M-Vault provides a unique set of security features, including Flexible Authentication, Strong Authentication, Signed Operations, Kerberos Authentication, SASL Authentication, SCRAM, Password Policy, Identity Based Access Control, Security Label Based Access Control, Audit Logging & Data Confidentiality.
M-Vault provides a range of authentication mechanisms for different types of deployment:
- Strong Authentication using digitals signatures provides highest security.
- Password based authentication, which can use SASL and a variety of underlying mechanisms.
- Kerberos and Single Sign On (SSO).Strong Authentication
Strong authentication based on X.509 PKI using Isode's strong authentication infrastructure is provided for all X.500 protocols (DAP, DSP, and DISP). and for LDAP using SASL-EXTERNAL.
Strong authentication is desirable for secure directory deployments, and should be used in preference to password based authentication.
M-Vault incorporates an OAuth service, enabling applications to authenticate and authorize using OAuth 2.0, particularly to support Isode applcations using OAuth. M-Vault provides two means of authentication
- Password based authentication, using M-Vault password checking mechanisms.
- Windows Single Sign On (SSO) using Kerberos based authentication with Active Directory.
Authorisation is managed in M-Vault using Cobalt
Further information provided in the [Isode OAuth] whitepaper
M-Vault provides Kerberos authentication using an external Kerberos KDC, such as the one provided by Microsoft Active Directory. This enables Single Sign On (SSO). Information is given in the whitepaper [Isode Support for Kerberos, Active Directory & Single Sign On].
M-Vault supports the SASL (Simple Authentication and Security Layer) Internet standards for LDAP client authentication, enabling a wide range of password based authentication mechanisms. The Isode SASL implementation supports a number of authentication mechanisms, given authentication flexibility. SASL also enables authentication using simple string names (as opposed to directory names), which is convenient for applications using directory based authentication. A full description of SASL and its use in M-Vault can be found here.
Salted Challenge Response Authentication Mechanism (SCRAM) is a new SASL based password mechanism that Isode recommends, as it provides both good protocol security and avoids the need to store plain passwords in the directory. SCRAM is described in [SCRAM: A New Protocol for Password Authentication].
M-Vault supports an LDAP passthrough mechanism where it holds data for an entry but performs authentication against another LDAP directory. This is particularly useful for authenticating against Microsoft Active Directory and using M-Vault to hold additional information relating to the entry.
Cobalt provides flexible management of LDAP passthrough entries.
When passwords based authentication is used, management is important. M-Vault provides comprehensive capabilities for managing password based authentication. This includes:
- Control of hashing choice, and auto-migration on authentication
- Ability to lock accounts
- Password quality control
- Password ageing
- Password history (controlled by age)
- Force password reset
- Grace login
- Require old password
- DSA generated password
- Prevention of password guessing attacks
- Ability to exclude
- Protocol support for password policy aware clients
- GUI management of password policy using Sodium (see here for screenshots)
- Password policy support in Isode Directory Client APIs
- Password policy aware changing in Isode Web Applications – PIA (Personal Information Administration)
- Password idling (disable if not used after a period)
- Password start/end time
Further details are given in the Isode whitepaper [Password Policy for Directories].
Identity Based Access Control
M-Vault provides flexible access control of data held in the directory, based on the identity of the user accessing the directory, following the X.500 standards.
Support is provided for the full range of X.500 Access Control, covering both Basic Access Control (BAC) and Simplified Access Control (SAC). Features include access control applied to a specific directory entry, all entries within an administrative area, and a group of entries. In addition, access control can be defined per attribute (e.g., deny access to the password attribute for all entries). This identity based access control support includes support for roles, sometimes referred to as Role Based Access Control.
Security Label Based Access Control
M-Vault supports access control based on Security Labels and Security Clearances, using mechanisms of the type specified in X.500 as Rule Based Access Control. M-Vault allows Security Labels to be associated with directory entries, which then controls access based on the Security Clearance of the user. Detailed capabilities:
- All functionality is Security Policy controlled. Isode provides capabilities for Security Policy Management.
- Replication controlled by Security Policy can be achieved by use of Sodium Sync, and a login account with appropriate Security Clearance.
- M-Vault can restrict access based on user’s Security Clearance, using a Security Label associated with the M-Vault server.
- M-Vault can constrain the Security Labels on data held, by use of a Security Clearance associated with the M-Vault server.
Further information is provided in the product page covering Isode's Security Policy Infrastructure as well as the following whitepaper-
- Security Labels: [Access Control using Security Labels & Security Clearance]
M-Vault provides audit logging of directory activity, in a structured parse-able format. Details can be found on the Isode product page covering Audit Logging & Event Handling.
LDAP confidentiality is supported in M-Vault using TLS/SSL protocols. The server supports the Start TLS extended operation of LDAP and LDAPS. The set of cipher suites available is configurable, as is the effective authentication level for a user depending upon whether a suitably confidential cipher suite was negotiated. TLS support is described here.
M-Vault also provides TLS support for the X.500 DAP, DSP and DISP protocols, enabling data confidentiality between servers.
M-Vault uses digital signatures based on X.509 PKI to support signed operations in the DAP and DSP protocols. This provides additional integrity and audit security for individual operations and allows chained updates to be authenticated using a digital signature from the originating directory client.
M-Vault can be configured to require signed operations for all updates, which is recommended for directory deployments with stringent security requirements.
Signed operations are also used for the X.500 DISP replication protocol, providing the same per operation security as for DAP and DSP.