Or – The Time to Break Free from On Premise Directories Has Come.
Greg Keller – Chief Product Officer
Your author has some gray hair. I am painfully admitting this as I type those words, but with that gray hair comes history and a deep memory of business computing over the last 23 years as a software product manager and business builder. In this post, I want to paint the story of one of the core aspects of business computing, directory services.
It’s a largely overlooked, yet mission critical, aspect to the efficiencies within your enterprise. For time ad infinitum, directories have always been…’just there’. Yet everything around them has evolved and modernized. So, it’s time to talk about directories and their history… e.g., their appearance in corporate offices, the influence on them from a whirlwind of technology advances, and finally, to their state in our modern, cloud-driven, world.
But first, let’s go back in time.
We’ll Begin in 2000
December 31st, 1999 came and went. The world survived Y2K – bunkers filled with surplus food and weapons, notwithstanding.
The financial bubble had not yet burst but fissures were forming. Venture capital was still flowing like a river, investing into ideas that lacked any business validity, but made up for it with hand puppets in Super Bowl ads.
But let’s talk about the banal: your office in 2000.
Cube farms. You worked in a sea of gray, 6’ x 6’ grids. A human Tetris City. Every once in awhile a head would emerge, not unlike a prairie dog’s, scanning the cube-sea looking for co-workers to escape for the 10am coffee. You’ll go try that “Starbucks” that everyone has been raving about, even though you know Peet’s tastes like real coffee.
Your desk is a beige formica. You have a cork board with a real calendar hanging. Below your desk is a workstation. It has a floppy disc drive for 3 1/2 “ media and a thick blue ethernet cord serpentining into the abyss below your desk. On your formica, you have a massive tube monitor sitting in the corner. Every once in awhile you hit its ‘degauss’ button. You’re pretty sure it made the image better.
Microsoft is the center of your world. You login to the workstation with a CTRL + ALT + DEL keystroke. You enter in your ‘domain’ credentials and your password and presto: you’re in. You open up Windows Explorer so you can get access to your files on your “G:\ Drive” that IT set up for you. Little do you know that your files on that G:\ drive are on a machine, like the one under your desk, in the IT guys’ room down the hall. It’s the one with numerous coffee ring stains on the top of its case.
This whole existence (other than the Starbucks runs) was brought to you by Microsoft’s Windows 2000 Active Directory Services® – a.k.a. “AD”, the evolved and productized version of Windows NT, which had been previewed a few years earlier. These were the days when Microsoft was office computing.
There was no mobility. Cell phones had antennae and the only person who had a laptop was your CTO and it weighed 11 pounds. When you went into a meeting, you had a notebook and pen, not a tablet, and co-workers were not distracted by their phones. At the center of an employee’s productivity was Microsoft and its myriad services and products:
- Microsoft Office 2000® – Word, Excel and PowerPoint. This is how you got your job done… oh, and your job was creating and sharing documents. And Office included FrontPage so you could build web pages! Because, you know, the Internet and FrontPage was the doorway to many great internet ideas.
- Windows Server® – All roads led to your servers, likely managed in your office somewhere in a closet. They contained network drives, Microsoft SQL Server to serve up data to apps, and myriad other services to dish content to employees on the domain.
- Windows Exchange Server® – While launched in 1993, Exchange Server really took steam in 1996, enabling rapid peer to peer communication leveraging text editing features that were not available in more simplistic messaging systems. It was a game-changer.
- Windows 2000® – Your gateway to everything mentioned above. You’d CTRL + ALT + DEL your way into computing bliss after hearing the soothing boot up chime.
Your Windows machine was loaded with all of the applications you needed to get your job done. The Office suite and your Exchange email client as mentioned above were the most abused, in addition to a phalanx of other tools that needed to be installed by an administrator on your workstation so you could do your job.
This was typically very expensive ‘per seat’ software ranging from business intelligence tools for reporting, workflow products, drawing tools, etc. Moreover, anything critical required elaborate and privileged VPN connectivity which often timed out and caused you near-aneurysm-inducing experiences.
But this was your world and every office in your building, your city, your state and your nation was computing in exactly the same way. We were a Microsoft world then.
The Forecast: Cloudy
By the mid 2000’s the Internet was in full stride. With the exception of the influence mobile computing has brought to accessing the internet, 2005’s internet was very much like we know it today. You’d fire up Netscape or Internet Explorer, you’d search on Ask Jeeves or Google for your topic, and get transported.
One important difference between then and now:
At home, you were mostly using the Internet for commercial and personal needs (buying things, accessing information, etc.) And you were doing the same thing at work, borrowing your company’s bandwidth. In other words, you were not logging in on-line to any applications to assist your work productivity. You were surfing to find information and likely to buy stuff. But you certainly were not regularly in a browser accessing work tools, save for primitive intranets. Those were still all desktop apps.
