As the movement to replace Microsoft Active Directory® with a cloud hosted directory service takes hold, organizations increasingly ask whether Directory-as-a-Service® can help them meet security regulations and pass audits.
This blog post is a guide for how to talk to your auditors about JumpCloud.
Auditing and the Directory
The three core areas to communicate to your IT auditors are visibility (evidence), control, and security:
Visibility / Evidence –
Auditors want visibility into any system, and JumpCloud’s Directory-as-a-Service® platform is a critical component of the IT infrastructure. During the audit process, the IT organization needs to show that the cloud identity management platform exposes its data transparently. Specifically, JumpCloud’s cloud hosted directory can provide detailed event data for any changes made to the platform by administrators or end users: when users were added, terminated, or modified, and when those users gained access to critical systems, applications, or networks. Authentication events into systems can also be logged so that IT auditors can review when people logged into critical systems. This data can be pulled from the JumpCloud platform via API calls and retained or exported as audit evidence.
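To make the evidence above concrete, here is an added example (not JumpCloud code, and not JumpCloud’s actual export format) that turns a list of directory event records into the three artifacts an auditor typically asks for: the user lifecycle trail, the authentication trail, and a list of who made changes, compared against the approved administrator list. It also flags a gap auditors look for specifically: a successful authentication by an account after that account was terminated. The event schema (`ts`, `type`, `actor`, `subject`, `resource`) and the sample events are constructed for this example; adapt the field names to whatever your directory’s API actually returns.

```python
"""Build audit evidence from directory event records.

Added example, not JumpCloud code. The event schema below is hypothetical and
constructed for illustration; map the field names to your directory's real
export format before use.
"""
from datetime import datetime

# Constructed sample events (hypothetical schema). "subject" is the account the
# event is about, "actor" is the admin who caused it, "resource" is the system
# that was logged into.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:00+00:00", "type": "user_created",  "actor": "admin.alice", "subject": "bob"},
    {"ts": "2024-03-01T09:05:00+00:00", "type": "group_added",   "actor": "admin.alice", "subject": "bob", "detail": "prod-servers"},
    {"ts": "2024-03-02T10:12:00+00:00", "type": "auth_success",  "subject": "bob", "resource": "prod-db-01"},
    {"ts": "2024-03-10T17:30:00+00:00", "type": "user_deleted",  "actor": "admin.alice", "subject": "bob"},
    # Auth after termination: the kind of gap an auditor will ask about.
    {"ts": "2024-03-11T08:01:00+00:00", "type": "auth_success",  "subject": "bob", "resource": "prod-db-01"},
    {"ts": "2024-03-12T11:00:00+00:00", "type": "admin_granted", "actor": "admin.alice", "subject": "carol"},
    {"ts": "2024-03-12T11:02:00+00:00", "type": "auth_failure",  "subject": "carol", "resource": "admin-console"},
]

# Event types that change who exists and what they can reach (lifecycle trail)
# versus events that record someone using that access (authentication trail).
LIFECYCLE_TYPES = {"user_created", "user_modified", "user_deleted",
                   "group_added", "group_removed", "admin_granted", "admin_revoked"}
AUTH_TYPES = {"auth_success", "auth_failure"}


def _ts(event):
    """Parse the ISO 8601 timestamp so events can be ordered reliably."""
    return datetime.fromisoformat(event["ts"])


def build_evidence(events):
    """Return the audit artifacts derived from a batch of directory events."""
    events = sorted(events, key=_ts)
    lifecycle = [e for e in events if e["type"] in LIFECYCLE_TYPES]
    auth = [e for e in events if e["type"] in AUTH_TYPES]
    admin_grants = [e for e in lifecycle if e["type"] == "admin_granted"]

    # Walk events in time order. Once a user is deleted, any later successful
    # authentication by that account is a control failure worth explaining.
    # A re-created account clears the flag from that point on.
    deleted = set()
    post_termination_auth = []
    for e in events:
        if e["type"] == "user_deleted":
            deleted.add(e["subject"])
        elif e["type"] == "user_created":
            deleted.discard(e["subject"])
        elif e["type"] == "auth_success" and e["subject"] in deleted:
            post_termination_auth.append(e)

    return {
        "lifecycle": lifecycle,
        "auth": auth,
        "admin_grants": admin_grants,
        "post_termination_auth": post_termination_auth,
        # Everyone who actually made a change, for comparison with the
        # approved administrator list.
        "change_actors": sorted({e["actor"] for e in lifecycle if "actor" in e}),
    }


def unapproved_actors(events, approved_admins):
    """Actors who changed the directory but are not on the approved admin list."""
    actors = build_evidence(events)["change_actors"]
    return [a for a in actors if a not in approved_admins]


if __name__ == "__main__":
    evidence = build_evidence(SAMPLE_EVENTS)
    for name in ("lifecycle", "auth", "admin_grants", "post_termination_auth"):
        print(f"== {name} ({len(evidence[name])} events)")
        for e in evidence[name]:
            print("  ", e["ts"], e["type"], e.get("subject"), e.get("actor", ""), e.get("resource", ""))
    print("change actors:", evidence["change_actors"])
    print("unapproved actors:", unapproved_actors(SAMPLE_EVENTS, {"admin.alice"}))
```

Run against a real export, the `post_termination_auth` and `unapproved_actors` results are the items to resolve before the audit, since an empty result for both is exactly the evidence that the termination process and admin separation work as described.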
Control –
Auditors want to see that you have demonstrable control over your IT systems. Only a small, defined set of people should be able to be admins within the JumpCloud identity management system, and there should be a clear separation between those who control the system and those who merely need to access it. That control should have checks and balances and be in the hands of the IT organization. Further, IT auditors want to know that the controls you have implemented can’t be circumvented: there should be one identity provider within the organization, and authentications should occur against the central directory. The more local directories in place, the more complex the situation and the more wary auditors will be. By making JumpCloud your authoritative source of truth for identities, it becomes the one place auditors need to look for your access controls.
Increased security –
A new platform should add security, not remove it. When organizations ran Active Directory or OpenLDAP, they had to prove that those systems themselves were secured. With Directory-as-a-Service, IT admins can instead point to the security measures that JumpCloud has implemented, many of which go beyond what IT organizations typically have the time or budget to build around a self-hosted, on-prem directory. JumpCloud’s security starts with one-way hashed and salted passwords and extends to multi-factor authentication into the JumpCloud console. In between, JumpCloud has ensured that data at rest and in transit is encrypted, systems are tested on a regular basis, monitoring is in place, and all personnel receive security training. JumpCloud also undergoes its own audit, and the results of that audit can be shared with customers and their auditors.
Understanding the Auditor Perspective
It’s important to point out that auditors view any new technology with caution. An organization’s audit firm is an independent organization chartered with ensuring that the organization being audited is following proper procedures and protocols to satisfy the applicable requirements.
Auditors and Innovative Technology
New technology isn’t automatically the better choice when it comes to compliance. It needs to be vetted and understood. Auditors need to ensure that the new innovation doesn’t introduce new issues that are different from those posed by the legacy technology. Most auditors aren’t trying to stifle innovation; they want to confirm that a new technology exposes the organization to no more risk than before, and ideally less.
This path has been seen time and again in the IT compliance realm.
Example: AWS and Cloud Infrastructure
Most recently, this skepticism was directed at public cloud infrastructure. Early in the life of the public cloud, most auditors were not comfortable with shared, multi-tenant infrastructure. As Infrastructure-as-a-Service providers such as AWS and Google Cloud shared more information and were audited themselves, the public cloud became a widely accepted platform.
A similar path was followed when virtualization emerged. Could a virtual server expose an organization to more risk than one physical server per task? Over time, auditors became comfortable with that too. Auditors are generally rational: if there is strong evidence that a particular approach works, they are open to seeing that evidence.
Example: Directory Services
The same path illustrated above holds true when it comes to the modern innovation of Identity-as-a-Service and specifically Directory-as-a-Service.
For the last two decades, IT organizations have relied on essentially two directory services solutions: Microsoft Active Directory and OpenLDAP. Both are well understood by auditors and expected within every organization. Virtually every major IT security statute or regulation has at its core controls that focus on who can access what resources and how. Controlling access to confidential data and systems is at the heart of any audit, which is why it is critical to share specific data when using a cloud hosted identity management platform.
Any audit, whether for PCI, HIPAA, SOX, SSAE16, ISO 27001, or another standard, is focused on the same three things: evidence (visibility) to confirm that a control is in place, control over the IT system, and security. Each of these needs to be described in detail to auditors so that the system is viewed as positively supporting the overall audit. Remember that your identity management platform is just one component of the overall audit, so having the details of how your IDaaS platform supports the regulation is important.
JumpCloud DaaS is Viewed Favorably by IT Auditors
JumpCloud’s Directory-as-a-Service platform is an innovative approach to identity and access management. With clear communication to auditors along the lines above, the cloud hosted platform is viewed favorably by IT auditors. Many JumpCloud customers have undergone and passed audits with our Directory-as-a-Service platform at the core of their IT infrastructure.
JumpCloud is Here to Help
In addition to the advice above, JumpCloud’s engineering staff is happy to talk with auditors and to share our own audit results when needed. A cloud hosted directory service is the next wave, and it is already a viable alternative to Active Directory and OpenLDAP. Please let us know if we can help provide more information and resources to get you through your audit.