By Jon Griffin Posted August 13, 2017
The economics of running Active Directory® in a modern organization is much more complicated today than it was a decade ago. When most of the IT environment was Windows and everything was hosted on-prem, the idea of calculating the ROI of Active Directory was very different. In large part, there wasn’t an alternative, so there was very little to compare costs against. Most companies required a central user management system to control user access to their Windows-centric network, applications, and devices. So, the calculation of cost really centered around the hours that the IT team would save by not managing user access manually. If an automated system like AD could save time, that was the ROI calculation. So what’s the bottom line on the cost of Active Directory?
The Cost of Active Directory has Changed
Today, though, running Active Directory on-prem is a completely different experience and cost center. Windows is not the only operating system for organizations. The cloud has changed where IT resources are stored. Users are more mobile than ever. WiFi is nearly ubiquitous, and web applications are the preferred method of accomplishing tasks. In this environment, the calculation of costs related to Active Directory is far different. In fact, the equation for the cost of Active Directory looks like the following:
Cost of Active Directory = servers + software + hosting + backup + security + monitoring + VPNs + IT admin + 3rd party SW + multi-factor authentication + governance
In addition, there could be more depending upon what else you would like to accomplish in your organization. Active Directory is just the building block that IT admins use to build out their entire identity management strategy. When you add in all of these additional costs, you can see the total cost is significant. Each of the aforementioned costs is broken down below to help you fully grasp what the ROI factors are:
- Servers – the size of the implementation will dictate the size of the servers, but the number of servers will be dictated by the number of locations. Plus, each location will have multiple servers to ensure high availability. Authentication is a 100% uptime service, so multiple servers are crucial. As part of the server hardware, IT admins will also need to purchase storage, and a RAID system will be required to ensure that there isn’t any loss of data.
- Software – Windows software purchasing can get complex. Sometimes everything is included in a Microsoft Enterprise Licensing Agreement (ELA), so you won’t need to count each component separately. If you are looking to use Active Directory, you will need Windows Server licenses, server CALs (client access licenses), and client CALs. All of this needs to be purchased for the number of servers and number of users.
- Hosting – there is a cost to every server hosted internally – or even externally. The fully loaded cost needs to include the space, power, cooling, networking gear, and bandwidth. Of course, this is difficult to allocate and many IT organizations just skip this cost, but it is a true cost. With more services being moved to the cloud, this doesn’t need to be a fixed cost anymore.
- Backup – just like other critical data, backup storage and services are necessary. A loss of Active Directory data would be catastrophic for an organization, especially for those that are subject to compliance. Generally, IT organizations have backup solutions in place, and that leads to the cost via an allocation for the software and hardware.
- Security – with Active Directory, the security model is dependent upon the organization. AD doesn’t have many security mechanisms built in. As a result, the organization has to make sure that it has security mechanisms in place for the network, the server, and the data. All of this translates into additional allocations of costs and potentially direct costs related to securing the AD servers (e.g. host-based intrusion detection systems).
- Monitoring – a 100% uptime service needs to be monitored, and IT staff need to be alerted if there are any failures. Generally, monitoring costs scale with the number of servers or processes monitored. As such, it should be straightforward to determine the direct running cost of Active Directory.
- VPNs – Active Directory follows a direct connect model. This requires that every device or application can directly connect to the AD server. As a result, every endpoint must be networked back to AD if authentication is to occur. Generally, this means the implementation of VPNs. With VPNs there are costs for the VPN client software, and often the VPN hardware where the connection terminates.
- 3rd party software – if macOS or Linux devices are present, then third-party software is required to sit on top of Active Directory to manage those systems. The cost of the software is generally dependent upon the number of devices being managed. If you are looking for single sign-on (SSO) to web applications, then you have a per-user cost to include there as well. These costs can easily add up to more than the cost of AD itself if the network is largely macOS- and Linux-based.
- Multi-factor authentication – with security being a critical concern, many organizations are now implementing a second factor for authentication. When a user logs into a device or application, a second factor is requested. This is often a PIN code on a token or smartphone. The cost of the MFA software and hardware is part of the identity management implementation.
- Governance – logging of authentication data and the analysis of it is critical. Usually IT admins will select third-party software to support this effort. Any organization under compliance requirements will need this software, and those that are conscious of security will generally care about governance and audit logging.
This list is hardly comprehensive, but it does provide a framework to start analyzing the costs of running Active Directory. JumpCloud has created an ROI calculator for organizations to model their AD costs and compare them to alternative approaches and solutions. If you would like a copy of this AD ROI calculator, reach out to us directly with a request.
Looking at AD From a Cost Perspective
When the conversation shifts to replacing Active Directory, looking at it as a cost center can help drive your requirements for a new solution. It is clear that a managed solution that can operate from the cloud will cancel out a number of costs. Further, if the solution is cross-platform and independent, then additional costs go away. If you include extended functionality such as web application SSO, multi-factor authentication, and event / data logging, you continue to chip away at the costs.
Because, for almost a decade and a half, there were no other solutions available that resembled Active Directory and made sense, it never made sense to deeply analyze the ROI of AD. Today, with Directory-as-a-Service®, there is a credible, cost-effective alternative to Active Directory.
So what’s the bottom line? At the very least, you should look into whether a cloud directory such as JumpCloud is a better (less expensive) fit for your infrastructure. To ask us specific questions about your environment, drop us a note. We would be happy to talk about the full cost of Active Directory and how it looks for your organization.