How to Convince Your Manager to Move Away from Active Directory

Written by David Worthington on April 8, 2024

Microsoft’s Active Directory (AD) has been a mainstay of information systems for over 20 years, but it was intended for a different era of computing and business requirements. Its persistence affects IT’s agility, impacts security posture, and limits IT’s capacity to provide the best-of-breed tools that employees expect. The cost of modernizing AD to Microsoft’s specifications can be startling; however, inaction raises operating costs at the expense of IT’s agility and efficiency.

Admittedly, it can be difficult to convince managers that a problem exists or that change is warranted. This article will explain how to align IT’s desire to move beyond AD with the interests of decision makers. It outlines the impact AD can have on your organization and equips you with the negotiation skills necessary to “get to a yes.” Let’s start by outlining the trouble with AD.

The Full Cost of AD’s Legacy

There are hard and soft costs associated with continued reliance on AD. 

Hard costs can include hardware, networking, licensing (including broad adoption of Microsoft security services), and facilities expenditures. You’ll also continue to encounter end user requests that are difficult to implement due to AD’s limitations, which can lead to further hard costs in the form of hardware, networking, and licensing for other products. 

The indirect costs vary and may be harder to quantify; they can reduce your flexibility, cause cultural resistance, and even make it more difficult for your organization to obtain cyber insurance coverage.

AD Isn’t a Business Enabler

AD wasn’t intended to manage anything other than Windows devices within a main office or set of satellite locations. This is not how modern organizations operate.

Today’s workplaces consist of cross-OS endpoints, and work happens everywhere. AD doesn’t provide single sign-on (SSO) for cloud apps and network resources without additional components, lacks modern, phishing-resistant authentication, and has no built-in conditional access (CA). AD is built around the network perimeter rather than treating every asset, resource, and access request as something that must be evaluated on its own.

Its technical limitations also make onboarding and offboarding users more cumbersome and prone to human error. There’s no automation of group memberships, and entitlements are all assigned manually. Because permissions are inherited through nested groups, it’s very easy to overprovision users and even waste licenses. IT efficiency is limited by AD’s lack of automation and its difficulty in handling modern workflows.

The end result is that IT isn’t responsive to business requirements, or worse, it actually impedes them.

Note:

Learn about how cloud directories automate group access to resources.

High IT Infrastructure Costs

Maintaining the status quo can become expensive, and costs will rise as your organization outgrows your current datacenter’s capacity to serve business needs. You should account for:

  • Spending on network overhead, including hardware upgrades and support agreements for firewalls and switches
  • Patching VPN solutions, which have become a favored entry point for attackers
  • Paying for business-grade high-speed internet, which can be costly in rural areas
  • Installing backup power and failover solutions
  • Planning for and executing disaster recovery
  • Addressing special-hazard fire protection and costly HVAC equipment
  • Implementing physical security controls
  • Paying additional costs for Microsoft’s per-core server licensing when you upgrade server hardware
  • Deploying point solutions and absorbing the increased management overhead

Note:

See a detailed breakdown of the hidden costs of AD-based infrastructures.

Paying the Price for Lock-in

Microsoft has designated AD as a legacy technology that must be secured and protected. Only the highest premium SKU of its Entra ID cloud directory service provides the security controls that Microsoft recommends to protect identities and provide strong access control. Additional products like Microsoft Defender for Identity are suggested to detect attackers moving laterally between Microsoft’s cloud services and your AD instances.

In short: keeping AD means adopting a big reference architecture.

Industry experts have also raised concerns that Microsoft is monetizing security and abusing the term “legacy” at its customers’ expense instead of fixing AD’s well-documented security defects. These add-on products can be complex to license and administer, potentially increasing IT headcount and salaries at market rates. Soft costs restrict choice and limit flexibility.

Technologies like Entra ID are mostly purchased as bundles with productivity software, creating a vertically integrated stack out of Microsoft’s services. Consider how people work, how they’re willing to work, and the frustrations they might feel when flexibility is lost. There’s a “culture” around tools and platforms, and that could stall migrations, despite pressure from the top.

Harvard Business Review (HBR) found that 59% of employees indicate that “their collaboration tools are not aligned with how their teams prefer to work.” HBR recommends that IT empower users to have a say in choosing the applications that will shape how they work.

Note:

Read a detailed examination of how downstream lock-in of services with Microsoft can impact your organization.

JumpCloud’s AD modernization can be easier to implement and learn. Image credit: JumpCloud. Data is based upon what JumpCloud customers have experienced.

Compliance and Cybersecurity Issues

California has instituted privacy laws, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), under which violators are subject to civil penalties. This may be just the beginning, because U.S. national standards are often derived from state law. California’s laws mirror the European Union’s General Data Protection Regulation (GDPR), which is enforced when breaches occur. Courts may have to step in to determine when and how future penalties are imposed and what level of due diligence will be expected of data custodians.

It’s also important to consider and communicate how any disruption to business operations would have adverse effects on revenues and, ultimately, the reputation of your organization.

