"The idea is to have a directory that's a model of your operation, with an entry for all the computers, network links, printers and services, and the security relationships," says Terrill Smith, director of information security for Ingenix, a Salt Lake City-based business unit of UnitedHealth Group. Today, keeping the directory in sync with the network means, for instance, that a technician has to register a new printer with the directory, Smith says. "It would be nice if, when you install a printer, the network would tell the directory automatically."
The so-called DEN (directory-enabled network) concept is still a ways off. Meantime, Ingenix is populating its new distributed X.500 directory first with security policies--User A being allowed to access Server No. 2 and Ingenix's patient-data application, for instance. "The directory is becoming the main means of coordinating the distributed IT infrastructure, and security operations is one of the key aspects of it," Smith says.
But for now, Ingenix's directory is user-centric--it includes information about users and which applications and servers they can access. It initially won't include information about actual network devices, like routers, switches and firewalls, because that's too labor-intensive to manage, Smith says. "It's hard to keep the directory up to date with all of the changes we make in our infrastructure," he says. "Hiring the staff it takes to be always updating it would be overly expensive--directory manufacturers need to make directories more intelligent and automated."
So the directory will store information about, for instance, Joe in Accounting's privileges with financial applications. Ingenix plans to use the directory first to secure the applications that expose sensitive patient information, as well as the applications that provide access to key network devices.
Ingenix's IT team in Minnesota administers the directory structure and security, determining which portions of the directory reside in New Haven, Conn., for instance. Then network technicians in New Haven and the other sites will be able to update their own portions of the directory. "They will be able to manage their own operation by adding access, names, rights and users to the directory in their area," Smith says. The company is running Entegrity Solutions Corp.'s LDAP, PKI (public key infrastructure) and security policy software.
A key element in the directory and security infrastructure is the PKI, which gives users the credentials they present to access specific applications. Ingenix will serve as its own certificate authority, issuing and revoking users' certificates. The policy server software ties the directory and the digital certificates together, storing the privileges of each user.
Over the next year, Ingenix's X.500 directory also will be used to automate secure e-mail. The company is running other Entegrity software with the directory that simplifies managing the keys used to encrypt e-mail messages. "The sender's e-mail system will access the X.500 directory, get the correct encryption key, and then encrypt and send the mail," Smith says.
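The two uses of the directory described above, access policy (which users may reach which servers and applications) and encryption-key lookup for secure e-mail, can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not Ingenix's or Entegrity's code, and the LDIF layout, the attribute name allowedGroup, the o=example entries and the placeholder certificate blob are all constructed for the example. It also shows the failure mode Smith describes: a group that still lists a user whose entry has been removed, which the check treats as a stale reference rather than as a grant.

```python
"""Directory-driven access policy and key lookup (illustrative, not vendor code).

Assumptions (not from the article): a minimal LDIF directory under o=example,
groupOfNames groups with 'member' attributes, an assumed 'allowedGroup'
attribute on servers and applications, and userSMIMECertificate (RFC 2798)
holding a recipient's encryption certificate. The certificate value below is
a base64 placeholder string, not a real certificate.
"""
import base64

# Constructed sample directory: two users, one server, two applications, two
# groups. Note the dangling member in cn=patient-data-users.
SAMPLE_LDIF = """\
dn: uid=user.a,ou=People,o=example
objectClass: inetOrgPerson
uid: user.a
cn: User A
mail: user.a@example.test
userSMIMECertificate:: UExBQ0VIT0xERVItQ0VSVC1VU0VSLUE=

dn: uid=joe.acct,ou=People,o=example
objectClass: inetOrgPerson
uid: joe.acct
cn: Joe in Accounting
mail: joe.acct@example.test

dn: cn=server2,ou=Servers,o=example
objectClass: device
cn: server2
allowedGroup: cn=patient-data-users,ou=Groups,o=example

dn: cn=patient-data,ou=Applications,o=example
objectClass: applicationProcess
cn: patient-data
allowedGroup: cn=patient-data-users,ou=Groups,o=example

dn: cn=financials,ou=Applications,o=example
objectClass: applicationProcess
cn: financials
allowedGroup: cn=finance-users,ou=Groups,o=example

dn: cn=patient-data-users,ou=Groups,o=example
objectClass: groupOfNames
cn: patient-data-users
member: uid=user.a,ou=People,o=example
member: uid=former.employee,ou=People,o=example

dn: cn=finance-users,ou=Groups,o=example
objectClass: groupOfNames
cn: finance-users
member: uid=joe.acct,ou=People,o=example
"""


def parse_ldif(text):
    """Parse minimal LDIF (RFC 2849 subset): entries separated by blank lines,
    'attr: value', 'attr:: base64value', continuation lines starting with a
    space. Returns {dn_lowercase: {attr_lowercase: [values...]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:   # folded continuation line
                lines[-1] += raw[1:]
            else:
                lines.append(raw)
        attrs = {}
        for line in lines:
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):            # '::' marks a base64 value
                value = base64.b64decode(value[1:].strip())
            else:
                value = value.strip()
            attrs.setdefault(name.strip().lower(), []).append(value)
        entries[attrs.pop("dn")[0].lower()] = attrs   # DNs compare case-insensitively
    return entries


class Directory:
    def __init__(self, entries):
        self.entries = entries

    def get(self, dn):
        return self.entries.get(dn.lower())

    def members(self, group_dn):
        """Member DNs of a group that still resolve to a real entry."""
        group = self.get(group_dn) or {}
        return [m.lower() for m in group.get("member", []) if self.get(m)]

    def stale_members(self, group_dn):
        """Member DNs whose entries no longer exist: directory drift to clean up."""
        group = self.get(group_dn) or {}
        return [m for m in group.get("member", []) if not self.get(m)]

    def may_access(self, user_dn, resource_dn):
        """True iff the user exists and is a live member of one of the
        resource's allowedGroup groups; anything else fails closed."""
        if not self.get(user_dn):
            return False
        resource = self.get(resource_dn) or {}
        return any(user_dn.lower() in self.members(g)
                   for g in resource.get("allowedgroup", []))

    def encryption_cert(self, mail):
        """Recipient's encryption certificate by e-mail address, or None when the
        directory holds none (the sender must then refuse to encrypt-and-send)."""
        for attrs in self.entries.values():
            if mail.lower() in [m.lower() for m in attrs.get("mail", [])]:
                certs = attrs.get("usersmimecertificate")
                return certs[0] if certs else None
        return None


DIRECTORY = Directory(parse_ldif(SAMPLE_LDIF))

if __name__ == "__main__":
    d = DIRECTORY
    print(d.may_access("uid=user.a,ou=People,o=example", "cn=patient-data,ou=Applications,o=example"))
    print(d.stale_members("cn=patient-data-users,ou=Groups,o=example"))
    print(d.encryption_cert("user.a@example.test"))
```

In a real deployment the lookups above would be LDAP searches over TLS against the X.500 DSA, and the policy server, not the application, would evaluate membership; the point the code makes is that a grant should depend on an entry that still exists, and that a missing certificate must stop the mail rather than let it go out in the clear.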