Government Directory Solutions
Isode's M-Vault directory products are a popular choice for Government directory deployments. This page shows why Isode's products are ideal for this environment, where typical uses include:
- Support of white pages services for email and general purpose use.
- Support of account information and control of user access, including authentication and authorization.
- Support for digital signature and PKI (Public Key Infrastructure).
Whilst Government departments typically have a fair degree of autonomy in selecting the IT systems they use, there is often a centrally imposed requirement for systems to work together. This way of operating is less common in commercial organisations where independent business units will either be given complete freedom in system selection or common systems at all levels will be imposed from the top.
This government requirement to operate independently and to work together has a key influence on the requirements governing their directory system selection.
This page sets out the key factors influencing directory system selection for government and introduces Isode's solutions for government, used by government organizations worldwide.
Isode's M-Vault family of products supports both LDAP and X.500, and is used by government organizations all round the world, due to functionality that is ideal for this type of deployment. M-Vault has excellent capabilities to address all of the key government directory requirements identified on this page. The following gives an example departmental directory.
This diagram shows:
- LDAP Access from email clients to support address lookup.
- LDAP Access from an application, to provide user authentication.
- Directory management using Isode's M-Vault Console management tool.
- Data management using Isode's Sodium (Secure Open Data, Identity and User Manager) data management tool.
- A Certification Authority, such as Entrust, accessing and managing data in M-Vault.
- X.500 chaining using X.500 Directory System Protocol (DSP) to access data in a peer departmental X.500 capable directory.
- LDAP chaining to access data in a peer departmental LDAP directory.
- Data replication using X.500 Directory Information Shadowing Protocol (DISP) to share data with other departments to increase performance and resilience.
The conflicting influences of centralisation and independence inevitably lead to governments building complex, heterogeneous, distributed systems in which directories are connected to provide an overall service.
In many government departments, sharing information such as white pages and email routing data is critical to IT operations. They also wish to operate in a resilient and independent manner. These two factors combined necessitate the replication of directory data between departments, so that operation is not dependent on remote directory servers.
Digital Signatures and PKI
Digital signature initiatives are important cross-departmental functions that rely on a directory infrastructure in order to support PKI.
Security and Audit
Government IT systems have complex legal requirements to handle, and often have to deal with balancing and supporting "data protection" and "freedom of information" requirements. When these high level requirements are translated onto underlying components such as directory, this leads to high security requirements (to protect and control data) and high audit requirements (for accountability).
LDAP and X.500
LDAP is the most popular directory access mechanism, and is the access mechanism of choice for government directories. Because of the specialized nature of government requirements, X.500 is also particularly important because:
- The requirements for distributed working and open replication are solved well by X.500, which has standardized directory server to directory server communication and standardized replication.
- PKI makes use of binary (ASN.1) attributes, defined in X.509. LDAP is designed for string encoded attributes, and the extensions for handling binary attributes are not well supported in many LDAP servers. X.509 was designed in parallel with X.500, so it makes sense to use an X.500 based directory to support X.509.
Connecting a Department to a central X.500 System
Governments and organizations often choose to deploy X.500 because it enables departments to operate independent directories, and connect using the standard X.500 directory system protocol (DSP) and replication (DISP). This will typically be achieved by deployment of a central X.500 service, with departments independently selecting their directory server products.
M-Vault Connector is useful in situations where a department wishes to deploy an LDAP only directory, which cannot connect to the central X.500 system. M-Vault Connector enables the departmental directory to be integrated with the central directory. More details on this scenario are covered in the M-Vault Connector product description.