By Rajat Bhargava Posted August 23, 2015
Cloud infrastructure is the new normal. Companies have been adopting tools like Google Apps (now known as G Suite), Salesforce, and Amazon Web Services (AWS) in droves. But many are still operating and maintaining their servers in a dark little room on-premises.
Today’s technology finally makes it possible to lift the directory into the cloud, where it can interact with and protect all of the online channels in which business now takes place.
But what is a cloud-based directory, how does it work, and what are the benefits and risks?
Here’s what you need to know.
What is a Cloud Directory?
A conventional directory lets devices, applications, and other network services look up and authenticate users. By providing centralized control over these functions, a directory greatly reduces the administrative work IT admins must perform when on-boarding and off-boarding employees.
Above all, a directory should be the single, authoritative “source of truth” when it comes to a user identity. A cloud directory service gives organizations the ability to bring that single source of truth beyond the walls of their building to SaaS-based apps, cloud infrastructure, and remote devices.
Unlike SSO solutions that generally act as an extension to AD or LDAP, a cloud-based directory can serve as a central, core directory service for an organization.
Features of a Cloud Directory
A cloud directory should still perform all the basic functions of a conventional directory, including:
- User Access Control
- Device Management and Policies
But also offer:
- Ubiquitous support for devices and applications
- Increased security
- Decreased levels of overhead
- “Always on” 24/7 availability
Two Approaches to the Cloud Directory
Moving to a cloud directory doesn’t necessarily mean starting over from scratch. Organizations with Active Directory or OpenLDAP may extend their existing directory to the cloud, as described below.
Smaller organizations may not have a directory at all, electing instead to manage and provision their users manually. Of course, as the organization grows, manual management becomes increasingly cumbersome and inefficient. By enlisting the help of a cloud-based directory service, they can bypass on-premises directories altogether but still get the benefits of centralized user and device management. This is also an option for larger, cloud-forward companies who want to forgo on-premises infrastructure as much as possible.
How Cloud-Based Directories Work
At JumpCloud, we’re experts in Directory-as-a-Service (DaaS), an innovative approach to 21st century identity management in the cloud. As with the two approaches above, DaaS can function either as your directory of record or as an extension of your existing directory.
Here’s how it works:
At the core of DaaS is the database that maps users to the applications, devices, and networks that users need. The DaaS platform provides a framework for security and centralized control between your users and the resources they need, whether they exist on-premises, in the cloud, or in third-party SaaS apps.
Directory-as-a-Service is, of course, an infrastructure service. That means there is a dedicated team at all times making sure that your directory is up-to-date with the newest apps and security threats – and running 24/7. Highly scalable, always-on, and requiring no installation or ongoing management, DaaS provides IT admins with an easy-to-use interface and standards-based protocols to integrate with your infrastructure.
For organizations, it’s as simple as populating JumpCloud’s core directory with their users, either entered manually or imported automatically. The JumpCloud directory then exposes its user store securely via the LDAP, SAML, and RADIUS protocols.
Functions of a Cloud Directory
Requests to authenticate users are sent to JumpCloud via the LDAP protocol, our REST API, SSH, SAML, or another protocol. The JumpCloud agent can also be deployed on your Windows, Mac, and Linux devices for task and policy management, survivability, and security auditing.
DaaS is an all-in-one authorization solution that ensures that the right users have access to your IT resources. JumpCloud can manage group membership and sudo access. It can also execute a command when users are added to or removed from any device.
A critical part of a DaaS solution is the ability to manage Windows, Mac, and Linux devices at scale. DaaS simplifies task execution on devices including globally updating policy settings, modifying registry settings, applying patches, and changing system configurations. It ensures consistency across your environment, by allowing you to group like objects and apply the same policies and configurations across them.
Cloud Security through the LDAP Protocol
For directories, security is of the utmost importance. Directory-as-a-Service works thanks in part to LDAP servers that are placed around the world for LDAP clients to authenticate against.
This hosted LDAP system ensures that only an organization’s own devices and applications can authenticate against its user base: clients must present the organization’s ID and API key before they are served. Those keys identify the tenant; they do not by themselves protect the credentials in transit. An LDAP simple bind carries the user’s password itself, so the connection to the hosted endpoints should always be wrapped in TLS (LDAPS or STARTTLS).
Here’s how JumpCloud’s hosted LDAP solution works:
- A core directory is constructed in the cloud. This directory is the user store for an organization’s employee, contractor, and partner population.
- LDAP server endpoints around the world function as the bridge between LDAP client authentication and authorization requests to the core directory in the cloud.
- LDAP clients are configured to point at the hosted LDAP servers and pass the organization’s ID so that the servers can match each request to the right user base. The clients then pass the username and password, and/or SSH key information, to the LDAP servers for validation.
- JumpCloud’s hosted LDAP solution then returns the proper authentication and authorization responses.
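As an added illustration of the four steps above (this is not JumpCloud’s code, and the DN layout with the tenant ID in the o= attribute, the organization ID, the user, and the password are all assumptions constructed for the example), here is the LDAP simple-bind request and response encoded and decoded at the byte level, with an endpoint that scopes the lookup to one organization before checking the password. It also shows why the transport must be TLS: the password sits verbatim inside the bind request bytes.

```python
"""LDAP simple bind (RFC 4511, BER-encoded) as it crosses the wire, built and parsed by hand.

Constructed example: the tenant ID in the o= attribute, the DN layout, the user and the
password are assumptions for illustration, not a vendor's real DN format or data."""
import hashlib
import hmac
import os

SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
BIND_REQUEST, BIND_RESPONSE, SIMPLE_AUTH = 0x60, 0x61, 0x80  # APPLICATION 0, APPLICATION 1, [0]
SUCCESS, INVALID_CREDENTIALS = 0, 49                         # LDAP resultCode values


def _ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def ber_int(n, tag=INTEGER):
    """Minimal two's-complement encoding for INTEGER / ENUMERATED."""
    return tlv(tag, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def bind_request(msg_id, dn, password):
    """Client -> server: LDAPMessage { messageID, BindRequest { version 3, name, simple } }."""
    op = ber_int(3) + tlv(OCTET_STRING, dn.encode()) + tlv(SIMPLE_AUTH, password.encode())
    return tlv(SEQUENCE, ber_int(msg_id) + tlv(BIND_REQUEST, op))


def bind_response(msg_id, result_code, diagnostic=""):
    """Server -> client: LDAPMessage { messageID, BindResponse { resultCode, matchedDN, diagnosticMessage } }."""
    op = ber_int(result_code, ENUMERATED) + tlv(OCTET_STRING, b"") + tlv(OCTET_STRING, diagnostic.encode())
    return tlv(SEQUENCE, ber_int(msg_id) + tlv(BIND_RESPONSE, op))


def parse_tlv(buf, pos=0):
    """Return (tag, value, position just after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(packet):
    tag, msg, _ = parse_tlv(packet)
    assert tag == SEQUENCE
    _, mid, pos = parse_tlv(msg)
    tag, op, _ = parse_tlv(msg, pos)
    assert tag == BIND_REQUEST
    _, version, pos = parse_tlv(op)
    _, dn, pos = parse_tlv(op, pos)
    tag, cred, _ = parse_tlv(op, pos)
    assert tag == SIMPLE_AUTH, "only simple bind is handled here"
    return {"message_id": int.from_bytes(mid, "big", signed=True), "version": version[0],
            "dn": dn.decode(), "password": cred.decode()}


def parse_bind_response(packet):
    """Return (messageID, resultCode)."""
    _, msg, _ = parse_tlv(packet)
    _, mid, pos = parse_tlv(msg)
    _, op, _ = parse_tlv(msg, pos)
    _, code, _ = parse_tlv(op)
    return int.from_bytes(mid, "big", signed=True), int.from_bytes(code, "big", signed=True)


def password_on_the_wire(packet, password):
    """True when the raw bind request carries the password verbatim (it always does; only TLS hides it)."""
    return password.encode() in packet


# Constructed tenant: one organization ID and one user stored as a salted PBKDF2 hash.
ORG_ID = "5a1b2c3d4e5f"  # assumed tenant identifier, carried in the o= attribute of the DN


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = os.urandom(16)
USER_STORE = {f"uid=alice,ou=Users,o={ORG_ID},dc=example,dc=com": (_SALT, _hash("correct horse battery", _SALT))}


def dn_org(dn):
    """The o= RDN value, which this example assumes identifies the tenant."""
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.lower() == "o":
            return value
    return None


def handle_bind(packet, org_id=ORG_ID, store=USER_STORE):
    """Hosted endpoint: scope the lookup to the tenant, then compare hashes in constant time."""
    req = parse_bind_request(packet)
    entry = store.get(req["dn"]) if dn_org(req["dn"]) == org_id else None
    # Hash even for unknown DNs so a bad DN and a bad password take the same time.
    salt, digest = entry if entry is not None else (_SALT, b"\x00" * 32)
    if not hmac.compare_digest(_hash(req["password"], salt), digest):
        return bind_response(req["message_id"], INVALID_CREDENTIALS, "invalid credentials")
    return bind_response(req["message_id"], SUCCESS)
```

The bind under the right tenant returns resultCode 0; a wrong password, or the same user under a different o= value, returns invalidCredentials (49) with no hint as to which check failed. A capture of this exchange on plain port 389 would show the password string in the clear, which is the reason the client-to-endpoint leg must be LDAPS or STARTTLS regardless of the organization and API keys.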
How does this connect with an existing Active Directory instance?
Many organizations are interested in managing users on AWS, Google Compute Engine, or another Infrastructure-as-a-Service provider, or in managing Linux and Mac devices, which AD does not natively support. Directory-as-a-Service can extend AD to control and manage these non-Windows platforms.
To connect the two platforms (AD and DaaS) together, the AD Integration installation process includes installing a small agent on AD servers. This agent synchronizes the users and their access within Active Directory to JumpCloud. The two systems—AD and JumpCloud—operate in parallel during the migration.
Any change in Active Directory is automatically replicated to the DaaS solution, keeping the two systems in sync. Because both run in parallel, users keep access to everything they need while the migration proceeds. Since AD remains the source of truth until cutover, off-boarding should continue to be done in AD so that the change propagates, rather than being made by hand in both systems. Over time, IT admins can switch authentication from Active Directory to JumpCloud. This migration path from AD to DaaS keeps the transition smooth and controlled.
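Added example of the "keep both systems in sync" idea, not JumpCloud’s AD Integration agent: a reconciler reads a constructed AD export (sAMAccountName, mail, userAccountControl, memberOf) and computes the operations that bring a cloud user store into line with it, treating AD as the source of truth. The export format, the operation names, and the rule that users missing from AD are suspended rather than deleted are assumptions of this example.

```python
"""Reconcile a snapshot of Active Directory users with a cloud directory's user store.

Constructed example: the export format, the cloud state and the operation names are
assumptions for illustration, not a vendor's sync agent or API."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    username: str
    email: str
    enabled: bool
    groups: frozenset


def parse_ad_export(lines):
    """Parse a constructed 'sAMAccountName;mail;userAccountControl;memberOf' export.
    Bit 0x2 of userAccountControl is ACCOUNTDISABLE in AD; memberOf groups are '|'-separated."""
    users = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        sam, mail, uac, member_of = line.strip().split(";")
        groups = frozenset(g for g in member_of.split("|") if g)
        users[sam.lower()] = User(sam.lower(), mail.lower(), not (int(uac) & 0x2), groups)
    return users


def reconcile(ad_users, cloud_users):
    """Ordered operations that make the cloud store match AD.
    Users absent from AD are suspended, never deleted, so a truncated export cannot wipe accounts."""
    ops = []
    for name, ad in sorted(ad_users.items()):
        cloud = cloud_users.get(name)
        if cloud is None:
            ops.append(("create", name, {"email": ad.email, "enabled": ad.enabled, "groups": sorted(ad.groups)}))
            continue
        if cloud.email != ad.email:
            ops.append(("update", name, {"email": ad.email}))
        if cloud.enabled != ad.enabled:
            ops.append(("enable" if ad.enabled else "suspend", name, {}))
        for group in sorted(ad.groups - cloud.groups):
            ops.append(("add_to_group", name, {"group": group}))
        for group in sorted(cloud.groups - ad.groups):
            ops.append(("remove_from_group", name, {"group": group}))
    for name, cloud in sorted(cloud_users.items()):
        if name not in ad_users and cloud.enabled:
            ops.append(("suspend", name, {}))
    return ops


def apply(cloud_users, ops):
    """Apply the operations to a copy of the cloud state (stands in for the real directory API)."""
    state = dict(cloud_users)
    for op, name, args in ops:
        u = state.get(name)
        if op == "create":
            state[name] = User(name, args["email"], args["enabled"], frozenset(args["groups"]))
        elif op == "update":
            state[name] = User(name, args["email"], u.enabled, u.groups)
        elif op in ("enable", "suspend"):
            state[name] = User(name, u.email, op == "enable", u.groups)
        elif op == "add_to_group":
            state[name] = User(name, u.email, u.enabled, u.groups | {args["group"]})
        elif op == "remove_from_group":
            state[name] = User(name, u.email, u.enabled, u.groups - {args["group"]})
    return state


# Constructed sample data: an AD export and the cloud store as it stood before this sync run.
AD_EXPORT = [
    "# sAMAccountName;mail;userAccountControl;memberOf",
    "alice;alice@example.com;512;Linux Admins|Engineering",
    "bob;bob@example.com;514;Engineering",  # 514 = 512 | 0x2, so bob was disabled in AD
    "carol;carol@example.com;512;",
]
CLOUD_STATE = {
    "alice": User("alice", "alice@example.com", True, frozenset({"Engineering"})),
    "bob": User("bob", "bob@example.com", True, frozenset({"Engineering"})),
    "dave": User("dave", "dave@example.com", True, frozenset()),
}

if __name__ == "__main__":
    plan = reconcile(parse_ad_export(AD_EXPORT), CLOUD_STATE)
    for op in plan:
        print(op)
```

Running the sample produces four operations: add alice to "Linux Admins", suspend bob (disabled in AD), create carol, and suspend dave, who no longer exists in AD. Applying them and reconciling again yields an empty plan, which is the property to verify before cutover: a second sync run must be a no-op, or the two directories are not actually in step.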
Benefits of a Cloud Directory
Forward-thinking organizations have been leveraging the cloud aggressively, from Google Apps to AWS. It just makes sense: cloud offerings generally provide faster service, lower costs, and reduced time and resources needed for management.
The same can be true with a cloud-based directory:
Minimal Set-Up and Upfront Cost
Installing a conventional directory involves a lot of set-up, along with the purchase of some pretty expensive hardware. Cloud directories on the other hand can be very quick to set-up and require no additional hardware.
Pay as You Go
With an on-premises directory, smaller companies still needed a full-sized directory with a full-sized price tag. The model was one-size-fits-all. The cloud model, on the other hand, allows organizations to pay for only what they use, whether small or large. JumpCloud offers their DaaS free for the first 10 users.
Ubiquitous Support for Devices and Applications
A wide variety of devices and applications have taken the workplace by storm. This includes Windows, Mac, and Linux compute devices, cloud servers hosted at AWS and Google Compute Engine, SaaS-based applications such as Salesforce or Workday, and on-premises applications. A good cloud directory can manage all of the above – and be prepared for the next workflow-innovator coming down the pipeline.
Decreased Overhead
A lot of the work with a traditional directory goes into managing the server and troubleshooting network complications. With a good cloud directory, there is no server to run: if your device or application is connected to the Internet, it can authenticate against the DaaS.
Available Anywhere, Any Time
With the rise of remote work and BYOD, more of an IT organization’s infrastructure is located across the world than ever before. A directory that’s hosted in the cloud can be authenticated against from anywhere, 24/7.
Increased Security
IT admins have long needed to scramble for tools to improve security. But with a cloud-based directory, monitoring, recovery, and data protection should all be built in to the service. It’s like having a highly trained crack squad always on alert, protecting your credentials through hashing and encryption, along with a host of additional security methods.
For more information on how our cloud-based directory works, drop us a note if you have any questions, or sign up for a free account. You’ll be able to explore all of our features, and your first ten users are free forever.