In the mid to late 1990s the Judicial Branch established a personal computer network based on Microsoft's Windows NT Domain architecture, which was the standard at the time.
Since that time, Microsoft has replaced their Windows NT Domain concept with a security and authentication concept called Active Directory. Active Directory is a method of storing and maintaining network security information in such a fashion that it can be used for purposes beyond Windows network authentication. For example, Peoplesoft (ConnectND) and the Criminal Justice Information System (CJIS) have been implemented using an Active Directory for their authentication, rather than having user IDs that are unique to each application.
Approximately 2 years ago, the Executive Branch Information Technology Department (ITD) implemented an Active Directory and migrated from their Windows NT Domain to the new Active Directory. Their Active Directory was implemented in such a manner that other state government entities can join their Active Directory as a subordinate network, referred to as an Organizational Unit (OU). ITD will then maintain the security authentication for other government entities that have become part of their Active Directory.
We are at a point in our migration towards Active Directory that we need to decide whether we should join ITD's Active Directory or whether we should establish our own Active Directory. There are positive and negative factors for each alternative. I will address these factors in the following paragraphs.
Theoretical Control
First and most importantly, the entity controlling the Active Directory has the ability to control any device within the network. To ensure the security of our systems, if we were to join ITD's Active Directory, ITD has reassured us that the credentials necessary to access court resources would be "escrowed". Any time those credentials were used, the usage would be logged, the logs would be monitored and we would be notified.
ITD would have the ability to access any computer within the Judicial Branch. Only ITD's own policies and operational guidelines would require them to notify us of the use of those security credentials. This ability cannot be removed. In short, he who controls the Active Directory can control any device receiving security authentication from the Active Directory.
Another feature of an Active Directory is the ability to create and enforce policies for all resources within the Active Directory. For example, one can specify a password policy to dictate how long passwords must be, what they must contain, etc. One can also set a policy to dictate what programs can or cannot be run on a server. Once these policies are enacted within the Active Directory, any computer or server within the Active Directory must adhere to the appropriate policies. This means that our computers and servers would have management policies dictated to them by the Executive Branch Active Directory.
Joining ITD's Active Directory will provide ITD with the ability to control any judicial computer resource attached to their Active Directory.
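As an added illustration of the control described in this section (example code, not part of the original memo), the following PowerShell, run on a domain-joined Judicial Branch workstation or server, shows two things a local administrator can verify without any control over the directory itself: which domain principals are members of the machine's local Administrators group (the domain's Domain Admins group is placed there by default when a machine joins), and which logons on the host were granted administrative privileges, filtered to the accounts assumed to be the escrowed ones. The account names and the seven-day window are placeholders.

```powershell
# Added example (not from the original memo). Requires Windows PowerShell 5.1 or later
# on a domain-joined host, run with local administrator rights so the Security log is readable.
# Placeholder account names; replace with the escrowed identities actually agreed with ITD.
$EscrowedAccounts = @('ITD\escrow-admin', 'ITD\escrow-svc')   # assumed names

function Get-LocalAdminDomainPrincipals {
    # Lists members of the local Administrators group that come from the domain rather
    # than the local SAM. On a freshly joined machine this includes the domain's
    # Domain Admins group, which is the mechanism behind "he who controls the
    # Active Directory can control any device" in the memo.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' } |
        Select-Object Name, ObjectClass, SID
}

function ConvertFrom-EventData {
    # Flattens the EventData section of a Security event into a name/value hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Get-PrivilegedLogons {
    param(
        [string[]] $Accounts,
        [datetime] $Since = (Get-Date).AddDays(-7)
    )
    # Event 4672 is written when a logon is granted administrative privileges
    # (SeDebugPrivilege, SeTakeOwnershipPrivilege, ...). Event 4624 carries the logon
    # type and source address for the same LogonId. Joining the two on LogonId shows
    # when an escrowed credential was actually used on this host, from where, and how.
    $filter = @{ LogName = 'Security'; Id = 4624, 4672; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $byLogonId = @{}
    foreach ($e in ($events | Where-Object Id -eq 4672)) {
        $data    = ConvertFrom-EventData -Event $e
        $account = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        if ($Accounts -and ($Accounts -notcontains $account)) { continue }
        $byLogonId[$data['SubjectLogonId']] = [ordered]@{
            Time = $e.TimeCreated; Account = $account; LogonType = $null; Source = $null
        }
    }
    foreach ($e in ($events | Where-Object Id -eq 4624)) {
        $data = ConvertFrom-EventData -Event $e
        $id   = $data['TargetLogonId']
        if ($byLogonId.ContainsKey($id)) {
            $byLogonId[$id].LogonType = $data['LogonType']   # 2 interactive, 3 network, 10 remote desktop
            $byLogonId[$id].Source    = $data['IpAddress']
        }
    }
    $byLogonId.Values | ForEach-Object { [pscustomobject]$_ } | Sort-Object Time
}

Get-LocalAdminDomainPrincipals | Format-Table -AutoSize
Get-PrivilegedLogons -Accounts $EscrowedAccounts | Format-Table -AutoSize
```

The first function documents the standing access the memo describes; the second is the kind of host-side record the Judicial Branch would want to keep for itself rather than relying solely on ITD's notification, since the domain owner can also administer the central logging that the escrow arrangement depends on.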
Duplication of User IDs
Since the deployment of ITD's Active Directory several years ago, they have been installing and building applications to use the Active Directory for authentication. Some of the systems currently using it include: Peoplesoft (ConnectND); the Criminal Justice Information System (CJIS); the Work Management System; and various web-based applications.
It is the vision of the OMB to use Peoplesoft as the mechanism for employees to receive their pay notifications, ultimately replacing the paper "paycheck". To accommodate this, every state employee will need an ITD Active Directory user ID to access Peoplesoft and retrieve their pay and benefit information.
If we set up our own Active Directory, every employee will have one user ID for our Active Directory and one user ID for ITD's Active Directory. Our ID would be used to access network resources and email. ITD's ID would be used to access Peoplesoft, ERMS and other applications. This complicates things for the average user because they need to remember multiple user IDs and passwords.
The most common call to the help desk is for password problems. Maintaining duplicate user IDs will likely increase the calls to the help desk, thereby increasing support costs.
Each Active Directory requires its own client license, and each client license costs approximately $19 to purchase and 20% per year for maintenance. Based on 335 Full Time Equivalent positions (FTEs), the costs to join ITD's Active Directory would be approximately $6365 for initial licenses and $1273 for annual maintenance. Establishing a separate Active Directory and not joining ITD's Active Directory will roughly double the licensing costs.
Establishing our own Active Directory will result in duplication of user IDs, duplication of licensing costs, and additional confusion for the users.
User IDs and Security Policies
ITD has established various security policies related to user IDs and passwords. As discussed above, any computer in the Active Directory is required to follow those policies.
There are several differences between the user ID practices we currently use and ITD's policies. For example, ITD's user IDs consist of the first character of one's first name plus the last name (kschmidt). Our IDs are the first name plus the first letter of the last name (kurts). Joining ITD's Active Directory requires that all personnel receive new user IDs based on ITD's policies.
There are also differences in password requirements. The most significant difference is that ITD's passwords must include upper and lower case letters and numbers. While this is more secure, it will likely lead to confusion among personnel and an increase in calls to the help desk.
The use of a password policy requiring upper case, lower case and numbers is more secure. However, it is more complex and will lead to confusion among personnel.
Joining ITD's Active Directory will reduce the number of IDs and passwords needed; new IDs will be assigned to everyone; and passwords will be more complex.
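Because the policies described in this section apply to accounts wherever their computers sit in the directory, a practical pre-migration check is to report the password policy each account would actually be held to. The following PowerShell is an added example, not part of the original memo; it uses the ActiveDirectory RSAT module and an OU distinguished name that is a placeholder for the OU the Judicial Branch would occupy.

```powershell
# Added example (not from the original memo). Requires the ActiveDirectory RSAT module and
# read access to the domain; run from a domain-joined administrative workstation.
Import-Module ActiveDirectory

function Get-EffectivePasswordPolicyReport {
    param([string] $SearchBase)   # placeholder OU, e.g. 'OU=Judicial,DC=example,DC=gov'
    # The domain-wide policy comes from the Default Domain Policy. Fine-grained password
    # policies (PSOs) can override it for particular groups or users. The resultant policy
    # is what a given account is actually enforced against, regardless of which OU the
    # account's computer is joined into.
    $domainPolicy = Get-ADDefaultDomainPasswordPolicy
    Get-ADUser -Filter * -SearchBase $SearchBase |
        ForEach-Object {
            # Returns nothing when no PSO applies, in which case the domain policy governs.
            $pso = Get-ADUserResultantPasswordPolicy -Identity $_ -ErrorAction SilentlyContinue
            $effective = if ($pso) { $pso } else { $domainPolicy }
            [pscustomobject]@{
                User             = $_.SamAccountName
                PolicySource     = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
                MinLength        = $effective.MinPasswordLength
                ComplexityOn     = $effective.ComplexityEnabled   # upper/lower/digit mix rule
                MaxAgeDays       = $effective.MaxPasswordAge.Days
                HistoryCount     = $effective.PasswordHistoryCount
                LockoutThreshold = $effective.LockoutThreshold
            }
        }
}

Get-EffectivePasswordPolicyReport -SearchBase 'OU=Judicial,DC=example,DC=gov' |
    Format-Table -AutoSize
```

Run against a test OU before migration, the report shows concretely which of the memo's concerns (new complexity rules, shorter maximum age, lockout thresholds) would reach which users, and it makes the point that none of these settings are configurable from within the OU itself.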
Altiris Desktop Management Software
Microsoft is continually updating its software, fixing bugs and patching security flaws. We are beginning to use a tool called Altiris to monitor and implement these fixes and patches. Altiris will also provide a centralized mechanism for maintaining an inventory of the computers attached to the Active Directory.
Altiris makes all of this possible through close interaction between the Active Directory servers and the Altiris server. Because of the interaction needed between servers, ITD views this as a potential security threat and will not allow the interaction. This will prohibit us from implementing Altiris and limit our ability to proactively manage and control our network resources.
Joining ITD's Active Directory will limit our ability to proactively manage, control and inventory our network resources.
Email and Calendar Sharing
Currently, we maintain our own, separate email server. Joining ITD's Active Directory would not change that, as we would still maintain our own email server. However, as the email server would reside within ITD's Active Directory, they would have the ability to control the email server.
Joining ITD's Active Directory would allow for MS Outlook calendar sharing between our email system and ITD's. Our current email system and any new email system implemented under our own Active Directory are not able to communicate Outlook calendar information because of security policies. Joining ITD's domain would easily accommodate sharing of this information.
Joining ITD's Active Directory will provide ITD with the ability to control our email server and would enable sharing of calendar information.
Political Considerations
Over the past several biennia, there has been an attitude within the Legislature that information should be shared as much as possible and that duplication of services should be eliminated. That attitude has led to significant efforts to consolidate servers. Many FTE's were moved to ITD; some were eliminated. These policies impacted only the Executive Branch. The Judicial Branch was excluded from the consolidation legislation.
Joining ITD's Active Directory will have several possible consequences related to the political climate. First, given the Legislative Branch's current sentiment towards consolidation, this would be a clear indicator that we were willing to place our computer resources under ITD's control. Using ITD's Active Directory makes it significantly easier to consolidate servers and IT resources within the Executive Branch Information Technology Department. Maintaining our own Active Directory places several barriers between the Judicial Branch Technology Department and consolidation with ITD.
Second, maintaining our own Active Directory could be seen as contradictory to the current attitude towards consolidation and elimination of duplicate services. We could ultimately end up in a Legislative hearing explaining the decision to duplicate Active Directory efforts.
The basic question to answer is: Is the need to safeguard judicial computerized information sufficient to justify the establishment of a separate Active Directory, given the drawbacks explained?
Summary
Of all the factors to consider, I believe there are three that are most important:
1) The entity controlling the Active Directory has theoretical control over all devices receiving security authentication from the Active Directory Server. We can put a virtual "fence" in place that says ITD has to do specific things related to security, but no matter how high the fence, ITD will always be able to jump over it because they control the Active Directory.
Without control of the Active Directory, we cannot implement proactive management tools like Altiris.
Implicit in the theoretical control issue is the concept of separation of powers. Does the separation of powers concept extend to include security for network resources? Is the need to safeguard resources adequate to justify a separate Active Directory?
2) The need to keep and maintain a user ID and password for so many different systems is a common complaint. Implementing our own separate Active Directory will perpetuate the need for duplicate user IDs within State Government.
3) Implementing our own Active Directory will result in duplication of efforts and costs. We would need to license each computer for both Active Directories; maintain Active Directory servers; maintain the knowledge and expertise within our staff to manage an Active Directory. All of these are duplications of the effort ITD puts forth to manage its own Active Directory.
Consideration and Recommendation
From a fiscal and technical perspective, the decision to join ITD's Active Directory is easily reached. However, as mentioned, there are other factors related to the safeguarding of judicial information that need to be considered.
It is my recommendation that the Court Technology Committee endorse the establishment of a separate Active Directory within the Judicial Branch.
Technical Discussion of Active Directory Alternatives May 19, 2005
Court Technology Committee
Page 1 of 3