Active Directory® and Zero Trust Security




Updated on April 8, 2021

For most IT organizations, using Microsoft® Active Directory® is often a default choice. For almost 20 years now, there hasn’t been a viable alternative to the legacy directory services solution. As traditional security methods shift to the new Zero Trust Security model, is Active Directory the right solution to take organizations forward? In this article, we’ll discuss Active Directory and Zero Trust Security.

It is critical to start the discussion by defining Zero Trust Security, and exploring why it is an important security approach for IT organizations.

What is Zero Trust Security?

The premise of Zero Trust Security is that all IT resources (and users) are untrusted. Only after they have been challenged appropriately can they be trusted, assuming they have passed those challenges. In this trust model, for example, each access transaction must verify the user/identity, the device, network path, and ensure the correct authorization rights.

This approach is diametrically opposed to the perimeter security model, where IT resources and people are considered safe on the inside of the network once they log in, and insecure on the outside. Traditionally, the internal network was created by Microsoft Active Directory (AD) as the domain controller on-prem, secured by using firewalls and VPNs. On the inside is the trusted domain and the outside is the untrusted internet.

Of course, the modern world we live in doesn’t work this way. End users are working from home and on the road with a variety of compute devices, in addition to accessing IT resources not hosted internally. With a global pandemic underway, remote work is more critical than ever. Add to that the constant announcements of data breaches and compromises, and it is clear that the existing security model doesn’t work. In short, there is no internal network and network perimeter, but rather a fluid Internet where users hop on and get work done, hopefully securely.

The Rise of Zero Trust Security

Understanding the realities of how modern users work and organizations function, along with the reality of security and compliance requirements, the Zero Trust Security Model emerged as a different approach to building and running modern networks. Every access transaction would require a number of factors to build trust. The concept of joining a domain and being on the ‘inside’ with safety wouldn’t exist.

For most IT organizations, Active Directory has been the identity management standard, along with the concept of the domain. IT admins connect their users to their IT resources through AD and a user logs in to their Windows machine and has access to whatever they need. In a traditional, Windows-based on-prem network this model can seem to work, but it runs counter to the Zero Trust Security model concepts. That is, AD traditionally favors a strong perimeter to protect trusted assets, rather than viewing all sources of network traffic as potential attack vectors as with Zero Trust.

Further, with web applications, cloud and non-Windows file server options, cloud infrastructure from AWS®, and more, the AD domain controller isn’t able to connect and secure access to all these different IT resources. Of course, with more remote work than ever, it creates even more complications. The result is that IT organizations patch the holes and add identity bridges, web single sign-on (SSO), and other tools to enable users to connect to what they need creating additional work, costs, and most importantly security risk.

The Breakdown of Active Directory

Fundamentally, the concept of the domain doesn’t end up working because of the variety of IT resources needing management outside of the domain. Then, when considering the inherent risks associated with a perimeter-based model, IT organizations end up searching for a different approach to their identity management needs. With a next generation approach to directory services, IT organizations can embed the concepts of Zero Trust Security without being tied to an on-prem network, a single provider, or legacy security model.

Called JumpCloud Directory Platform, this modern approach to identity and access management (IAM) is focused on creating trust with each type of IT resource regardless of the platform, provider, protocol, and location. In this approach:

  • macOS® and Linux® systems are first class citizens, just like Windows®, and even have multi-factor authentication (MFA) capabilities to further step-up identity verification. 
  • Network access can be controlled uniquely via cloud RADIUS and 802.1x services along with the ability to dynamically conduct VLAN assignments
  • AWS cloud infrastructure can be accessed through SSH keys and non-Windows file servers can use the LDAP protocol with Samba attributes as is best for them. 
  • The cloud directory verifies each step of the access transaction including the user’s identity, their device, the network/location, and their authorization rights. 

In short, this cloud directory is securely authenticating and connecting users to their IT resources, managing their systems to ensure compliance and security, and leveraging network security techniques to keep connections secure. Utilizing Conditional Access capabilities, IT admins can ensure that users are accessing resources leveraging multi-factor authentication or step-up security techniques, on their corporate devices, and while connected to trusted networks or at trusted locations.

Learn More

If you’d like to learn more about reimagined Active Directory and Zero Trust Security with JumpCloud®, please contact us or check out our Resources page for more information. Learn more about how we can help you level-up your security through Zero Trust techniques.

JumpCloud Free is a free solution for up to ten users and ten 10 systems. You also get 10 days of premium 24×7 in-app chat support as well. Sign up here and try JumpCloud today.


Related Posts
Enabling MFA with Active Directory isn’t always easy or free, and brings up a number of questions for IT admins. Here we answer the top four.

Blog

MFA and Active Directory: Four Common Questions

Enabling MFA with Active Directory isn’t always easy or free, and brings up a number of questions for IT admins. Here we answer the top four.

With the IT environment changing, many IT admins find themselves searching for an open source Active Directory alternative.

Blog

Open Source Active Directory®

With the IT environment changing, many IT admins find themselves searching for an open source Active Directory alternative.

Learn how to provision one identity to virtually all IT resources - systems, apps, files, and networks. Try JumpCloud Free.

Blog

User Provisioning & Active Directory

Learn how to provision one identity to virtually all IT resources - systems, apps, files, and networks. Try JumpCloud Free.