The COVID-19 outbreak ushered in a new era of IT, forcing organizations around the world to work remotely to maintain business continuity. This shift to remote work sparked questions about the efficacy of traditional IT management tools, namely directory services like Microsoft® Active Directory®.
For many IT organizations, Active Directory (AD) is synonymous with identity and access management, but unfortunately, AD struggles to manage remote workers. This pitfall left IT administrators wondering what they could do to keep their end users secure and successful. Ultimately, those questioning AD need to expand their lens and question the concept of the Windows® domain as a whole.
That’s why Rajat Bhargava, CEO and co-founder of JumpCloud, and Alan Shimel, Founder, CEO, and Editor-in-Chief of MediaOps, got together to discuss the shortfalls of the traditional domain and to offer a new vision for IT: the domainless enterprise. Their discussion is available as an on-demand webinar; what follows is a summary.
Setting the Stage for Remote Work
COVID-19 sparked an unprecedented shift to remote work as organizations sought to maintain business continuity while keeping employees healthy and safe. While some of those organizations and their workers were familiar with working remotely, many were not.
The result was a scramble to mobilize a remote workforce, leading IT admins to work long hours to make sure their end users could work successfully and securely from home. Many organizations accomplished this goal, reaching a state of pseudo-normalcy so they could continue with their operations.
Now, in the months following the initial COVID-19 outbreak, leaders in business and industry believe remote work is here to stay: 74% of CFOs surveyed by Gartner wish to shift roles in their organization to permanent remote work. In surveying a wider audience of business leaders, Gartner found that 82% want to at least institute part-time remote work policies as well.
Despite the majority interest in remote work policies, some IT admins are less than enthused. Why, you ask? Well, IT organizations that have relied on tools like AD for their identity management needs find that those tools are not cutting it in the remote work world.
Problems with Traditional IT Solutions
Since its inception, Active Directory has remained grounded on-premises, controlling Windows-centric environments from the role of domain controller. Although excellent at managing resources that exist within its domain, the on-prem directory service struggles with those outside the domain.
Unfortunately, in a world where web applications are widely used and preferred, IT admins need to seek out additional tooling to extend their AD identities outside of the domain. What’s more, while it used to dominate the operating system market, Windows no longer holds the monopoly, with Mac®/Linux® systems and mobile devices rising in popularity.
The issue of resources outside of the domain has plagued IT admins for some time, leading many to adopt add-on solutions like identity bridges and web app single sign-on (SSO) tools to compensate for AD’s shortcomings. Now that organizations work remotely, however, even end users exist outside of the domain, making them harder to support as well.
The Fall of Perimeter-based Security
Once resources and end users both sit outside the domain, there is no longer a fixed perimeter, and the ways an organization’s security can be compromised change dramatically. Traditionally, IT admins constructed “walls” around their domain, using firewalls and other controls to create a defensive line around their AD instance. That model let end users work from inside the domain on the assumption that whatever was inside the walls could be trusted, and that keeping bad actors outside them was enough.
Now that both resources and end users operate outside of the domain, IT admins have considerably different attack vectors to worry about. They can’t put a perimeter around objects outside of their direct control, so in order to maintain security and control, a new approach is necessary.
Because a majority of IT resources moved to cloud infrastructure, it makes sense for the directory service to make the shift as well. In order to do so, however, IT admins need to challenge the concept of the traditional domain, and instead consider shifting to a domainless enterprise model.
By breaking free from being bound by the domain, IT admins can:
- Better control remote users
- Enable users to access a wider range of resources
- Maintain security, regardless of location
Here’s how it works.
How a Domainless Model Works
Domainless IT depends on three core principles: identity, access, and device management.
Identity management in a domainless model uses cloud directory service infrastructure to centralize all of a user’s accounts under a single set of credentials. End users simply need to remember one complex password, and then they will be able to securely access all of their required resources.
In order to ensure this single identity remains secure, IT admins must also make sure their identity management solution provides security tools like multi-factor authentication (MFA). That way, even if an end user’s password is captured by a successful phishing attack, the attacker still cannot authenticate without the second factor (provided the factor itself cannot be relayed by the phishing site; phishing-resistant factors such as hardware security keys close that gap). Syncing external directories like those found in G Suite™ or Microsoft 365™ reduces the amount of front-end work done by admins while still keeping identities centralized in a core directory service.
With a single set of credentials for users to access everything, IT admins then need to make sure that their access privileges are properly laid out. In a domainless model, security is maintained via the principle of least privilege, that is, based on a user’s role, they’re granted only the absolute minimum permissions they need to do their job.
Using a cloud directory service, admins ensure that only authorized users have access to resources, especially those resources that store critical information. In practice this depends on speaking the authentication protocols the resources already understand, using industry standards such as LDAP for on-prem applications, RADIUS for network gear and VPNs, and SAML for web applications, so that the single identity can be federated to each resource without copying credentials into it.
Regardless of the resources they’re authorized to use, every employee depends on their system to access their other tools. As such, the system or device needs to be configured to ensure that it’s as secure as possible.
Through group policy-like enforcement from a cloud directory service, admins can harden user systems with controls like screen lock and full disk encryption to keep bad actors from accessing the machine. An installed system agent pushes these changes live, working wherever the user finds themselves, provided the system is connected to the internet.
The Cloud Directory Service
Unlike its traditional, on-prem counterparts, a cloud directory service is browser-based and offered as-a-Service, making it accessible even when admins are working remotely.
A cloud directory service transcends labels like all on-premises, hybrid cloud, or fully cloud, instead supporting nearly any IT environment. By federating identities through industry standard authentication protocols, a cloud directory service allows users to access and employ their on-prem and cloud resources with ease.
As such, the cloud directory service subverts the usual concept of the domain, creating a domainless enterprise by managing identities and their access to virtually all resources. This approach also precludes the need for perimeter-based defense models, paving the way for dynamic security.
Dynamic Over Perimeter
In a dynamic security model (often described as zero trust), admins focus on securing identities first and foremost instead of the network-focused approach of a perimeter security model. This is largely because user credentials are consistently among the most targeted assets in a breach.
If an attacker compromises an identity, it rarely matters how strong an organization’s network defenses are; the bad actor can log in under the guise of the compromised user without meeting much resistance and go about their business. By prioritizing identity security through strong, centrally managed passwords and functions like MFA, admins can secure users whether they’re at home or in the office. Restricting each identity to the access it actually needs also limits the scope of a potential breach, meaning there’s less damage overall if an end user falls victim to an attack.
From there, admins must then focus on securing user systems, the gateway to all other IT resources. By implementing system-level MFA, FDE, and other security features through group-based policies, admins can ensure that the system is as secure as possible once it’s in the hands of the end user. Then, through cloud-based monitoring and continued policy management, that system remains secure — remote or otherwise.
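The identity-first, device-second decision described in this section, together with the least-privilege point made earlier, can be made concrete as a small policy engine. The following Python is an added illustration and is not JumpCloud’s or the webinar’s code; the resource catalogue, group names, device reports, fixed clock and the 24-hour agent-freshness threshold are all constructed assumptions.

```python
"""Toy zero-trust access decision engine (added example, not vendor code).

Inputs are a directory identity (groups + whether MFA was presented), the
endpoint agent's last device report, and the resource being requested.
All data below is constructed so the example runs offline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed resource catalogue: which groups may use each resource (least
# privilege) and whether it is sensitive enough to demand MFA + a compliant device.
RESOURCES = {
    "wiki":        {"groups": {"engineering", "sales"}, "sensitive": False},
    "prod-db":     {"groups": {"sre"},                  "sensitive": True},
    "payroll-app": {"groups": {"finance"},              "sensitive": True},
}

# Fixed clock so decisions are reproducible in the demo (assumption).
NOW = datetime(2020, 9, 1, 12, 0, tzinfo=timezone.utc)
MAX_AGENT_AGE = timedelta(hours=24)   # stale reports are treated as non-compliant


@dataclass
class Identity:
    username: str
    groups: set
    mfa_verified: bool          # second factor presented in this session


@dataclass
class DeviceReport:
    """What the endpoint agent last reported for the user's machine."""
    screen_lock: bool
    full_disk_encryption: bool
    last_checkin: datetime
    network: str                # informational only; never used in the decision


def make_report(screen_lock, fde, hours_since_checkin, network="unknown"):
    """Helper to build a DeviceReport relative to the fixed clock."""
    return DeviceReport(screen_lock, fde, NOW - timedelta(hours=hours_since_checkin), network)


def device_compliant(dev, now):
    """Return (ok, reasons). Every failed control is reported, not just the first."""
    problems = []
    if not dev.screen_lock:
        problems.append("screen lock disabled")
    if not dev.full_disk_encryption:
        problems.append("disk not encrypted")
    if now - dev.last_checkin > MAX_AGENT_AGE:
        problems.append("agent report stale")
    return (not problems, problems)


def authorize(user, dev, resource, now=None):
    """Decide whether `user` on `dev` may reach `resource`; returns (allowed, reasons).

    Order of checks: identity/group membership first, then factor strength,
    then device posture. The device's network is deliberately ignored: an
    office IP address earns no trust in this model.
    """
    now = now or datetime.now(timezone.utc)
    res = RESOURCES.get(resource)
    if res is None:
        return (False, [f"unknown resource {resource!r}"])
    if not (user.groups & res["groups"]):
        return (False, ["not in an authorised group"])
    if res["sensitive"]:
        reasons = []
        if not user.mfa_verified:
            reasons.append("MFA required")
        ok, problems = device_compliant(dev, now)
        reasons.extend(problems)
        if reasons:
            return (False, reasons)
    return (True, [])


if __name__ == "__main__":
    alice = Identity("alice", {"sre"}, mfa_verified=True)
    home_laptop = make_report(True, True, 2, "home-wifi")
    office_laptop_no_fde = make_report(True, False, 1, "office-lan")
    print(authorize(alice, home_laptop, "prod-db", now=NOW))            # (True, [])
    print(authorize(alice, office_laptop_no_fde, "prod-db", now=NOW))   # (False, ['disk not encrypted'])
```

Note what the decision never consults: the network the device is on. A laptop on the office LAN without disk encryption is refused the production database, while a compliant laptop on home Wi-Fi with MFA is admitted. That is the practical difference between perimeter and dynamic security, and it is why the agent’s posture report has to be fresh: a device that stopped checking in is treated as unknown rather than as still-trusted.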
Unlike with perimeter-based defense models, the network serves less of a major function, acting as more of a conduit than a secure zone. Because remote users are often working from home or some other place where they have an internet connection, it’s difficult for an IT admin to control those networks. If the resources users reach are themselves exposed over authenticated, encrypted protocols (for example, web apps behind HTTPS and SAML), organizations don’t need extensive VPN infrastructure to connect users back to the domain; only resources that still live on the private network need a VPN or similar tunnel.
Instead, admins can implement RADIUS through their cloud directory service so that in-office Wi-Fi and wired networks (via 802.1X / WPA2-Enterprise) authenticate each user individually with their directory credentials rather than a shared pre-shared key. RADIUS also provides the ability to add MFA to VPN logins for organizations that keep a VPN to further secure their users.
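To show what presenting directory credentials over RADIUS means on the wire, here is an added Python example (not JumpCloud’s code) of a single Access-Request / Access-Accept exchange as specified in RFC 2865: the client hides the password using the shared secret and the Request Authenticator, the server recovers it, checks a constructed user directory, and answers with a Response Authenticator that the client verifies before trusting the result. The shared secret, credentials, NAS identifier and fixed authenticator are constructed values; nothing is sent on the network.

```python
"""Minimal RADIUS (RFC 2865) Access-Request / Access-Accept exchange.

Added illustration, not vendor code. Both the NAS (client) and server sides
are implemented here so the exchange runs offline.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, then c_i = p_i XOR MD5(secret + c_{i-1}),
    with c_0 = Request Authenticator. This is obfuscation keyed by the shared secret."""
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side inverse of hide_password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value      # Type, Length, Value


def _packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(username, password, secret, ident, authenticator=None):
    """NAS side: a fresh random Request Authenticator unless one is supplied (tests)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(ATTR_NAS_IDENTIFIER, b"office-wifi"))             # constructed NAS name
    return _packet(ACCESS_REQUEST, ident, authenticator, attrs)


def parse_attrs(packet):
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def server_handle(packet, secret, directory):
    """Server side: recover the password, check the directory, sign the reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = parse_attrs(packet)
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    reply = ACCESS_ACCEPT if directory.get(attrs.get(ATTR_USER_NAME)) == password else ACCESS_REJECT
    resp_attrs = b""
    header = struct.pack("!BBH", reply, ident, 20 + len(resp_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + req_auth + resp_attrs + secret).digest()
    return header + resp_auth + resp_attrs


def client_verify(response, request, secret):
    """NAS side: return the reply code only if the Response Authenticator checks out."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    if header[1] != request[1]:                      # identifier must match our request
        return None
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        return None
    return header[0]


if __name__ == "__main__":
    secret = b"s3cr3t-shared"                        # constructed shared secret
    users = {b"alice": b"correct horse battery staple"}
    req = build_access_request(b"alice", b"correct horse battery staple", secret, 7)
    print(client_verify(server_handle(req, secret, users), req, secret))   # 2 (Access-Accept)
```

Two caveats a practitioner would want. First, the User-Password hiding above is MD5 obfuscation keyed only by the shared secret, not real encryption, so RADIUS traffic should stay on a management network or be carried over TLS (RadSec, RFC 6614), and 802.1X deployments normally run EAP-TLS or PEAP inside RADIUS rather than a bare PAP password. Second, the MFA-on-VPN flow the text mentions is this same exchange with an Access-Challenge in the middle: the server answers the first request with a challenge and a State attribute, and the client resubmits with the one-time code and that State echoed back.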
Ultimately, there’s no silver bullet to security; with any setup, there is a real possibility that you will be breached. But, to borrow a military phrase, don’t fight a war in the present with weapons from the past. Perimeter-based defenses rely on traditional, domain-bound networks that simply aren’t feasible with today’s web applications and remote users. With a domainless, dynamic-security model, it doesn’t matter if users are in-office or working from home, they can be secured.
How to Transition to a Domainless Model
Like with any major infrastructure transition, going domainless isn’t something that will happen overnight, but can happen incrementally with success.
To start, IT administrators need to seek out a cloud directory service option that can manage virtually all IT resources. Armed with that solution, admins can start by controlling identities and their access to certain aspects of their environment such as apps, systems, etc.
Organizations heavily invested in AD infrastructure should consider phasing out their domain controller over time by systematically lifting their identities to the cloud directory service. Some vendors even offer tools to help admins with this process.
A cloud directory service can also be used to help bridge the gap between the AD domain and resources/users that exist outside of it. This AD integration approach reduces the amount of money and time spent jumping between tools like SSO and identity bridging solutions, consolidating these needs into a single platform that sits atop an AD instance.
If your company doesn’t have any domain infrastructure, then going domainless is easy. For example, one IT admin’s account of choosing, implementing, and operating an all-in-one directory service to manage and secure remote workers is a useful reference for that starting point.
To learn more about what it means to be a domainless enterprise, reach out to us. As experts in the cloud identity management space for the past five years, we want to help all IT admins pioneer their own domainless architecture to streamline and secure their environments — regardless of if they’re remote or on-premises.