AWS and Directory Services

Written by Greg Keller on October 23, 2014


The move to IT-as-a-Service started years ago, but one area that has not made the leap is directory services. Will the shift to Infrastructure-as-a-Service also move the directory – which is an authentication, authorization, and device management platform – to the cloud and delivered as a service?

An integral part of building out cloud infrastructure is managing user access control. Generally, organizations opt to build out some variant of directory services when they create network infrastructure, which aids in centralizing control and keeping access organized and secure. When building out cloud infrastructure, though, most organizations don’t leverage directory services. Instead, IT admins tend to manually manage users or turn to configuration automation solutions such as Chef or Puppet. However, the manual and scripted methods are prone to risk and errors, so organizations have been searching for ways to automate this process.

Better Ways to Approach the Identity Management Situation

Install and Manage LDAP or Active Directory

A first option for IT organizations is to spin up OpenLDAP or Microsoft Active Directory within their environment. This is a significant step up from the manual and scripted methodology because it is systemized. Both users and devices are cataloged and controlled, and changes to the system are propagated as expected. IT admins don’t need to worry about “zombie users” or forgotten devices that still have user accounts on them. There are two downsides to this approach: you have yet another directory service to manage, and you’re forced to install, configure, and maintain multiple directory systems. That’s a tremendous amount of ongoing work and expertise required, especially in the case of LDAP. Organizations are looking for a simple, straightforward identity and access management strategy.

AWS Services

Amazon Web Services understands that controlling access to cloud servers is an issue and attempts to provide help. Specifically, AWS allows you to create a standard user through its IAM service. While this can be a dangerous method from a security perspective—due to the lack of auditability—it can be helpful in small environments. Alternatively, AMIs are available for both OpenLDAP and Active Directory. AWS also offers a lightweight cloud directory service for VPC that can be connected back to your core AD instance (if you have one). However, while AWS services point you in the right direction, they still leave you with the following holes and gaps: How can you have one single, authoritative directory? Can it manage your Linux and Windows devices as well as authenticate, authorize, and manage their users? Do you still have a great deal of manual work to do? How do you handle your on-prem devices, applications, and WiFi access? Can you easily integrate with Google Apps or Microsoft Office 365?


The third and most complete option IT organizations have is to leverage Directory-as-a-Service (DaaS). DaaS is a cloud-based directory service that either (1) creates one central directory in the cloud for all users, devices, applications, and networks or (2) bridges on-premises Active Directory to AWS cloud infrastructure. A cloud-based directory is easy to set up, configure, and run. Because it is a SaaS-based service, IT admins only need to register for an account, add or import users, and then install a lightweight agent. The agent can be baked into an AMI or deployed through Chef or Puppet. The cloud-hosted directory service logs all user access and provides detailed accounting to admins. Further, a virtual identity provider can operate in VPC or in the classic AWS EC2 infrastructure as well as on other compute infrastructure such as Google Compute Engine, SoftLayer/IBM, Digital Ocean, and others. A cloud-based directory service is the simplest, yet most comprehensive, approach to AWS and directory services. Beyond the integration with AWS, an Identity-as-a-Service platform can be your hosted LDAP solution, RADIUS-as-a-Service, True Single Sign-On™ to cloud and on-prem applications, multi-factor authentication for Linux and Mac, and device management platform.

If you are trying to manage user access to servers on AWS, give these three options consideration. While all of them have pros and cons, we think you will find that the cloud-based Directory-as-a-Service offered by JumpCloud® may be the most complete option for a difficult problem. Feel free to sign up for a free account. Your first 10 users are free forever.
