By Rajat Bhargava Posted December 19, 2014
While Infrastructure-as-a-Service (IaaS) providers like AWS make setting up servers simple, they make managing the users on those servers significantly harder. IT professionals have managed users within an organization for decades, in many cases with Microsoft’s Active Directory (AD) or an LDAP (Lightweight Directory Access Protocol) directory. AWS, however, introduces a paradigm of extreme speed, elasticity, and automation that renders those existing methods of user management largely ineffective and extremely complex to operate.
In this post, we go over the four primary challenges associated with managing AWS cloud server users.
1: Old School User Management Techniques are Too Slow for the Dynamic Nature of the Cloud
Old school user management models were not built for the pace of the cloud. The cloud is built for speed and agility: instances burst up and are torn down in seconds on automated inputs such as application load or traffic. Admins can no longer be involved in every step, because manual user management is simply too slow; a new instance needs the right accounts and keys the moment it boots, and a departed employee’s account needs to disappear from every instance at once. Admins need systems that can handle the scale and dynamic nature of the cloud.
2: There is No Clear, Single User Directory
With servers potentially all around the world, which user directory do remote devices talk to, and how is it kept secure? Many companies running on AWS use Google Apps and Gmail. While Google Apps is far more open than Microsoft’s Active Directory, the leading user data store, neither inherently supports creating user accounts across your AWS server infrastructure. AWS’ own Directory Service is effectively only for Windows-based servers and desktops hosted at AWS, although AWS is aware of the issues its customers are facing. Rather than try to integrate the directories for cloud servers, on-prem laptops and desktops, on-prem LDAP-based applications, SaaS applications, and network access, most organizations have simply recreated their users on each server by hand or in yet another tool. This lack of integration is a significant loss of productivity for DevOps and IT pros, and every extra copy of the user list is one more place where an offboarded user can linger.
3: Today’s IT Organization is Cross-Platform and Hybrid Cloud
The days of geographic centralization and a homogeneous platform are long gone. Today your AWS cloud servers can be placed in any number of locations around the world. Further, as Linux has grown over the years into a cost-effective server platform of choice, organizations no longer rely solely on Microsoft solutions (by some estimates only 1 in 5 devices runs Windows). The variability in providers and platforms adds another dimension of complexity to the user management equation. In addition, authentication infrastructure needs to be as scalable as the rest of your cloud environment, and building that yourself is expensive and requires specialized skills.
4: Monitoring Users is Inherently More Challenging with Cloud-Based Systems
Monitoring user access, the step of user management most often neglected, is made all the more difficult by cloud servers. How do admins collect all of the login and authentication logs, centralize them, and analyze the results when instances, devices, and people are spread across the cloud? And if they manage that, how do they tell a real compromise from the false alarms a mobile workforce generates, such as a legitimate user appearing from an unfamiliar network?
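As an added example, not from the original post, the following Python script shows the shape of the centralize-and-analyze step just described: it parses constructed sshd auth.log lines as a central collector would receive them from several instances, checks each successful login against a hypothetical export of the central directory, and grades what it finds so that an account the directory does not know is treated as an incident while a known user on a new network is only flagged for a second look. Host names, users, addresses and the directory contents are all made up.

```python
"""Centralize sshd login events from several AWS instances and triage them.

Added example for this post, not the author's or any vendor's code. The log
lines are constructed sample data in the syslog format sshd uses on
Debian/Ubuntu; host names, user names and IP addresses are made up.
"""
import re
from collections import defaultdict

# Constructed sample: (host, line) pairs as a central collector would hold them
# after each instance ships its /var/log/auth.log.
SAMPLE_LOGS = [
    ("web-01", "Dec 18 09:12:01 web-01 sshd[2201]: Accepted publickey for alice from 203.0.113.10 port 51234 ssh2: RSA SHA256:q1w2e3"),
    ("db-01",  "Dec 18 09:40:17 db-01 sshd[1877]: Accepted publickey for alice from 198.51.100.23 port 50122 ssh2: RSA SHA256:q1w2e3"),
    ("web-01", "Dec 18 10:02:45 web-01 sshd[2290]: Accepted publickey for alice from 198.51.100.23 port 50130 ssh2: RSA SHA256:q1w2e3"),
    ("web-02", "Dec 18 10:15:02 web-02 sshd[3102]: Failed password for invalid user admin from 192.0.2.44 port 40001 ssh2"),
    ("web-02", "Dec 18 10:15:04 web-02 sshd[3102]: Failed password for invalid user admin from 192.0.2.44 port 40001 ssh2"),
    ("web-02", "Dec 18 10:15:07 web-02 sshd[3102]: Failed password for invalid user admin from 192.0.2.44 port 40001 ssh2"),
    ("web-02", "Dec 18 10:16:30 web-02 sshd[3110]: Accepted password for dave from 192.0.2.44 port 40002 ssh2"),
    ("db-01",  "Dec 18 11:05:11 db-01 sshd[1901]: Accepted password for bob from 203.0.113.10 port 51300 ssh2"),
    ("db-01",  "Dec 18 11:05:11 db-01 sshd[1901]: pam_unix(sshd:session): session opened for user bob by (uid=0)"),
]

# Accounts the central directory knows about (hypothetical AD/LDAP export).
DIRECTORY_USERS = {"alice", "bob", "carol"}

# Source addresses already associated with each user, e.g. office egress
# (hypothetical baseline; 203.0.113.10 stands in for the office).
BASELINE_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.10"}}

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3}) port \d+"
)

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def parse_event(host, line):
    """Turn one sshd syslog line into a dict; None for lines that are not login attempts."""
    m = LOGIN_RE.match(line)
    if m is None:
        return None
    return {"host": host, **m.groupdict()}


def collect(logs):
    """Flatten the shipped lines from every host into one ordered event list."""
    events = (parse_event(host, line) for host, line in logs)
    return [e for e in events if e is not None]


def triage(events, directory_users, baseline_ips, failure_threshold=3):
    """Return (severity, reason, detail) findings, highest severity first.

    The rules separate what must be an incident (a successful login by an
    account the directory does not know) from what only needs a second look
    (a known user appearing from an address never seen before, which a
    mobile workforce produces all the time).
    """
    seen_ips = defaultdict(set, {u: set(ips) for u, ips in baseline_ips.items()})
    failures = defaultdict(int)
    findings = []
    for e in events:
        user, ip = e["user"], e["ip"]
        if e["result"] == "Failed":
            failures[(e["host"], ip)] += 1
            continue
        if user not in directory_users:
            findings.append(("high", "successful login by an account the directory does not know", e))
        elif e["method"] == "password":
            findings.append(("medium", "password login where keys are expected", e))
        elif ip not in seen_ips[user]:
            findings.append(("low", "known user, first login from a new source address", e))
        seen_ips[user].add(ip)
    for (host, ip), n in failures.items():
        if n >= failure_threshold:
            findings.append(("medium", f"{n} failed logins from one address",
                             {"host": host, "ip": ip, "count": n}))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])


if __name__ == "__main__":
    for severity, reason, detail in triage(collect(SAMPLE_LOGS), DIRECTORY_USERS, BASELINE_IPS):
        print(f"{severity:6} {detail['host']:7} {detail.get('user', '-'):6} {detail['ip']:15} {reason}")
```

The point of the grading is the false-alarm problem from the paragraph: alice's login from a hotel network is recorded and surfaced as low, and her second login from the same address is silent, while dave, who exists on web-02 but not in the directory, is the finding an admin actually has to act on. Without a central directory to compare against, the dave case is indistinguishable from a normal login.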
Directory-as-a-Service is the Solution
AWS has effectively blown up the standard operating models of user management. This is why federating your existing directory—AD, LDAP, or GApps—to AWS is critical. A Directory-as-a-Service® (DaaS) serves as a bridge between your core user directory and AWS and addresses each of the four challenges above:
- Dynamic nature of cloud—Each AWS server is connected only to the users authorized for it. Because users are controlled centrally, a new instance picks up the right accounts as it comes up and the dynamic nature of IaaS can be tamed.
- Clear user directory—A DaaS solution centralizes directory authority. Multiple directories are not necessary and changes in the core directory propagate through to the AWS servers.
- Cross-platform—DaaS translates authentication, authorization, and management to Windows, Linux, and Mac devices regardless of whether the core user store is AD, LDAP, or GApps. This solves the problem of AD being a predominantly Windows solution.
- Tracking AWS logins—AWS servers run mission-critical applications. DaaS ensures that organizations know who is accessing what, and when.
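As an added example, not code from the original post or from any DaaS product, here is the propagation step from the bullets above (and the automation challenge 1 calls for) in Python: given a hypothetical export of the core directory (login, uid, the host tags each user is authorized for, SSH public keys) and one instance's passwd(5) lines and authorized_keys contents, compute the actions that bring the host in line with the directory and render them as shell commands for a dry run. The export format, the "aws-prod"/"aws-dev" host tags and the uid range reserved for managed accounts are assumptions.

```python
"""Reconcile one instance's local accounts against the central directory.

Added example for this post, not the author's or any vendor's code. The directory
export, the passwd(5) lines and the authorized_keys sets are constructed sample
data; the record fields and the host tags are assumptions about how a bridge
would present directory data to a server.
"""
import shlex

# Hypothetical export from the core directory: login, uid, the host tags the
# user is authorized for, and the SSH public keys the directory holds for them.
DIRECTORY = [
    {"login": "alice", "uid": 2001, "tags": {"aws-prod", "aws-dev"}, "keys": {"ssh-ed25519 AAAAC3alice"}},
    {"login": "bob",   "uid": 2002, "tags": {"aws-dev"},             "keys": {"ssh-ed25519 AAAAC3bob"}},
    {"login": "carol", "uid": 2003, "tags": {"aws-prod"},            "keys": {"ssh-ed25519 AAAAC3carol2"}},
    {"login": "dan",   "uid": 2004, "tags": {"aws-prod"},            "keys": {"ssh-ed25519 AAAAC3dan"}},
]

# Constructed state of one instance tagged aws-prod: bob was created by hand and
# is no longer authorized here, carol rotated her key in the directory, dan is new.
LOCAL_PASSWD = """root:x:0:0:root:/root:/bin/bash
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
ubuntu:x:1000:1000:break-glass:/home/ubuntu:/bin/bash
alice:x:2001:2001::/home/alice:/bin/bash
bob:x:2002:2002::/home/bob:/bin/bash
carol:x:2003:2003::/home/carol:/bin/bash
"""
LOCAL_KEYS = {
    "alice": {"ssh-ed25519 AAAAC3alice"},
    "bob":   {"ssh-ed25519 AAAAC3bob"},
    "carol": {"ssh-ed25519 AAAAC3carol1"},
}

# Only accounts in this uid range are directory-managed. System accounts and the
# local break-glass user below it are never created, locked or re-keyed.
MANAGED_UID_MIN = 2000


def parse_passwd(text):
    """Map login -> uid from passwd(5) lines."""
    accounts = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            login, _pw, uid, *_ = line.split(":")
            accounts[login] = int(uid)
    return accounts


def plan(directory, host_tag, passwd_text, local_keys):
    """Actions that bring this host in line with the directory: ("create", login, uid, keys),
    ("set_keys", login, keys), ("lock", login) or ("uid_conflict", login, local_uid, dir_uid)."""
    want = {u["login"]: u for u in directory if host_tag in u["tags"]}
    have = parse_passwd(passwd_text)
    actions = []
    for login, u in sorted(want.items()):
        if login not in have:
            actions.append(("create", login, u["uid"], sorted(u["keys"])))
        elif have[login] != u["uid"]:
            # An existing account with another uid owns files; never silently re-point it.
            actions.append(("uid_conflict", login, have[login], u["uid"]))
        elif local_keys.get(login, set()) != u["keys"]:
            actions.append(("set_keys", login, sorted(u["keys"])))
    for login, uid in sorted(have.items()):
        if uid >= MANAGED_UID_MIN and login not in want:
            # Lock rather than delete so the home directory survives for forensics.
            actions.append(("lock", login))
    return actions


def _key_cmds(login, keys):
    q = shlex.quote(login)
    ssh_dir = f"/home/{q}/.ssh"
    return [
        f"install -d -m 700 -o {q} -g {q} {ssh_dir}",
        "printf '%s\\n' " + " ".join(shlex.quote(k) for k in keys) + f" > {ssh_dir}/authorized_keys",
        f"chown {q}:{q} {ssh_dir}/authorized_keys && chmod 600 {ssh_dir}/authorized_keys",
    ]


def render(actions):
    """Turn a plan into shell commands for the instance. Returned, not executed (dry run)."""
    cmds = []
    for a in actions:
        if a[0] == "create":
            _, login, uid, keys = a
            cmds.append(f"useradd --uid {uid} --create-home --shell /bin/bash {shlex.quote(login)}")
            cmds.extend(_key_cmds(login, keys))
        elif a[0] == "set_keys":
            cmds.extend(_key_cmds(a[1], a[2]))
        elif a[0] == "lock":
            # usermod --lock only disables the password; key-based SSH would still
            # work, so also drop the shell and remove the authorized keys.
            q = shlex.quote(a[1])
            cmds.append(f"usermod --lock --shell /usr/sbin/nologin {q} && rm -f /home/{q}/.ssh/authorized_keys")
        else:
            cmds.append("echo " + shlex.quote(f"uid conflict for {a[1]}: local {a[2]}, directory {a[3]}; review manually") + " >&2")
    return cmds


if __name__ == "__main__":
    for cmd in render(plan(DIRECTORY, "aws-prod", LOCAL_PASSWD, LOCAL_KEYS)):
        print(cmd)
```

Run on the aws-prod instance the plan is three actions: re-key carol, create dan, lock bob; run with the tag "aws-dev" against the same host it would instead lock carol, which is the whole point of tying authorization to the central record rather than to whatever accounts happen to exist on a box. Two details matter in practice: a pre-existing local account whose uid differs from the directory's is reported rather than reassigned, since the files it owns would otherwise change hands silently, and locking an account with usermod --lock alone does not stop SSH key authentication, so the shell and authorized_keys are removed as well. Because the plan is computed from desired versus actual state, the same script can run on every boot and on every directory change and will do nothing when the host is already correct.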
User management on AWS servers is a challenge for organizations. Historical methods of managing users don’t necessarily work in the cloud, but a different approach can still provide the control and security that IT admins are looking for: bridge your existing directory to AWS through a DaaS solution.