Which option would you prefer? Syncing the password from AD means the "gods" of your security are your Windows administrators; keeping it separate means your teenage/contract sysadmins are not necessarily also the gods of security...
Separation of infrastructure and security roles, etc.
I'd like to add my 2 cents.
When reviewing security products, I looked at ones that were completely integrated with Active Directory (managed through GPO, reporting status back through Events, etc.), I looked at ones that were managed completely on their own (no integration with AD at all, no SSO, etc.), and I looked at the "middle tier" of ones that were somewhat integrated with AD but also did their own thing (which includes SafeBoot).
Ones that didn't integrate with AD generally didn't make the cut. The problem here is that in a medium to large enterprise, this becomes hard to manage. Your users now have two passwords to remember, accounts are managed independently, you have two systems to do your adds/changes/deletes through. Ugly (in my opinion, of course). These are probably much easier to manage in smaller shops and are usually much more affordable (often free).
The products that were integrated to the degree that there was no other place to manage them except AD and GPO just didn't work out. Maybe there are places that have a much stronger and tighter Active Directory setup than I do, but just because I set up my AD to organize "Marketing" users together and "Sales" in another place doesn't mean that's how I want to set up my encryption. Completely on the side, I also found that reporting through this class of products was weak.
And finally, we have Safeboot and the products in that class. It's exactly what I wanted in management on a product. It pulls all the user information from Active Directory by Security Group or OU, can map them to SafeBoot groups, and then I manage using policies in the SB console (or soon ePO). Getting back to the original point, I can now let my AD guys do what they do (organize), my sys admins do what they do (create/modify/disable), and the security folks do what they do (policies, enforcement, auditing, etc).
With all that said, I do think it would be great if password management was handled (at least optionally) through Active Directory and synced with the SafeBoot product --- if it could be done in a secure way. To take it a step further, I think it'd be great if the SafeBoot OS authenticated against Active Directory instead of the internal secured database. I remember asking a SafeBoot rep about this one and he said that AD is locked down to the point that you cannot extract the password from the database, but thinking about this I'm not sure that it's accurate. Products like ILM, for example, take the password from Active Directory to sync it with eDirectory - so at some level it must be open, or at least accessible.
I'll take a stab at it and say I suppose they don't have the client authenticate against AD directly because they would then need to open up a network connection, which I'm sure opens up other holes. But, if it could be done securely, it would probably be the end-all to the problems with client login, which normally center on users logging into systems after they've changed their password on another system.
I'm not sure that because the AD folks own the password means that they are the gods of my security system. I guess depending on how you're set up, they could find their way in a number of ways using the current system - for example, adding dummy user accounts to groups they might know sync into SafeBoot groups.
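One way to keep an eye on the last point (AD admins slipping dummy accounts into groups that sync into SafeBoot groups) is to review the Security log on the domain controllers for membership additions to exactly those groups. The PowerShell below is an added example, not code from the thread or from SafeBoot; the group names in $SyncedGroups are hypothetical placeholders for whatever groups your SafeBoot connector actually pulls from.

```powershell
# Added example (not from the original thread or from SafeBoot):
# list recent additions to the AD security groups that feed the SafeBoot
# group mapping, so the security team can review who put whom into a
# group that grants encryption access.
# The group names below are hypothetical; substitute the groups your
# SafeBoot connector actually syncs from.
$SyncedGroups = @('SafeBoot-Laptops', 'SafeBoot-Admins')
$Days = 7

# Windows Security event IDs for "member added to a security-enabled group":
#   4728 = global group, 4756 = universal group, 4732 = domain local group
$Filter = @{
    LogName   = 'Security'
    Id        = 4728, 4756, 4732
    StartTime = (Get-Date).AddDays(-$Days)
}

Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Pull the named EventData fields out of the event XML rather than relying
    # on positional Properties, which differ slightly between the three IDs.
    $data = @{}
    ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }

    # TargetUserName is the group the member was added to.
    if ($SyncedGroups -contains $data['TargetUserName']) {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Group   = $data['TargetUserName']
            Member  = $data['MemberName']
            AddedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        }
    }
} | Sort-Object Time | Format-Table -AutoSize
```

Run it on every domain controller (or against forwarded/collected logs), because the event is written only on the DC that processed the change; any addition not made by the people who are supposed to own those groups is worth a look.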