Sync AD With Cloud Infrastructure

By Zach DeMeyer Posted October 6, 2019

As IT organizations add more cloud infrastructure to their environments, such as AWS®, Google® Cloud™, Microsoft® Azure® and others, IT admins and DevOps engineers are struggling with how to manage user access to them. As such, organizations are wondering if they can sync AD with cloud infrastructure.

Modern AD Struggles

Many of today’s organizations still use Microsoft Active Directory®, but as they shift to the cloud, they are at a crossroads of how to manage access to cloud resources. After all, Active Directory (AD) was created in a bygone era, where wall-to-wall cubicles housed clunky Windows desktops, all connected to massive on-prem servers via snaking Ethernet cabling. Today’s IT environments are almost completely different, with employees working from many locations, using laptops on a cafe-style WiFi network, and performing their duties using cloud-based applications and infrastructure.

AD wasn’t designed with this sort of IT atmosphere in mind, so the IT admins who use it have to find additional solutions to cover its gaps. Specifically regarding cloud infrastructure, AD has trouble connecting its identities with non-Azure infrastructure solutions (e.g., AWS, GCP™) because they exist outside of the Windows domain. Even with Azure, you need a slew of additional solutions, such as Azure AD, Azure AD Connect, and Azure AD Domain Services.

Options for Syncing AD with Cloud Infrastructure

Because of this shortcoming, IT organizations need to find ways to best sync their AD instance with their cloud infrastructure solutions. After all, cloud infrastructure often holds sensitive data that can be potentially disastrous for an organization if compromised. Therefore, syncing cloud infrastructure identities with ones in AD gives IT admins a way to boost their security posture.

Thankfully, there is a wide range of options for IT admins and DevOps engineers to consider when looking to manage user access to cloud infrastructure. Let’s cover several of them.

Manually Managing User Access

For relatively small cloud environments, manually managing user access to Linux® and Windows servers and other applications is completely viable. As the number of users and the volume of servers and/or applications increases, however, it becomes difficult and tedious.

Leveraging Configuration Management Tools

As DevOps engineers move to managing their infrastructure through code, they can also extend that approach to identities. Solutions such as Chef, Puppet, Ansible, Salt, and others give DevOps engineers the opportunity to manage user accounts through code. Of course, as the size and complexity of the environment grow, that requires more coding from the team.

Implementing a Cloud AD or LDAP Instance

Installing an identity provider in the cloud is always an option. Some vendors even offer managed directory services solutions. While a potentially good option, these often require additional integration with the on-prem directory already in place.

Extending an On-Prem AD to the Cloud

Another option is to use a directory extension solution that will bridge Active Directory identities to the cloud. The benefit to this approach is that it keeps one authoritative identity managed in a similar fashion to traditional AD use, but the identity is now also extended to AWS, GCP, and others. The downside is that it requires an additional solution beyond AD to actually extend identities.

Using Cloud Directory Services

Although these are all great options for organizations that need to sync AD with cloud infrastructure, cloud directory service solutions offer a centralized way to sync AD with cloud infrastructure and more while offloading much of the work involved. IT organizations can leverage cloud directory services to extend their AD instance to cloud infrastructure and other resources, or use them to replace AD altogether. 

If you would like to learn more about using cloud directory services to sync AD with cloud infrastructure, please reach out to us. We’d be happy to answer any questions you might have.

Zach DeMeyer

Zach is a writer and researcher for JumpCloud with a degree in Mechanical Engineering from the Colorado School of Mines. He loves being on the cutting edge of new technology, and when he's not working, he enjoys all things outdoors, making music, and soccer.