Back pedaling a bit: In the late 90’s I was an up and coming product manager at a ‘small company’ (we weren’t calling them ‘start ups’ like we do now…) in downtown San Francisco. I’d walk toward the Embarcadero down Market Street for lunch and pass a building that had their street-level windows all plastered with paper. It was some sort of new ‘dot com’ company. The paper had a logo on it. It was this logo:
As a software PM, I thought this was a joke. Here I was slaying myself in the software industry pushing hard to build great things out of software and this company was taking the wind out of the industry’s sails. The company was Salesforce and only a few days later I’d learn what “the cloud” was.
At its core, the cloud is software. The take-away from Benioff’s slogan was not the death of software per se…but rather the death to traditionally buying, installing, configuring, optimizing, scaling and managing software products…like a CRM system. The cloud. It made sense.
But who the hell would trust their customer information up…in space? It was safer on a server, in a closet in our building with a precariously wavering cup of Starbucks on top of it. Right?
This period of the cloud’s acceptance and growth was mind-boggling. Never before could a small team, say, a marketing team, get budget, bypass IT….who’d historically needed to research, acquire, test, install and roll out software….and sign up directly for the service and pay for it by a manager’s credit card. Instant efficiency and departmental self reliance done all through their browser and a solid internet pipe to their building. Other departmental teams in your company would follow suit, adopting piecemeal cloud-based solutions to help get their jobs done:
- Infrastructure as a Service: Engineering teams started to leverage ‘elastic computing’ in Amazon’s burgeoning web services platform. Instead of asking for space on some server in the company’s co-lo, they could personally spin up virtual images of operating systems for testing. And while virtualization and the hypervisor craze of the late 00’s was in vogue… it wasn’t quite the same as the initial experience AWS presented. Primarily Linux, this meant development teams could move faster by not having to actually configure and run server infrastructure, but put that computing resource need back on Amazon and rent it by the hour.
- Software as a Service: Salesforce is nearly eponymous with SaaS but it was the first domino that cascaded a whole industry to demonstrate the simplicity of ‘killing software’ and not managing any application footprint on your premise. The other dominoes followed…
- Microsoft Exchange→ GMail
- Domain Name Server→ VeriSign
- Network File Shares→ Dropbox
- PeopleSoft→ Workday
That decade, 2000-2010, was game changing. An explosion of startup communities across the nation rushed in to solve legitimate business problems by leveraging the internet and the exploding cloud, modernizing and displacing traditional solutions that for two decades prior had been implemented ‘the only way’: installed and managed on premise. The second economic collapse of 2008-10 could not stop the momentum and the growth of wireless, elegant mobile computing devices, and economically favorable conditions enabling low risk to build and market software ideas ignited the cloud into a storm. But what was looming on the horizon with this explosive adoption of services began to threaten traditional IT managers: identity management.
This is a mess. – Love, your IT Team
That office 2000 was tight. Your IT staff actually had time for those Starbucks runs back then. They knew their material, almost all having MSCE certifications. They could operate a Microsoft Domain blindfolded.
Yet by 2010, these same IT pros were left in a fairly chaotic mess. Their charter as an IT team was to provide onboarding and workflow efficiencies to employees and security governance for your organization. Now? The Wild West. While the same old Windows workstations were well governed and managed, many new resources were penetrating the firewall and were out of their purview or technical acumen to control and manage. The profile of the IT’s office was changing…
- WiFi – As it became easier to order Windows laptop systems from internet-based suppliers like Dell, your employees could work where they needed to within the range of your offices’ wireless access points. Unless there was a knowledgeable member of your staff who could wrangle RADIUS and uniquely authenticate your employees, all folks invariably enjoyed the ‘simplicity’ of sharing your SSID and common password. Easy peasy (but not necessarily secure).
- Mac – Employees by the mid ‘00s are starting to leverage their own computing devices in your domain. Bringing in shiny white plastic laptops that connected easier to WiFi than their Windows counterparts, so surfing was a breeze. But they were largely inferior to Windows at the time due to the app limitations. Vendors writing locally installed apps knew that Windows was still ‘the target OS’ and they had not really seen the cloud moving faster into the workplace. In short, Apple was a ‘joke’ and was not enterprise focused. It was the iPod company. But it was white… and had a browser… and made you cool.
- The Remote Office and Traveling Employee – Devices like laptops gave rise to the requests by employees to their managers to ‘WFH’. Moreover, traveling employees could be more productive by towing around what was their floor-oriented workstation in a backpack. This was not entirely problematic for IT Admins, but required some VPN configuration know-how and the ability for that domain-managed machine to ‘phone home’ to the corporate Domain Controllers for instructions, policy updates, etc.
