A directory service is a database that maps users, IT resources, and the relationships and access rights between the two, in one central location. IT resources can include computers, smartphones, tablets, applications, websites, file stores, and printers. Applications and systems query the directory, most commonly over LDAP, or authenticate against it through protocols such as Kerberos, SAML, or OAuth/OpenID Connect. The directory service then responds with information confirming the user's identity, attributes, and access rights, or denies the request.
Why is it important?
Directory services are at the core of every IT organization, and are important because they map user access to the specific applications and devices each user needs. Without a directory, a number of problems arise. First, users won't necessarily have access to the IT resources they need to be productive. Second, IT admins will spend significant effort manually provisioning and deprovisioning access on the various computers, applications, and other IT systems. Third, and perhaps as important as the others, are issues of security. Directory services, while not a security product in themselves, help ensure that only the right users have the right access to IT resources. For instance, entry-level staff should not have access to financial applications. In an era where compromise of user credentials is commonplace, this is a critical facet of directory services.
Organizations that run a strong directory service have greater control over and visibility into their infrastructure, and a stronger security posture as a result. This lets them adopt new technologies with confidence that access to them remains controlled.
History of directory services
Directory services date back decades to the X.500 series of standards, developed in the 1980s by the telecommunications standards bodies (CCITT, now ITU-T, together with ISO). X.500 is an open standard that defines a directory service and its access protocol. Over time, a number of implementations evolved from it, the most notable being the Lightweight Directory Access Protocol (LDAP), an open standard introduced in 1993 as a simpler, TCP/IP-based way to access X.500-style directories. The primary driver for the earliest directory services was building and managing telephone directories, which ultimately morphed into managing IT assets. LDAP made implementing directory services simpler, and a number of LDAP-based directories emerged.
LDAP became the standard access protocol, and companies such as Novell (NetWare Directory Services, later eDirectory) and Microsoft introduced directories built on it. Microsoft's Active Directory, released with Windows 2000, emerged over the last two decades as the market leader due to the widespread adoption of Windows. On the Unix/Linux side, OpenLDAP became the directory of choice for the more technical platforms. However, on-premises directories such as AD and OpenLDAP have struggled to keep up with shifts in the IT market, including the move to cloud infrastructure, web-based applications, and platforms other than Windows.
Modern directory services
Modern directory services still leverage standard protocols such as LDAP, but operate within the cloud and across platforms. As businesses shift to cloud-based services, directories are required to connect users to an increasing variety of IT resources—many of which are not on-premises.
Realistically, the bulk of IT resources are now hosted "elsewhere." For instance, servers are hosted in the cloud at AWS, Google Compute Engine, SoftLayer, or other Infrastructure-as-a-Service providers, and file storage is provided by G Suite and Dropbox. Connecting users to these online services is a critical part of modern directory services.
Authenticating individual users to each of the services they need is an important role of the modern directory. The directory must speak the protocol each service provider expects, whether LDAP, SAML, Kerberos, or OAuth, and the exchange must remain secure end to end. Access controls layered on top of authentication, such as multi-factor authentication, have become more important as companies diversify the number of cloud-based services they use. IT admins need to be able to enable the specific protocol each service requires without standing up a separate identity store for every one of them.
Authorizing users to varying levels of access is critical as well. Not all users need the same level of access to a given service. This has already been addressed to a certain degree: compliance frameworks now expect organizations to apply the principle of least privilege, so that each account holds only the access its owner's role requires.
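The lookup-then-authorize flow described above (authenticate the user against the directory, then grant only the access their group membership allows) as an added example that is not part of the original page. It is a small Python model, not a real LDAP client or server: the users alice and bob, the groups, the example.com DNs, the application-to-group mapping and the PBKDF2 hashing are all constructed assumptions. It also shows why values placed into an LDAP search filter must be escaped (RFC 4515), since the directory is queried with user-supplied input and an unescaped wildcard turns a one-user lookup into a directory dump.

```python
"""Added example: an in-memory model of an application that authenticates a
user against a directory with an LDAP-style bind and then authorizes the user
by group membership. All users, groups, and the hashing scheme below are
constructed for illustration; this is not a real LDAP server or client."""
import hashlib
import hmac
import re
from typing import List, Optional

# Value escaping for LDAP search filters, per RFC 4515. Without this, a
# user-supplied uid such as "*" or "alice)(uid=*" rewrites the query.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(uid: str) -> str:
    """Filter that should match exactly one person entry for a given uid."""
    return f"(&(objectClass=person)(uid={escape_filter_value(uid)}))"


_SALT = b"constructed-static-salt"  # assumption: one shared salt, for brevity


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed sample directory: DN -> attributes (hypothetical example.com).
STAFF = "cn=staff,ou=groups,dc=example,dc=com"
FINANCE = "cn=finance,ou=groups,dc=example,dc=com"
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["person"], "uid": ["alice"],
        "memberOf": [STAFF, FINANCE], "userPassword": _hash_password("alice-pw"),
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectClass": ["person"], "uid": ["bob"],
        "memberOf": [STAFF], "userPassword": _hash_password("bob-pw"),
    },
}
# Group each application requires: every staff member gets the wiki, only finance gets finance-app.
APP_GROUPS = {"wiki": STAFF, "finance-app": FINANCE}


def _value_to_regex(value: str) -> str:
    """Turn a filter assertion value into a regex: an unescaped '*' is a
    wildcard, a '\\xx' hex escape becomes the literal character."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 2 < len(value):
            out.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        elif ch == "*":
            out.append(".*")
            i += 1
        else:
            out.append(re.escape(ch))
            i += 1
    return "^" + "".join(out) + "$"


def search(filter_str: str) -> List[str]:
    """Toy evaluator: supports a conjunction of (attr=value) equality assertions."""
    terms = re.findall(r"\((\w+)=([^()]*)\)", filter_str)
    if not terms:
        return []
    matches = []
    for dn, entry in DIRECTORY.items():
        if all(any(isinstance(v, str) and re.match(_value_to_regex(val), v)
                   for v in entry.get(attr, []))
               for attr, val in terms):
            matches.append(dn)
    return matches


def authenticate(uid: str, password: str) -> Optional[str]:
    """Simulated bind: look the user up, then verify the password. Returns the
    bound DN, or None for an unknown user, an ambiguous lookup, or a wrong password."""
    dns = search(build_user_filter(uid))
    if len(dns) != 1:
        return None
    entry = DIRECTORY[dns[0]]
    if hmac.compare_digest(entry["userPassword"], _hash_password(password)):
        return dns[0]
    return None


def authorize(dn: str, app: str) -> bool:
    """Least privilege: access only if the app's required group is on the entry."""
    required = APP_GROUPS.get(app)
    return required is not None and required in DIRECTORY[dn]["memberOf"]


if __name__ == "__main__":
    alice = authenticate("alice", "alice-pw")
    print(alice, authorize(alice, "finance-app"))          # alice's DN, True
    bob = authenticate("bob", "bob-pw")
    print(bob, authorize(bob, "finance-app"))              # bob's DN, False
    print(authenticate("*", "alice-pw"))                   # None: the wildcard was escaped
    print(len(search("(&(objectClass=person)(uid=*))")))   # 2: what an unescaped lookup would match
```

The point to take from the model is the order of operations: the application never decides access from the username alone. It binds (proving the credential), receives a single DN, and then checks that DN's group membership against what the application actually requires. Rejecting a lookup that returns zero or more than one entry is what keeps a malformed or injected uid from quietly binding as the wrong account.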
Modern directories are one of the few options that address the increasingly complicated landscape of authentication, authorization, and user management in one place. They incorporate important capabilities such as multi-factor authentication and per-user, per-service levels of access, and can also manage the devices users work from.
The modern enterprise is no longer a homogeneous Windows network. Today, Apple Mac laptops and desktops are a significant part of the fleet, as is Linux, and iOS and Android devices often make up more than half of an organization's device count. Controlling and managing these devices to ensure that they are secure, up to date, and performing well is a duty of the modern directory.
Directory services are arguably the most critical service an IT organization runs outside of the network itself. Their start decades ago has culminated in a modern directory that can securely connect and manage users, their devices, and their IT applications.