By Ryan Squires Posted September 21, 2018
Identity and access management (IAM) is a cornerstone of IT and has been for decades. Yet, with the majority of traditional on-prem IT infrastructure migrating to the cloud via vendors such as AWS® and GCP™ and applications shifting to the web (e.g. Slack, G Suite™, O365, GitHub, and tens of thousands of others), IT admins are wise to wonder if IAM will follow suit. The risk of fragmenting identities across systems, applications, files, and networks is a very real threat that many admins face with the shift to the cloud. Thankfully, there is a solution that encapsulates virtually all IT resources into a single panel. First, though, let’s explore the definition of cloud identity and access management.
What is cloud identity and access management?
In order to get a grasp on what cloud identity management is, we need to understand IAM as a whole. The overarching concept of IAM is simple enough: IAM makes it so that the right users are able to access the right IT resources, securely. In practice, the concept ensures that members of the marketing team, for example, aren’t accessing source code repositories from engineering and engineering isn’t reviewing financial data in the accounting system. Or, IAM ensures that students aren’t accessing the teachers’ WiFi network. Essentially, the concept describes the ability to manage core user identities and their access to various IT resources across a network.
Back in the day, circa 1999, there was one on-prem enterprise software product that predominantly managed systems in an organization’s IT environment. That solution was Microsoft® Active Directory® (MAD or AD). Built upon the LDAP and Kerberos protocols, AD was able to take the world by storm because the majority of IT infrastructure, systems, and applications were Windows®-based. It made sense that a Windows-based identity provider federated access to Windows systems and applications as well as wired networks. But, with the introduction of web apps that authenticated and authorized via SAML, AD needed add-on solutions to federate AD credentials to web applications. Further, IT admins want to secure their networks with RADIUS, which again is not something that AD offers out of the box. Add in the fact that new systems (Mac® and Linux®) made their way into the enterprise, and AD really began to falter.
IAM Requirements Now
So, what IT admins need is an IAM solution that connects their users to any resource they need regardless of platform, protocol, provider, and location. It must work from a single pane of glass and provide not just Single Sign-On, but True Single Sign-On, a component of JumpCloud® Directory-as-a-Service®, that allows users to connect to virtually all of their resources with one set of credentials, not just web apps. Below are the protocols and services JumpCloud offers via its Directory-as-a-Service platform.
Protocols in the Cloud
LDAP has been an on-prem solution for the majority of its life. It is important to organizations because LDAP acts as a core identity provider (IdP) that allows users to authenticate against it in order to gain access to applications and systems. It also stores user information such as username, password, email, and address, among countless other attributes depending upon how LDAP is set up. Shifting LDAP cloudward allows organizations to free up their IT personnel to work on tasks other than setting up, maintaining, and securing an LDAP server. LDAP-as-a-Service management ensures users are able to authenticate and authorize via LDAP without all the headache of on-prem solutions.
RADIUS allows IT admins to properly secure their networks by allowing users to authenticate to the wireless access points (WAPs) with unique credentials. This method of authentication is much safer than simply passing around a scrap of paper with the shared service set identifier (SSID) and password. Protecting the network with unique credentials makes it much harder for hackers to break into the network and steal valuable data. Cloud identity access management via RADIUS-as-a-Service makes organizations, and the networks they rely on, much more secure.
SAML is used to authenticate and authorize users to web-based applications. While it was once an on-prem implementation stashed next to an AD or LDAP server, it has shifted to the cloud. Users authenticate through single sign-on (SSO) portals or browser plugins, where they can gain access to multiple applications instead of having to juggle multiple passwords. IT admins that utilize SAML SSO applications will have fewer help desk tickets to address because users will only have one password to remember, or forget, depending on your perspective. That one set of credentials enables access to Office 365™, Salesforce®, and many, many more web applications.
Multi-factor Authentication (MFA) and Cloud IAM
Activating MFA ensures that even if a hacker gains a user’s credentials, they will also have to obtain the user’s smartphone and screen lock PIN in order to access either a system or application. Leveraging MFA ensures that identities are secured by two different sets of credentials—the password and a time-based one-time password (TOTP) code. With JumpCloud Directory-as-a-Service, MFA can lock down Macs at the system level, requiring an MFA code at the login screen. JumpCloud DaaS also provides MFA for critical hosted AWS, GCP, and Azure Linux servers, forcing hackers to provide an MFA code they definitely will not have access to from a remote location. In addition, JumpCloud can implement MFA in the JumpCloud user and admin consoles so that MFA can be added to web apps.
Best Approach to Cloud IAM
The modern, secure solution to identity sprawl is to tightly integrate all usernames and passwords into one cloud-based identity and access management solution. By making this shift, users will be able to access IT resources from any location and do so regardless of platform, provider, and protocol. The tool best suited for this task is JumpCloud® Directory-as-a-Service®. With True Single Sign-On™, users will be able to access on-prem implementations like NAS devices from Synology and QNAP, cloud infrastructure from AWS®, GCP™, and Azure®, RADIUS-protected WiFi networks, legacy LDAP applications, and web-based software-as-a-service (SaaS) applications like G Suite™, Office 365™, and Salesforce®, all while using the same credentials they use for their systems (Windows, Mac, and Linux).
Learn More About JumpCloud
When you’re attempting to unravel the definition of cloud identity and access management, think of it as a solution that allows both on-prem and web-based resources to be accessed via a single identity while being managed by IT admins from a single pane of glass. JumpCloud Directory-as-a-Service allows all the disparate parts of your IT infrastructure to be integrated into one easy-to-manage solution that even provides users the ability to self-service their password changes. Give JumpCloud Directory-as-a-Service a try for free today; you’ll be able to manage 10 users for free — forever. If you have any additional questions on cloud IAM, drop us a line. Below is a whiteboard video explaining the JumpCloud Directory-as-a-Service cloud IAM protocols and architecture; enjoy.