By Vince Lujan Posted May 7, 2019
Microsoft® Active Directory® (AD) is the quintessential example of domain-based IT management software. However, in light of Zero Trust Security, is it possible to achieve a domainless Active Directory?
It’s an interesting question, given that the Windows domain and the notion of trusted assets therein has historically been the foundation of AD. So, AD and Zero Trust Security would seem to be incompatible at a glance, but let’s explore the concept of a domainless Active Directory below.
Active Directory and Zero Trust Security
Active Directory works best with on-prem networks and Windows®-based environments. AD natively operates by establishing a network of trusted assets, known as a domain, which are protected by an AD domain controller, VPN, firewalls, and other security mechanisms.
The goal is essentially to create a strong perimeter to protect trusted resources from the open internet. As a result, external sources of network traffic (e.g., users) must first authenticate and ultimately be authorized to access internal domain resources such as systems and applications.
Zero Trust Security, on the other hand, is a security model that effectively eliminates the separation between an internal domain that’s safe and the open internet that’s dangerous. Rather, all sources of network traffic are viewed as potential attack vectors that must generate trust before they are authorized for user access—and with good reason too.
Bad actors are now attacking traditional networks from inside and out, often bypassing perimeter-based security by targeting trusted assets. Thus, Zero Trust Security is effective because it basically eliminates the concept of trusted assets (i.e., the domain) altogether.
Active Directory OR Zero Trust Security
Yet, eliminating the concept of the Windows domain undermines the foundation of Active Directory. AD will not work without a traditional domain at its core. So, unless Microsoft updates their two decade old approach to directory services, the thought of a domainless Active Directory doesn’t seem to make sense.
Consequently, IT admins are often forced to choose between Active Directory and Zero Trust Security. For those that choose the latter, the challenge then becomes finding a next generation AD alternative that supports their Zero Trust Security initiative.
Of course, not just any AD alternative will do (e.g., OpenLDAP™, Apple® Open Directory). For one, it must be built to support Zero Trust Security. Further, it would ideally reimagine the aging AD platform for the cloud era. After all, IT organizations have come a long way from on-prem networks of Windows-based systems and resources.
In fact, cross-platform system environments (e.g., Windows, macOS®, Linux®), a variety of web and on-prem applications, physical and virtual file storage alternatives, and networks spanning multiple locations are all in common use today—all of which must be managed from one centralized location and tirelessly authenticated to achieve Zero Trust Security. That’s a tall order.
The good news is that a next generation Active Directory alternative is reimagining AD for the cloud era. This modern IDaaS platform is called Directory-as-a-Service® (DaaS), and it connects users to their IT resources regardless of their platform, provider, protocol, and location.
Additionally, as a cloud identity management platform, DaaS forgoes the concept of the traditional domain, yet still gives users True Single Sign-On™ access to virtually all of their IT resources. As a result, IT organizations can leverage a domainless Active Directory-like functionality to achieve the ideals of Zero Trust Security with JumpCloud.
Zero Trust Security with JumpCloud
JumpCloud® Directory-as-a-Service is perfectly suited to support your Zero Trust Security initiative. The DaaS platform is essentially a domainless Active Directory alternative without a domain or anything hosted on-prem, but with added support for cross-platform system environments, web and on-prem applications, local and virtual file storage, and remote networks.