By Greg Keller Posted January 6, 2015
As cloud infrastructure has expanded rapidly over the last 5 years, and as the variety of device types employees want is overtaking the stalwart Microsoft Windows in the enterprise, the need for robust directory services has rushed to the forefront of IT directors’ priorities. The expanding footprint of cloud and heterogeneous operating systems requires more breadth of coverage from IT teams, both from a management and security perspective and from an expertise perspective.
JumpCloud launched the first Directory-as-a-Service® (DaaS) to alleviate these issues and simplify a modern enterprise’s cloud and on-premise resources. On the heels of this release, Amazon’s AWS team launched a new service as part of their management console: Directory Service.
Customers now need a side-by-side comparative review of the capabilities of each approach. The following post focuses on comparing and contrasting AWS Directory Service and Directory-as-a-Service.
What is the AWS Directory Service?
Amazon’s AWS Directory Service (DS) is a new capability offered by Amazon. It is accessed through the AWS Management Console. As part of their “IAM” set of services, AWS Directory Service is tightly intertwined with Microsoft’s Active Directory product, enabling a connection to an existing on-premise Active Directory and helping extend users managed in AD to Amazon EC2 infrastructure. Amazon refers to this as “AD Connector.” If the AWS customer is not using Active Directory, they may instead install “Simple AD,” which is essentially a directory database built on Samba and very similar to the Active Directory database itself. In the case of Simple AD, management tools such as those that ship with Active Directory are still required, and in both cases the approach is designed to help customers with Windows user provisioning and workloads (e.g. AWS Workspaces, their desktop-as-a-service solution). AWS also markets a hosted Active Directory solution that requires both a cloud version of AD and your own on-prem version.
What is JumpCloud Directory-as-a-Service (DaaS)?
JumpCloud’s DaaS is a cross-platform (Windows, Linux, and Mac OS X) cloud-based directory offering whose capabilities range from centralized user management, single sign-on, virtual LDAP, RADIUS-as-a-Service, and provisioning to authentication and authorization of users against the IT resources they need access to. DaaS allows businesses to control access to workstations, cloud infrastructure, on-premise resources, and applications, both locally installed and SaaS-based. As a cloud directory service, DaaS is a complete end-to-end solution providing simple-to-use interfaces for both administrators and employees. Just as the core of any business is its people, at the core of Directory-as-a-Service is user management, or core directory services. The core is surrounded with capabilities and services that help provision and manage users against infrastructure. These capabilities include:
- Hosted LDAP – Applications and other services can authenticate and authorize users through JumpCloud’s virtual LDAP interface. SaaS-based LDAP eliminates the management cost, as well as the complexity of building, managing, and scaling your own LDAP server infrastructure.
- Extension of Microsoft Active Directory® – Companies with Microsoft Active Directory as their primary user management store can leverage JumpCloud to simplify the “extension” of users to cloud infrastructure (AWS, RackSpace, Softlayer, etc.), eliminating the need for a secondary directory and all the networking and security issues around it.
- True Single Sign-On™ – In addition to only needing a single set of credentials to access your on-prem devices and cloud servers, you get the benefit of integrating web applications, on-prem applications, and WiFi authentication among all of the other areas of the cloud-based directory. One identity to rule them all™.
- WiFi authentication – Your core cloud directory service also can serve as your authentication point for your WiFi network. Through a RADIUS-as-a-Service infrastructure integrated into the cloud identity management platform, user credentials are required to access the WiFi network. This is a significant step-up from just an SSID and passphrase.
- Management of Devices – DaaS enables users to be provisioned and managed on a variety of OS types from Windows, to Linux, to macOS. It provides excellent survivability (the users are on the host, so network issues do not affect accessibility), and the ability to apply configurations and policies across the organization.
A General Comparison of AWS Directory Service and JumpCloud DaaS
AWS-DS and JumpCloud DaaS both offer directory services designed to provision and manage users against Amazon EC2 cloud infrastructure. Both technologies deliver solutions that help control, manage, and secure users on rapidly bloating cloud infrastructure. Additionally, both technologies help simplify what have in the past been fairly error-prone processes built on manual steps and complex scripting. Both offerings provide a core directory and/or the ability to extend Microsoft Active Directory users to AWS EC2 instances.
Contrasting AWS Directory Service and JumpCloud DaaS
There are numerous differences between the approaches, philosophies and breadths of coverage between AWS-DS and JumpCloud Directory-as-a-Service. Amazon has an obvious need to concentrate on their stack, helping, for example, the authorization of users to other AWS Services such as Zocalo or AWS Workspaces. Workspaces in particular was ripe for an implementation of user management, mainly due to the fact that the initial VDI infrastructure had no direct association with a directory to aid in the provisioning and management of users to those virtualized desktops.
The initial AWS-DS implementation is focused on simplifying the extension and management of users to AWS infrastructure (servers, VDI/Workspaces and other services) by leveraging Microsoft Active Directory, a prudent choice given the fairly widespread use of AD in enterprises. JumpCloud’s posture, and our path forward on the platform, is to ensure neutrality and provide a heterogeneous approach to authenticating, authorizing and managing users on a wider variety of resources. This includes operating systems ranging from Windows to Linux and macOS, cloud computing platforms ranging from Amazon to Softlayer and Rackspace, and applications that exist on-premises or in the cloud.
In order to draw out these differences in detail, a more granular examination is needed.
| Capability | JumpCloud DaaS | AWS Directory Service |
|---|---|---|
| SaaS-based | Yes | No – Customer is responsible for installation and provision of management tools. |
| Core User Directory | Yes | Yes – AWS/Windows only |
| Core Management Interface | Yes | No – Requires Active Directory tools even for their directory set up |
| Windows Device Management | Yes | Handled by Microsoft Active Directory and only for Amazon VPC |
| Linux Device Management | Yes | No |
| macOS Device Management | Yes | No |
| Windows User Management | Yes | Yes |
| Linux User Management | Yes | Yes |
| macOS User Management | Yes | No |
| MFA | Yes – Linux only | No – Requires RADIUS |
| Active Directory Connector | Yes | Yes |
| G Suite (Google Apps) integration | Yes | No |
| Supports user and server instance management in other clouds, or on premise | Yes | No |
| AWS User Management | Yes | Yes |
Conclusion of Comparing and Contrasting AWS and DaaS
Both JumpCloud and Amazon are pushing deep into identity management, and specifically user management on growing cloud infrastructures. Amazon has a dedicated interest in helping their customer base more deeply manage users on their EC2 platform and, more specifically, across their own services (e.g. Workspaces). But it follows a familiar Amazon pattern in regards to implementation, namely it’s highly technical, requires deep expertise to implement, and requires source tools for management.
JumpCloud, in contrast, is positioning itself as an easy-to-use, neutral platform for Identity-as-a-Service. Amazon AWS, RackSpace, Softlayer, and Google Compute Engine all feel and look the same to a JumpCloud administrator…as do Windows, Linux, and macOS, and the myriad of authentication protocols including LDAP, SAML, RADIUS, and others. One easy-to-operate console to manage them all. Because in our minds, we are working to simplify the lives of IT admins and the people they serve in their organizations, while strengthening the technology behind them.