Why Domains Can Be Insecure

Written by Zach DeMeyer on August 16, 2020


For years, IT organizations relied on perimeter-based security models to keep data and end users secure. By establishing a domain through a core, on-premises identity provider, tying it into local resources, and surrounding it with defenses like firewalls, administrators could rest assured that their environments were somewhat safe from external attack.

Although a hallmark of an earlier era of IT, perimeter-based defenses prove less effective in modern IT operations thanks to the rise of resources that exist outside of the domain. As today’s IT admins examine the concept of domainless, some initially imagine it to be less secure than other methods. Let’s discuss why that is, and how organizations can safely adopt a domainless model.

The Rise and Fall of the Domain

Within the four walls of the office, IT admins hold the keys to the kingdom and control nearly every aspect of an organization’s technology stack and who has access to it. This was usually carried out by Microsoft® Active Directory® (AD), the premier on-premises directory service and domain controller. AD consolidated user identities as a core identity provider, enabling seamless access to many on-prem and Windows®-based IT resources through a single password.

With AD at the helm controlling who had access to what and how, IT admins simply needed to build firewalls around the AD domain-bound network, wire everything together, and voila: a seemingly impermeable IT castle where only the right users can access critical information and tools.

Enter the Cloud

This approach worked soundly for a while, but as the industry evolved, the model started to break down. End users started to work outside of the physical office, needing VPN connections to get back into the network to gain access to resources.

Then, everything changed when IT resources shifted to the cloud. Now, end users get the same functionality as their traditional work tools like email, file storage, and other applications from a browser window. Of course, WiFi plays a large role in this paradigm shift as well, allowing anyone — even a person in the parking lot — to access the network with the right credentials. 

With these and other advancements, end users can be anywhere in the world on various types of networks. They can use macOS® and Linux® systems to access G Suite™ and Microsoft 365™, plus web applications like Salesforce, GitHub, Slack, etc., and servers hosted in AWS®, GCP™, or others. Data resides in both cloud and on-prem environments.

Domain Insecurity

In short, the “network” is now everywhere. The domain, on the other hand, is not. IT admins’ ability to secure access to resources outside the domain with AD alone is limited. Some IT admins resort to manually creating and managing user identities outside of AD. Some users take the process upon themselves without IT’s knowledge, leading to shadow IT.

Ultimately, this lack of control yields a lack of security. Without the ability to control user identities using just AD, IT admins need to complement their domain controller with additional solutions like web application single sign-on (SSO) or identity bridges. Although these tools help bolster the abilities of AD, their inclusion makes IT architecture much more complex, with more moving parts and increased costs.

This approach puts IT admins in a tough spot: Add-on tools promote security where AD’s abilities fail, but also add costs to the IT budget that are hard to foot when times are tight. This lesser-of-two-evils situation means IT admins have to either work in an insecure fashion, or spend increasing amounts of time and money implementing tools to make up for AD’s drawbacks. Fortunately, however, there is another option.

Improving Security with a Domainless Approach

As IT admins search for a different approach to managing remote workers, some realize that the domainless enterprise is the next-generation answer to securely connecting users to their IT resources and managing those resources — regardless of where the users or the resources reside. This domainless approach to IT leverages cloud directory service infrastructure to avoid the shortcomings of traditional implementations, ensuring IT admins can secure their environments even when users work remotely. With a domainless model, IT admins can also build a zero trust approach to security, replacing the need for extensive perimeter security with a more dynamic strategy.

To learn more about what a domainless approach to IT entails, check out this webinar featuring JumpCloud CEO Rajat Bhargava and MediaOps Founder, CEO, and Editor-in-Chief Alan Shimel.

Zach DeMeyer

Zach is a Product Marketing Specialist at JumpCloud with a degree in Mechanical Engineering from the Colorado School of Mines. He loves being on the cutting edge of new technology, and when he's not working, he enjoys all things outdoors, music, and soccer.
