Managing user accounts is perhaps one of the most critical and basic building blocks in any IT organization. User management is an operational function of connecting users to the IT resources they need, and incorporates two significant roles: authentication and authorization.
Managing users is a critical challenge for IT organizations for two reasons: operational efficiency and security. Let’s look at how operational efficiency and security are bolstered with DaaS.
Populating the User Directory
In a business, user management starts with populating a directory with users, or employees. In today’s cloud-focused era, this can happen within a Directory-as-a-Service® solution. After building the user database, IT admins then connect users to the IT resources they need. Connecting IT resources to the core user directory may require some configuration. If the organization is using LDAP, the LDAP client needs to point to the directory. In the case of DaaS solutions, an agent will often be installed on a device to connect back to the cloud-based directory. Applications can often use LDAP, Kerberos, SAML, or OAuth, among others, to connect back to the directory.
Varying Degrees of Access
It should be noted that employees can be granted varying degrees of access via the authorization component of user management. For example, devices such as laptops and desktops will generally have both an admin user and a system user created on them. The admin accounts help ensure that IT has the ability to manage the device. Fine-grained user management is especially critical for servers, both on-premises and in the cloud. Linux servers will often have root users, although in general using them should be avoided. Instead, using sudo helps ensure that users can have administrative privileges while their actions remain auditable. Windows servers can also have differing levels of access with admin users and general users.
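The auditability point above, as an added example that is not part of the original article: a short Python parser that rebuilds a per-user trail from sudo's syslog entries and flags direct root logins, which carry no named user. The log lines are constructed samples, and the function and variable names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample lines in the syslog format written by sudo and OpenSSH sshd.
SAMPLE_LOG = """\
Jan 10 09:15:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jan 10 09:17:40 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Jan 10 09:20:11 web01 sshd[2211]: Accepted publickey for root from 203.0.113.5 port 50022 ssh2
Jan 10 09:31:55 web01 sudo:    alice : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
Jan 10 09:40:03 web01 sshd[2290]: Accepted password for carol from 198.51.100.7 port 41812 ssh2
"""

# sudo entry: invoking user, optional error text, then TTY/PWD/USER/COMMAND fields.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<error>[^;]*?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.*?) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# sshd entry for a successful login.
SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

def audit(log_text):
    """Return (commands per user, denied sudo attempts, direct root logins)."""
    commands = defaultdict(list)
    denied, root_logins = [], []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            if m["error"]:  # e.g. "user NOT in sudoers"
                denied.append((m["ts"], m["user"], m["error"], m["cmd"]))
            else:
                commands[m["user"]].append((m["ts"], m["runas"], m["cmd"]))
            continue
        m = SSH_RE.match(line)
        if m and m["user"] == "root":
            # A shared root session cannot be tied to a named person.
            root_logins.append((m["ts"], m["src"], m["method"]))
    return dict(commands), denied, root_logins

if __name__ == "__main__":
    commands, denied, root_logins = audit(SAMPLE_LOG)
    for user, entries in commands.items():
        for ts, runas, cmd in entries:
            print(f"{ts} {user} ran as {runas}: {cmd}")
    for ts, user, reason, cmd in denied:
        print(f"{ts} DENIED {user} ({reason}): {cmd}")
    for ts, src, method in root_logins:
        print(f"{ts} direct root login from {src} via {method}: unattributed")
```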
Another key part of the user management process is for the IT organization to choose how authentication occurs. For most situations, username and password are selected. While this method may not be the most secure, it is often the most convenient for users. Many Infrastructure-as-a-Service providers require SSH key-based access to cloud servers and cloud infrastructure services. Multi-factor authentication, which adds another factor to authenticating a user, is becoming more common. The second factor generally involves validating with something a user has, a cell phone for instance. Organizations can choose from a variety of options for how to authenticate their users to the IT resources they need.
Ongoing User Management and Self-Service
The administrative side of managing users doesn’t stop there. There is a constant stream of changes in any organization. There are new users, users leaving, and users changing roles. Each of these could require IT involvement. DaaS off-loads many of these user management tasks. For instance, a new user is automatically notified and can enter their password or SSH keys directly into the system. This avoids the IT admin having to handle keys or passwords. Password or SSH key rotation can also be pushed to users to perform through the portal. Not only does this reduce the IT workload, it increases security.
Managing who has access to what IT resources may be one of the most important tasks for an IT organization. Connecting each user to what they need and doing so securely while keeping IT admins efficient is a central tenet of Directory-as-a-Service® user management capabilities.