By Greg Keller Posted July 31, 2015
The forecasts are in and businesses are moving to the cloud in droves. 42% of IT decision makers are planning to increase spending on cloud computing in 2015 (ComputerWorld). The cloud directory is the latest piece of core IT infrastructure migrating to the cloud.
Directory services are at the core of just about every company. Yet, conventional directories have been rooted in old, legacy software that needs to be hosted on-premises. As organizations move more of their infrastructure to the cloud, where do they house a server with their directory software? They clearly do not want to do that on-premises if they are shifting everything to the cloud.
So how does a cloud directory stack up to what IT admins can build on-premises? In order to answer that question, IT admins need to consider a number of factors:
Support for Devices, Applications, and Networks
The whole goal of directory services is to securely connect users to a wide variety of IT resources, but those resources are moving off-premises. SaaS-based applications are appearing for virtually every task a user needs to accomplish professionally. Infrastructure-as-a-Service providers such as AWS, Google Compute Engine, and others are providing the core server infrastructure for millions of organizations worldwide. IT organizations are embracing BYOD (Bring Your Own Device) policies, so offices today are a mashup of operating systems and devices.
Legacy directories such as Microsoft Active Directory® and OpenLDAP struggle in this environment. With non-Windows operating systems and non-LDAP protocols gaining ground, IT admins cannot easily control and secure access to all of their applications, devices, and networks from a single directory.
This is where a cloud directory comes in. Specifically, a Directory-as-a-Service® (DaaS) solution can bridge the gap between the on-premises and cloud worlds to unify access. DaaS can be this versatile because it is native to the cloud and speaks a number of different protocols, from LDAP and SAML to, over the longer term, Kerberos.
Maintenance and Management
On-premises directories require hardware and software maintenance from the IT organization. IT admins manually configure and maintain their directory services. As new versions are released, IT is on the hook to upgrade. As new devices and applications are introduced into the organization, IT takes on the task of ensuring that they are managed. The amount of work that is required to run your own directory really adds up over time.
A cloud directory can function as “managed for you” directory services. In this scenario, the cloud directory is managed and maintained by a third party directory services provider. All software is maintained and current. Support for new devices and applications is vetted by the provider and not by IT. Similar to numerous other IT solutions in the cloud, it shifts the burden from IT to the provider. Since the directory is their specialty, the provider gains economies of scale and is able to develop more capabilities and support than any individual IT organization can.
Availability and Performance
With on-premises directory services, you are responsible for the availability and performance levels. You can spin up redundant infrastructure and ensure that you have a high availability setup. If you want more performance, you increase the capacity from the server to the network. It’s all under your control.
But it’s also all your responsibility. If your systems go down in the middle of the night, that’s your problem to solve. The upside is that, because your systems sit on the same network as the directory infrastructure, latency is low and performance is generally good.
Contrast that with cloud directory services, where performance is the responsibility of the provider. A good Directory-as-a-Service provider will run a global, redundant network to deliver consistent availability and performance. If you are worried about the latency of a cloud directory, benchmark it: measure authentication round-trips from the locations your users actually work from and check that the tail latencies, not just the average, stay within your tolerances. Run the measurements, but also have a few people use it and see whether they notice the delay.
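A concrete way to run that benchmark, added here as an example and not taken from the article or from any directory provider: time a full TCP connect plus anonymous LDAP bind against a directory endpoint and report percentiles rather than a mean, since the 95th percentile is what users feel. It uses only the Python standard library; the bind request is hand-encoded in BER so no LDAP client library is required. The example assumes the target accepts an anonymous simple bind on a plain (non-TLS) port, that every BER length fits the short form (true for a bind with empty names), and a hypothetical p95 budget of 150 ms chosen only for illustration.

```python
"""Measure LDAP anonymous-bind round-trip latency and judge it by its tail.

Added example for this article (not the post's or any vendor's code).
Standard library only: the BindRequest is hand-encoded in BER.
Assumptions: anonymous simple bind is accepted on a plain LDAP port, and
all BER lengths are short-form (< 128 bytes), which holds for this exchange.
"""
import math
import socket
import sys
import time
from statistics import mean


def build_anon_bind(message_id: int = 1) -> bytes:
    """Encode LDAPMessage{messageID, BindRequest{version 3, name "", simple ""}}."""
    if not 0 <= message_id <= 127:
        raise ValueError("short-form INTEGER only (assumption of this example)")
    bind = bytes([0x02, 0x01, 0x03,   # version   INTEGER 3
                  0x04, 0x00,         # name      OCTET STRING ""
                  0x80, 0x00])        # simple    [0] ""
    bind_req = bytes([0x60, len(bind)]) + bind           # [APPLICATION 0] BindRequest
    body = bytes([0x02, 0x01, message_id]) + bind_req    # messageID INTEGER
    return bytes([0x30, len(body)]) + body               # LDAPMessage SEQUENCE


def parse_bind_result(data: bytes) -> int:
    """Return the resultCode from a BindResponse (short-form BER only)."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    pos = 2                                   # skip SEQUENCE tag and length
    if data[pos] != 0x02:
        raise ValueError("expected messageID INTEGER")
    pos += 2 + data[pos + 1]                  # skip messageID
    if data[pos] != 0x61:
        raise ValueError("expected BindResponse [APPLICATION 1]")
    pos += 2                                  # skip tag and length
    if data[pos] != 0x0A:
        raise ValueError("expected resultCode ENUMERATED")
    code_len = data[pos + 1]
    return int.from_bytes(data[pos + 2:pos + 2 + code_len], "big")


def ldap_bind_latency(host: str, port: int = 389, rounds: int = 20,
                      timeout: float = 3.0) -> list:
    """Time `rounds` complete connect + bind exchanges; returns milliseconds."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_anon_bind(1))
            resp = s.recv(64)
        elapsed_ms = (time.perf_counter() - start) * 1000.0
        code = parse_bind_result(resp)
        if code != 0:                         # 0 == success in LDAP
            raise RuntimeError("bind failed, resultCode=%d" % code)
        samples.append(elapsed_ms)
    return samples


def percentile(samples, p):
    """Nearest-rank percentile, p in 0..100."""
    ordered = sorted(samples)
    rank = max(1, math.ceil(p / 100.0 * len(ordered)))
    return ordered[rank - 1]


def summarize(samples):
    return {"n": len(samples), "mean": mean(samples),
            "p50": percentile(samples, 50), "p95": percentile(samples, 95),
            "max": max(samples)}


def within_tolerance(summary, p95_budget_ms):
    """Judge the tail, not the mean: the slow 5% is what users notice."""
    return summary["p95"] <= p95_budget_ms


if __name__ == "__main__":
    # Usage: python ldap_latency.py ldap.example.test 389   (hypothetical host)
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.test"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 389
    stats = summarize(ldap_bind_latency(host, port))
    print(stats, "OK" if within_tolerance(stats, 150.0) else "TOO SLOW")
```

Run it from each office or region where users sit, not from the data centre, and compare the p95 values side by side with the same measurement taken against the on-premises directory; the anonymous bind only measures the network and server path, so repeat with an authenticated bind if your directory rejects anonymous access.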
Security
Directory services house your users’ identities, and that data obviously needs to be well protected. Legacy directories, however, were designed around the assumption that they sit behind the firewall, inside a trusted network, and are therefore probably safe. That perimeter is their view of security.
A cloud directory lives on the Internet, so cloud directory providers understand that they have to start with security. This means layered defenses, from one-way hashed password storage to network-level controls and every layer in between.
Organizations often overestimate their own security, treating the fact that the directory is on-premises as if it were security in itself. The only fair way to weigh your options is to line up the security attributes side by side and see whether your approach for an on-premises directory actually surpasses a Directory-as-a-Service provider’s. Because the provider specializes in directories, it can usually invest more in security, amortizing the cost across its entire customer base.
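What "one-way hashed passwords" should mean in practice, as an added example that is not the article's code and does not describe any particular provider's scheme: a random per-user salt, a deliberately slow key-derivation function, a self-describing stored record so the work factor can be raised later, and a constant-time comparison on verify. The block also shows the legacy pattern it replaces, an unsalted fast digest, which lets an attacker who steals the directory spot shared passwords instantly and crack them with precomputed tables. Standard library only; the PBKDF2 iteration count is an assumed work factor for this example, and a memory-hard function such as scrypt or Argon2 is the better choice where it is available.

```python
"""Salted, slow, one-way password storage versus an unsalted fast digest.

Added example for this article; not the post's code or any vendor's scheme.
Assumed work factor: 600,000 PBKDF2-HMAC-SHA256 iterations (tune to your
hardware; prefer scrypt or Argon2 where available).
"""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000          # assumed work factor for this example
SALT_BYTES = 16
DKLEN = 32


def unsalted_digest(password: str) -> str:
    """The legacy pattern: fast, unsalted, and identical for identical passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$hash."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, DKLEN)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, b64(salt), b64(dk))


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        scheme, iterations, salt_b64, hash_b64 = record.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 int(iterations), len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record uses a weaker work factor than current policy,
    so it can be upgraded transparently at the user's next successful login."""
    scheme, stored_iterations, _, _ = record.split("$")
    return scheme != "pbkdf2_sha256" or int(stored_iterations) < iterations


def records_leak_shared_passwords(records) -> bool:
    """True if any two stored values are identical: the tell-tale of no salt."""
    return len(set(records)) != len(records)


if __name__ == "__main__":
    # Constructed sample users; two of them chose the same password.
    users = {"alice": "correct horse", "bob": "correct horse", "carol": "Tr0ub4dor&3"}
    legacy = [unsalted_digest(p) for p in users.values()]
    modern = [hash_password(p) for p in users.values()]
    print("legacy store reveals shared passwords:", records_leak_shared_passwords(legacy))
    print("salted store reveals shared passwords:", records_leak_shared_passwords(modern))
    print("verify alice:", verify_password("correct horse", modern[0]))
    print("verify wrong:", verify_password("correct horse!", modern[0]))
```

When you compare a provider's answer on password storage with your own, ask for exactly these properties: the function, the per-user salt, the work factor, and whether old records are upgraded on login; "hashed" alone is the wrong question.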
Should You Move to a Cloud-based Directory Service?
As organizations think about moving their directory services to the cloud, these four areas above are a great place to start evaluating the pros and cons of making the move.
Most organizations quickly determine that the breadth and depth of Directory-as-a-Service solutions outpaces what IT organizations can do internally. But each organization should go through its own in-depth process to determine what is best for it.