By Greg Keller Posted February 2, 2015
This is the third post in our four-part series on cloud server user management. Here’s a list of the others.
- Cloud Server User Management
- 6 Ways to Manage Users on Cloud Servers
- Challenges of Connecting Directory Services to Cloud Computing (you’re here!)
- Connecting Cloud Servers to your AD or LDAP Store
We’ve talked a lot about different methods to connect your internal user directory store with your cloud server infrastructure. As a recap, here are the methods that we’ve discussed:
- Manual user management
- Config automation (e.g. Chef/Puppet)
- Expose AD/LDAP to the Internet
- Secondary AD/LDAP user store
- Enterprise identity management solution
There are four core problems with this collective group of solutions.
Problem 1: Multiple Directories
It is critical for organizations to have only one source of truth for users on the network. As you can imagine, multiple directories or manual cloud computing user management can easily cause conflicts or disagreements in data. Manifestations of problems in this category can be catastrophic. Imagine what could happen if a terminated employee still had access to critical servers because there wasn’t an in-sync directory service mapping of users to server access. Security could be breached instantaneously. What’s more, security of data inherently becomes more complex as companies grow.
While maintaining multiple disparate directories is never a good idea, the practice has been driven by very real, and in some cases seemingly insurmountable, technical issues. By default, LDAP does not share the same schema as Microsoft Active Directory®. Therefore, extra effort must be made to have Windows, Mac, or Linux clients authenticate against OpenLDAP™. Making one directory drive an entire organization is not a trivial task, so many organizations opt for two directories: one AD (usually the primary directory, because of its superior management UI) to cover the Windows systems, and a slave LDAP server to cover everything else.
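The terminated-employee scenario above is a directory-drift problem, and the check a practitioner wants is one that compares a server's local accounts against the directory of record. The following script is an added example, not code from the original post or from JumpCloud; the directory export and the /etc/passwd contents are constructed samples, and the field names are assumptions.

```python
# Directory-drift check: flag local server accounts that the source-of-truth
# directory no longer considers active (added example, not JumpCloud code).
from dataclasses import dataclass

# Constructed sample of what the central AD/LDAP directory reports. A real
# export would come from ldapsearch or an AD query; these users are made up.
DIRECTORY_USERS = {
    "alice": {"enabled": True},
    "bob": {"enabled": False},   # terminated: disabled in the directory
    "carol": {"enabled": True},
}
# Constructed sample of a cloud server's /etc/passwd (local accounts only).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
dave:x:1003:1003::/home/dave:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

@dataclass(frozen=True)
class Finding:
    user: str
    reason: str

def parse_passwd(text: str, min_uid: int = 1000) -> list[str]:
    """Login names of human (non-system) accounts that have a usable shell."""
    users = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed or blank lines
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if uid >= min_uid and not shell.endswith(("nologin", "/false")):
            users.append(name)
    return users

def find_drift(local_users: list[str], directory: dict) -> list[Finding]:
    """Compare local accounts against the directory's view of who is active."""
    findings = []
    for user in local_users:
        entry = directory.get(user)
        if entry is None:
            findings.append(Finding(user, "not in directory (created by hand?)"))
        elif not entry["enabled"]:
            findings.append(Finding(user, "disabled in directory, still present"))
    return findings
```

Run on the samples, `find_drift(parse_passwd(PASSWD_SAMPLE), DIRECTORY_USERS)` reports bob (disabled centrally but still a valid local login) and dave (a local account the directory never knew about).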
Problem 2: Network Configuration/Security Exposure
The move to the cloud and cloud computing for many companies is an acknowledgement that networking and network related configurations aren’t an effective use of their time. Unfortunately, exposing your directory service to the Internet or standing up an additional directory store in the cloud each come with network configuration requirements. You’ll need to be careful to walk through the right access controls and make sure that all of your machines can talk to each other properly. You’ll need to:
- Set up the correct firewall configuration
- Ensure proper routing
- Configure any necessary VPN connections
- Deal with SSL certificates and configurations
While not impossible, it’s an added task that most organizations moving to the cloud would rather avoid.
Problem 3: Reliability Issues
A number of the approaches listed above also have inherent reliability issues.
First of all, manually managing user access is subject to human error. Did every person get the access that they needed or did they get too much access? Was the user’s name typed in properly? Or was there a typo? Creating additional directory servers in the cloud also starts an additional chain of work. Directory servers need to be highly available because any downtime can mean your users can’t do their work.
Finally, exposing your directory server to the Internet can invite attacks or cause it to be subject to Internet connectivity issues between your cloud servers and your directory store. You’ll need to address those issues either through load balancing or increased capacity.
Problem 4: High Cost
Traditional solutions to server directory services problems are expensive for organizations, whether it is from a monetary standpoint or a time and resources perspective. Either way you cut it, managing users across your organization is often not a core competency. It needs to be done well and securely, but the costs of having resources focus on this task versus core tasks can be expensive.
The Real Solution
The sixth solution we have discussed is Directory-as-a-Service®. JumpCloud’s DaaS solution is focused on solving these specific issues. By extending your internal AD/LDAP directory to JumpCloud®, you continue to have one user store of record. As a cloud-based directory service, the networking is effectively taken care of for you, thereby simplifying the complex management issues and reducing human errors. To get started, businesses simply need to point their servers to authenticate with our LDAP server or install the agent. Both methods (authentication with our LDAP server or an installed agent) are highly secure and reliable with multiple levels of redundancy. As a SaaS-based service, customers get to off-load the software, hardware, and management costs to JumpCloud, creating a more cost-effective cloud computing solution.
JumpCloud’s cloud-based directory service covers a lot of ground for organizations. It’s an Identity-as-a-Service platform that centralizes user management, is a virtual LDAP server, True Single Sign-On™ provider, RADIUS-as-a-Service infrastructure, 2FA add-on (for Windows, Mac, and Linux), device management tool, and more.