The 12 Critical Questions You Need to Ask When Choosing an AD Bridge Solution
“….most of the large enterprises Burton Group surveyed in its authentication contextual research project had implemented (or were planning to implement) an Active Directory (AD) bridge product to improve compliance and reduce costs and user sign-ons. AD bridge products enable organizations to manage UNIX users (i.e., “traditional” UNIX flavors such as Sun Solaris, but also Linux and Mac OS) from AD, extend Windows Kerberos authentication and single sign-on (SSO) to UNIX users, and enable centralized policy management of UNIX systems via standard AD tools.”
More specifically, the Burton Group’s report stated:
“AD bridge products unify the Microsoft and UNIX environments by leveraging an organization’s Active Directory infrastructure and existing Microsoft toolsets. The result is lower total cost of ownership for UNIX platforms. Some AD bridge products extend Windows Kerberos SSO to applications (e.g., SAP enterprise resource planning [ERP], Tomcat, and WebSphere) hosted on UNIX servers. AD bridge products also provide a single identity (including password) for UNIX and Windows platforms, and provide Kerberos SSO to Microsoft applications (e.g., network fileshares, Internet Information Services [IIS], SharePoint).”
A number of non-AD bridge options provide the basic functionality of integrating a Unix, Linux, or Mac OS X operating system with AD, including offerings from Sun, Apple, IBM and several Linux distributions. These vendors include basic Kerberos/LDAP agents that execute the “join” of non-Windows systems to AD. However, these “commodity” solutions lack enterprise-level functionality—such as extending AD Group Policy, audit, and management capabilities—nor can they consistently deploy the solution across multiple operating systems. These capabilities separate the true AD bridge solutions from the rest.
The range of management features offered by the various AD bridge vendors varies widely. The major business benefits AD bridge users should expect from their solution include:
• Efficiency – When the net number of identities in an enterprise shrinks, a single AD-based identity administration task can be extended to the entire population of Unix, Linux, and Mac OS X systems and users.
• Security – Extending the Kerberos authentication, strong password policy, and access control principles of AD to Unix, Linux, and Mac OS X strengthens security.
• Compliance – Because NIS can be eliminated in favor of a more secure directory and authentication mechanism, security can be improved and managed centrally for Windows, Unix, Linux, and Mac OS X, making compliance with internal policies and external regulations easier.
Source: “Active Directory Bridge Products: Getting More Value from the Windows Infrastructure,” Identity and Privacy Strategies In-Depth Research Report; Jan 07, 2009 #126536
The 12 critical questions you need to ask when choosing an AD bridge solution
Our Authentication Services solution provides immediate relief for password and NIS issues and improves your organization’s long-term compliance posture. This solution uses open architecture, standards, and proven execution to achieve both immediate and long-term compliance goals.
Organizations evaluating AD bridge technologies have an extremely important decision ahead of them. To ensure maximum benefit from the solution, you must carefully evaluate your requirements, as well as your present and future IT environment. You also must identify your strategies, possible obstacles, and goals for the technology.
With that in mind, and using the experience of hundreds of real-world AD bridge deployments, here are some questions you should ask to help choose the right AD bridge solution for you and your organization.
Compliance
How will the AD bridge solution help me address my specific compliance concerns?
Compliance is the main driver behind many AD bridge evaluations. But the ability of solutions to adequately address compliance concerns out of the box varies widely. It is vital to consider the tool’s ability to help you solve a short-term problem, such as passing an upcoming audit. You must also evaluate its ability to help you maintain and improve compliance by making your organization “audit-proof.”
Key compliance considerations include:
Password policy
• Does the AD bridge solution address your short-term Unix, Linux, Mac OS X password challenges?
• Does the solution provide a path to long-term password compliance?
NIS
• Does the solution address your immediate need to authenticate from AD instead of NIS?
• Does it provide a safe and controlled path to eliminating NIS entirely?
Strong authentication
• Does the AD bridge solution integrate with the two-factor authentication solutions you need to satisfy regulations (such as PCI DSS)?
• Does the two-factor solution complement or undermine the simplicity provided by the AD bridge solution for administration and standard authentication?
Privileged account management
• Does the AD bridge solution integrate seamlessly with a solution for Unix root delegation and auditing?
Auditing, alerting, and change tracking
• Does the AD bridge solution provide the depth and breadth of information that auditors demand of Unix information housed in AD?
• Is that information easy to access?
The right AD bridge solution will deliver each of these needs without cumbersome third-party integration or custom workarounds.