information to the security system in the form of cardholder custom fields. This limits the data that must be entered manually after a directory sync.
One last thing to look out for is the scalability of a security solution's directory integration, especially for systems deployed in larger organizations and institutions. If the intent is for computer user accounts to be mapped to a cardholder database, an access control system may have to synchronize tens of thousands of user accounts. Think of a university environment where tens of thousands of students have access to IT resources as well as to access-controlled doors. In this case, your chosen solution should be able to schedule the synchronization with the directory service. Scheduling affords you the flexibility to move synchronization to off-peak hours and not burden your directory service. Bear in mind, though, that a nightly batch sync reintroduces some of the delay the integration was meant to remove: a full refresh of names, groups and custom fields can wait for off-peak hours, but account disablements should propagate on a much shorter cycle so that a dismissed employee's badge does not keep working until the next scheduled run.
Jimmy Palatsoukas is a senior product manager with Genetec. He can be reached at: firstname.lastname@example.org