AD DS and Zero Trust Security

By Vince Lujan Posted March 27, 2019


As IT security has become a focal point in the modern era, the relationship between Active Directory Domain Services (AD DS) and Zero Trust Security has come into question. Many IT admins are unsure of how a traditional, domain-based identity management solution, such as AD DS, can fit into their Zero Trust Security model.

After all, the Zero Trust Security model stipulates that all sources of network traffic (regardless of platform, provider, protocol, or location) must build trust and, ultimately, be authenticated for user access. Yet, AD DS is focused on Windows® and relies on a strong perimeter to protect trusted assets found within the Windows-centric domain.

Fortunately, a next generation cloud identity provider (IdP) has recently surfaced that is effectively AD DS reimagined for modern networks. But before we get into that, let’s take a closer look at AD DS with respect to Zero Trust Security.

Overview of AD DS and Zero Trust Security

Active Directory Domain Services (AD DS) is the core solution used to manage a Windows-based domain. AD DS has been around for almost twenty years, and is now grappling with a new era of IT along with a new security model.

When the concept of AD DS was introduced in 1999, IT networks were predominantly on-prem and Windows-based. Thus, AD DS was effectively the only solution required to securely manage and connect users to all of their Windows-based IT resources, all of which were bound to the AD domain.

The IT landscape started to change around the turn of the century, as a wide variety of non-Windows resources were delivered remotely from what would become known as the cloud. With that, AD DS began to struggle.

For one, AD DS was not suited to support non-Windows resources operating outside of a traditional domain. Consequently, IT organizations were forced to segment their identity management approach with a variety of third-party add-ons (e.g., SSO, PIM, GADS).

Then, bad actors started attacking networks from both inside and out, often exploiting security holes created by decentralized identity management strategies. As a result, IT admins began to lose faith in the perimeter-based security model altogether.

The concept of Zero Trust Security emerged in response to this lack of trust for traditional networks. Unfortunately, as the world moves to this perimeter-less, mixed-platform model, AD DS and Zero Trust Security seem to be at odds.

Zero Trust Security in Focus

With Zero Trust Security, the concept of the domain is much more fluid. There is no fortified perimeter to protect trusted assets within an internal domain, but rather, all sources of network traffic must build trust and ultimately be authenticated before they are authorized for use.

In practice, this means that a user must first authenticate into their Windows-, macOS®-, or Linux®-based system. Then, it must be established that the system can be trusted, that system-to-system communication is secure, and that the user’s access rights are valid.

Only then will the user be granted access to a particular IT resource. In doing so, the thought is that the network is more secure because a bad actor would conceivably need to bypass multiple layers of security in order to compromise an organization’s most critical data and applications.
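To make the contrast between the two models concrete, here is an added illustration (not code from the original post, and not JumpCloud's product logic) of a perimeter-style access decision next to a Zero Trust one. The request fields, user names, resource names and entitlement table are constructed for the example; the Zero Trust evaluator checks the layers in the order the post describes (user authentication, device trust, a protected channel, then the user's access rights) and denies by default, while the source network is deliberately ignored.

```python
"""Perimeter-based vs. Zero Trust access decisions (added illustration)."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    source_network: str        # constructed label: "corp-lan" or "internet"
    user_authenticated: bool   # the user proved their identity to their endpoint
    mfa_satisfied: bool        # a second factor was presented
    device_trusted: bool       # endpoint is enrolled/managed and passed posture checks
    channel_protected: bool    # system-to-system traffic is encrypted and authenticated


# Constructed entitlement table: which user may reach which resource.
ENTITLEMENTS = {
    "alice": frozenset({"wiki", "payroll-db"}),
    "bob": frozenset({"wiki"}),
}

# Constructed policy: resources whose access also requires a second factor.
MFA_REQUIRED = frozenset({"payroll-db"})


def perimeter_evaluate(req: AccessRequest) -> tuple[Decision, str]:
    """Classic domain model: traffic originating inside the perimeter is trusted."""
    if req.source_network == "corp-lan":
        return Decision.ALLOW, "inside perimeter"
    return Decision.DENY, "outside perimeter"


def zero_trust_evaluate(req: AccessRequest) -> tuple[Decision, str]:
    """Every layer must pass regardless of where the request came from; deny by default.

    Note that req.source_network is never consulted: location buys no trust.
    """
    if not req.user_authenticated:
        return Decision.DENY, "user not authenticated"
    if not req.device_trusted:
        return Decision.DENY, "device not trusted"
    if not req.channel_protected:
        return Decision.DENY, "channel not protected"
    allowed = ENTITLEMENTS.get(req.user, frozenset())
    if req.resource not in allowed:
        return Decision.DENY, f"{req.user} not entitled to {req.resource}"
    if req.resource in MFA_REQUIRED and not req.mfa_satisfied:
        return Decision.DENY, f"{req.resource} requires a second factor"
    return Decision.ALLOW, "all checks passed"


if __name__ == "__main__":
    # Constructed scenario 1: an unmanaged laptop plugged into the office LAN.
    lan_unmanaged = AccessRequest("bob", "wiki", "corp-lan",
                                  user_authenticated=True, mfa_satisfied=False,
                                  device_trusted=False, channel_protected=True)
    # Constructed scenario 2: a managed, MFA-backed device working remotely.
    remote_managed = AccessRequest("alice", "payroll-db", "internet",
                                   user_authenticated=True, mfa_satisfied=True,
                                   device_trusted=True, channel_protected=True)
    for name, req in (("lan_unmanaged", lan_unmanaged), ("remote_managed", remote_managed)):
        print(name, "perimeter:", perimeter_evaluate(req), "zero trust:", zero_trust_evaluate(req))
```

The first scenario is the case the perimeter model gets wrong: an untrusted device is allowed simply because it is on the LAN, whereas the Zero Trust evaluator stops at the device-trust layer. The second scenario is the case the perimeter model cannot serve at all: a remote user on a managed device with a second factor is denied by location alone, but passes every Zero Trust layer. Each denial carries the name of the layer that failed, which is what you would want to log when building detections around access decisions.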

That said, actually achieving a Zero Trust Security model has its own set of challenges. As you may have guessed, these challenges are primarily related to identity and access management (IAM), especially in a pure AD environment.

The good news is that a next generation cloud identity management solution is embedding the concepts of Zero Trust Security into its operating model and functionality. It’s called JumpCloud® Directory-as-a-Service®, and it is effectively AD DS reimagined for the modern era of IT.

Zero Trust Identity Provider

JumpCloud has taken a cross-platform, vendor-neutral, protocol-driven approach to delivering directory services from the cloud. The Directory-as-a-Service platform securely manages and connects users to virtually any IT resource, regardless of the platform, provider, protocol, or location. As a modern cloud identity provider, the tenets of Zero Trust Security are built into the comprehensive platform. The end result is that IT admins can achieve a Zero Trust Security model, while gaining the freedom to choose the best IT resources for their organization.

Contact JumpCloud to learn more about AD DS and Zero Trust Security, and to see how the Directory-as-a-Service platform is perhaps better suited for your Zero Trust Security initiative. Sign up for a free account and check out the full functionality of our platform for as long as you need. We offer 10 users free forever to help you get started. Check out our knowledge base for additional documentation and our YouTube channel for supplemental videos.

Vince Lujan

Vince is a writer and videographer at JumpCloud. Originally from a small village just outside of Albuquerque, he now calls Boulder home. When Vince is not developing content for JumpCloud, he can usually be found doing creek stuff.
