By Rajat Bhargava Posted April 17, 2014
Another key scenario that we have heard when talking with customers is how to manage user access to a Windows server in the cloud. In talking with a number of hosting and cloud providers, we have heard Windows cloud server uptake anywhere from 25% to 50%. So it’s clear that organizations are shifting their Windows servers to the cloud. The interesting problem is that managing administrator access to those Windows cloud servers is not so easy! Waving your hand and saying AD will handle it belies some of the key challenges that having Windows in the cloud presents.
Organizations that run Windows servers internally often use Active Directory to manage user accounts. Decent-sized Windows shops can use the power of AD and all that it brings – GPOs, groups, etc. Of course, the challenge with AD is that it is a heavy application that requires dedicated management. It isn’t easy to set up, configure, operate, and maintain. However, it provides great control over a domain for larger organizations. As soon as organizations start to spin up Windows servers in the cloud, they introduce a new paradigm that AD wasn’t really built for.
To manage privileged user access for Windows cloud servers, organizations have a few options. We’ll review the options and then go through some of the pros and cons. If you have AD internally, you can try to leverage your existing implementation for your cloud servers. Another option is to set up AD in the cloud and have that exclusively for your cloud servers. A third option is to purchase an on-premise piece of software that will connect your internal AD implementation with your cloud servers. The fourth option is to manually manage those accounts. We’ll discuss the fifth option here shortly, but those have generally been the options that IT pros have been left with to manage Windows admin accounts.
The positives and negatives of each approach are:
Extend your existing AD solution:
You already have AD set up and running, your users are already in one central user database, and your admins are already managing it. That’s a great start. The downside to this option is really simple: security. In order to make this one work, you need to expose your AD server to the Internet. For most companies, that’s a bright line that they won’t cross.
Secondary AD system:
This allows you to manage your Windows servers “natively” through Microsoft. But the challenge is that your admins now have two AD systems to manage. In theory they won’t sync, because you are unwilling to expose your initial AD implementation to the Internet. This option may be a possibility for those that don’t have an AD server internally. Then again, if you don’t have one internally, why would you have one for your cloud servers?
On-premise software connecting your AD to your cloud servers:
There are identity and access control solutions that marry cross-platform and multiple locations together. These are legacy pieces of software mainly focused on enterprise authentication, authorization, and auditing. They were built to fill the gap left by Linux and Windows co-existing, and now by servers spread across multiple locations. The positive is that you can centrally manage everything, but the cost is extreme. You have yet another identity management system – a heavy-duty one at that – to manage and maintain. These systems are also expensive and follow the old-school enterprise software license model. No pay as you go here!
Manually manage user accounts:
This is not a bad option if you have a few servers and a few admins. If things are relatively stable too, then you may just do it the old-fashioned way and manage it manually. As soon as you hit any size or scale, this becomes unwieldy. Then, you are back to thinking about the first three options.
JumpCloud’s Directory-as-a-Service® platform for Windows servers:
If, like many DevOps and IT pros out there, you don’t find any of these options that great, we agree! Managing Windows administrator access in the cloud should be simple and easy. That’s one of the problems that we have focused on solving. There is no doubt that AD can be a fantastic solution inside an organization. However, when you mix in the cloud, you need a cloud-based solution to solve the problem of managing users. You will avoid creating security risks, wrestling with heavy enterprise software, and spending more time managing solutions that weren’t meant for the cloud. The goal of JumpCloud’s Directory-as-a-Service system is to enable DevOps and IT admins to quickly and easily manage and control Windows (and Linux, Mac…see below*) server access.
After registering for an account at JumpCloud®, we install a lightweight agent on your servers. From there, your admins log in normally with whatever username and password they have already set up. It is a seamless integration into your user management flow, except it is centralized across everything. On top of that, you can easily manage groups of servers and users. It’s simple, central Windows user management for cloud servers. This SaaS-based solution is pay as you go and consistent with the cloud model. There’s no heavy-duty software to install and manage. You just get to accomplish the task at hand – managing your accounts.
*If you have both Windows and Linux servers in the cloud, you have effectively blown up the AD model. Getting AD to work with Linux servers is clearly possible and people do it, but it is a painful exercise. Therefore, most DevOps and IT admins that we have spoken to opt to manage their Linux SSH user access through a different method. Fortunately, JumpCloud’s cloud-hosted directory service supports both platforms from our central console. If you have both platforms, it’s something that we have already considered. Furthermore, if you happen to use multiple cloud providers, that’s another key issue that we have solved as well.
So, if you have Windows servers in the cloud and are thinking about how you can off-load the task of managing admin accounts or make it simpler, then give JumpCloud’s Identity-as-a-Service platform a spin for your servers. It only takes a few minutes to try, and you will be eliminating wasted time quickly. Let us know how it goes – we’d love to hear your feedback!