By Ryan Squires Posted March 18, 2019
Is there any value to Active Directory® (AD) without a domain? While that may seem counterintuitive at first blush, the answer is yes, there is a tremendous amount of value in that proposition. There is one caveat, though: that’s not how Microsoft® AD really works. Before we dig in to why the concept of Active Directory without the domain is an interesting thought, we should take a step back and evaluate the current IT landscape. Doing so will allow us to uncover what exactly is driving the questions around domainless Active Directory.
Tools Existing Outside of the Domain
With the introduction of the cloud and non-Windows® resources into IT environments, the bedrock of what used to make up IT networks has shifted. The introductions of cloud infrastructure from AWS®, web applications (Slack, Salesforce®), macOS® and Linux® systems, WiFi, non-Windows file servers, G Suite™ / Office 365™, and more has forced IT admins to look for new approaches to manage their heterogeneous and dispersed infrastructure. Couple that with an intense focus on security because of what feels like daily breaches in the news, and a new operating and security model is required. That is, a security model that regards all sources of network traffic as a potential threat.
Zero Trust, Zero Domain
The security architecture we’re talking about is Zero Trust Security. With a model implementation by Google called BeyondCorp™, Zero Trust Security is having a ripple effect throughout an organization’s IT infrastructure. And, perhaps the most critical impact has been on the identity provider and domain concept. Zero Trust Architecture starts with the idea that everything on the network is untrusted and there is not a network perimeter. In other words, there is no internal domain that is “safe” and an external realm that is “unsafe.” As a result, this approach to security has forced many IT organizations to question the domain altogether. They want to know if they can still manage user access to IT resources without the domain, which is how we come full circle.
Active Directory and the Domain
The underpinning of Active Directory is the domain. In fact, while this may not be widely known, the overarching solution from Microsoft is in fact called Active Directory Domain Services (AD DS). At a different time, the idea of a network perimeter and internal safety made a great deal of sense and AD DS was the vehicle to accomplish that. But, in the modern cloud era, one where macOS and Linux® machines are prevalent, traveling workers are here and then gone, and IT resources hosted in faraway servers are now the norm—the idea of an on-prem directory that connects users to their resources is an antiquated approach.
Not All is Lost
But that doesn’t mean we have to scrap all of what the domain provided, we just need to make sure that our users and IT resources are safe and adhere to the tenets of Zero Trust Security. For example, the all-Windows network provided an excellent user experience in that users had one set of credentials for all of their IT resources. That meant one identity for their system, applications, files, and the network. This scenario existed because everything was on the domain, but a True Single Sign-On™ approach for the modern, cloud era would connect users to the tools they use daily while maintaining that trust is something that is earned on the network, not simply granted. What solution can we use to get the best of both worlds?
JumpCloud® Directory-as-a-Service® takes a single set of credentials and federates them to multiple protocols and instantiations of an individual’s identity. That means systems (Windows®, Mac®, and Linux), applications via SAML and LDAP, files on-prem and off, AWS cloud infrastructure by way of SSH keys, and networks via RADIUS are each accessible via one username and password combination. Then, IT admins can ensure that only the right user is accessing the user portal by fortifying it with multi-factor authentication. That means users must provide correct answers when prompted with their password and MFA code. We can’t trust them if they don’t have both.
Security Without the Domain
If you’re ready to enhance your security and leave the domain behind, sign up for a JumpCloud account today. It requires absolutely no credit card and enables you to manage up to 10 users using the full scope of the Directory-as-a-Service product. If that’s not enough, visit our pricing page to see how JumpCloud can scale when you grow. If you have any further questions, feel free to visit our Knowledge Base or drop us a line.