It is not impossible to have a single user directory tree for internal users / staff, partners and customers. All that is required are unique identifiers and different levels of permission, normally managed through group membership. However, pretty much every organisation quite rightly separates these groups into independent trees. These independent trees are normally realised as independent directory implementations, thus providing security through isolation and security zones of control. This has not stopped me recently being asked, within a large organisation, whether it is not possible to have a single identity management solution.

This was an evident confusion between identity management solutions and directory structures, for which I drew two examples. The first was an example directory structure (below) for ACME_Corp and my test user Chester Drawers, showing how quickly a single directory structure becomes very complicated.

[Figure: Single Tree Model. An Extreme Example of a Single Identity Tree for Employees, Partners & External Users]

The other example I used was the (ISC)² Common Body of Knowledge's use of security zones, and how this intellectual capital does not deprecate an organisationally unified identity management solution. The cost benefit of a single directory structure is minimal because separate directory services are not an expensive resource; it is only the management of the resource that becomes expensive. As always, the challenge is to apply the appropriate amount of security control without greatly affecting access to information. Applying an appropriate, proportionate level of security matters because employees, partners and online users will always have different authentication requirements.

The (ISC)² Common Body of Knowledge recommends security zones as a proportionate mechanism for applying the appropriate level of authentication required to access the information asset. A security zone of control is an area or grouping within which a defined set of security policies and measures are applied to achieve a specific level of security. Zones are used to group together those entities with similar security requirements and levels of risk and ensure each zone is adequately segregated from another zone.
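As an added illustration (not code from the original post) of how the single-tree model above and the zone model combine, the following Python derives a security zone from an entry's position in one ACME_Corp tree and applies a proportionate authentication policy per zone. The base DN, ou names, zone names and assurance levels are assumptions constructed for this example, not a real deployment.

```python
"""Single directory tree for ACME_Corp with security zones derived per subtree.

Constructed example: the base DN, ou layout, zone names and assurance levels
are assumptions for illustration only.
"""

BASE_DN = "dc=acme-corp,dc=example"

# Each top-level ou of the single tree belongs to exactly one security zone (assumption).
ZONE_OF_OU = {"Employees": "internal", "Partners": "partner", "Customers": "external"}

# Zone policy: minimum authentication assurance level (AAL) needed to reach assets
# held in the zone, and which zones a principal may come from.
# AAL 1 = password only, 2 = password + MFA, 3 = MFA on a managed device (assumed scale).
ZONE_POLICY = {
    "internal": {"min_aal": 3, "allowed_from": {"internal"}},
    "partner":  {"min_aal": 2, "allowed_from": {"internal", "partner"}},
    "external": {"min_aal": 1, "allowed_from": {"internal", "external"}},
}


def zone_of_dn(dn: str) -> str:
    """Return the security zone of an entry from the first ou below the base DN.

    Raises ValueError for entries outside the tree or not under a zoned ou, so a
    mis-placed entry fails closed instead of silently landing in a zone.
    """
    if not dn.lower().endswith(BASE_DN.lower()):
        raise ValueError(f"{dn} is outside {BASE_DN}")
    rdns = [r.strip() for r in dn[: -len(BASE_DN)].rstrip(",").split(",")]
    # Walk from the base DN downwards; the first ou is the zone boundary.
    ous = [r.split("=", 1)[1] for r in reversed(rdns) if r.lower().startswith("ou=")]
    if not ous or ous[0] not in ZONE_OF_OU:
        raise ValueError(f"{dn}: no zoned ou directly under the base DN")
    return ZONE_OF_OU[ous[0]]


def access_decision(subject_dn: str, asset_zone: str, aal: int) -> tuple[bool, str]:
    """Decide whether a principal, authenticated at `aal`, may reach `asset_zone`."""
    subject_zone = zone_of_dn(subject_dn)
    policy = ZONE_POLICY[asset_zone]
    if subject_zone not in policy["allowed_from"]:
        return (False, f"zone {subject_zone} may not reach zone {asset_zone}")
    if aal < policy["min_aal"]:
        return (False, f"AAL {aal} below required AAL {policy['min_aal']} for zone {asset_zone}")
    return (True, "allowed")
```

Because the zone is a function of the subtree, every entry such as the test user Chester Drawers must live under a zoned ou, which is exactly the structural discipline that separate directories otherwise give for free.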