By Rajat Bhargava Posted February 5, 2015
Over the last several posts, we’ve analyzed how and why Microsoft Active Directory® isn’t a “complete solution” for modern organizations.
Within the multi-part series, we look at:
- The change in the IT landscape
- The impact of Google Apps (now known as G Suite)
- Possible solutions – (you’re here)
- How DaaS is addressing this problem
We hope you enjoy the series and look forward to your feedback.
Part I (The change in the IT landscape) describes the current IT landscape and the problems that it presents for current AD implementations. Part II (The Impact of Google Apps) focuses on the unique impact that Google Apps has on the directory services market. With the shift to their corporate GApps (now G Suite) product, a schism has been created where corporate email lives in the cloud, but directory services is on-premise. This less than ideal scenario is what many IT admins are dealing with today.
Now, in part III, we look at how IT admins are dealing with this problem of having email in the cloud and their directory services on-premise.
Here are some of their directory service options:
Traditional Solutions to This Problem
Unfortunately for organizations looking to shift from AD and Exchange, or those considering just starting with Google Apps, figuring out how to securely manage user identities may give pause. Historically, those early adopter organizations of Google Apps solved the user and device management problem one of two ways: (1) they handled it manually, or (2) they leveraged LDAP or Active Directory in addition to Gmail.
Or those that haven’t fully embraced BYOD culture, generally opt to leverage Google Apps and manually manage user and device access.
In these types of scenarios, IT doesn’t generally have to manage or control access to the user’s desktop or laptop. For access to internal applications or their server infrastructure, IT manually creates the user accounts. If access to the user’s device is needed to help troubleshoot a problem, the user and IT admin get together and manually handle this. While not an optimal solution, it does need to be compared to the costs of time and money of using AD and Exchange. Google Apps Directory (now Google Cloud Directory) doesn’t really function as a core directory service, but more of an application user management system to GApps.
Another issue that needs to be contemplated with this scenario is security. Without user and device control, security will take a back seat. However, for many organizations this dilemma of AD and Exchange or Google Apps plus manual user and device management leads them to the more cost-effective, flexible solution of Google Apps and manual management despite the security concerns.
Often need to leverage Google Apps along with an existing LDAP or AD. A shift to Google Apps (especially email) will notably reduce the burden on IT, but doesn’t solve the critical user and device management needs. For this, the IT organization turns to LDAP or AD and other remote management tools. The central directory is LDAP or AD which is then synced with Google’s user directory functionality.
The benefit of this approach is that there is one central directory where users are created, terminated or modified. For those on the IT side that need access to the company’s servers or internal infrastructure, LDAP or AD can be the authentication source as well. Both of these capabilities dovetail nicely with the decision to move to Google Apps. This said, as for remotely managing user’s devices, LDAP does not provide this capability, but there are numerous third party tools that do. AD does give you the capability to remotely manage Windows devices, but not Macs or Linux devices. Google Apps Directory Sync, known as GADS (now Google Cloud Directory Sync or GCDS), will often force you to have another server in your environment that you manage.
In short, trading AD and Exchange management for LDAP or AD is viable for some organizations, but still requires the IT organization to have significant expertise and time to manage this scenario. This approach is still expensive and leaves you with one foot in the cloud era and one in the legacy on-prem world – hardly satisfying your desire to go completely cloud. Unfortunately, Google’s lack of a core, cloud-based directory service that can authenticate devices, LDAP apps, and much more doesn’t help the problem.
In our next post we dive into the complete modern solutions for directory services, including describing a new SaaS based directory, known as Directory-as-a-Service® or “DaaS” that has re-invented how directories operate.
Stay tuned for how next generation Identity-as-a-Service platforms are making their mark.