As AWS® continues to gain more momentum in the market, user access is becoming a key problem for IT and DevOps personnel. AWS has a number of different approaches to this problem. The first is to leverage their Identity and Access Management platform (AWS IAM) for controlling access to the AWS portal. This controls who can do what on AWS as a service. Access at the cloud server or cloud desktop level is also critical. For this, AWS has created a suite of solutions called AWS Directory Service and recently released AWS Directory Service for Active Directory®. The Identity-as-a-Service space has been heating up with AWS, Microsoft® with Azure AD®, Google Apps Directory, and JumpCloud® Directory-as-a-Service® all attacking the market with different approaches.
The Components of AWS Directory Service
AWS Directory Service is a collection of three different services: Simple AD, AD Connector, and AWS Managed Active Directory.
AWS Simple AD
AWS Simple AD is aimed at small organizations that do not have an on-premises Microsoft Active Directory instance. Simple AD is a self-contained open source Samba instance that controls access to Windows® servers and desktops at AWS. It is managed through Windows Server administrative tools that the customer must already have.
AD Connector connects an on-premises Active Directory instance to the Samba instance located at AWS. In this case, the data from the on-prem AD is synched with AWS’s Samba instance. Users are controlled locally at the Microsoft AD level and they are federated to the AWS cloud via Samba. Again, the focus with this approach is largely Windows servers and desktops, but the key difference is that there is already an AD instance in place at the customer’s premises. The latest managed AD service may make AD Connector obsolete.
AWS’ Managed AD service is now a full blown Microsoft Active Directory instance hosted in the AWS cloud. This service requires an existing AD instance located at the customer’s premises. Data from the on-prem AD is synched to the AWS AD. AWS’ service covers a great deal of the administrative burden of managing AD software and networking. The managed AD service would, of course, focus on Windows servers and desktops. With a greater emphasis on AWS’ managed desktop service, Workspaces, it isn’t surprising that customers have asked for greater user authentication and device management capabilities.
The Issues around AWS Directory Service
There are a number of different issues with the AWS Directory Services approach. Organizations today are shifting to a multi-platform environment. Many of AWS’ servers are Linux. Microsoft AD and Samba both are limited in their ability to manage users and the device itself with Linux. Another reason many organizations have been moving away from Active Directory on-premises is because they are largely a Mac shop. This is the second issue with AWS tying its directory services to Microsoft Active Directory. If an organization does not use AD or wants to move away from AD, they are unable to do so. With Microsoft’s Azure AD centered on the Azure platform, it is curious to see AWS leveraging their most significant competitor’s old technology. Microsoft has trumpeted that Azure AD is an entirely new, modern code base. Yet, AWS is saddled with Microsoft’s legacy.
A Cloud Directory Solution
While both AWS and Microsoft are focused on building solutions that lock-in their customers with their platforms, IT organizations worldwide are looking for more flexibility. Their goals are to choose whatever platforms, locations, and protocols that are best for their business. A vendor independent solution such as Directory-as-a-Service is critical to allowing organizations to leverage whatever they feel is best, avoiding vendor lock-in, and having just one cloud-centric directory service for all of an organization’s IT resources regardless of whether they are on-prem or in the cloud.
Major IT vendors are all looking to leverage identity management platforms to use with their other services and solutions. IT organizations will be faced with significant decisions about how to manage their identities in the cloud and on-prem in a world that heterogeneous, multi-locations, and multi-protocol. If you would like to learn how JumpCloud’s Directory-as-a-Service can centrally manage all of your AWS infrastructure as well as your systems on-prem and elsewhere, drop us a note. We’d be happy to discuss it with you. Or, feel free to give JumpCloud’s DaaS a try – your first 10 users are free forever.