Are Cloud-Based Directories Secure?

By Rajat Bhargava Posted September 14, 2016

We often get asked whether cloud-based directories are secure. It is a good question, and one we have come to expect. But the better question is how your directory service is secured, whether it runs in the cloud or on-premises. The directory service is a core part of any organization’s network infrastructure: it houses credentials and records what those credentials can access. A directory service looks like a prime target, but a well-built cloud-based directory should leave an attacker with very little to gain. Let us explain why.

Inner Workings of Cloud-Based Directory Security

Whether a cloud-based directory service is secure depends on its implementation. We cannot speak for other solutions, but we can describe what a solid, secure cloud-based directory service looks like. A great deal of security work happens behind the scenes at any cloud identity provider. Here is what the best solutions should be doing.

One-Way Hashing and Salting of Passwords

Identity providers store credentials and sensitive information. Passwords should be salted and one-way hashed, so that they are unrecoverable even by the provider. Encryption alone is what most providers in the space use, but it is not an acceptable alternative from a security standpoint: encryption requires a decryption key, and that key can be compromised. A salted one-way hash cannot be reversed; the only way to reproduce it is to supply the exact password as input. The hash function should also be a deliberately slow password hash (bcrypt, scrypt, PBKDF2 or Argon2) rather than a fast general-purpose hash, so that a leaked table cannot be brute-forced cheaply. Make sure your cloud identity provider employs this method.
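
The following is an added example, not code from the original post or from JumpCloud, showing the difference between the pattern to avoid (a fast, unsalted hash) and a salted, slow one-way hash with constant-time verification. The iteration count, record format and sample passwords are assumptions for illustration; a real provider tunes the work factor to its own hardware.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. This value is an assumption for the
# example; a real provider tunes it to its hardware and raises it over time.
ITERATIONS = 600_000
SALT_BYTES = 16
DKLEN = 32


def naive_sha256(password: str) -> str:
    """The pattern to avoid: a fast, unsalted hash. Two users with the same
    password get the same digest, and a leaked table can be attacked with
    precomputed tables or billions of guesses per second."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, deliberately slow one-way hash.

    Returns a self-describing record 'pbkdf2_sha256$iterations$salt$digest'
    (hex-encoded) so the work factor can be raised later without breaking
    existing records. The salt is random per user, so equal passwords
    produce unrelated records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=DKLEN)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and parameters and compare in
    constant time. Nothing in `record` lets anyone recover the password."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    expected = bytes.fromhex(digest_hex)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations),
                                    dklen=len(expected))
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: two users who happen to choose the same password.
    pw = "correct horse battery staple"
    alice = hash_password(pw)
    bob = hash_password(pw)
    print("naive digests equal:", naive_sha256(pw) == naive_sha256(pw))  # linkable
    print("salted records equal:", alice == bob)                          # unrelated
    print("alice verifies:", verify_password(pw, alice))
    print("wrong password:", verify_password("Tr0ub4dor&3", alice))
```

The record carries its own parameters, so when the iteration count is raised, old records still verify and can be re-hashed transparently on the user's next successful login.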

No Storage or Generation of Private Keys

Unified cloud directory services manage and store SSH keys (at least the most comprehensive ones do), but the keys they hold are public keys. They should never generate or store private keys. A private key should be generated on the user’s own device, one the user knows has never been compromised, and it should never be created elsewhere or stored outside the user’s control. Unfortunately, this is done routinely: some providers generate and hold private keys for convenience, and that is a significant security risk. Prefer solutions that store only public keys, with private keys kept where they belong – privately.
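
As an added example (not code from the original post or from JumpCloud), here is the check a directory's key-upload endpoint can run so that it accepts only well-formed public keys and refuses anything that looks like private key material. It parses the OpenSSH authorized_keys line format and the SSH wire encoding of the key blob (RFC 4251 length-prefixed strings). The accepted-type list, the error strings and the sample keys are assumptions; the sample ed25519 point is constructed bytes, not a real key.

```python
import base64
import binascii
import struct
from typing import Tuple

# Public-key algorithm names (OpenSSH authorized_keys format) the directory
# is willing to store. This list is an assumption for the example.
ACCEPTED_KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                      "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

# Markers found in PEM / OpenSSH private key files. Anything containing one of
# these is secret material and must be refused outright, never stored.
PRIVATE_MARKERS = ("PRIVATE KEY", "BEGIN OPENSSH")


def read_ssh_string(buf: bytes, offset: int) -> Tuple[bytes, int]:
    """Read one length-prefixed string from the SSH wire encoding."""
    if offset + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack_from(">I", buf, offset)
    start, end = offset + 4, offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[start:end], end


def validate_public_key(line: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for one submitted key line."""
    if any(marker in line for marker in PRIVATE_MARKERS):
        return False, "private key material must never be uploaded"
    parts = line.strip().split()
    if len(parts) < 2:
        return False, "expected '<type> <base64 blob> [comment]'"
    key_type, blob_b64 = parts[0], parts[1]
    if key_type not in ACCEPTED_KEY_TYPES:
        return False, "unsupported key type %r" % key_type
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except (binascii.Error, ValueError):
        return False, "key blob is not valid base64"
    try:
        # The blob's first field repeats the algorithm name; it must agree
        # with the declared type, or the line has been tampered with.
        wire_type, offset = read_ssh_string(blob, 0)
        if wire_type.decode("ascii", "replace") != key_type:
            return False, "key type in blob does not match declared type"
        if key_type == "ssh-ed25519":
            point, offset = read_ssh_string(blob, offset)
            if len(point) != 32 or offset != len(blob):
                return False, "malformed ed25519 public key"
    except ValueError as exc:
        return False, str(exc)
    return True, "%s public key accepted" % key_type


def make_ed25519_line(public_point: bytes, comment: str) -> str:
    """Build an authorized_keys-style line from a raw 32-byte ed25519 point.
    Used here only to construct sample input; in practice the line comes from
    the user's own ssh-keygen, and the private half never leaves their device."""
    blob = (struct.pack(">I", len(b"ssh-ed25519")) + b"ssh-ed25519"
            + struct.pack(">I", len(public_point)) + public_point)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


# Constructed samples (not real keys): a well-formed public key, and the start
# of a private key file that a user might paste by mistake.
SAMPLE_PUBLIC = make_ed25519_line(bytes(range(32)), "alice@laptop")
SAMPLE_PRIVATE = "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA..."

if __name__ == "__main__":
    for sample in (SAMPLE_PUBLIC, SAMPLE_PRIVATE):
        print(validate_public_key(sample))
```

Storing the public half is safe because it carries no secret; the only thing worth protecting is the private key, and the check above makes sure the directory never receives one.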

Multi-Factor Access for Administration

Administration of the service needs to be protected. The best way to do that is to require multi-factor authentication (MFA / 2FA) when admins log in. Ideally, the service also offers multi-factor authentication for end users and at other access points. MFA / 2FA is one of the best ways to step up security in any user access situation because the second factor is something the user possesses, such as a hardware token or an authenticator app, rather than a second secret they know. A stolen or guessed password alone is then no longer enough to get in.

Logging and Event Data

Understanding and having access to user authentication data is critical for any cloud-based directory service. You need to be able to see who has been granted access, who has been denied, and when. That data also gives you insight into security risks: a burst of failed attempts from one source, or failures spread across many accounts from a single address, warrants an investigation into how and why they are happening. An Identity-as-a-Service platform should give you that insight and the identity security visibility you need.
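
As an added example (not code from the original post or from JumpCloud), here is the kind of detection logic that turns raw authentication events into the two findings described above: a burst of failures from one source inside a sliding window, and a single source failing against many different accounts (a password spray). The key=value log format, the thresholds and the log lines themselves are constructed for this example; a real directory's event export has its own schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample events in an assumed key=value format. The addresses are
# documentation ranges; 198.51.100.5 is the one misbehaving source.
SAMPLE_LOG = """\
2016-09-14T08:00:01Z auth user=alice src=203.0.113.7 result=success
2016-09-14T08:00:09Z auth user=bob src=198.51.100.5 result=failure
2016-09-14T08:00:12Z auth user=carol src=198.51.100.5 result=failure
2016-09-14T08:00:15Z auth user=dave src=198.51.100.5 result=failure
2016-09-14T08:00:19Z auth user=erin src=198.51.100.5 result=failure
2016-09-14T08:00:22Z auth user=frank src=198.51.100.5 result=failure
2016-09-14T08:00:25Z auth user=grace src=198.51.100.5 result=failure
2016-09-14T08:03:40Z auth user=alice src=203.0.113.7 result=failure
2016-09-14T08:03:52Z auth user=alice src=203.0.113.7 result=success
2016-09-14T09:15:00Z auth user=bob src=192.0.2.44 result=failure
"""


def parse_line(line: str) -> dict:
    """'<timestamp> auth k=v k=v ...' -> dict with a datetime under 'time'."""
    ts, _, rest = line.split(" ", 2)
    event = {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in rest.split():
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text: str) -> List[dict]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def failure_bursts(events: List[dict], threshold: int = 5,
                   window: timedelta = timedelta(seconds=60)) -> List[Tuple[str, int]]:
    """Sources with at least `threshold` failures inside any sliding window.
    Returns (source, peak failures in one window), in first-seen order."""
    by_src: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e.get("result") == "failure":
            by_src[e["src"]].append(e["time"])
    findings = []
    for src, times in by_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings.append((src, peak))
    return findings


def password_sprays(events: List[dict], min_users: int = 3) -> Dict[str, List[str]]:
    """Sources whose failures span many distinct accounts: one source trying a
    few passwords against many users, which per-account lockout never sees."""
    users: Dict[str, set] = defaultdict(set)
    for e in events:
        if e.get("result") == "failure":
            users[e["src"]].add(e["user"])
    return {src: sorted(u) for src, u in users.items() if len(u) >= min_users}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("bursts:", failure_bursts(evs))
    print("sprays:", password_sprays(evs))
```

The single failure from alice's usual address followed by a success is the normal case and produces no finding; the point of keeping the events is that both patterns from 198.51.100.5 are invisible in per-account lockout counters and only appear when the data is viewed per source.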

Security Training / Compliance

With any SaaS service, you are entrusting your data to a third-party provider. That provider should have stronger security training and compliance activities than you do; it is their job and something they work on full time. The best Directory-as-a-Service® provider has an in-depth training and compliance program.

A cloud-based directory service supports your security and compliance initiatives and should be a step up in your overall security. It should be a relief to have professionals managing this critical security system. The best providers have all of these capabilities and more, including additional controls such as firewalls, access control lists, VPNs, and network segmentation.

JumpCloud: Secure Cloud-Based Directories

If you would like to learn more about how JumpCloud’s Directory-as-a-Service platform supports your identity management security initiatives, drop us a note. You can rest assured that our cloud-based directory is based on a foundation of security and trust. We are happy to discuss it with you in detail.

Rajat Bhargava

Rajat Bhargava is co-founder and CEO of JumpCloud, the first Directory-as-a-Service (DaaS). JumpCloud securely connects and manages employees, their devices and IT applications. An MIT graduate with two decades of experience in industries including cloud, security, networking and IT, Rajat is an eight-time entrepreneur with five exits including two IPOs, three trade sales and three companies still private.