5. Creating and Managing vApps : 5.3 Directory Services in vCloud : 5.3.1 Hosting Locations for Directory Services
   
5.3.1 Hosting Locations for Directory Services
When selecting where to place directory servers in the vCloud, balance the strict availability and longevity requirements of directory servers against the needs of the applications that the deployed instance will support. A directory server that goes down, or is stopped by a lease expiry, takes every dependent application's authentication with it.
5.3.1.1. External to the vCloud
VMware recommends that any services that support the vCloud Director instance and its infrastructure be hosted externally to the vCloud Director managed environment, so that a failure, lease expiry, or administrative action inside the cloud cannot remove a service that vCloud Director itself depends on. Specifically, directory services should be hosted external to the vCloud and can be configured using the standard procedures for virtualizing the service. Follow the design guidelines for virtualizing Active Directory and other directory platforms; using vCloud does not change these practices.
In a private vCloud architecture, directory services can be hosted external to the vCloud environment when there is no geographical separation between the host platforms, because the latency between the directory servers and the vCloud-hosted applications is then low enough that no in-cloud copy is needed.
5.3.1.2. Within the vCloud
Many vCloud-hosted applications depend on a directory service. After you determine the level of that dependency, you can gain performance by packaging directory servers together with the dependent vApp services offered in the vCloud and distributing them alongside those services, so that authentication and lookups do not have to leave the cloud.
The expiration of the run-time and storage leases of a vApp that hosts directory services can cause unexpected outages for every dependent application: an expired run-time lease stops the vApp, and an expired storage lease removes it from service. One solution is to create a separate vCloud Director organization with indefinite leases and host in it the services that must never expire. Verify the lease settings of that organization after creating it, because the defaults are finite.
Isolate redundant directory servers hosted within the vCloud from one another. To avoid a single point of failure, it might be necessary to distribute the directory servers over multiple provider virtual datacenters that do not share physical dependencies (hosts, storage, or network).
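The lease check described above, as an added example that is not part of the original guide or of vCloud Director itself. It parses the vApp lease settings of an organization and flags any lease that is finite. The XML documents are constructed for this example and modelled on the VAppLeaseSettings element of the vCloud API OrgSettings document; the element names and the convention that 0 seconds means "never expires" are assumptions taken from that API, and in practice the real document would be fetched per organization from the admin API and passed to audit_org().

```python
"""Audit vCloud Director organization vApp lease settings.

Added example, not part of the original guide or of vCloud Director.
The XML below is modelled on the VAppLeaseSettings element of the
vCloud API OrgSettings document (assumption: these element names and
the convention that 0 seconds means "never expires"); the documents
themselves are constructed for this example.
"""
import xml.etree.ElementTree as ET

VCLOUD_NS = "http://www.vmware.com/vcloud/v1.5"
NS = {"vc": VCLOUD_NS}

# Constructed: an org meant to host directory servers, still on typical finite leases.
INFRA_ORG_DEFAULT_LEASES = f"""<OrgSettings xmlns="{VCLOUD_NS}">
  <VAppLeaseSettings>
    <DeleteOnStorageLeaseExpiration>true</DeleteOnStorageLeaseExpiration>
    <DeploymentLeaseSeconds>604800</DeploymentLeaseSeconds>
    <StorageLeaseSeconds>2592000</StorageLeaseSeconds>
  </VAppLeaseSettings>
</OrgSettings>"""

# Constructed: the same org after setting indefinite leases, as the guide recommends.
INFRA_ORG_INDEFINITE_LEASES = f"""<OrgSettings xmlns="{VCLOUD_NS}">
  <VAppLeaseSettings>
    <DeleteOnStorageLeaseExpiration>false</DeleteOnStorageLeaseExpiration>
    <DeploymentLeaseSeconds>0</DeploymentLeaseSeconds>
    <StorageLeaseSeconds>0</StorageLeaseSeconds>
  </VAppLeaseSettings>
</OrgSettings>"""


def parse_lease_settings(org_settings_xml):
    """Return (deployment_seconds, storage_seconds, delete_on_expiry) from OrgSettings XML."""
    root = ET.fromstring(org_settings_xml)
    lease = root.find("vc:VAppLeaseSettings", NS)
    if lease is None:
        raise ValueError("OrgSettings has no VAppLeaseSettings element")

    def text(tag):
        el = lease.find(f"vc:{tag}", NS)
        if el is None or el.text is None:
            raise ValueError(f"missing {tag}")
        return el.text.strip()

    return (int(text("DeploymentLeaseSeconds")),
            int(text("StorageLeaseSeconds")),
            text("DeleteOnStorageLeaseExpiration").lower() == "true")


def audit_org(org_name, org_settings_xml):
    """Return a list of findings for an org that hosts services which must not expire.

    Every finite (non-zero) lease is a finding: an expiring run-time lease
    stops the vApp and an expiring storage lease removes it from service,
    and either takes the directory service away from every dependent
    application.
    """
    deploy, storage, delete_on_expiry = parse_lease_settings(org_settings_xml)
    findings = []
    if deploy > 0:
        findings.append(f"{org_name}: run-time lease expires after {deploy // 86400} day(s); "
                        "directory vApps will be stopped when it lapses")
    if storage > 0:
        action = "deleted" if delete_on_expiry else "taken out of service"
        findings.append(f"{org_name}: storage lease expires after {storage // 86400} day(s); "
                        f"directory vApps will be {action} when it lapses")
    return findings


if __name__ == "__main__":
    for name, doc in (("infra-org", INFRA_ORG_DEFAULT_LEASES),
                      ("infra-org-fixed", INFRA_ORG_INDEFINITE_LEASES)):
        findings = audit_org(name, doc)
        print(name + (": OK, leases are indefinite" if not findings else ":"))
        for finding in findings:
            print("  " + finding)
```

Run this against the settings of every organization that hosts directory or other infrastructure services; any finding means that a lease will eventually expire and the service will disappear from its dependents without any failure in the directory software itself.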
5.3.1.3. Single Sign-On
As IT systems proliferate to support business processes, users and system administrators face an increasingly complicated set of logins. Users typically have to sign on to multiple systems, through multiple sign-on dialogs that might involve different user names and authentication information. System administrators must coordinate and manage user accounts within each system to keep security policy enforced consistently.
The goal of the vCloud Director 5.1 Web Single Sign-On (SSO) feature is to simplify the sign-on process to provide an authentication service that can be used by service providers and enterprise customers.
Access control is a key component of the security model because it restricts what unauthenticated and unauthorized users can do. It is part of what is known as the triple A process of authentication, authorization, and accountability. Authentication systems have traditionally been based on passwords, and many organizations now use more advanced technologies such as tokens or biometrics. Some organizations enforce two-factor authentication.
Authentication establishes who the user is and serves as the basis of access control, but authorization must be addressed as well. Authorization defines what access the user has and what capabilities are available. A vCloud administrator is normally authorized to perform more functions than an ordinary user. To control access to the end tenant's vCloud organization, limit each user's authorization to only the functions that user requires.
Single sign-on addresses a problem common to all service providers and enterprise customers. Various systems within the service provider and enterprise likely require the user to log on to each system with different credentials. Single sign-on addresses this problem by authenticating users once to a single authentication authority and then providing access to all other protected resources without re-authenticating. Kerberos and directory services are examples of authentication systems that can implement single sign-on. Before implementing single sign-on, consider the security implications: single sign-on concentrates trust in the authentication authority, so an attacker who can authenticate as a given individual, or who compromises the authority itself, can then access every system that trusts it. Protect the authority with strong authentication, hardened hosts, and audit logging accordingly.
Compliance requires that identities be controlled. Risk management involves the event identification, analysis, and response mechanisms that a service provider or enterprise relies on. It is not only a defensive operation that minimizes the effects of risk, but also a proactive one that lets the service provider or enterprise act when a risk event is triggered. Compliance is the process of implementing procedures to meet the governance policy, and it requires a level of monitoring, analysis, and reporting. All of these elements are tied to identity management: governance policies establish who has access to which functions in the service provider or enterprise, and the conditions imposed on that access.
Service providers and enterprises typically request single sign-on functionality because they want end tenants to log in to their own portals and be redirected to the vCloud Director portal without re-authenticating. Service providers also favor single sign-on because it significantly decreases administrative costs by reducing password-related tasks and support. Authentication can then be handled centrally rather than per application. Single sign-on additionally enhances security and compliance for service providers and enterprises by providing a central point at which authentication events for all systems and applications can be logged and audited.
vCloud Director and its single sign-on feature must interoperate with the existing service provider and enterprise infrastructures. Providing this interoperability greatly increases the use of the vCloud Director single sign-on functionality and reduces the inconvenience users experience when asked to re-authenticate.
Service providers and enterprises can offer a vCloud Director web-based portal application to enable vCloud end tenants to administer and troubleshoot identity information and perform self-service requests to add, remove, or change user roles.