The Strain on Employee Identity
2011-2016 (e.g., ‘modern times’) has been an interesting period for the industry on many levels. Employees are accessing more diverse applications online that were once hosted internally and on-premise. It became clear to the security industry at large that employees were becoming a massive attack vector for breaches simply due to the fact they were leveraging the same (typically weak) password for all of their services… their system, applications, et al.
The problem was (and largely remains) this: Identity silos.
But the tidal change to cloud was fracturing the once centralized control and management of identities into distinct silos:
- Silo 1 – Active Directory: It managed all the legacy and on-premise resources, including the employee’s machine, the internally managed SharePoint or Confluence Servers, internal networking and authentication to file shares, etc.
- Silo 2 – Single Sign-On (SSO): Solutions for the new wave of SaaS-based apps now widely in use.
The SSO movement penetrated the market very opportunistically and provided coverage for the now exploding SaaS industry. It took advantage of progressive protocols such as SAML, that at their core were designed to authenticate and subsequently deny or authorize access between a source of identity and a web-based service like an app.
Moreover, ‘SSO’ tools started to be the ‘formal’ employee interface to their identity. This is worth additional explanation. The employee interaction with an Active Directory-governed identity was extremely limited. For the most part, it involved minimal UI, accessed either by CTRL + ALT + DEL on their Windows host, or via https://owa.yourcompany.com (the primitive web-based access point for your company’s Exchange server). Both would allow rudimentary employee updates, primarily password changes. The rest of the identity: all managed by your trusted IT Staff within Active Directory.
What the SSO industry did was defer to, and primarily leverage, your company’s ‘authoritative’ version of the employee identity managed in Active Directory, and then apply an elegant, web-based front door to your organization for your employees to access apps and self-manage a few aspects that IT admins had to do in the past. This instituted greater efficiency through familiarity (new employees understood personal portals from their non-work applications) but, more importantly, it provided secure access to the new wave of SaaS-based applications that would now be logged in to with core Active Directory creds. No more identity silos. No more individual accounts per web app. No more weak passwords. All driven from your on-premise Active Directory. Genius.
And then the CEO enters your office and asks: So, how can we go all cloud?
Yes, You Can Put Your Identities in the Cloud
Your CEO is not being totally unreasonable. We all know there are significant advantages to moving to cloud-based services. With each infrastructure move (i.e., servers, core applications, collaboration and communication tools, etc.) you are reaping benefits. Above and beyond them all is to free your IT staff from unnecessary overhead (e.g. managing servers that underpin apps or other services) and allow them to focus on the critical needs to help drive your business forward, faster. Get them out of tweaking servers and acquiring more infrastructure, and into architecting and driving better IT solutions for your business to make it move faster.
The SSO and Active Directory solution discussed above, while efficient, is still the core hurdle your CEO wants to jump over: get rid of the machines and their need to be baby sat! Active Directory requires server management and overhead costs. And sure, Azure Active Directory is a possibility – if you are only trying to manage on-premise Windows systems (sorry Mac and Linux) or servers anywhere else but Azure.
The point is to be able to manage your entire environment, wherever it is, whatever the make. The only question: is this even possible?
The Evolution of Directory Services
Yes, there is a way to fully manage your IT infrastructure either on-premise or in the cloud. Directory-as-a-Service® (DaaS) has taken the SaaS-based model laid out by the innovators of the 2000’s and brought it to the core of IT: the directory itself.
JumpCloud’s Directory-as-a-Service is a complete solution to replace Activity Directory. It authenticates your users to the systems, applications, and networks they need. JumpCloud supports a number of authentication protocols such as LDAP, SAML, RADIUS, SSH as well as JumpCloud’s REST API. Simply set up your groups and your users have True Single Sign On™ access to what they need – and only what they need.
System management is another key component of a directory. With JumpCloud you can execute virtually any task or schedule sets of tasks on Windows, Mac, and Linux systems.
As you would expect from a cloud-based service, JumpCloud is highly scalable, always-on and above all – secure. Multi-layered security ensures your user identities are safe at every end point. Hashing algorithms, data-transfer and data-at-rest encryption, multi-factor authentication, password complexity management, and event logging gives you security and visibility into activity in your environment.
The Future is Here
I bet if you look around, you’ll see your infrastructure is moving to the Cloud, your employees are using more and more SaaS vs legacy applications, and Macs are popping up like weeds. It’s time your directory evolves to keep pace with our rapidly changing IT world and ensures your technology choices are not dictated by a directory, but rather what is best for you and your employees to be more efficient. It’s time to take a look at the future of identity and access management – and it’s in the cloud.
If you want an overview of what it actually looks like to replace Active Directory with JumpCloud, take a look at our Quick Start: Active Directory Migration Guide. We also have a new, light ebook about the reasons admins are finally ‘Breaking Up with Active Directory’.