Centralised identity management and directory federation services have undoubtedly revolutionised the way organisations communicate and collaborate with each other. However, there are situations where these services are either not appropriate or are not permitted. For example:

• Financial institutions, bound by stringent data security and regulatory requirements, often mandate separate directory environments.
• Organisations with competing subsidiaries may need different directory services to maintain control and compliance with competition laws.
• Defence organisations typically require totally separate domains to safeguard sensitive information.

A great example of where it can make sense to share at least some information is that of email address lists. The global address list (GAL) used by Microsoft Exchange is automatically created from every mail-enabled object in an Active Directory forest.

Synchronising all or selected contact information from separate GALs can significantly streamline business communications and this is where a secure directory synchronisation tool can help.

What is directory synchronisation? 

Directory synchronisation is the process of synchronising user identities and their attributes, such as names, email addresses, and group memberships, between different directories, such as an on-premises directory and a cloud-based directory.  

This can be useful for organisations that use multiple systems and applications, as it can help to ensure that user identities are consistent across all systems and applications. 

In addition to simplifying user identity management, a directory synchronisation tool can also be useful for security purposes.  

What should I look for in a secure directory synchronisation tool? 

When looking for a secure directory synchronisation tool, there are several important factors to consider: 

Encryption: When searching for a directory synchronisation tool, it’s crucial to prioritise data security. A good tool should provide robust security features that protect data both in transit and at rest.  

To ensure secure data transfer during synchronisation, look for tools that support encryption of data in

LDAP (Lightweight Directory Access Protocol) supports encryption and authentication mechanisms using SSL or TLS, making it a secure choice for synchronising directory information.

Furthermore, using port 636 for LDAP communication over SSL/TLS provides an additional layer of security, as it ensures that the data being transmitted is encrypted in transit. This makes it more difficult for attackers to intercept and read the information, which helps to protect the confidentiality and integrity of the data being transmitted.

In addition to data in transit, it’s also recommended to encrypt any data at rest using strong encryption algorithms. This provides an extra layer of protection against potential data breaches or unauthorised access to sensitive information. 

With InetOrgPerson, you get a complete and accurate representation of user identities and access rights, ensuring that user data is accurately and consistently synchronised between different systems and applications. Many organisations choose to use InetOrgPerson instead of the basic User object class, which only supports a limited set of attributes.

So, if you want to make your user management and access control more efficient, accurate and secure, make sure your directory synchronisation tool supports the InetOrgPerson class.

“The difference between this and the alternatives I’ve seen and used is that it makes the task of building a global directory very simple and straightforward…it didn’t disappoint.”

Steve Goodman, MVP

Access control: The directory synchronisation tool should support granular access controls, allowing you, for example, to limit synchronisations to specific objects, organisational units (OUs), points in the directory tree, or to specific any exclusions.   

To meet subsidiary autonomy and high security needs it may also be required to delegate control over what gets synchronised to the owner of each directory system that is being synchronised, rather than this being centrally managed.  

Scalability: As a follow on from this point, large organisations may need to synchronise hundreds of thousands of objects across several different countries. An ideal directory synchronisation tool should allow agents to be decentralised into each country, and, for added security, each location should be able to:

• manage its own user accounts and access rights, and
• share only the necessary information with a central location.

This helps to reduce the workload on the central IT team and ensures that each location has more control over their own directory environment. In addition, by configuring what is shared to a central location, the participating countries/locations can ensure that only the necessary information is transmitted, reducing the amount of data that needs to be synchronised.

“We have been using this tool for a number of years and have been extremely happy with the product and quality of service we have been provided with. It is extremely easy to configure and to set up any new connections with a variety of different directory types.”

Microsoft Solutions Provider Partner

Auditing and logging: A reliable directory sync tool should have robust auditing and logging features that allow you to track changes and monitor activity in real-time. 

By using such features, you can easily detect any suspicious or unauthorised activity, and respond quickly to any potential security threats. These auditing and logging capabilities can also be useful for compliance purposes, ensuring that you can track and document any changes made to user accounts, group memberships, and attributes, etc., during synchronisation. 

This way, you can easily review any changes made, detect any potential issues or inconsistencies, and take appropriate actions to maintain the security and integrity of your directories.

Disaster recovery: The ideal directory synchronisation tool should have a disaster recovery plan in place to ensure that your data is not lost in the event of a system failure, outage, or other disaster. 

Support and maintenance: To ensure the security and optimal performance of your directories, it’s essential to select a directory synchronisation tool backed by a responsive and knowledgeable support team that offers suitable service level agreements (SLAs) to ensure that they meet your organisation’s needs.    This will help ensure that you have the resources and assistance you need to keep your directories secure and up-to-date with the latest security patches and feature enhancements, helping to minimise potential security risks. 

Summary 

To summarise, if you need to keep a number of different directory systems in step with each other in order to facilitate seamless business operations, it’s essential to use a directory synchronisation solution that offers security features across all aspects of its operation.  

This will help ensure the integrity and security of user identity information throughout the synchronisation process and help you meet the various compliance remits and business ‘information barriers’ you need to maintain.