Active Directory® and Zero Trust Security

By Zach DeMeyer Posted February 12, 2019


For most IT organizations, using Microsoft® Active Directory® is often a default choice. For almost 20 years now, there hasn’t been a viable alternative to the legacy directory services solution. As traditional security methods shift to the new Zero Trust Security model, is Active Directory the right solution to take organizations forward? In this article, we’ll discuss Active Directory and Zero Trust Security.

It is critical to start the discussion by defining Zero Trust Security, and exploring why it is an important security approach for IT organizations.

What is Zero Trust Security?

The premise of Zero Trust Security is that all IT resources (and users) are untrusted by default. They become trusted only after they have been appropriately challenged and have passed those challenges. This is largely diametrically opposed to the perimeter security model, where IT resources and people are considered safe inside the network and insecure outside it. Traditionally, that internal network was built around an on-prem Microsoft Active Directory (AD) domain controller and secured with firewalls and VPNs.

Of course, the modern world we live in doesn’t work this way. End users are working from home and on the road with a variety of compute devices, in addition to accessing IT resources not hosted internally. Add to that the constant announcements of data breaches and compromises, and it is clear that the existing security model doesn’t work. In short, there is no internal network and network perimeter, but rather a fluid Internet where users hop on and get work done, hopefully securely.
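The contrast between the two models is easiest to see as an access decision. The following is an added illustration, not code from the original post or from any product: a perimeter policy that trusts anything on the internal subnet, beside a Zero Trust policy that ignores network location and challenges identity, MFA and device posture on every request. The subnet, users and device states are constructed sample values.

```python
# Added illustration (not from the original post): perimeter trust vs Zero Trust
# as two access-decision functions over the same request.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL_NET = ip_network("10.0.0.0/8")  # constructed "corporate" subnet


@dataclass
class AccessRequest:
    src_ip: str               # where the request originates
    user: Optional[str]       # verified identity, or None if unauthenticated
    mfa_passed: bool          # second factor satisfied for this session
    device_managed: bool      # endpoint enrolled and policy-compliant
    resource: str             # resource being accessed


def perimeter_decision(req: AccessRequest) -> bool:
    """Perimeter model: anything on the inside of the network is trusted."""
    return ip_address(req.src_ip) in INTERNAL_NET


def zero_trust_decision(req: AccessRequest) -> bool:
    """Zero Trust: network location carries no weight; every request must
    pass the identity, MFA and device-posture challenges before it is trusted."""
    if req.user is None:          # unauthenticated: no identity to trust
        return False
    if not req.mfa_passed:        # identity not strongly verified
        return False
    if not req.device_managed:    # unknown or non-compliant endpoint
        return False
    return True


def compare(req: AccessRequest) -> dict:
    """Return both models' verdicts for one request."""
    return {"perimeter": perimeter_decision(req),
            "zero_trust": zero_trust_decision(req)}


# Constructed scenarios
INSIDE_UNVERIFIED = AccessRequest("10.20.30.40", None, False, False, "file-server")
INSIDE_UNMANAGED = AccessRequest("10.20.30.41", "bob", True, False, "file-server")
REMOTE_VERIFIED = AccessRequest("203.0.113.7", "alice", True, True, "file-server")

if __name__ == "__main__":
    print(compare(INSIDE_UNVERIFIED))  # {'perimeter': True, 'zero_trust': False}
    print(compare(INSIDE_UNMANAGED))   # {'perimeter': True, 'zero_trust': False}
    print(compare(REMOTE_VERIFIED))    # {'perimeter': False, 'zero_trust': True}
```

The first two requests come from "inside" and are waved through by the perimeter model even though nothing about the user or device has been verified; the remote request is refused by the perimeter model but accepted under Zero Trust because it has passed every challenge.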

The Rise of Zero Trust

Understanding the realities of how modern users work and organizations function, along with the reality of security and compliance requirements, the Zero Trust Model emerged as a different approach to building and running modern networks. Every interaction would be required to build trust. The concept of joining a domain and being on the ‘inside’ with safety wouldn’t exist.

For most IT organizations, Active Directory has been the identity management standard, along with the concept of the domain. IT admins connect their users to their IT resources through AD and a user logs in to their Windows machine and has access to whatever they need. In a traditional, Windows-based on-prem network this model can seem to work, but it runs counter to the Zero Trust Security model concepts. That is, AD traditionally favors a strong perimeter to protect trusted assets, rather than viewing all sources of network traffic as potential attack vectors as with Zero Trust.

Further, with web applications, cloud and non-Windows file server options, cloud infrastructure from AWS®, and more, the AD domain controller isn’t able to connect and secure access to all these different IT resources. The result is that IT organizations patch the holes and add identity bridges, web single sign-on, and other tools to enable users to connect to what they need, creating additional work, costs, and, most importantly, security risk.

The Breakdown of Active Directory

Fundamentally, the concept of the domain doesn’t end up working because of the variety of IT resources needing management outside of the domain. Then, when considering the inherent risks associated with a perimeter-based model, IT organizations end up searching for a different approach to their identity management needs. With a next generation approach to directory services, IT organizations can embed the concepts of Zero Trust Security without being tied to an on-prem network, a single provider, or legacy security model.

Called Directory-as-a-Service®, this modern approach to IAM is focused on creating trust with each type of IT resource regardless of platform, provider, protocol, and location. macOS® and Linux® systems are first-class citizens, just like Windows®, and even have multi-factor authentication (MFA) capabilities to further step up identity verification. Network access can be controlled via cloud RADIUS and 802.1x services, including dynamic VLAN assignment. AWS cloud infrastructure can be accessed through SSH keys, and non-Windows file servers can use the LDAP protocol with Samba attributes as best suits them. In short, this cloud directory securely authenticates and connects users to their IT resources, manages their systems to ensure compliance and security, and leverages network security techniques to keep connections secure.

Learn More

Make work happen with Directory-as-a-Service

If you’d like to learn more about reimagined Active Directory and Zero Trust Security with JumpCloud®, please contact us or check out our Resources page for more information. Directory-as-a-Service is a free solution for up to ten users forever. Sign up here and try JumpCloud today.

Zach DeMeyer

Zach is a writer and researcher for JumpCloud with a degree in Mechanical Engineering from the Colorado School of Mines. He loves being on the cutting edge of new technology, and when he's not working, he enjoys all things outdoors, making music, and soccer.
