By Greg Keller Posted November 17, 2014
This is the second post of our four-part series on cloud server user management. Here's a list of the others:
- Cloud Server User Management
- 6 Ways to Manage Users on Cloud Servers (you’re here!)
- Challenges of Connecting Directory Services to Cloud Computing
- Connecting Cloud Servers to your AD or LDAP Store
Managing users on cloud servers is a painful process. If you have more than just a few servers, ensuring that the right people have the right access gets complicated fast. At any given moment IT admins must ensure that every server is covered, that every change is logged, and that the accounts on each server match the core user store, and they must keep doing so on an on-going basis as servers and people come and go.
There are a number of approaches admins can take to manage users. We highlight the pros and cons of some of the most common approaches, below.
Manually managing cloud server accounts
Many IT admins choose to manually create, manage, and delete users on their cloud servers. IT admins are notified (generally via email) of who requires what access to the cloud servers and they will manually provision and manage users on the cloud servers. This entails the following:
- Logging into the servers themselves
- Managing the user creation
- Account and user modifications
- Handling the termination process
- Communicating the new credentials to the user (generally over an insecure channel such as email)
However, as the number of servers and users grows, this tedious process presents significant challenges around tracking who has access where. Adding capabilities such as multi-factor authentication becomes problematic, and configuring those solutions server by server is time consuming. Moreover, on AWS many IT admins simply share the default ec2-user account because it is easier, and thereby lose any ability to attribute on-host actions to an individual: every login and every sudo invocation in the logs is just "ec2-user".
Leverage configuration management tools
Another user management paradigm is leveraging configuration management tools, such as Chef, Puppet, Ansible, Salt, CFEngine, or others, to add or remove user accounts on every run. This can be a quick, easy, inexpensive, and reasonably maintainable method if you have just a few users and very simple access rules (for example, all users have access to all servers).
But smart admins know this isn’t a long-term solution, because it’s not scalable.
As organizations grow, they quickly hit a barrier, and it becomes maddeningly complex to manage large numbers of users with complex access rules. IT admins are burdened with the time-consuming task of updating code and data files every time access roles change, with no easy way to off-load what should be a purely administrative task to someone with less training.
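To make the trade-off concrete, here is an added example (not code from the original post or from any of the tools it names) of the reconciliation step a configuration-management run performs on each server: it compares the users a host should have, by server role, against the local accounts and produces the add/lock/keep actions, ordered so that new individual accounts exist before any shared account is locked. The usernames, roles, SSH keys, hostnames and the /etc/passwd snippet are constructed for illustration. The same logic covers the manual steps listed earlier (create, modify, terminate) and shows why the desired-state data grows with every new role or exception. Note that the default ec2-user account is not in the desired state, so it is locked like any other unauthorised account, which restores per-user attribution on the host.

```python
"""
Added example (not from the original post): a minimal desired-state user
reconciler of the kind a configuration-management run performs on each host.
All names, keys and the passwd snippet are constructed for illustration.
"""
from dataclasses import dataclass

# Desired state: who gets an account, on which server roles, and their key.
# In practice this lives in Chef/Puppet/Ansible data and is edited by hand,
# which is the maintenance burden the post describes.
DESIRED_USERS = {
    "alice": {"roles": {"web", "db"}, "sudo": True,  "key": "ssh-ed25519 AAAA...alice"},
    "bob":   {"roles": {"web"},       "sudo": False, "key": "ssh-ed25519 AAAA...bob"},
    "carol": {"roles": {"db"},        "sudo": True,  "key": "ssh-ed25519 AAAA...carol"},
}

# Accounts below this UID are system accounts and are never touched.
MIN_MANAGED_UID = 1000


@dataclass(frozen=True)
class Action:
    verb: str      # "add", "lock", or "keep"
    user: str
    reason: str


def local_users(passwd_text: str) -> dict:
    """Parse /etc/passwd-style text into {name: uid} for human accounts only."""
    users = {}
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue
        name, uid = fields[0], int(fields[2])
        if uid >= MIN_MANAGED_UID and name != "nobody":
            users[name] = uid
    return users


def reconcile(host_role: str, passwd_text: str, desired=DESIRED_USERS) -> list:
    """
    Return the ordered list of actions for one host. Adds come before locks so
    an admin account exists before a shared one is disabled. Leavers are locked
    rather than deleted so their UID and log entries stay attributable.
    """
    wanted = {u for u, spec in desired.items() if host_role in spec["roles"]}
    present = set(local_users(passwd_text))
    actions = []
    for user in sorted(wanted - present):
        actions.append(Action("add", user, f"role {host_role} grants access"))
    for user in sorted(present - wanted):
        actions.append(Action("lock", user, "not authorised for this host"))
    for user in sorted(wanted & present):
        actions.append(Action("keep", user, "already present"))
    return actions


def as_commands(actions: list, desired=DESIRED_USERS) -> list:
    """Render actions as the shell commands an agent would run (not executed here)."""
    cmds = []
    for a in actions:
        if a.verb == "add":
            spec = desired[a.user]
            cmds.append(f"useradd -m -s /bin/bash {a.user}")
            cmds.append(f"install -d -m 700 -o {a.user} /home/{a.user}/.ssh")
            cmds.append(f"printf '%s\\n' '{spec['key']}' > /home/{a.user}/.ssh/authorized_keys")
            if spec["sudo"]:
                cmds.append(f"usermod -aG sudo {a.user}")
        elif a.verb == "lock":
            # Lock the password and expire the account; keep the home directory for forensics.
            cmds.append(f"usermod --lock --expiredate 1970-01-02 {a.user}")
            cmds.append(f"rm -f /home/{a.user}/.ssh/authorized_keys")
    return cmds


# Constructed /etc/passwd for a "web" server that still has carol (a DB-only
# user), dave (no longer in the desired state) and the shared ec2-user account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ec2-user:x:1000:1000::/home/ec2-user:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
dave:x:1003:1003::/home/dave:/bin/bash
"""

if __name__ == "__main__":
    for cmd in as_commands(reconcile("web", SAMPLE_PASSWD)):
        print(cmd)
```

Run against the sample on a "web" host, this adds alice, locks carol, dave and ec2-user, and keeps bob; on a "db" host the set flips. Every new role, shared account, or "this person needs this one server" exception is another edit to DESIRED_USERS and another run across the fleet, which is the scaling problem the post describes.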
Expose LDAP or AD to the Internet
Another option is to expose LDAP or AD to the Internet and let cloud servers talk directly to the user directory. With additional security and configuration (source-address filtering, a VPN or private link, and TLS on the LDAP connection), the directory servers can be restricted to accept connections only from known servers. Whether that is feasible depends on the network architecture and on how the server fleet grows: cloud servers come and go with new addresses, so an IP allow-list needs constant upkeep. If the directory cannot be restricted, it is reachable by anyone on the Internet, who can enumerate users and attempt password guessing against it.
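The check a practitioner would want here is whether the directory's LDAP ports are actually reachable from the whole Internet rather than only from trusted networks. Below is an added example (not from the original post) that audits a list of ingress rules for that condition. The rule format (source CIDR, inclusive port range, protocol) is a simplified, constructed stand-in for a cloud security group or host firewall, not any vendor's real API; the sample rules and trusted ranges are likewise constructed. Plaintext LDAP ports are rated higher than the TLS ports because simple binds over them send the password in the clear.

```python
"""
Added example (not from the original post): flag ingress rules that expose
LDAP or AD ports to sources outside a set of trusted networks. Rule format
and sample data are constructed for illustration.
"""
import ipaddress

# Ports a directory server typically listens on; the AD global catalog ports
# are included because they answer the same kind of queries.
LDAP_PORTS = {
    389: "ldap (plaintext)",
    636: "ldaps",
    3268: "global catalog (plaintext)",
    3269: "global catalog (TLS)",
}
PLAINTEXT_PORTS = {389, 3268}


def exposed_ldap_rules(rules, trusted_cidrs):
    """
    Return one finding per (rule, LDAP port) whose source is not wholly inside
    a trusted network. A rule scoped to a trusted network is what "locked to
    only talk to certain servers" looks like in practice.
    """
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for rule in rules:
        if rule.get("proto", "tcp") != "tcp":
            continue  # LDAP is TCP; ignore UDP rules such as DNS
        src = ipaddress.ip_network(rule["cidr"], strict=False)
        if any(src.version == t.version and src.subnet_of(t) for t in trusted):
            continue
        lo, hi = rule["ports"]
        for port in sorted(LDAP_PORTS):
            if lo <= port <= hi:
                findings.append({
                    "port": port,
                    "service": LDAP_PORTS[port],
                    "source": str(src),
                    "severity": "critical" if port in PLAINTEXT_PORTS else "high",
                })
    return findings


def verdict(rules, trusted_cidrs):
    """'pass' when nothing is exposed, otherwise the worst severity found."""
    findings = exposed_ldap_rules(rules, trusted_cidrs)
    if not findings:
        return "pass"
    return "critical" if any(f["severity"] == "critical" for f in findings) else "high"


# Constructed rule set for a directory server in a 10.0.0.0/16 VPC.
SAMPLE_RULES = [
    {"cidr": "10.0.0.0/16", "ports": (389, 389)},              # VPC-internal: fine
    {"cidr": "203.0.113.0/24", "ports": (636, 636)},           # partner range, trusted below
    {"cidr": "0.0.0.0/0", "ports": (636, 636)},                # LDAPS open to the world
    {"cidr": "0.0.0.0/0", "ports": (0, 65535)},                # everything open: hits all four
    {"cidr": "0.0.0.0/0", "ports": (22, 22)},                  # SSH, not a directory port
    {"cidr": "0.0.0.0/0", "ports": (53, 53), "proto": "udp"},  # UDP is skipped
]
TRUSTED = ["10.0.0.0/8", "203.0.113.0/24"]

if __name__ == "__main__":
    for f in exposed_ldap_rules(SAMPLE_RULES, TRUSTED):
        print(f"{f['severity']:8} {f['source']:12} -> {f['port']} {f['service']}")
    print("verdict:", verdict(SAMPLE_RULES, TRUSTED))
```

Feeding it real security-group or iptables rules is a matter of translating them into the (cidr, ports, proto) shape; the point is that the trusted list must be maintained as cloud servers are added, which is the upkeep the approach above imposes.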
Stand-up an entirely new LDAP or AD instance in the cloud
Still another option is to create another directory store. Generally this involves standing up a new instance of AD or LDAP in the cloud. This works well if the cloud setup is logically in a Virtual Local Area Network (VLAN) or equivalent enclave where the directory server can talk to each of the servers. Additionally, the cloud directory store needs to be synchronized with the main user directory or manually updated. The benefit is that this method gives IT admins the ability to manage users for their cloud servers via either LDAP or AD. The drawback is that it creates a second directory to operate and keep in sync, and any lag in that synchronization means a terminated user can keep access to cloud servers after being removed from the main directory.
Implement an enterprise identity management solution
Larger corporations sometimes leverage an existing enterprise-class identity management solution, or purchase a new one, to manage cloud servers. Generally, this approach involves installing the solution on-premises, connecting it to the main directory store, and then installing agents on each device that needs management. Often, this is implemented with the help of the vendor's professional services. The benefits of this type of solution are that it can be leveraged for internal desktops and servers, and can sometimes include mobile device management capabilities, too. For management of cloud servers, IT admins install agents onto the servers, and those agents talk back to the solution's main on-premises server. While an excellent solution, this approach is often too costly and cumbersome for most organizations to implement.
Leverage a Directory-as-a-Service solution
The last significant approach is to leverage a Directory-as-a-Service™ (DaaS) solution. A cloud-based directory serves as the bridge between an on-premises AD or LDAP user store and cloud infrastructure. A lightweight agent placed on the internal user store synchronizes users to the cloud-based directory. From there, cloud servers are able to talk to the Directory-as-a-Service and authenticate access. Because the DaaS solution lives in the cloud, there is no network plumbing between the on-premises directory and the cloud servers to set up: servers talk to the cloud directory either through a secured connection or via an agent installed on each server. User changes are all handled in one place, within the internal directory, and are propagated first to the cloud directory and then to each server. The benefits of this approach are simplicity, availability, and security. Of course, organizations need to be comfortable leveraging the cloud, otherwise this isn't an option for them.