No Security Controls, No Insurance

The insurance industry knows these costs and is expecting greater diligence, with a baseline of security controls. Identity is becoming the new perimeter for preventing data breaches, and insurers, along with many others, are emphasizing it heavily. Underwriting is beginning to consider how prospective customers handle evolving adversarial tactics and techniques. Underwriters will also examine whether an applicant has been breached before, treating it much like a preexisting condition. Failure to manage cyber risks can affect insurability, and AD isn’t up to the job in today’s IT environment.

These trends are converging to dramatically upend the economics of cyber incidents. Fortunately, there are steps that you can take to start the process to achieve better security with your manager’s buy-in, trust, and clear alignment with corporate goals. 

Understanding Objections

Unfortunately, many managers have a solid grasp of the threats posed by cyber criminals but don’t feel any urgency. It can seem as if there’s never a “good time” to get started.

You may encounter objections, including:

  • A misunderstanding of fiscal costs
  • A perceived lack of urgency
  • Undervaluing anything that’s not directly associated with “the business”
  • The notion of “we don’t click on emails” serving as sufficient security
  • Executives (or owners) who micromanage but don’t understand technology very well

These scenarios all come down to the same thing: some managers fail to view IT as a function of the core business, so it appears ancillary. IT needs to learn to market itself to the people setting the budget as a core function rather than an ancillary one. Your challenge is “getting to yes.”

Note:

Learn about how to optimize your IT department’s budget strategy.

Getting to Yes

“Those who defer doing something about cybersecurity have elevated other interests or concerns above it. Using a ‘getting to yes’ approach means understanding their interests,” said Dr. Art Hochner, professor emeritus of management at the Fox School of Business at Temple University. Dr. Hochner specializes in teaching negotiation skills to thousands of students. 

He continued, “Maybe they are sold on the idea, but don’t have time to implement, don’t have a good grasp on what exact steps to take, or would benefit from some hand-holding along the way. The key is to find out what they see as their key interests — e.g., meeting deadlines, managing their time, knowing how to avoid pitfalls and large expenses, etc.” 

That can’t be done by trying to sell them on technology alone. For a more effective negotiating strategy, Dr. Hochner recommends following these steps instead:

  • The Jedi mind trick: Make it their idea. Your end goal should be for the decision makers themselves to believe that migrating is vital to their interests, versus a “good to have.” For instance, Hochner noted that the best car salespeople were the ones that allowed him to take vehicles out for a test drive to sell himself. “[I] didn’t need them to tell me anything much. But, of course, I wanted to buy a car, so I took the time to seek them out,” he said.
  • Listen: Your initial task is to actively listen and learn why they’re deferring action. Hochner recommends asking them why directly and then, “just shut up and listen … you can learn a lot by staying silent.” The FUD approach, where only your organization’s risks are emphasized, isn’t going to be successful.
  • Guidance: Transform excuses into guidance by helping them define their interests. For example, respond to excuses such as, “I don’t have the time,” with a collegial mindset that respects their interests but moves the ball down the field:
    • What would help you find the time?
    • Is there something I could do to help you clear your schedule?
    • Can we agree on a specific time for us to reconnect? 
  • Social proof: Show them what your peers or competitors are doing and ask questions such as, “Do you want to know more about how they were able to do it?”
  • Empathy: Use emotional intelligence by emphasizing that your organization isn’t alone in its constraints and experiences, and that there’s a “well-worn path” to better security and IT efficiency. Consider sharing endorsements from people they may know.
  • Reciprocity: Think of something meaningful that you have to offer such as a free consultation that could trigger a “reciprocation response” that evokes an obligation to give something of value back to you.
  • Liking: According to Hochner, “Show them how much you are like them. People don’t care how much you know until they know how much you care.”
  • Authority: Establish yourself as a trustworthy messenger. For example, consider admitting any known flaws and weaknesses before the other party seizes on them. IT teams should emphasize solutions, not problems, and establish risk-based programs that are defensible and can demonstrate success.
  • Consistency: Leverage their past statements to move them to actions consistent with their prior commitments. “Small steps enable you to get a series of yeses, leading to a real commitment,” Hochner said.

Additional Resources

University of Pennsylvania professor of organizational behavior Dr. Karren Knowlton recommends reading:

  • “Switch,” by the Heath Brothers
  • “Drive,” by Dan Pink
  • “Leading Change,” by John Kotter

Migrate Away from AD with JumpCloud

JumpCloud’s Open Directory Platform provides a smooth path to migrate off or modernize AD, once you’ve succeeded in aligning IT’s and management’s interests. Active Directory Integration (ADI) has configuration options that will enable you to determine where and how you want to manage users, groups, and passwords. It also provides a migration tool to transfer identities.

Cross-OS device management is a critical component to control and protect modern IT infrastructures. JumpCloud pairs the ability to manage every endpoint with an open directory platform to secure every identity and resource. This unified approach delivers strong access control while consolidating your tools for increased IT operational efficiency. Try JumpCloud for free and find out if it’s the right option for your organization’s journey away from AD.

Our customers tell us that asset management is also important for security and IT operations. JumpCloud is enhancing its platform to unify SaaS, IT security, and asset management.

Learn more about how admins will be able to consolidate security, asset, device, access, and identity management with JumpCloud and how those features go hand in hand.

David Worthington

I'm the JumpCloud Champion for Product, Security. JumpCloud and Microsoft certified, security analyst, a one-time tech journalist, and former IT director.
