By Greg Keller Posted August 25, 2016
We hear this one pretty often.
This resistance makes a lot of sense when you step back and think about it.
Consider the Conventional Directory
The concept of directory services was born on-premises and most IT infrastructure was located on-prem. Add in the fact that a directory service is a core security infrastructure component and it is easy to see why IT pros are hesitant to think about shifting the directory to the cloud.
To be fair to both sides of the debate, there are definitely situations where a cloud-based directory makes no sense and cases where an on-prem directory makes no sense.
We’ll cover those situations in this blog post, but we’ll also try to ferret out the middle ground. We’ll share a framework for thinking about whether a cloud-based directory service is interesting for your organization.
Reasons You Shouldn’t use a Cloud-Based Directory Service
Let’s get some of the easy points out of the way. Here are a few situations where a virtual identity provider won’t be of much help to your organization.
Regulatory / Compliance Requirements State that you must have Physical Control –
Some regulatory requirements are incredibly strict and require the organization to have physical control over their environment. This is tantamount to saying no cloud.
Mind you, few regulatory requirements actually say this, but many organizations still interpret their requirements this way. You should double check with your auditors on whether that is truly the case. Many regulatory and security compliance rules are cloud friendly, but if you are in the Department of Defense or the intelligence agencies, then your use of the cloud will be limited and likely restricted to a very private cloud infrastructure within the DoD. Some financial institutions are also subject to this heightened security requirement.
Note that if you are subject to PCI, HIPAA, or GLBA, you are fine and the cloud is acceptable. You may have to answer some specific questions related to your use of it and you may need to work with your providers, but there aren’t restrictions on using cloud tools and technology.
100% Microsoft Environment and All in One Location –
Historically, the market share leader in on-prem directory services has been Microsoft Active Directory. It’s really a great solution for Windows environments. AD has been around for almost 20 years, so if you are an all-Microsoft shop and expect to be for a long time to come, then your answer is likely Active Directory.
Note that your users should all be located in one place. Active Directory is a little tricky with remote employees and multiple offices. You will quickly run into the need for VPNs, redundant AD servers, and synchronization, and the issues that come with them. But if everybody is all together and they are all on Windows, you have your answer.
Neither of the Above?
Outside of those two use cases, we’d argue that Directory-as-a-Service® is a viable alternative to the local directory service. But, there are some basic questions that many people have about a cloud-based directory service and how it could even work. Let’s hit those here.
Questions When Considering a Cloud Directory
Q: Is it secure?
A: Yes, it is. JumpCloud spends a great deal of time, money, and energy on security.
Remember that AD assumes that you are within the interior of an organization and therefore doesn’t have the same level of focus on security. There is an assumption that your organization has built those security layers into the infrastructure and AD gets to take advantage of that.
A cloud-based directory doesn’t make those assumptions; it builds the layers of security into the SaaS infrastructure and into the solution itself. We have published detailed documents on how we think about security, and each of those is worth reading. The short version is that all credentials are salted and one-way hashed, all communication is conducted over mutual TLS, and the infrastructure itself is monitored and reviewed with strong network security practices.
Q: What if the Cloud Directory goes down?
A: This is also a good question and relevant for any cloud service. In the case of Directory-as-a-Service, a number of safeguards are in place to let the system continue to operate despite an outage.
For instance, users will continue to have access to systems even with the cloud directory offline. Accounts are created locally where credentials can be safely cached for any outages or functioning in no-Internet environments.
A global network of LDAP and RADIUS servers ensures that a directory outage will not impact authentications for those services. In short, the platform has been built with survivability in mind. By comparison, if your on-prem directory server were to be offline, there is potential for greater disruption.
Q: What if I lose my Internet connection?
A: There is a slight difference from the previous answer when your own Internet connection is down. Systems and their agents will continue to function as before, so there should be no loss of service there.
For LDAP-based authentication, many applications cache credentials, and for those there is no impact. For applications that do not cache, and for RADIUS, there is potential downtime while your Internet connection is severed. There are ways to solve this: set up a redundant Internet connection, configure your LDAP apps to cache credentials, and configure your RADIUS setup to fall back to a general SSID and passphrase for network access.
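As an added illustration of the LDAP-side mitigation above (example configuration, not from the original post or JumpCloud’s own docs): an SSSD client, assumed here to be the Linux LDAP client in use, configured so that previously successful logins keep working while the directory or the Internet link is unreachable. Host names and the search base are placeholders.

```ini
# sssd.conf (added example): an LDAP client that keeps working when the
# directory or the Internet link is unreachable. Host names, the search
# base and the CA bundle path are placeholders, not values from the post.

[sssd]
config_file_version = 2
services = nss, pam
domains = cloudldap

[domain/cloudldap]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
# Require a valid server certificate, so a rogue LDAP endpoint standing in
# for the unreachable real one cannot harvest passwords.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
# Weak setting: cache_credentials = False (the default) means every login
# needs a live bind, so a directory outage locks users out of their machines.
# Corrected setting: keep a hash of the last successful password locally
# and accept it only when the LDAP server cannot be reached.
cache_credentials = True
# Keep cached user and group entries for a day before looking them up again.
entry_cache_timeout = 86400

[pam]
# Days a cached credential stays valid offline; 0 = never expires.
# A bounded value limits how long a departed user could still log in locally.
offline_credentials_expiration = 7
# Throttle offline guessing against the cached hash.
offline_failed_login_attempts = 5
offline_failed_login_delay = 5
```

The fallback only helps users who have already authenticated on that machine while the directory was reachable; first-time logins still need the live directory.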
Q: How does it create a domain for me?
A: It doesn’t! We know that’s a bit mind blowing. You don’t have to carry the concept of a domain forward if you don’t want to. You can think of it a little differently: you still have access to all of the IT resources you need, but the cloud directory manages that access.
In effect, you get a custom-built domain without all of the heavy lifting. You still get True Single Sign-On™ capabilities to virtually all of your IT resources, but you don’t need to implement a domain controller and keep more servers on-prem.
Q: Can I still access my on-prem file server and printers?
A: Yes. JumpCloud’s Directory-as-a-Service helps you access the existing resources you need to access without the need for a domain controller.
Making the Decision
A unified cloud directory will stretch your mind a bit. Some of the concepts are different from what you have historically been accustomed to. For instance, the lack of a domain concept is new for people, as is the idea that users can continue to authenticate during an outage. If Active Directory or LDAP were offline, the consequences would be far different than with an outage of a cloud directory. In many ways, because the directory lives in the cloud, security and reliability must be significant areas of focus, and as a result there are important innovations in those areas.
If you would like to learn more about why a cloud-based directory service could be useful for your organization, drop us a note.
And if your team is a little skeptical, that’s ok. We are here to help. The skepticism is healthy, and we can help you work through it in a rational manner.
We all know that a cloud-based directory service is the future; it is a matter of clearly conveying why that will be the case. Let us know what we can do to help you in your Identity-as-a-Service discussions, or feel free to give JumpCloud’s Directory-as-a-Service platform a try for yourself.