Current events demonstrate that the IT industry needs a new framework for identity and access management (IAM).
We’re seeing a deluge of headlines about what this moment will mean for the future of work — everything from “We’re in the midst of a massive work-from-home experiment. What if it works?” to “Why you may still be working from home after the coronavirus crisis is over.” This moment will likely have far-reaching effects on how we work, how we commute, and where we’re located in relation to our work, and IT leaders will be called upon to facilitate the technical transformation securely for their organizations.
Traditional IT approaches and architectures will not continue to serve organizations adequately, and new ways of securing users, devices, and organizational data will come to the forefront.
History of the Domain
Active Directory® and its associated domain ruled enterprise IT when employees were tethered to traditional offices, immobile workstations, and internal networks. This was dubbed the “castle and moat” or “perimeter” approach to IT security. However, the rise of SaaS applications, mobile devices and new operating systems, and ways to work outside the traditional office have each challenged the domain model.
Beyond that, high-profile breaches have shown that trusting all internal traffic by default is a grave risk: once an attacker holds stolen or misused credentials, the network perimeter offers no further defense.
AD now requires identity bridges and extensive vendor management to federate authoritative identities everywhere they’re needed, and it relies on VPNs and exposed RDP ports to shuttle users back to internal networks. Such options expose organizations to additional risk by introducing more vendors and unnecessary access points into their environments.
Future of IT: The Domainless Enterprise
Rather than establishing a secure perimeter around a brick-and-mortar office, IT admins need architectures to secure each user and their device(s) anywhere they go.
The “domainless enterprise” enables admins to establish a core digital identity for each user, paired with agent-based control of each device that accesses organizational data. Admins can then provision IT resource access via tailored permissions for each digital identity. This approach treats the organization instead like an apartment building in which each resident has a unique key that allows them access only to the areas within the building they need — and all traffic is untrusted by default.
It does not require domain controllers or other on-premises hardware, aside from user devices, to securely provision and administer resource access. We’ll examine below how organizations can take this approach.
Domainless Enterprise Architecture
The engine of the domainless enterprise is a cloud directory service with an authoritative user store. Via cloud LDAP and RADIUS, SAML, OAuth, and other protocols as they emerge, admins can federate core identities from the central directory everywhere they’re needed. The directory both stores user attributes and maps those attributes to resources, rather than requiring third-party identity bridges or disparate user stores.
Admins can authenticate those users based on their credentials and multi-factor authentication methods like TOTP, as well as conditional factors such as their location and usage patterns, and they can secure users’ devices with configuration policies pushed from the central directory via the agents.
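The following is an added example, not code from the original post or from any directory vendor. It models the core of the architecture described in the last two paragraphs: an authoritative user store whose attributes (group membership, permitted countries) are mapped to resources, an authentication step that checks a password, an RFC 6238 TOTP code with a small clock-skew window, and a location factor, and an authorization step that denies by default. The resource names, group names and sample users are constructed for illustration; a real directory would expose these decisions over LDAP, RADIUS or SAML rather than as Python calls.

```python
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass

# --- Authoritative user store -------------------------------------------
# Each identity carries the attributes the directory uses for access
# decisions. Only the PBKDF2 hash of the password is stored.
@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    totp_secret: bytes          # shared secret for RFC 6238 TOTP
    groups: frozenset
    allowed_countries: frozenset

# Constructed resource-to-attribute mapping: which groups may reach which
# resource. Anything not listed here is denied (default-deny).
RESOURCE_BINDINGS = {
    "ldap://fileserver.corp.example": frozenset({"engineering", "it"}),
    "radius://wifi.corp.example": frozenset({"engineering", "it", "sales"}),
    "saml://payroll.app.example": frozenset({"finance"}),
}

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_user(username, password, totp_secret, groups, countries) -> User:
    salt = os.urandom(16)
    return User(username, salt, hash_password(password, salt),
                totp_secret, frozenset(groups), frozenset(countries))

# --- TOTP (RFC 6238 over HOTP, RFC 4226), SHA-1, 30-second steps --------
def totp(secret: bytes, timestamp: float, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", int(timestamp // step))
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def verify_totp(secret: bytes, code: str, timestamp: float, window: int = 1) -> bool:
    # Accept the current step plus/minus `window` steps for clock skew;
    # compare in constant time so the check leaks no timing information.
    return any(hmac.compare_digest(totp(secret, timestamp + i * 30), code)
               for i in range(-window, window + 1))

# --- Authentication: password + TOTP + location factor -------------------
def authenticate(directory: dict, username: str, password: str, code: str,
                 country: str, timestamp: float = None) -> bool:
    timestamp = time.time() if timestamp is None else timestamp
    user = directory.get(username)
    if user is None:
        return False                                   # unknown identity
    if not hmac.compare_digest(hash_password(password, user.salt), user.password_hash):
        return False                                   # bad password
    if not verify_totp(user.totp_secret, code, timestamp):
        return False                                   # bad or stale TOTP
    if country not in user.allowed_countries:
        return False                                   # location policy
    return True

# --- Authorization: attributes mapped to resources, deny by default ------
def authorize(directory: dict, username: str, resource: str) -> bool:
    user = directory.get(username)
    if user is None:
        return False
    return bool(user.groups & RESOURCE_BINDINGS.get(resource, frozenset()))

# Constructed sample directory (secrets are illustrative only).
DIRECTORY = {
    "alice": make_user("alice", "correct horse battery staple",
                       b"12345678901234567890", {"engineering"}, {"US", "DE"}),
    "bob": make_user("bob", "hunter2!",
                     b"ABCDEFGHIJKLMNOPQRST", {"finance"}, {"US"}),
}

if __name__ == "__main__":
    now = time.time()
    code = totp(DIRECTORY["alice"].totp_secret, now)
    print("alice auth:", authenticate(DIRECTORY, "alice", "correct horse battery staple", code, "DE", now))
    print("alice -> fileserver:", authorize(DIRECTORY, "alice", "ldap://fileserver.corp.example"))
    print("alice -> payroll:", authorize(DIRECTORY, "alice", "saml://payroll.app.example"))
```

The TOTP routine reproduces the RFC 6238 reference vector (secret `12345678901234567890`, T=59 gives `287082` at six digits), so it can be checked against any standard authenticator app. Note that the authorization step consults only the identity's attributes, never where the request came from: a device on the office LAN gets exactly the same answer as one on a coffee-shop Wi-Fi, which is the default-untrusted-traffic property the apartment-building analogy describes.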
By moving authentication and authorization away from internal corporate networks and on-premises hardware and into secure, cloud-based architecture, admins can ensure that users always have direct access to their permitted resources through their devices.
Users can be imported into a cloud directory service in bulk from AD or other directory stores, like G Suite™ and Office 365™, or created for the first time in the directory service itself. From there, admins can automate user provisioning workflows and regain centralized control of their environments, and neither IT architectures nor users are bound to a traditional office.