By Rajat Bhargava Posted September 29, 2014
The hot new trend in managing privileged users is to leverage open source configuration automation solutions such as Chef and Puppet. When you start to understand the benefits of solutions like Chef and Puppet, it is easy to understand why sysadmins, IT admins, and developers like the approach of managing users with configuration automation.
- Simplicity – most implementations take a very simple approach to user management: every privileged user gets access to all of the servers controlled by Chef or Puppet. Their keys or passwords can be embedded into the scripts so that the accounts are always placed on the machines, and because configuration management runs are idempotent, an account removed by a manual change or mistake is reinstated within the configured run interval. For situations where there are a modest number of admins and they all need access, the configuration automation approach makes a lot of sense.
- Leverage existing code – because Chef and Puppet have native support for user management, it’s very easy to set up simple user configurations. Many of the available scripts are virtually plug and play: a few values are updated and they are ready to use. This saves busy technical employees a tremendous amount of time, which they either don’t have to spare or, more importantly, should be spending on critical matters.
- No need to set up or integrate with AD or LDAP – for many organizations, a Chef or Puppet user management implementation may mean no Active Directory or LDAP. Both of those solutions require significant effort to set up, manage, and integrate. Rather than taking that approach, admins and developers can take a much lighter-weight approach to managing access to their servers and specifically to the authentication and authorization of users on servers.
- No software cost – another benefit of this approach is that these solutions are open source. There is no cost for the software, only for the time it takes to implement and manage it within the organization.
This approach to managing users on servers is effective for many organizations. Generally, it is organizations that are small, have few servers, have no audit requirements, or are not using a central directory service that adopt the configuration automation method of user management.
While there are a number of benefits to this approach, there are also some significant drawbacks. Unfortunately, most organizations don’t think about these drawbacks until they find themselves in a situation where there is a problem.
The challenges that organizations face over time when managing users with solutions such as Chef and Puppet include:
- Not a user directory – managing server users with Chef and Puppet does not provide you with a central directory store. In essence, these users are one-offs for your servers, and they can’t be leveraged for third-party services such as AWS RDS or Redshift. Of course, the simplicity of a script-driven approach is precisely what distinguishes it from a managed, central user directory service. However, for many organizations, a central identity provider is a critical component of their infrastructure. For organizations that already have a central directory service – either AD or LDAP – managing users with Chef and Puppet doesn’t leverage the existing user store. For those that don’t have a central directory service but will likely grow and need one, the configuration automation tool approach will end up being a temporary solution.
- Uniform access to servers – while not every organization uses Chef and Puppet to give all of their users identical access, it is generally the norm. Usually, the amount of code required to provide per-user access or to create groups is not considered worth it, so the simple ‘everybody has access to everything’ model ends up being the default. Of course, as organizations grow, this runs counter to the best practice of least privilege: giving each employee only the access their role requires.
- Lack of scalability – as the organization adds more and more users to the scripts, the principles of reduced scalability come into play. A major byproduct is an increased chance of errors, with technical personnel spending more time managing the issues resulting from user scripts. For small organizations with few people, and for those that don’t anticipate growing, the lack of scalability may not be a critical issue. But for most organizations, the lack of scalability translates into increased cost and decreased reliability.
- Lack of integration – because there is no centralized directory service, solutions that provide single sign-on (SSO) or multi-factor authentication (MFA) cannot be integrated to give your users the convenience and security of these types of solutions.
- Auditing / security – as organizations grow, they need to track and audit access to their servers. Unfortunately, with the config automation tools you are unable to easily audit access or add security measures such as multi-factor authentication. For regulations such as PCI and others, auditing, access control, and multi-factor authentication are critical to passing those requirements.
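As an added illustration that is not part of the original post: a Puppet manifest showing the flat ‘every admin on every server’ pattern described under Simplicity, followed by a role-scoped variant that addresses the uniform-access drawback and also removes offboarded users on the next run. The `role` fact and the key values are assumed placeholders.

```puppet
# Added example (not code from the original post or from JumpCloud).
# Key bodies are constructed placeholders, not real public keys.

# Pattern 1: the flat approach the post describes. Every admin lands on
# every node this manifest is applied to; nothing is ever removed.
$admins = {
  'alice' => 'AAAA...PLACEHOLDER_ALICE',
  'bob'   => 'AAAA...PLACEHOLDER_BOB',
}
$admins.each |String $name, String $key| {
  user { $name:
    ensure     => present,
    managehome => true,
    groups     => ['sudo'],
  }
  ssh_authorized_key { "${name}@flat":
    ensure => present,
    user   => $name,
    type   => 'ssh-ed25519',
    key    => $key,
  }
}

# Pattern 2: scope access by node role. Assumes a hypothetical custom
# fact $facts['role'] (e.g. 'web' or 'db') set on each node.
$all_users = {
  'alice' => { 'key' => 'AAAA...PLACEHOLDER_ALICE', 'roles' => ['web', 'db'] },
  'bob'   => { 'key' => 'AAAA...PLACEHOLDER_BOB',   'roles' => ['web'] },
  'carol' => { 'key' => 'AAAA...PLACEHOLDER_CAROL', 'roles' => [] }, # offboarded
}
$node_role = $facts['role']

$all_users.each |String $name, Hash $info| {
  if $node_role in $info['roles'] {
    user { $name:
      ensure     => present,
      managehome => true,
      groups     => ['sudo'],
    }
    ssh_authorized_key { "${name}@scoped":
      ensure => present,
      user   => $name,
      type   => 'ssh-ed25519',
      key    => $info['key'],
    }
  } else {
    # Not entitled on this role (or no roles at all): the idempotent run
    # removes the account and its home directory, so revocation propagates.
    user { $name:
      ensure     => absent,
      managehome => true,
    }
  }
}
```

Note that even the scoped variant only records what Puppet changed in its run reports; it still does not log who actually logged in, which is the auditing gap the post describes.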
Chef and Puppet provide an easy way to get started managing access to servers, especially if they are in the cloud. Unfortunately, they start to hit some key impediments as an organization scales. How are modern organizations combining the simplicity and ease of implementation while solving for the drawbacks of Chef and Puppet? These organizations are leveraging SaaS-based user management solutions. Often called Directory-as-a-Service® solutions, they help easily control access to servers while eliminating the drawbacks of a scripted solution.
A SaaS-based directory services solution provides an easily managed user directory. The cloud identity management platform can be the central, core user store of record for the organization or it can be a mirror of the master directory. Users and servers can be grouped to provide more granular access. User access is fully logged and audited to ensure that the right users have the right access. If access needs to be changed, it can be modified with just a few clicks, including terminating users across the entire server fleet almost instantaneously. Users and servers can be managed across different operating systems and server locations whether on-prem, hosted at data centers, or cloud providers. Further, because the solution is SaaS-based, there is no on-premise equipment or software that needs to be managed. Cloud-based directory services also have the benefit of being easily scalable: you are only charged for what you use.
Managing Users Is Easy With DaaS
Innovative organizations are leveraging config automation solutions to get started but are quickly moving to scalable, secure SaaS-based Directory-as-a-Service systems as their identity management needs become more complex. For more information on SaaS-based directory services, contact JumpCloud®, or sign-up for a free account.