With the arrival of cloud-based services, many organizations are moving to the cloud. IaaS-, PaaS-, and SaaS-based services have changed and will continue to change the landscape of IT. For example, no longer do IT admins need to purchase hardware, software, and manage implementations on-premises. Rather, cloud-based services – and microservices – have allowed IT admins to leverage cloud services such as Authentication-as-a-Service.
How Can Authentication-as-a-Service Work?
An authentication microservice can take different forms. There are two main categories to consider:
- Authentication for an organization's customers who use its mobile or web applications
- Internal authentication for an organization's employees and contractors
The customer auth category has largely coalesced around the name CIAM, or customer/consumer identity and access management. The internal authentication service is sometimes referred to as Directory-as-a-Service, Identity-as-a-Service, Auth-as-a-Service, or even Auth-as-a-Microservice, and it enables access to a variety of IT resources, including devices, applications, files, and networks.
For the purposes of this article, we will focus on internally focused authentication microservices. We will separately tackle the CIAM approach, as that is quite different from the authentication services required for internal employees and contractors to be productive and access their IT resources.
A Brief History of Authentication
Authentication services have historically been delivered as an internal IT service, generally housed on-prem. IT admins would simply:
- Set up an identity provider or directory services solution such as Microsoft Active Directory or OpenLDAP
- Provision users in those services and grant access rights
End users, usually on-prem, would then log in to their IT resources and be authenticated into those systems, servers, applications, file servers, and networks. A core part of the IT job description was to ensure that users could access whatever they needed, so the authentication process had to be reliable, available, and secure.
Over time, challenges emerged for IT organizations as the types of IT resources expanded. Authenticating to on-prem Windows-based IT resources was largely straightforward, but as end users leveraged Mac and Linux systems, web applications, cloud infrastructure from AWS or GCP, WiFi and VPN networks, and more, the authentication process was not so simple. Many of these types of resources required different protocols, remote authentication methods, and differing levels of security.
Tackling the Challenges of Expanded Authentication Needs
One path for IT organizations was to build on top of their IdP infrastructure with third-party add-ons such as web application single sign-on, RADIUS servers, directory extension tools, and more. Each of these add-ons would enable IT to authenticate one category of IT resource; RADIUS, for example, is well suited to networking equipment. While this path worked well for many years, it had a number of drawbacks, including integration time, cost, and difficulty in supporting cloud or remote infrastructure and users.
Over the last several years another path has emerged, which is to outsource authentication services to third parties. These providers are responsible for the infrastructure required to authenticate a user’s access to an IT resource. There are a wide range of providers – some that leverage existing on-prem infrastructure from an organization to others that simply replace the internal authentication process with a cloud-based auth service. Modern IT organizations will have a plethora of options to consider and meet their requirements.
Some of these authentication-as-a-service requirements that admins can consider include:
- Cloud delivered services – with the shift to the cloud, many organizations need an authentication service that can match their modern infrastructure. This includes the ability to manage remote workers, cloud infrastructure, web applications, and more.
- High security – a user's identity is the gateway to all of their digital assets, and compromised credentials are among the most common ways attackers gain an initial foothold in an organization. An authentication service must be foundationally secure, but it must also add capabilities that raise end-user security, including multi-factor authentication / 2FA, SSH key management, and conditional access decisions based on device and login telemetry.
- Protocol support – an authentication microservice must be able to serve a wide range of IT resources. Generally that is done through standards-based authentication protocols. Different categories of IT resources rely on different protocols, so a modern auth-as-a-service solution needs support for a broad set of them, including LDAP, RADIUS, SAML, SSH public-key authentication, OAuth (with OpenID Connect supplying the authentication layer on top of it), and more.
- Provider/platform support – some providers and platforms require special integration in order to securely control, manage, and authenticate user access. Often, these are operating systems such as macOS and Windows, but this can also include some modern cloud infrastructure and web applications services as well. Make sure that your core IT systems can be supported by a third party authentication service.
For authentication services to be useful, they need to be cross-platform, multi-protocol, mixed-provider, location-agnostic, and built for a broad range of user types. Organizations today have a diverse set of needs due to remote work, cloud transformation, and security and compliance requirements. One central authentication service needs to cover nearly all of what an organization needs, or it won't give IT admins the resource and device management capabilities they require.
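To make the protocol support requirement concrete, here is an added example (not code from the original article or from any vendor) of one of the protocols listed above: a RADIUS PAP Access-Request and its Access-Accept/Access-Reject reply as specified in RFC 2865, with both the network device (NAS) side and the authentication server side shown. The shared secret, the NAS address, and the user store are assumptions made for the demo. It illustrates why this particular protocol is a weak link in a central authentication service: password hiding and reply integrity both rest on a single static shared secret and MD5.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

# Assumed values for the demo: the NAS<->server shared secret and a user store
# holding SHA-256 digests (PAP delivers the cleartext password to the server,
# so the server never needs to store it).
SECRET = b"example-shared-secret"
USERS = {"alice": hashlib.sha256(b"correct horse battery").digest()}


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous
    ciphertext block), seeding the chain with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; strips the null padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    # Each attribute is Type(1) Length(1, includes the two header bytes) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    # Code(1) Identifier(1) Length(2) Authenticator(16) Attributes...
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, request_auth, attr_bytes, secret):
    # RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    header = struct.pack("!BBH", code, ident, 20 + len(attr_bytes))
    return hashlib.md5(header + request_auth + attr_bytes + secret).digest()


def nas_build_request(ident, username, password, secret, request_auth=None):
    """NAS side: fresh random Request Authenticator, hidden PAP password."""
    request_auth = request_auth or os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
             (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]  # assumed NAS address
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_handle(packet, secret, users):
    """Server side: unhide the password, check it, sign the reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length < 20 or length > len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    cleartext = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    digest = hashlib.sha256(cleartext).digest()
    ok = user in users and hmac.compare_digest(users[user], digest)
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply, ident, request_auth, b"", secret)
    return build_packet(reply, ident, auth, [])


def nas_verify_response(response, request_auth, secret):
    """NAS side: a reply is trusted only if its authenticator checks out."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, request_auth, response[20:length], secret)
    return hmac.compare_digest(response[4:20], expected), code


def demo_exchange(username, password, nas_secret=SECRET, server_secret=SECRET):
    """One request/response round trip; returns (reply_authentic, reply_code)."""
    request, request_auth = nas_build_request(7, username, password, nas_secret)
    response = server_handle(request, server_secret, USERS)
    return nas_verify_response(response, request_auth, nas_secret)


if __name__ == "__main__":
    print(demo_exchange("alice", "correct horse battery"))  # (True, 2): Access-Accept
    print(demo_exchange("alice", "wrong"))                  # (True, 3): Access-Reject
```

Two practical points fall out of the code. First, anyone holding the shared secret can unhide every PAP password that crosses the wire and forge Access-Accept replies, so the secret must be per-device, high-entropy, and rotated, and RADIUS traffic belongs on an isolated management network or inside a TLS tunnel (RADIUS over TLS, RFC 6614). Second, the server checks the revealed password against a stored digest, not against stored cleartext; a central authentication service that fronts RADIUS for network gear should do the same rather than keep reversible credentials.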
How JumpCloud Supports Authentication
At JumpCloud, we deliver authentication services under our directory-as-a-service solution. If you would like to learn more about how JumpCloud can help your organization centrally control and manage authentication as a microservice, drop us a note. We’d be happy to talk with you about whether and how our platform can be helpful in your situation.
Alternatively, try JumpCloud Free which provides our complete authentication-as-a-service platform for 10 users and 10 systems. No credit card required and we will also provide you with 10 days of our Premium 24×7 in-app chat support.