For the modern organization, nothing is more important than security. So it’s no surprise that we’re often asked, “Is a cloud-based directory service safe?”
It’s a good question and one that is deeply rooted in the history of identity management. So before we discuss the state-of-the-art security practices that are implemented by cloud-based services today, I want to take a few moments to discuss the conventional approach and how it has influenced our view of security today.
The History of Identity Management
Traditionally, identity and access management platforms have lived on-prem. Of course, 20 years ago there wasn’t the concept of the cloud as it exists today, so it made sense that an identity provider would be on-prem.
IT organizations did leverage directory services solutions and store their user credentials there. In that era, OpenLDAP and Microsoft Active Directory were popular options.
Because those solutions were hosted on-prem, the directory services platforms themselves didn’t need to focus on security. Sure, they needed to be secure, but there would be a moat of sorts around those identity management solutions. Organizations would have firewalls, intrusion detection systems, VPNs, encryption, and all kinds of other network security systems.
With all of these protections, there was no incentive to make the directory itself more secure. Therefore, the prevailing view became that a directory service needed to be on-premises because that platform in and of itself wasn’t secure enough. It also needed to be supplemented with additional security measures.
With that as a backdrop, you can understand the line of questions around security.
Of course, modern Identity-as-a-Service providers understand this problem. Hosting a directory service platform in the cloud can’t start with the same approach as on-premises solutions. Security for Directory-as-a-Service® is built from the ground up. Any service that is hosted on the public internet needs to take security seriously. The approach that JumpCloud® has taken with our Directory-as-a-Service platform is to have multiple layers of security.
Inner Workings of Cloud-Based Directories Security
Whether a cloud-based directory service is secure or not depends on the implementation. Obviously, we cannot speak for other solutions, but we can discuss what constitutes a solid, secure cloud-based directory service. There are a large number of security items that happen behind the scenes with any cloud identity provider. We’ll review what the best solutions should be doing.
Layers Of Our Cloud-Based Directory Service Safety Include:
Salted and Hashed Passwords
Any passwords stored within JumpCloud’s cloud-hosted directory are one-way salted and hashed. They should be unrecoverable. While encryption alone is used by most providers in the space, it’s not acceptable alternative from a security standpoint.
Encryption requires a key for decryption, putting it at risk of being compromised. A one-way hash that has been salted cannot be recreated without the exact password as the input. Make sure your cloud identity provider employs this method.
No Storage or Generation of Private Keys
Unified cloud directory services will manage and store SSH keys (at least the most comprehensive ones will). However, they won’t let you store or generate private keys. Private keys should always be generated on a person’s private device that they know has never been compromised. That private key should not be created elsewhere and stored outside the user’s control. Unfortunately, it is routinely done. Some providers offer these services for convenience, but they are a significant security risk. Solutions that store public keys are preferred with private keys stored where they should be – privately.
All communication within the Directory-as-a-Service platform is done through mutual TLS. This level of communication requires certificates on both sides of the connection which steps up the level of security.
Multi-Factor Access for Administration
Administration of the service needs to be protected. The best way to do that is to add multi-factor authentication (MFA / 2FA) to the login process for admins. Ideally, the service also offers multi-factor for users and in other places. MFA / 2FA is one of the best ways to step-up security in any user access situation because the second form of authentication is a token that the user has or knows, making it much more difficult to obtain for would-be hackers.
Logging and Event Data
Understanding and having access to the user authentication data is critical for any cloud-based directory service. You need to be able to see who has and who has not been granted access. Data can also give you insight into security risks. If you are seeing a lot of access attempts, you will want to investigate how and why those are happening. An Identity-as-a-Service platform will give you that insight and help you have the identity security visibility you need.
A cloud-based directory service supports your security and compliance initiatives. It should be a step-up of your overall security. In fact, it should be a relief that you have professionals managing this critical security solution. The best providers have all of these capabilities and more. In fact, they will have a number of other security solutions such as firewalls, access control lists, VPNs, and network segmentation among others.
While the technology layers are an important piece of the security puzzle, so is training all of your employees to understand how they can support your security posture.
A cloud-based directory service is an innovative approach to solving the identity management problem for modern, cloud-forward organizations. New technologies always come with questions. In this case, the question has been whether a cloud-hosted directory is secure. With a significant number of best practice approaches to security, modern directory solutions can be as secure as or even more so than their on-premises counterparts.
With any SaaS service, you are entrusting your data to a third-party provider. That provider should have better security training and compliance activities than you. It’s their job and something that they spend all their time working on. The best cloud directory has an in-depth training and compliance program.
Put Safety First With JumpCloud
If you would like to learn more about how JumpCloud’s Directory-as-a-Service is secured and how it can help you be more secure, drop us a note. Since your first 10 users are free forever, give our SaaS directory service a try for yourself.