By Nick Scheidies Posted May 6, 2019
The domain has been a staple in IT organizations. At its best, the domain has provided a secure perimeter and centralized access to IT resources. But increasingly, sysadmins are asking, “Do I really need a domain controller?” This question is especially common at modern organizations that leverage a variety of resources outside of the Microsoft® ecosystem, including Macs, Linux, G Suite™, and AWS®. Many are choosing to eschew the domain altogether. Below, we’ll explain why you may benefit from going domainless and how that’s possible using cloud-based directory services.
When Domains Ruled The World
The idea of the domain is to log in once to your Windows machine when you are connected to the network and then to be able to access whatever you have rights to access. This concept works great for on-prem Windows-based environments.
While Microsoft didn’t create the concept of the domain, they perfected it with Active Directory® Domain Services (AD DS). There was a golden period shortly following the release of Active Directory in 1999 where users at Windows-based IT organizations were able to use a single set of credentials to securely access virtually everything that they needed to do their jobs. In other words, it was SSO before the term Single Sign-On even existed.
One Foot In The Domain, One Foot Out
But those were different times. That was back when applications came on CD-ROM and Mac machines were relegated to universities and design firms. That was before the proliferation of web applications, cloud infrastructure, non-Windows file servers, Linux® machines, and more. Not everything fit neatly into an on-prem, Windows-centric box anymore.
But of course, IT organizations that had an established domain didn’t ditch it overnight just because some Macs and apps started popping up in their environment. Instead, they looked for ways to extend their domain or allow some resources to securely exist outside of it. Solutions like SSO, VPNs, and identity federation all helped bolster existing domains. To varying extents, these solutions worked, but they also introduced additional layers of complexity and cost.
At the end of the day, admins who used to be able to say, “I know everything is secure because everything is within the walls of the domain,” no longer had such a cut-and-dried answer. Users who had been able to log in once and access everything they needed were now hopping through a variety of access portals as part of their day-to-day workflows. The domain wasn’t dead, but it wasn’t nearly as effective as it once had been either.
Thriving in a Domainless World
Old school sysadmins may argue that we should go back to the domain-based model. That may work in certain cases. But there’s no turning the clock back to the way the world was in 1999.
When forward-thinking IT pros look at the current state of IT, they see more opportunity than crisis. Instead of building a wall around their resources, they envision an inherently secure identity. This approach is exemplified by Zero Trust Security and BeyondCorp, Google’s relatively theoretical implementation of Zero Trust.
Both of these security models advocate for moving away from the domain. There is no perimeter to defend. Instead, each person and IT resource is uniquely authorized at the point of access. The end result: more sophisticated security with streamlined access.
Here are some of the core principles at play:
- No Trust: assume that there are attackers both within and outside of the network.
- IAM: establish a framework of control over identities and their access to resources.
- Least-Privilege Access: grant users only the minimum degree of privilege.
- Event Logging: ensure visibility and reporting on what is happening on your network.
- Multi-Factor Authentication: enforce MFA wherever possible.
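To make the principles above concrete, here is a small policy engine written as an added example for this post; it is not JumpCloud’s code and not part of the original article. Every name, the role-to-grant table, and the sample requests are constructed for illustration. The point it demonstrates is the one the list makes: the decision for each access is taken per identity and per resource, the requester’s network location is recorded but never consulted (no trust inside or outside the network), grants come from a least-privilege role table, MFA is required before any grant is considered, and every decision is written to an audit log.

```python
"""Added example: a minimal Zero Trust style access decision.

Each request names an identity, its roles, whether MFA was completed, the
resource and the action. The decision deliberately ignores the source IP
(it is logged only), requires MFA, and applies least-privilege grants.
All identifiers and the grant table below are constructed, not real.
"""
from dataclasses import dataclass
import json
import time

# Constructed least-privilege grant table: role -> {resource: allowed actions}
GRANTS = {
    "engineer": {"git": {"read", "write"}, "wiki": {"read"}},
    "finance": {"ledger": {"read", "write"}, "wiki": {"read"}},
    "intern": {"wiki": {"read"}},
}


@dataclass
class AccessRequest:
    user: str
    roles: tuple
    mfa_verified: bool
    resource: str
    action: str
    source_ip: str  # recorded in the audit log, never used in the decision


@dataclass
class Decision:
    allowed: bool
    reason: str


class PolicyEngine:
    """Authorizes each request on its own; there is no perimeter to defend."""

    def __init__(self, grants):
        self.grants = grants
        self.audit_log = []  # in-memory stand-in for a SIEM or log pipeline

    def evaluate(self, req: AccessRequest) -> Decision:
        decision = self._decide(req)
        # Event logging: every decision, allowed or denied, is recorded
        # with the identity, resource, action and origin for later review.
        self.audit_log.append(json.dumps({
            "ts": time.time(),
            "user": req.user,
            "resource": req.resource,
            "action": req.action,
            "source_ip": req.source_ip,
            "mfa": req.mfa_verified,
            "allowed": decision.allowed,
            "reason": decision.reason,
        }))
        return decision

    def _decide(self, req: AccessRequest) -> Decision:
        # Multi-factor authentication is a precondition for any grant.
        if not req.mfa_verified:
            return Decision(False, "mfa_required")
        # Least privilege: the union of the user's role grants for this
        # resource is the only thing that can permit the action.
        permitted = set()
        for role in req.roles:
            permitted |= self.grants.get(role, {}).get(req.resource, set())
        if req.action in permitted:
            return Decision(True, "granted_by_role")
        return Decision(False, "no_grant")

    def denied_events(self):
        """Visibility helper: the logged decisions that were refused."""
        return [json.loads(e) for e in self.audit_log
                if not json.loads(e)["allowed"]]


if __name__ == "__main__":
    engine = PolicyEngine(GRANTS)
    # Same identity, same request, one from a constructed internal address
    # and one from a constructed external address: the answers are identical.
    for ip in ("10.0.0.5", "203.0.113.9"):
        req = AccessRequest("alice", ("engineer",), True, "git", "write", ip)
        print(ip, engine.evaluate(req))
    print(engine.evaluate(
        AccessRequest("bob", ("intern",), True, "git", "read", "10.0.0.5")))
    for line in engine.audit_log:
        print(line)
```

The design choice worth noticing is that `source_ip` is a field of the request but never appears in `_decide`; the only way to gain access is to present a verified identity with MFA and a role that grants the action on that specific resource, and the audit log is the place an admin looks to answer “who accessed what, from where” rather than assuming the network boundary answered it.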
Of course, talking about these concepts is easy. Implementing them isn’t. When you look at the list above, you can start to imagine the multitude of tools required to achieve these goals: SSO, MDM, MFA, antivirus, network segmentation, and IDaaS. While it’s possible to cobble together a domainless solution in this way, it’s better to centralize as much of this functionality as possible with a single platform. JumpCloud’s Directory-as-a-Service® has been designed from the ground up to do just that.
Go Domainless with Cloud Directory Services
JumpCloud is the world’s first cloud-based directory service, reimagining Active Directory and LDAP for modern IT. JumpCloud offers a browser-based admin console from which you can manage your users and their access to systems, apps, files, and networks.
Here’s the rundown on JumpCloud’s core functionalities:
- User Directory: Import identities from existing directories (AD, Office 365®, G Suite) or create new ones from scratch. Customize users, set password requirements, and provision access to resources – either from the GUI or from the command line.
- System Management: Centralize control of your Windows, Mac, and Linux systems. Enforce security policies and execute scripts across groups of laptops, desktops, and servers.
- LDAP-as-a-Service: Leverage JumpCloud’s highly available, global LDAP servers to manage access to legacy apps, file servers, and more.
- Server Management: Configure and secure your Windows and Linux servers using SSH keys, multi-factor authentication (MFA), and RESTful APIs.
- Single Sign-On: Streamline access to web apps using the SAML 2.0 protocol.
- RADIUS-as-a-Service: Secure your WiFi networks with JumpCloud’s pre-configured, scalable, and fully managed RADIUS servers. Clients authenticate via EAP-TTLS, PAP, or PEAP, with support for WPA2 Enterprise and RADIUS encryption modes.
Want to hear from a JumpCloud customer who has “gone domainless” with our cloud directory? Read how Augeo FI replaced Active Directory with Directory-as-a-Service.