Microsoft’s recent Azure AD outage prevented authentication to a number of services and delayed the release of Zack Snyder’s Justice League. This latest Microsoft outage, coupled with the recent Microsoft Exchange vulnerabilities exploited by HAFNIUM, surely has some IT teams asking ‘is there a better way?’
The answer is yes.
One snarky tweet noted on the Justice League delay, ‘serves you right for using Azure’. Picking on industry giants is a great sport, and Microsoft, with its pervasive, legacy on-prem footprint, is leading with its chin. If you’re using Azure AD as part of your IT infrastructure, you may be seriously questioning whether you should consider a different authentication solution.
Microsoft has done a ton right from the very beginning. It’s tempting to give a whole history of the PC and the internet here, but I’ll let Wikipedia handle that. Let’s just call out one of the company’s first great visions…
A World Of Work That Is Easy To Manage
Let’s time travel magically to the year 2000. All employees use the same tools, all from the same vendor, all centrally managed from a single system, making it possible for IT to easily create and manage a secure, stable environment in a physical office. This group of computers, and everything on them and everything they connect to, is called a domain.
Everything comes from Microsoft including the domain controller, which keeps track of which people should have access to which resource across the domain. There is really no other game in town, because there doesn’t need to be: work gets done almost entirely on Windows machines, notably with very few security breaches.
But like every great tech story, this doesn’t last for long…
The Plot Twists
Enter the internet for the masses (thanks Marc), Macs in the enterprise (thanks Steve), mobile computing (Steve, again), and some really kickass SaaS applications (thank you Salesforce, Workday, Slack, and Dropbox), and suddenly IT is thrown into total chaos.
You’ve got Marketing people wanting to use MacBooks. You’ve got Sales people clamoring for Salesforce. HR is demanding Workday. DevOps teams are proliferating instances in AWS. Suddenly that nice, clean world of a single domain controller that IT could use to connect everyone to everything now only serves a slice of the organization.
Onboarding people became a nightmare, since each user, system and IT resource requires an identity to be managed. So when you hire your smart new employee, she needs an identity in Salesforce, an identity for Workday, an identity for Slack and AWS, and so on and so forth for every application. And if she has a MacBook, she needs that to be managed, too.
And this is where the Microsoft vision failed. The single domain made up of entirely Microsoft IT products and controlled by a single domain controller did not account for a world where technology innovation continues and new technology is adopted. And it certainly did not account for the idea that things would not all be contained in a physical location and managed within the domain.
IT was forced to make some tough decisions. Could they require everyone to stay on Windows machines so they could retain control and security with a domain controller? Or should they allow users to decide what tools they need to get their work done? That decision was made at organization after organization as IT and the business came to terms with what was right for their situation. While not every organization moved to a more heterogeneous world, most did.
This meant a new way of managing IT resources. The domain controller could not manage Macs, SaaS applications, AWS or workers connecting from remote locations (even pre-COVID, this was a challenge solved mainly by VPNs). The lack of central management expanded the security perimeter and exposed organizations to new threats. So, vendors got to work creating new ways to manage different categories of resources that weren’t managed by the domain controller.
IAM and SSO vendors like Ping, Okta and OneLogin were created to provide a ‘single’ identity, integrated with Active Directory, for managing web applications like Salesforce, Jira and Workday. MDM vendors like Jamf and Fleetsmith created a category called device management to manage Apple devices in the enterprise. Microsoft created a tool called Intune to manage mobile devices.
And IT was subjected to more chaos. Too many vendors with too many identities. And everyone was focusing on a specific problem rather than stepping back and finding the solution for the big picture: that IT needed a single directory to connect everyone at work to everything they needed to get work done.
Damn. Microsoft had it (mostly) right.
A Better Way
So how do you achieve the benefits of a domain-protected IT environment and create secure and simplified identity and access management in today’s world?
At JumpCloud we call this the Domainless Enterprise, and it is enabled by having a single cloud directory rather than a legacy or bespoke approach to identity and access management. This single directory has four requirements:
- Open. The world is not going to return to homogeneity. It’s most likely going to continue to get more mixed as innovation accelerates and remote work (even in a hybrid sense) becomes the standard. In order to have a single directory for all the people and all the resources, it must be open and able to support all resource types, new, old and unknown: Microsoft, Apple, AWS, LDAP, RADIUS, Salesforce, GCP, etc.
- Standards based. Being open without using standard protocols is sort of like peanut butter without jelly. Common standards must be supported and the solution must be architected in a way that allows new and emerging standards to easily and seamlessly integrate.
- Cloud native. The on-premises architecture has gone the way of the TV cable box. And trying to bolt together an on-premises offering with a cloud native one isn’t the solution (Azure is actively proving that). Your solution needs to be cloud native.
- Platform approach. The proliferation of bespoke identity and device management systems has underscored the need for a single directory that supports one identity for each user and securely connects them to whatever IT resource they need. A platform gives IT a single pane of glass to simplify the administration of those identities.
The Domainless Enterprise is a model that is designed to support work today and tomorrow. It provides an easier-to-manage and more elegant approach to constructing an IT environment that is vastly more secure and scalable.