For most IT organizations, using Microsoft Active Directory is a default choice. For nearly 20 years, there hasn’t been a viable alternative to the legacy directory services solution.
As traditional security methods shift to the new Zero Trust security model, is Active Directory the right solution to take organizations forward? In this article, we’ll discuss Active Directory and Zero Trust security, where these two conflict, and introduce an alternative directory platform that delivers on the principles of Zero Trust.
It is critical to start the discussion by defining Zero Trust security, and exploring why it is an important security approach for IT organizations.
What Is Zero Trust Security?
The premise of Zero Trust security is simple: trust no one (not even your own grandma) when it comes to IT resources and verify everything. Only after a user has provided sufficient proof that they are who they say they are can the organization grant them access to the goods.
What does this look like for IT admins on a practical level? Each access transaction must verify the user/identity, the device, network path, and ensure correct authorization rights.
This approach is diametrically opposed to the perimeter security model, where IT resources and people are considered safe on the inside of the network once they log in, and insecure on the outside.
Traditionally, Microsoft Active Directory (AD) pioneered the internal network as the domain controller on-prem, securing Active Directory by using firewalls and VPNs. The thinking went like this: on the inside is the trusted domain and the outside is the untrusted internet.
Of course, the modern world doesn’t work this way. More end users are working from home than ever before, and many of them are using a variety of personal devices to access organizational IT resources not hosted internally.
Add the seemingly constant announcements of data breaches and compromises flashing across news headlines, and it is clear that existing Active Directory best practices and the old-school security model is broken. In short, there is no internal network and network perimeter, but rather a fluid internet where users hop on and get work done, hopefully securely.
The Rise of Zero Trust Security
Understanding the realities of how modern users work and organizations function, along with the reality of security and compliance requirements, the Zero Trust security model emerged as a different approach to building and running modern networks.
Every access transaction would require a number of factors to build trust. The concept of joining a domain and being on the “inside” with safety wouldn’t exist.
For most IT organizations, Active Directory has been the identity management standard, along with the concept of the domain. IT admins connect their users to their IT resources through AD and a user logs in to their Windows machine and has access to whatever they need.
In a traditional, Windows-based on-prem network this model can seem to work, but it runs counter to the Zero Trust security model concepts. That is, Active Directory security traditionally favors a strong perimeter to protect trusted assets, rather than viewing all sources of network traffic as potential attack vectors as with Zero Trust.
Further, with web applications, cloud and non-Windows file server options, cloud infrastructure from Amazon Web Services (AWS), and more, the AD domain controller isn’t able to connect and secure access to all these different IT resources. Of course, with more remote work than ever, it creates even more complications.
The result is that IT organizations patch the holes and add identity bridges, web single sign-on (SSO), and other tools to enable users to connect to what they need, creating additional work, costs, and most importantly security risk.
The Breakdown of Active Directory
Fundamentally, the concept of the domain doesn’t end up working because of the variety of IT resources needing management outside of the domain. Then, when considering the inherent risks associated with a perimeter-based model, IT organizations end up searching for a different approach to their identity management needs.
With a next-generation approach to directory services, IT organizations can embed the concepts of Zero Trust security without being tied to an on-prem network, a single provider, or legacy security model.
Called JumpCloud Directory Platform, this modern approach to identity and access management (IAM) is focused on creating trust with each type of IT resource regardless of the platform, provider, protocol, and location. In this approach:
- macOS and Linux systems are first-class citizens, just like Windows, and even have multi-factor authentication (MFA) capabilities to further step up identity verification.
- Network access can be controlled uniquely via cloud RADIUS and 802.1x services along with the ability to dynamically conduct VLAN assignments.
- AWS cloud infrastructure can be accessed through SSH keys and non-Windows file servers can use the LDAP protocol with Samba attributes as is best for them.
- The cloud directory verifies each step of the access transaction including the user’s identity, their device, the network/location, and their authorization rights.
In short, the cloud directory facilitates secure authentication, connection, and verification of users and their IT resources, managing their systems to ensure compliance and security, and leveraging network security techniques to keep connections secure.
Utilizing conditional access capabilities, IT admins can ensure that users are accessing resources leveraging multi-factor authentication or step-up security techniques, on their corporate devices, and while connected to trusted networks or at trusted locations.
Streamline Zero Trust with JumpCloud
If you’d like to learn more about reimagined Active Directory and Zero Trust security with JumpCloud, please contact us or check out our Resources page for more information. Learn more about how we can help you level-up your security through Zero Trust techniques.