Make IT one: Southern Company puts its energy behind a more efficient, productive authentication process across disparate network platforms.


The process of unifying or bringing systems together is not a process of abandoning existing systems in favor of a common platform company-wide, says Becky Blalock, Southern Company senior vice president and chief information officer. Rather, at Southern Company, "Make IT One" (the focus of Southern Company's authentication strategy in 2004) means bringing all authentication systems together under a common management umbrella.

"Our goal was to find one way to authenticate user IDs regardless of the platforms involved," Blalock says. "The results have made ID and password management less complicated for our users and more manageable and cost effective for IT."

Atlanta-based Southern Company is a super-regional energy company with an electric generating capacity in excess of 39,000 megawatts. As one of the largest energy producers in the United States, Southern Company provides electricity to 4.1 million customers across a 120,000-square-mile territory in Alabama, Georgia, Mississippi and Florida. The company employs approximately 26,000 and has a complex heterogeneous computing environment.

The advent of Sarbanes-Oxley and a number of other government regulations (such as HIPAA and the Gramm-Leach-Bliley Act) has put pressure on corporate IT departments to evaluate the way they secure data, authenticate user identity and control access to systems. For Southern Company, that challenge is amplified by the fact that the company's enterprise includes a wide range of disparate operating systems.

"We are primarily a Windows shop," says Robert Morgan, information services lead at Southern Company, "with around 20,000 Windows desktops and 800 Windows servers company-wide. But we also have a significant investment in Unix, with 350 Unix servers. Approximately 95% of our Unix servers run Solaris (everything from version 2.6 up to version 9.0), with the remaining 5% running various versions of HP-UX. We even have a test bed running Linux."

At Southern Company, the true cost of IT lies in much more than simply the money spent on software and hardware. Support, integration, security, interoperability and maintenance require resources that far exceed the hard costs of infrastructure and applications. The real cost of IT is the time, money and effort expended to keep end-users up and running.

"Historically, a fundamental problem in our IT operations has been the authentication and identity management of our users on Unix resources," says Morgan. "Our Unix user IDs (UID) and group IDs (GID) didn't match the UID and GID in Microsoft Active Directory for our Windows systems."

AN INEFFICIENT SYSTEM

The absence of a centralized process or technology to manage access and identity on Unix systems, according to Cliff McManus, IT project manager at Southern Company, led to inefficient use of personnel at times. "Consequently, basic password management tasks were falling to our tier three support people rather than the help desk," McManus says. "It certainly wasn't the most efficient use of the time and talents of these valuable personnel assets."

"An internal audit revealed some real shortcomings in the way we managed these Unix users," says Jay Cribb, project lead in IT security at Southern Company. "We found that the same person could have several different IDs across the whole range of Unix systems. And these IDs were most likely different from their UID in Active Directory. To muddy the waters even further, we had a number of cases where the same ID number actually represented two different employees on two different systems. Those are some issues that we simply couldn't afford to let continue."

The audit suggested three main areas of improvement for authentication and identity management on Unix systems at Southern Company. First, with the lack of a centralized infrastructure spanning all Unix systems, password expirations simply were not being enforced.

Second, all password changes and account maintenance were performed physically at each Unix box by tier 3 support personnel. This caused a major backlog for deprovisioning, creating a long delay between an employee's termination and complete removal of that employee's Unix access.

Third, the existing infrastructure provided no way to standardize UID and GID, resulting in redundant and conflicting identities across the range of Unix systems.

"In the Windows world, Active Directory is a single domain and all Windows users are members of that domain. It offers the ultimate centralization," says Cribb. "Several years ago, we went through a huge project to centralize everything in our Windows environment around Active Directory. Prior to that, our Windows systems were disconnected islands, as well. Bringing them all together in a common infrastructure made a big difference both operationally and financially."

MILLIONS SAVED ANNUALLY

By standardizing and centralizing the Windows environment and its support processes, and creating a single sign-on for all Windows systems in a secure directory structure, Southern Company saved several million dollars annually in help desk expenses, problem resolution and other management tasks.

"We realized that the savings achieved by centralizing our Windows environment around Active Directory would be amplified if we could do the same thing for our Unix systems," Cribb continues. "But while Windows offered the homogeneity to make the migration possible, our Unix systems were so diverse that, with no native integration between the environments, our goal seemed out of reach."

In an effort to "Make IT One," Morgan, Cribb and others began looking for ways to bring the same kind of capabilities offered by Active Directory to the wide range of Solaris and HP-UX systems. These systems run the company's mission-critical Oracle financial applications, trouble call management system (TCMS), call center scheduling application and others.

Their initial efforts centered on open-source solutions. Properly securing those solutions, however, only worked on a small scale. Next, Cribb and Morgan turned to vendor solutions that implemented a separate directory for Unix and provided password synchronization across platforms. They discovered that available password synchronization solutions were too complex and required the company to build another layer of infrastructure just to support the synchronization.

"We already had a large, distributed infrastructure built with Active Directory," says Cribb. "We did not want to duplicate that and introduce another layer of complexity."

"It quickly became apparent that we should abandon looking for a third-party synchronization solution; they were just too complex and couldn't deliver the level of integration with Active Directory we demanded," says Morgan. "We determined that the best option was to go right for the source. Since Kerberos works so well in Active Directory for Windows systems, we began investigating what it would take to duplicate that security and single sign-on capability for our Unix systems."

"Kerberos is vital to creating a centralized directory for all our environments," offers Cribb. "Properly securing LDAP communications would have required a manually managed certificate for every Unix server, which is why the open source solutions wouldn't scale for us. Securing the user's credentials is key, and Kerberos is the best way to do it on a very large-scale deployment like we have."

INTERNET PROVIDES SOLUTION

"It became obvious that internal development wasn't cost-effective, password synchronization solutions were too complex and required too much additional infrastructure, and secured open source LDAP solutions couldn't scale to the level we required," adds Morgan. "So we fell back on an old standard: an Internet search for 'Unix AD integration.' The search brought us to a presentation that mentioned something called Vintela Authentication Services. It turned out to be just what we needed."

Vintela Authentication Services (VAS) integrates the authentication interfaces that are native to Unix and Linux with Microsoft Active Directory. Fundamentally, VAS allows Unix and Linux systems to act as full citizens in Active Directory. Consequently, this solution gave Southern Company the ability to create a single "trusted zone" for all resources (Windows, Unix and Linux) within the Active Directory environment it had already proven and the enterprise infrastructure it had already invested in.

Unix systems have long relied on the Pluggable Authentication Modules (PAM) framework for authentication services and on the Name Service Switch (NSS) for user and group identity lookups. The trick with cross-platform integration is to bring those native Unix interfaces into Active Directory in such a way that the Unix machine appears in AD just like a Windows machine. VAS accomplishes this through Unix/Linux client software that plugs into PAM and NSS on each supported OS and authenticates to Active Directory with Kerberos, drawing the non-Windows system into the directory without a separate Unix user store.

"VAS does exactly what we were trying to accomplish, and required neither the resources nor the support that the other alternatives we explored would have demanded," says Cribb. "Basically, with VAS all of our Unix systems (the entire range of Solaris and HP) became full participants in our Active Directory environment. The result is a single point of management for all user IDs, passwords, groups and group membership, regardless of platform. Suddenly, all the problems revealed by our audit became entirely fixable."

Southern Company faced a few challenges in bringing the Unix systems to a point where VAS could extend the reach of Active Directory. For example, the security team recommended that the relative identifier (RID), the final numeric component of each object's Active Directory security identifier (SID), be used as the numeric identifier (UID or GID) in the Unix environment. Because the RID is unique within the company's single domain, this guaranteed that every user and group carried one identifier across both platforms and allowed an audit trail to be preserved. To achieve this objective, Cribb, Morgan and the rest of the team would have to re-assign consistent UIDs and GIDs company-wide.

"Our purpose in reassigning the UID and GID for each user and object was to create a clean and organized structure easily sustainable now that everything was in Active Directory," says Morgan. "To do it this way took more work on our part, but it really was the right way to do it. We wrote an internal program that creates a source file and automatically assigns unique IDs to each user and object across all of the platforms."
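The two halves of the story above, the audit that found one person holding several UIDs and one UID naming several people, and the remapping program that derives a single UID/GID from the Active Directory RID, can be sketched in a few dozen lines. The following is an added example written for this article; it is not Southern Company's internal program, and the host names, passwd lines and SIDs in it are constructed sample data. It also adds two checks a practitioner would want that the article does not spell out: RIDs below 1000 are well-known (500 Administrator, 512 Domain Admins, 513 Domain Users, and so on) and overlap the range Unix reserves for system accounts, and RID uniqueness only holds within one domain, so objects from a second domain are rejected rather than silently allowed to collide.

```python
"""Audit per-host Unix passwd snapshots for identity drift and derive one
UID/GID source file from Active Directory RIDs.

Added example for this article, not Southern Company's internal program.
Host names, passwd lines and SIDs below are constructed sample data.
"""
import re
from collections import defaultdict

# Constructed sample: (host, passwd-style line) captured from three Unix hosts.
PASSWD_SNAPSHOTS = [
    ("fin01",   "alice:x:1042:100:Alice:/home/alice:/bin/ksh"),
    ("fin01",   "bob:x:1043:100:Bob:/home/bob:/bin/ksh"),
    ("tcms02",  "alice:x:2208:100:Alice:/home/alice:/bin/sh"),   # same person, different UID
    ("tcms02",  "carol:x:1042:100:Carol:/home/carol:/bin/sh"),   # UID 1042 is someone else here
    ("callctr", "bob:x:1043:100:Bob:/home/bob:/bin/sh"),
]

# Constructed sample: (sAMAccountName, objectSid, kind) exported from AD.
AD_OBJECTS = [
    ("alice",        "S-1-5-21-1111111111-2222222222-3333333333-1105", "user"),
    ("bob",          "S-1-5-21-1111111111-2222222222-3333333333-1106", "user"),
    ("carol",        "S-1-5-21-1111111111-2222222222-3333333333-1107", "user"),
    ("Domain Users", "S-1-5-21-1111111111-2222222222-3333333333-513",  "group"),
    ("unix-users",   "S-1-5-21-1111111111-2222222222-3333333333-1200", "group"),
    ("eve",          "S-1-5-21-4444444444-5555555555-6666666666-1105", "user"),  # other domain, RID clashes with alice
]


def audit(snapshots):
    """Return (users_with_several_uids, uids_naming_several_users):
    the two findings the article's internal audit describes."""
    uids_by_user = defaultdict(set)
    users_by_uid = defaultdict(set)
    for _host, line in snapshots:
        name, _pw, uid, _gid, *_rest = line.split(":")
        uids_by_user[name].add(int(uid))
        users_by_uid[int(uid)].add(name)
    several_uids = {u: sorted(s) for u, s in uids_by_user.items() if len(s) > 1}
    shared_uids = {u: sorted(s) for u, s in users_by_uid.items() if len(s) > 1}
    return several_uids, shared_uids


# A domain account SID has the form S-1-5-21-<three domain sub-authorities>-<RID>.
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")
# AD allocates RIDs for new objects from 1000 upwards; lower RIDs are well-known
# accounts and groups whose numbers overlap the Unix system-account range.
MIN_ALLOCATED_RID = 1000


def rid_from_sid(sid):
    """Split a domain SID into (domain_prefix, rid)."""
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    return m.group(1), int(m.group(2))


def build_id_map(ad_objects):
    """Map AD users to UIDs and AD groups to GIDs using the RID as the number.
    Returns ({user: uid}, {group: gid}, [rejection messages]). Only the first
    domain seen is accepted, because RIDs are unique per domain, not per forest."""
    uids, gids, rejected = {}, {}, []
    home_domain = None
    for name, sid, kind in ad_objects:
        prefix, rid = rid_from_sid(sid)
        home_domain = home_domain or prefix
        if prefix != home_domain:
            rejected.append(f"{name}: SID from a second domain, RID {rid} may collide")
            continue
        if rid < MIN_ALLOCATED_RID:
            rejected.append(f"{name}: well-known RID {rid} overlaps the system ID range")
            continue
        (uids if kind == "user" else gids)[name] = rid
    return uids, gids, rejected


def render_source_file(uids, gids, primary_group):
    """Emit passwd-style lines with the RID-derived UID and the GID of the
    chosen AD group as every user's primary group."""
    gid = gids[primary_group]
    return "\n".join(f"{u}:x:{uid}:{gid}::/home/{u}:/bin/sh" for u, uid in sorted(uids.items()))


if __name__ == "__main__":
    several, shared = audit(PASSWD_SNAPSHOTS)
    print("users with several UIDs:", several)
    print("UIDs naming several users:", shared)
    uids, gids, rejected = build_id_map(AD_OBJECTS)
    print(render_source_file(uids, gids, "unix-users"))
    print("\n".join(rejected))
```

Run against the sample data, the audit reports alice with UIDs 1042 and 2208 and UID 1042 shared by alice and carol, exactly the two classes of conflict the article describes; the RID map then gives every remaining object one number, rejects the well-known Domain Users group (RID 513) and the second-domain account whose RID would have clashed with alice.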

Another challenge faced by Southern Company was providing all of the Unix tools and applications with the necessary PAM functionality to interface with VAS--and ultimately Active Directory. "PAM-enabling the handful of Unix applications that weren't already using PAM took a little time, but, in reality, standardizing on UID enterprise-wide was really our biggest hurdle," continues Morgan. "We pulled off both tasks flawlessly and simply packaged the VAS installation with some other projects."

AUTOMATIC DEPROVISIONING

Southern Company started with its Unix financial servers and continued the rollout from there. Now, the company can manage authentication and identity on all systems--Windows, Solaris Unix, HP Unix and even Linux--through Active Directory using existing infrastructure.

"Since we had previously integrated Active Directory with our HR system, when someone's status changes in the HR system, that change now automatically flows out across our Windows and Unix systems within the enterprise," says Cribb. "This is possible because the principles that make Active Directory so powerful in creating a single sign-on zone for Windows resources are now extended to our non-Windows systems, as well, through VAS.

"Basically, we expanded the reach of Active Directory (and its capabilities) to the rest of our enterprise," he adds. "We no longer have to physically go from machine to machine to deprovision resources. When an ID is disabled in AD, it is disabled across our Windows and Unix platforms instantly."

"With Active Directory extended out to include all of our systems, tier three support personnel can now work on tier three issues," notes Morgan. "The task of managing passwords can fall to the help desk, which frees our Unix support team to focus on their core responsibilities. The same capabilities that saved us so much money when we consolidated Windows into Active Directory are now being realized in the Unix world, as well."

About Vintela

Vintela is a technology vendor providing integration between Windows management tools and Unix, Linux, Mac and Java systems. Led by President Dave Wilson, Vintela has developed a non-Windows platform-integration solution that integrates natively and naturally within Microsoft products and technologies. Vintela allows IT organizations and system integrators to administer and manage all network resources (Windows and non-Windows alike) from the Microsoft technologies already in place. Vintela is located in Lindon, Utah, with development and sales offices in Brisbane, Australia; Oxford, England; and Denver, Colo.

Wilson has more than 23 years experience in Unix-for-business computing. Drawing upon this experience and with technology that has been in development since 2000, he founded Vintela to create a standards-based integration architecture for all computing platforms. Wilson has held a wide range of roles, including president, managing director, chairman of developer council and general manager of engineering, as well as positions running strategic alliances and sales.

For more information from Vintela: www.rsleads.com/501cn-252
COPYRIGHT 2005 Nelson Publishing

Publication:Communications News
Article Type:Cover Story
Date:Jan 1, 2005