IT admins can improve upon and streamline the user lifecycle management process with emerging cloud-based architectures. In this post, we’ll explore how user lifecycle management — provisioning, managing, and eventually deprovisioning user access across an IT environment — was done in a pristine Active Directory environment and how that process fractured with the emergence of new technologies and identity federation services.
The path forward for IT is the domainless enterprise, in which admins can once again centralize identity and access management (IAM) in one system. The domainless enterprise relies on cloud infrastructure to integrate the core directory with virtually all IT resources.
User Lifecycle Management in a Domain Environment
In traditional Active Directory® (AD) domains, the user lifecycle management process was straightforward. Admins created AD users, provisioned them to their Windows® workstations and on-premises resources, and routed user authentication through domain controllers. Users only had to remember one set of credentials to access their workstations, through which they accessed all their other allowed resources.
Admins could easily disable users’ AD accounts and suspend access if they left the organization, and the office’s internal network served as the secure perimeter around organizational data.
However, new technological developments, such as SaaS apps and other cloud resources, complicated this model.
Active Directory & Identity Federation
With the rise of SaaS apps and cloud infrastructure, as well as Apple’s® inroads into the enterprise, AD admins needed federation technologies if they wanted to provision the same core identities to these new resources. Otherwise, they faced the prospect of managing multiple directories — both their core directory and secondary directories in each of these new services — or not controlling user credentials for certain services at all.
Admins could federate AD identities to web application single sign-on (SSO) solutions and provision and deprovision user access to SaaS apps through these SSO solutions. They would then need other solutions to provision users to their Mac machines, Infrastructure-as-a-Service providers, and networks, such as the office WiFi. The number of third-party solutions and vendors required to augment an AD instance ballooned.
Plus, although it was easy to disable an AD user account and suspend access to that user’s domain-bound resources, that wasn’t the case if admins managed more than one directory or faced shadow IT, in which users manage their own credentials for some services. Admins couldn’t easily disable a user’s access to all organizational resources with a single command anymore.
However, there is a solution in the domainless enterprise model, which introduces a new IT architecture to address these challenges.
User Lifecycle Management in a Domainless Enterprise
In the domainless enterprise model, admins use entirely cloud-based infrastructure to provision, manage, and deprovision user access.
They still have a central directory service to manage authoritative user identities, but it’s based in the cloud. Modern cloud directory services are platform-agnostic, which means that they integrate natively with virtually all IT resources, rather than requiring vendors to serve as the go-between.
Because cloud directory services are built to integrate with a wide variety of resources, they can serve far more resources than a web application SSO or other targeted federation solution. Admins can provision and manage users in productivity suites like G Suite™ and Office 365™. They can also provision and manage users in AWS® and GCP®, web apps, file servers, LDAP-backed resources, and RADIUS-backed networks.
This means admins can provision a user in the central directory and automatically instantiate that identity almost everywhere it’s needed. This architecture focuses on granular access permissions for each user, so users have access only to the resources they need to do their jobs, and they must assert their identity each time they access a new resource. User changes, like password updates, propagate seamlessly across the environment, and admins can suspend user access in the central directory and rest assured that access is suspended everywhere.
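The lifecycle described above (provision once, propagate changes, suspend everywhere) is easier to reason about with a small model. The following Python is an added illustration, not JumpCloud code or any vendor's API: a single authoritative directory fans provisioning, group changes and suspension out to every integrated resource, and an audit function flags the gap the earlier section warns about, an account that is still active in some system after the central identity was suspended (the multi-directory or shadow-IT case). The resource names, groups and user records are constructed for the example.

```python
"""Toy model of domainless user lifecycle management (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class Identity:
    """Authoritative user record held in the central directory."""
    username: str
    email: str
    groups: set = field(default_factory=set)
    active: bool = True


class Resource:
    """A downstream system (SSO-fronted SaaS app, IaaS account, RADIUS-backed
    network) that keeps its own account table, normally fed by the directory."""

    def __init__(self, name, required_group=None):
        self.name = name
        self.required_group = required_group  # None means every user is entitled
        self.accounts = {}  # username -> {"email": ..., "active": ...}

    def provision(self, ident):
        self.accounts[ident.username] = {"email": ident.email, "active": ident.active}

    def set_active(self, username, active):
        if username in self.accounts:
            self.accounts[username]["active"] = active


class CentralDirectory:
    """Single source of truth; every integrated resource is synced from here."""

    def __init__(self):
        self.identities = {}
        self.resources = []

    def integrate(self, resource):
        self.resources.append(resource)

    @staticmethod
    def _entitled(ident, resource):
        # Least privilege: a resource gated on a group is only provisioned
        # for members of that group.
        return resource.required_group is None or resource.required_group in ident.groups

    def _sync(self, ident):
        for r in self.resources:
            if self._entitled(ident, r):
                r.provision(ident)
            elif ident.username in r.accounts:
                r.set_active(ident.username, False)  # entitlement lost -> disable

    def provision_user(self, ident):
        self.identities[ident.username] = ident
        self._sync(ident)

    def update_user(self, username, **changes):
        """Attribute or group change made once, propagated to all resources."""
        ident = self.identities[username]
        for key, value in changes.items():
            setattr(ident, key, value)
        self._sync(ident)

    def suspend_user(self, username):
        """One action disables the identity in every integrated resource."""
        self.identities[username].active = False
        for r in self.resources:
            r.set_active(username, False)


def audit(directory, resources):
    """Return (resource, user) pairs that are active downstream while the
    central identity is suspended or unknown. Running this over resources
    the directory does not manage is how a shadow-IT account surfaces."""
    orphans = []
    for r in resources:
        for user, acct in r.accounts.items():
            central = directory.identities.get(user)
            if acct["active"] and (central is None or not central.active):
                orphans.append((r.name, user))
    return orphans


def demo():
    d = CentralDirectory()
    sso, aws, wifi = Resource("web-sso"), Resource("aws", "engineering"), Resource("radius-wifi")
    for r in (sso, aws, wifi):
        d.integrate(r)

    d.provision_user(Identity("alice", "alice@example.com", {"engineering"}))
    provisioned_to = sorted(r.name for r in d.resources if "alice" in r.accounts)

    d.update_user("alice", groups=set())  # alice leaves engineering
    aws_active_after_change = aws.accounts["alice"]["active"]

    d.suspend_user("alice")  # offboarding: one call
    active_anywhere = any(r.accounts["alice"]["active"] for r in d.resources)

    shadow = Resource("legacy-wiki")  # never integrated; account created by hand
    shadow.accounts["alice"] = {"email": "alice@example.com", "active": True}

    return {
        "provisioned_to": provisioned_to,
        "aws_active_after_change": aws_active_after_change,
        "active_anywhere_after_suspend": active_anywhere,
        "orphans_managed": audit(d, d.resources),
        "orphans_with_shadow": audit(d, d.resources + [shadow]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `audit` function is the piece worth keeping from this sketch: a periodic reconciliation of every account table you can read (integrated or not) against the authoritative directory is what turns "suspended everywhere" from an assumption into a checked property.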
Benefits of Cloud-Based User Lifecycle Management
In the domainless enterprise, admins can manage all stages of a user’s lifecycle from a web-based admin console. These are the high-level benefits of this approach:
- Centralized IAM: From a central directory service, and without add-ons, admins can manage virtually all the resources users need access to.
- Improved security: Admins eliminate circumstances in which they would need multiple directories and reduce the chance of shadow IT. They can also easily suspend user access across their environment.
- Business continuity/disaster recovery: With cloud infrastructure, admins ensure automatic redundancy and availability regardless of where they’re located. They can manage users even if their organization is forced to move all-remote.
Here at JumpCloud®, we envision a future in which organizations increasingly rely on and benefit from cloud architecture in their day-to-day operations — we built the world’s first Directory-as-a-Service® to help move those organizations’ IAM architecture to the cloud. Learn more about the benefits of going domainless.