Work happens wherever the device and the person using it are located. Whether that’s a traditional office, home office, coffee shop, coworking space, or airplane tray table, IT leaders need to be able to secure the device and connect the user to their requisite resources through it.
IT departments need more than just a new toolset to achieve this kind of fluid access control and device management — they need an entirely new architecture. Here, we’ll explore how IT architectures have evolved and what organizations need now to meet the demands of the modern era.
Active Directory & the Domain
Active Directory® thrived in contained Microsoft ecosystems. Via on-premises domain controllers, it connected users to and managed on-premises Windows devices, and it established a secure perimeter around organizational resources.
However, it was built in an era when a network was defined by the physical office building where employees worked. Despite its strengths in physical office spaces, AD is not a fluid architecture. It requires significant investments in hardware and on-prem networking, and it wasn’t designed for work outside the office. From the outset, IT admins had to retrofit it for workers on the road, such as salespeople, which gave rise to the VPN client.
Beyond that, it has not adapted to the rapidly evolving technological and cultural changes that are driving the workforce to adopt new tools and new ways of working. Whether a workforce is entirely remote or dependent on a suite of SaaS apps and cloud infrastructure, AD is no longer the best way to manage users and their access to resources, because it requires identity bridges and other add-ons to be a comprehensive solution. A new architecture now exists, however, that eliminates the need for such AD add-ons.
A Boundless Domain: Remote & Flexible Working
An organization might be all-remote all the time, like GitLab with 1,200 employees distributed across the world. An organization might also maintain remote offices, acquire companies outside its region, or manage select remote workers, like salespeople. An organization might also need to respond to urgent outside pressures, as we’re seeing now with the COVID-19 pandemic.
Our current reality, as seen on the news and in our communities, demonstrates an incredible change of pace. As we change our behaviors and the ways we work, we’re relying on the internet more deeply. This is especially pronounced in the business world and exacerbated in companies with an IT architecture that isn’t prepared for these large-scale changes in the workforce.
Organizations need innovative architectures to support them — architectures that ensure business continuity in the face of change. The “domainless enterprise” employs IT architecture that’s fluid, flexible, and responsive. It supports secure work from any location or circumstance. It also supports resource access that’s customized for each person based on their role and needs.
This architecture is device-centric, regardless of OS or provider. Whether an employee is logging in on a Windows desktop or a Mac laptop, IT needs to be able to secure and manage that device. This architecture is also user-centric, because each user has individual IT resource needs.
The heart of a domainless enterprise is a central cloud directory service, which serves as the hub for securely connecting users and their systems to the IT resources they need to accomplish their jobs. From a central cloud directory, IT needs only an internet connection to provision users to their devices and secure those devices, as well as provision users to all their IT resources, including SaaS apps and cloud infrastructure. From this same cloud directory, IT admins can control access, secure identities, protect systems, and audit all access — all without the need for an on-prem domain controller.
How to Implement the Domainless Enterprise
Directory services for the domainless enterprise are entirely cloud-based and platform-agnostic. They perform as the authoritative repository for digital identities and can federate those identities everywhere they’re needed via an internet connection.
The architecture has several components:
Device Security & Trust
This architecture relies on lightweight agent-based control of devices.
A user should be able to log into their company-controlled device, secured with credentials plus MFA, and access their authorized resources. Via the agent, IT admins can configure the devices, lock down security settings, and monitor data such as uptime and storage capacity, as well as immediately suspend access for any security reason.
With this architecture, a user has one authoritative identity that IT controls, manages, and monitors. From a central cloud directory, IT can federate that identity to resources including SaaS apps, cloud infrastructure, RADIUS network access points, and LDAP-reliant apps and devices. It can also sync with and manage changes between services like productivity suites (e.g., G Suite™ or Office 365™) that require their own user stores.
This new architecture allows us to redefine the domain, which was previously limited to an office-based environment. It allows the new “domain” to stretch wherever employees perform their work, without the need for VPN connections to the network or other complex networking. All an employee needs in this model is a workstation and an internet connection. Further, users only need to change their secure credentials in one spot, on their device, for virtually all their IT resources, which dramatically reduces the risk of an identity compromise through phishing. Because that single identity is the key to everything a user can reach, the MFA required at device login is what keeps it from becoming a single point of failure.
At JumpCloud®, we built the world’s first cloud directory service because we wanted to enable this domainless enterprise for all organizations.