By Jon Griffin Posted August 22, 2017
A new category of solutions in the identity and access management world is creating a great deal of discussion. Called cloud directory services, this new IAM category is changing the way that IT admins are thinking about their IT infrastructure. Historically, the core of the identity management world has been dominated by Microsoft Active Directory®. Virtually all other IAM solutions have been built on top of AD.
But as the IT landscape changed to accommodate mixed-platform environments, cloud infrastructure, web applications, and WiFi, a different approach to directory services was required. A new generation of Directory-as-a-Service® is emerging to address the modern organization. Below, we answer a number of questions that IT admins have about this new technology.
10 Questions to Ask About Cloud Directory Services
1. What are cloud directory services?
Cloud directory services are the central, authoritative identity servers that connect your users to whatever IT resources they need to access. The user identity is the core object: it is stored once, securely, within the platform and then federated out to a wide variety of IT resources, from systems to applications and networks. Neither the location of those resources nor the location of the user matters. In addition, the cloud directory service is blind to platform and provider; it treats all major platforms and providers as equals, which leaves IT organizations free to choose the right solutions for their needs.
Cloud directory services are secure, highly available, and offered as-a-service. This limits the amount of effort that IT admins need to expend to get central authentication services.
2. How is a cloud directory service different from Microsoft Active Directory?
There are a number of differences between a cloud directory service and Microsoft Active Directory. Perhaps the most striking is that a cloud directory is platform-agnostic and vendor-independent. AD is built primarily around Windows devices and applications, whereas a cloud identity provider is cross-platform. Windows, macOS, Linux, AWS, G Suite, Office 365, and many more are treated equally and tightly integrated. Protocols like LDAP, RADIUS, and SAML are used to connect virtually any IT resource to the cloud directory service.
Furthermore, Active Directory carries built-in assumptions that are hard to ignore. When AD was created almost two decades ago, the IT environment was dramatically different. Virtually everything was hosted on-prem. AD sat on the internal LAN, and users and IT resources were local to the domain controller. The assumption, therefore, was that every resource would connect directly to AD. For remote users this meant a VPN: log in to the VPN first, then reach the network, and only then authenticate to the domain to access file servers, software applications, and other IT resources.
The second major assumption was that security would be wrapped around the AD server rather than built into it. AD itself therefore carried few security controls of its own; it relied on being housed internally, behind the firewall and intrusion detection systems that protected it. An attacker who reached the server had already bypassed every safeguard, which meant the organization was in serious trouble.
The concept of cloud directory services is vastly different. This approach assumes that modern IT organizations don't have a trusted network. In fact, their "network" is just a collection of IT resources that could be located anywhere in the world and come from any number of providers. The user's connection to each of these IT resources must be secured individually. As a result, the security model of Identity-as-a-Service is also vastly different.
With a cloud directory, security is built in from the core. Passwords are stored only as salted one-way hashes, so the plaintext is never visible to anyone, the provider included, and cannot be recovered from the stored value. (Hashing does not stop an attacker who obtains the stored hashes from guessing weak passwords offline, which is why a slow, salted hash and a sensible password policy go together.) Because there is no trusted network within the platform, all connections are over mutual TLS. Additional security measures are in place to help secure the cloud platform.
A virtual directory service is not just a replacement for Active Directory, it is the reimagination of what directory services should look like for the future.
3. Is it even possible to replace Active Directory?
Yes. Over the past two decades, IT organizations have been accustomed to working with only two directory services solutions: Microsoft Active Directory and OpenLDAP™. While OpenLDAP is popular, it is not used as prevalently as the core identity provider for an organization. Microsoft Active Directory dominated the on-prem directory services space. This made a lot of sense over the past couple of decades because of the environment. Virtually all organizations were hosted on-prem and built on Microsoft Windows. A user and device management system that worked tightly with Windows-based systems and applications was the right choice.
As the IT landscape shifted, with macOS and Linux devices becoming more popular, AWS becoming the data center of choice, web applications becoming a staple, and users becoming more mobile, IT admins quickly learned that keeping Active Directory meant purchasing a number of third-party solutions to cover the gaps.
Cloud-forward organizations opted for a different direction. Instead of patching holes in the AD product line, they opted for an independent directory service called Directory-as-a-Service. The approach of this agnostic identity provider was to shift identity management to the cloud and make it heterogeneous. All major platforms would be treated equally, rather than Windows being the first-class citizen and everything else being either subpar or not supported. To help in supporting more IT resources, another critical innovation was to create a central directory service in the cloud that supported a wide variety of protocols.
IT admins realized that an alternative to Active Directory existed and it enabled them to move completely to the cloud.
4. What are the benefits of cloud directory services?
There are tremendous benefits to a cloud directory service. We’ve listed just a few below:
- Frictionless access for end users – ultimately, the goal for IT is to enable their end users. To do that effectively, there needs to be a mechanism that allows IT to easily grant users access to the IT resources they need. Also, end users need to have an easy way to securely access all of their IT resources. That means having a True Single Sign-On™ approach for authentication to IT resources.
- Tight control for IT – ensuring that access to an organization's resources is granted only to those who need it. Historically, that has been managed through multiple directory services or mini-directories (local user management on each system). This creates a great deal of work for IT and increases the risk of compromise. A cloud directory service reduces the effort required from IT while also increasing security.
- Avoiding lock-in – historically, directory services have been code for being locked into the Microsoft Windows platform. Today, IT organizations are shifting away from Windows and from single-vendor environments. They are searching for the best IT technology and don’t want to be limited by what they can manage and control via their directory. A modern Directory-as-a-Service implementation gives them the freedom to leverage virtually any IT resource, while still being able to manage user access.
- Cost effective – in the past, the cost of the identity management platform was not even a decision point, because there was no alternative. IT admins were at the mercy of the vendor and knew it was a must-have infrastructure component. The good news with cloud directory services is that their approach to a central identity provider can be much more cost effective.
IT organizations are incredibly busy and they are the enablers for today’s organizations. A central cloud directory service can provide significant benefits for virtually any organization.
5. What do I need to implement cloud directory services?
The good news is, you don't need much. Because the cloud directory services platform is hosted in the cloud, you don't need to run any directory servers or server software yourself (a lightweight agent on the systems you manage is the only footprint). Plus, you won't be responsible for the ongoing maintenance of the directory service.
What you will need is a thoughtful approach to centrally managing identities across your organization. There are a number of implementation approaches and documents that can help you to either create a new IDaaS infrastructure for your organization, or to assist you with migrating from Active Directory:
- Quickstart: Active Directory® Migration Guide
- Set Up and Secure a Modern Office in 30 Minutes [Video]
- JumpCloud Directory-as-a-Service® Knowledge Base
6. What can I connect to a cloud directory service?
The goal of a virtual identity provider is to securely manage and connect users to virtually any IT resource they need to access. This includes their systems (Windows, macOS, and Linux), applications (on-prem and cloud), and networks. Modern Directory-as-a-Service is aimed at being the central identity provider for an entire organization. This means that the identity management platform must be provider, platform, and protocol agnostic.
Cloud directory services will work with AWS, G Suite, Microsoft Office 365, and other providers. All major operating systems are supported so that users can be managed locally and natively. The core identity service speaks a range of protocols, including LDAP, SAML, RADIUS, SSH, and REST, so that it can connect to the widest possible variety of IT resources. Together, these approaches let the cloud directory act as the central identity provider for an organization.
7. How reliable is a cloud directory service?
Cloud directory services are built to be highly available and resilient. Several parts of the service are designed to survive an outage of the service itself or of the Internet connection. Logging in to a user's system or a cloud server, for instance, is handled locally on that machine, so it keeps working during an outage. For services like LDAP, RADIUS, and others that are hosted entirely in the cloud, authentication will fail if the connection is severed. This is not dissimilar to the on-prem situation where a directory server fails and authentication stops.
The infrastructure of the cloud directory platform is located globally and is highly resilient with redundant components.
8. How secure is a cloud directory service?
A virtual identity provider is built to be highly secure. Any credentials stored are one-way hashed and salted. Communication between components is encrypted, and data is encrypted at rest. In addition, the cloud directory service leverages a number of other security techniques, including protecting the infrastructure through segmentation, security groups, vulnerability scanning, and penetration testing.
Because a cloud identity management service is often hosted, IDaaS providers spend extra time and attention on security. In fact, these cloud identity providers can amortize the costs of enhanced security techniques across a broad group of customers. This enables them to invest more than an individual on-prem client could do.
9. What happens to a cloud directory service if the Internet is down?
This is a reasonable question for a directory service that is hosted in the cloud, since Internet connections break and downtime occurs. For the most critical case, logging in to systems, the cloud directory service is resilient. Other areas of the service behave much as they would when an authentication server fails on-prem. With JumpCloud's cloud directory service, a lightweight agent installed on a user's system ensures they can still access their device even when not connected to the Internet.
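The two security properties claimed in questions 2 and 8 (credentials held only as salted one-way hashes) and the offline behaviour described in questions 7 and 9 (a local agent that still lets a user in when the directory is unreachable) fit together in one small model. The following is an added example written for this article, not JumpCloud's code or a description of its internals: the class names, the verifier record layout, the in-memory stores, and the PBKDF2 work factor are all assumptions made for illustration. It shows a directory that stores PBKDF2 verifiers, an agent that keeps its own independently salted verifier after each successful online login, and the fail-closed path when a user has never logged in online.

```python
"""Added illustration (not JumpCloud's code): salted one-way password hashing
in a cloud directory, plus an endpoint agent that keeps its own cached
verifier so a user can still unlock the device when the directory is
unreachable. Class names, record fields and the in-memory stores are
assumptions made for this example."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumed work factor; tune for your hardware and current OWASP guidance.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


class DirectoryUnreachable(Exception):
    """Raised when the cloud directory cannot be contacted (network down)."""


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> Dict[str, object]:
    """Return a verifier record: a fresh random salt plus PBKDF2-HMAC-SHA256
    of the password. The plaintext is never stored, only this record."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"alg": "pbkdf2-sha256", "iterations": iterations, "salt": salt, "hash": digest}


def verify_password(password: str, record: Dict[str, object]) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


class CloudDirectory:
    """Stand-in for the hosted directory. Holds verifier records, never plaintext."""

    def __init__(self, iterations: int = PBKDF2_ITERATIONS) -> None:
        self.iterations = iterations
        self.reachable = True  # flipped to False below to simulate an outage
        self._users: Dict[str, Dict[str, object]] = {}
        # Dummy record so an unknown username costs the same as a wrong password.
        self._dummy = hash_password(os.urandom(16).hex(), iterations)

    def add_user(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password, self.iterations)

    def authenticate(self, username: str, password: str) -> bool:
        if not self.reachable:
            raise DirectoryUnreachable(username)
        record: Optional[Dict[str, object]] = self._users.get(username)
        if record is None:
            verify_password(password, self._dummy)
            return False
        return verify_password(password, record)


class EndpointAgent:
    """Agent on a managed system. After a successful online login it stores its
    own verifier (fresh salt, so it is not linkable to the directory's record)
    and consults it only when the directory cannot be reached."""

    def __init__(self, directory: CloudDirectory, iterations: int = PBKDF2_ITERATIONS) -> None:
        self.directory = directory
        self.iterations = iterations
        # Assumption: persisted on disk in a real agent. It is sensitive, since a
        # stolen device lets an attacker guess against it offline, so protect it
        # with full-disk encryption and a slow hash.
        self.cache: Dict[str, Dict[str, object]] = {}

    def login(self, username: str, password: str) -> Tuple[str, str]:
        """Return (decision, source): decision is 'ok' or 'denied'; source is the
        verifier that decided it: 'directory', 'cache', or 'no-cache'."""
        try:
            ok = self.directory.authenticate(username, password)
        except DirectoryUnreachable:
            cached = self.cache.get(username)
            if cached is None:
                return ("denied", "no-cache")  # never seen online: fail closed
            return ("ok" if verify_password(password, cached) else "denied", "cache")
        if ok:
            # Refresh the local verifier so a password change made online is picked up.
            self.cache[username] = hash_password(password, self.iterations)
        return ("ok" if ok else "denied", "directory")


if __name__ == "__main__":
    directory = CloudDirectory()
    directory.add_user("alice", "correct horse battery staple")
    agent = EndpointAgent(directory)
    print(agent.login("alice", "correct horse battery staple"))  # ('ok', 'directory')
    directory.reachable = False  # simulate the Internet link going down
    print(agent.login("alice", "correct horse battery staple"))  # ('ok', 'cache')
    print(agent.login("alice", "wrong"))                          # ('denied', 'cache')
    print(agent.login("bob", "anything"))                         # ('denied', 'no-cache')
```

Two design choices are worth noting. The agent never copies the directory's verifier; it derives a separate one with its own salt, so a breach of the endpoint cache reveals nothing about the records held in the cloud, and vice versa. And a user who has never authenticated online has no cached verifier and is denied, which is the safe default: the offline path only ever re-admits someone the directory has already accepted on that device.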
10. I’ve heard that Amazon, Google, and Microsoft all offer cloud directory services – is that true?
Yes and no. The market for cloud directory services is getting a lot of attention from the tech titans out there. While you can use the term loosely to describe cloud directory services for AWS Directory Service, G Suite Directory, and Azure Active Directory, they aren’t really central identity providers for an entire organization.
Their approach to directory services has largely been to serve as the user management system for their own platform. Under the covers, AWS Directory Service is really Active Directory or Samba. It works for Windows devices on the AWS platform, but it isn't meant to be the source of truth for your on-prem systems, applications, and networks.
G Suite Directory is largely a contact database and authentication source for Google Apps and a select few web applications. Since G Suite Directory Sync is what is used to connect to the on-prem directory server, you can see their assumption is that either AD or LDAP exist in an environment. Directory-as-a-Service leverages G Suite’s APIs to directly create and manage user identities in one central location.
Azure Active Directory is similar to the previous two and is an excellent user management system for Azure-based systems and Office 365.
Unfortunately, all of these “cloud directory services” struggle with managing on-prem resources. Systems like Windows, macOS, and Linux are prime examples. They don’t work across providers, either. Plus, they’re limited in the support of protocols like RADIUS, LDAP, and SAML, among others.
A central identity provider should be provider, platform, protocol, and location independent. It shouldn’t lock you into any one provider, and should be your central source of truth whether your users and systems are located on-prem, in the cloud, or are mobile anywhere around the world.
Next Steps to Determine if Cloud Directory Services are Right for You
The answer to whether or not cloud directory services are right for you and your organization depends on a large number of factors. Those factors often include your IT environment, platform choice, providers, user base, cost requirements, and many more items. You should take the time to deeply evaluate each of those requirements to ensure that you make the right choice for your organization. A cloud directory service can be an excellent addition to your IT infrastructure and it replaces a number of solutions, including Active Directory. But you’ll want to make sure that it’s right for you.
Take a glance at our technical datasheet for a concise rundown of JumpCloud’s features and compatibilities. You can also contact us directly if you have questions about cloud directory services or would like a demo. Finally, if you’re a hands-on learner, sign up for a free account and give it a try for yourself. You can easily compare it to Active Directory to determine what is the right choice for your organization.