By Rajat Bhargava Posted February 23, 2015
This blog is part of a four-part series, as listed below:
- The Directory-as-a-Service Movement
- Heterogeneous IT: The #1 Reason your Directory will be in the Cloud
- Cloud Infrastructure is Reason #2 your Directory will be in the Cloud
- Business Gmail: Reason #3 why your Directory will live in the Cloud
We are over halfway through our blog post series of why your directory will be in the cloud. In this post, we discuss why the move to cloud infrastructure is driving the need for a new kind of directory.
The Introduction of IaaS to Business
One of the great innovations of the last decade was the introduction of Infrastructure-as-a-Service (IaaS). With IaaS, organizations no longer need to invest in purchasing their own hardware for important business functions; the servers and data centers behind those functions are instead rented from, and maintained by, a cloud provider.
How is this Cloud Infrastructure Possible?
IaaS enables the rental of compute and storage resources and, as a result, was a game changer for organizations of all sizes. The challenge, of course, was that as core infrastructures moved from “in house” to a new outsourced location, on-premise control of user access via directory services was virtually eliminated.
AWS was an early entrant to the IaaS fray and today there are hundreds of companies providing these cloud hosting capabilities. Realistically, it’s a smart move. With technological advancements, businesses can do more, faster. But it’s important for organizations to consider the way they manage their new cloud-based infrastructures—especially from a user management perspective. Moving sensitive data to the cloud, and not fully managing all user access to that data, can put a business at high risk for a cyber attack.
Currently there are a few methods that organizations leverage to try to tackle the problem of managing users provisioned to cloud infrastructure:
- Manual user management, or management via scripts. Manual user management is arguably the most common method of managing users on cloud servers. It’s not complex, but it is the most time-consuming: every change must be manually inserted into a Chef/Puppet script or executed on the server directly. Most admins opt for this method because it’s the least costly option. Of course, it is prone to human error, it is difficult to manage complex access this way, and there is no audit record of who did what.
- Expose AD/LDAP to the Internet. Another option admins contemplate is to expose Microsoft Active Directory® or LDAP to the Internet (although this is rarely chosen as the preferred method). By enabling cloud servers to directly talk to their user store, admins can make changes in one place and have them propagate to all of their devices. Of course, the risk here is that the AD or LDAP server could be compromised. AD and LDAP aren’t inherently secure—they are designed to be placed inside of a network with multiple layers of security around them. Exposing AD or LDAP to the web is possible, sure, but it’s a high risk venture with limited upside.
- Set up a point-to-point VPN tunnel. A variant of the previous option is to connect the cloud servers and the user store via a secure VPN. This is a much more secure option. The downside is that it’s intensive to set up and manage. For instance, as you add more cloud providers to the mix for redundancy, each of those will need its own VPN to the AD or LDAP user directory. Still, it’s a much stronger option than the two previous ones; it shifts the pain to network and configuration work.
- Replicate AD/LDAP in the cloud. Another option is to spin up another complete instance of AD or LDAP at the cloud provider. With AD, a secondary domain controller or domain trust is often established. With LDAP, it’s often raw LDIF database replication. But this option increases server cost and management overhead, and means more things can go wrong.
- Purchase enterprise software to bridge. Over the years, large enterprises have purchased solutions to “bridge” their AD or LDAP server to other data centers or remote offices. This same technology can be used to connect cloud servers to the AD/LDAP user store. These tools end up being enterprise-class tools, meaning that they take significant time and effort to install, are expensive, and are difficult to use. This path is effectively leveraging a legacy solution and model to solve a modern problem.
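The first option above leaves no record of who changed what, and accounts drift as people join and leave. As an added illustration (not code from the original post or from JumpCloud), the script below reconciles a constructed /etc/passwd sample against a constructed desired-user manifest and emits one audit line per action; the manifest, the sample accounts and the actor name are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample of a cloud server's /etc/passwd (not from the original post).
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
deploy:x:1001:1001::/home/deploy:/bin/bash
contractor:x:1002:1002::/home/contractor:/bin/bash
"""

# Constructed desired-state manifest: the accounts a directory would push to this host.
MANIFEST = {"deploy": {"uid": 1001}, "alice": {"uid": 1003}}

def parse_passwd(text):
    """Return {username: uid} for human (uid >= 1000) accounts in passwd text."""
    users = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, uid, *_rest = line.split(":")
        if int(uid) >= 1000:
            users[name] = int(uid)
    return users

def plan_changes(desired, current):
    """Diff desired vs. actual accounts; return a sorted list of (action, user)."""
    plan = []
    for name, attrs in desired.items():
        if name not in current:
            plan.append(("add", name))
        elif current[name] != attrs["uid"]:
            plan.append(("fix_uid", name))
    for name in current:
        if name not in desired:
            plan.append(("remove", name))  # orphaned account: a leaver nobody deleted
    return sorted(plan)

def audit_records(plan, actor):
    """Build one JSON audit line per planned action so 'who did what' is recorded."""
    ts = datetime.now(timezone.utc).isoformat()
    return [json.dumps({"ts": ts, "actor": actor, "action": a, "user": u}) for a, u in plan]

if __name__ == "__main__":
    current = parse_passwd(PASSWD_SAMPLE)
    for rec in audit_records(plan_changes(MANIFEST, current), actor="admin@example"):
        print(rec)
```

The plan is only computed here; applying it (useradd/userdel) would be the step where a human edit with no audit trail normally happens.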
How a Cloud-Based Directory Service Solves all of these Problems
A cloud-based directory service that can span multiple networks is the ideal choice to control and manage cloud-based infrastructure along with a company’s on-premise devices. JumpCloud’s Directory-as-a-Service® was built to solve this exact issue and to match the quick, agile approach of IaaS. A cloud-based directory can extend the users who need IaaS access to those cloud servers without the expensive manual effort or the security risks described earlier.
As reason #2 why a cloud directory service is necessary, cloud infrastructure is a dramatic, game-changing innovation that will change the IT landscape as we know it.