What is the Future of IT Identity Management Tools?
Like a skyscraper depends on a sturdy foundation and strong girders, so does IT depend on its infrastructure. In the early days of IT, the infrastructure was located entirely on-premises. IT admins had their own data centers, chock full of racks of servers and spidered through with CAT5 cabling, switching, and routers. In an era of desktops and dial-up, having on-prem infrastructure made complete sense, but the ever-changing world of IT demanded improvement.
After about a decade of stasis, new developments began to hit the industry. Salesforce introduced the world to the power of Software-as-a-Service (SaaS). Google Apps (now called G Suite™) took SaaS even further, diving into productivity and email services and challenging the incumbent Microsoft® Exchange®, Office®, and Outlook®. Then Amazon® Web Services (AWS®) kickstarted the migration of infrastructure to the cloud. Dropbox™ revolutionized file storage with cloud-based storage. All things IT were being improved by the cloud, but one important piece of infrastructure remained on-prem: the directory service.
An early leader in the directory services market was Microsoft® Active Directory® (MAD or AD). Created at a time when the workplace was dominated by Windows® products, such as Outlook, Exchange, and Office, AD quickly gained a monopoly in the directory service market. In an IT environment already dominated by Windows, everything worked together seamlessly. That feeling of seamless integration didn’t last long, though, as IT infrastructure began its shift to the cloud.
Microsoft could now feel the heat. The hold that AD had on the directory services market was at risk of vaporizing into the cloud. To combat this, Microsoft released Azure® Active Directory, which was designed to be AD’s gateway into cloud-based identity management, an approach often referred to as first-generation IDaaS. Unfortunately for Microsoft, just as the industry was trending towards the cloud, it was also trending towards other platforms like Mac® and Linux®, so Microsoft’s hold on the market began to slip even further. Not only that, a Microsoft representative stated publicly that Azure was not a cloud Active Directory replacement (Spiceworks). Clearly, the future of IT requires a new, cloud-based IAM solution that is platform agnostic.
Read More: The Shift to a Cloud Directory
Identity Security and Control
In a day and age when cyber security breaches are a constant threat to business, it’s paramount to make sure end users are properly authenticated to company IT resources. This is as much about efficiency as it is about security. Identities have proliferated in the last decade, and many users have multiple corporate identities. This creates fractured and siloed identity management workflows that are inefficient for IT and introduce security risks. The future of identity management should be one unified identity, managed by the admin from one centralized place, preferably in the cloud.
In the early days of IT, one of the first big players in identity management was LDAP, the Lightweight Directory Access Protocol. LDAP provided an enterprise with a way to manage and provision users, their systems, and requests across a variety of IT resources, but only if those resources spoke the LDAP protocol. At the time it was generally used through OpenLDAP or Active Directory. Since most IT resources at the time were Microsoft-based, LDAP worked alongside AD’s Kerberos implementation and logged users into all of their applications and systems.
Cloud Identity Management
But, as we’ve seen time and time again across other IT markets, the identity and access management (IAM) market began to shift to the cloud. Web-based applications with their own required login information began to crop up, providing users with easy-to-use, off-prem resources. One such player was Google. With Google Cloud Identity, Google challenged the corner of the identity management market that Azure AD was designed to hold for Microsoft. From Dropbox® to Evernote®, hundreds of SaaS apps were trying to get their feet into the industry, and they all required their own login identities. The term Single Sign-On (SSO) started getting thrown around as users wanted a straightforward way to authenticate themselves across all platforms.
In response to the rise of web apps and a growing need to access them efficiently, web app SSO providers emerged. These platforms are built on Security Assertion Markup Language, or SAML, which is conceptually similar to LDAP as an authentication approach. Web-app SSO solutions piggybacked on Active Directory, thanks to SAML, to provide users with a way to log on to all their various web apps, creating the concept of first-generation Identity-as-a-Service (IDaaS). With IDaaS, IT admins could manage their users’ non-Windows web apps and still have their users leverage their core credentials registered in a directory service. While AD was now linked to the cloud through an SSO solution, it still kept one foot firmly on-prem.
Device and User Management
Identity management has been further complicated by the need to manage user identities across operating systems, such as macOS or Linux. An SSO solution enabled a user to have one set of credentials for all of their apps, but that same identity couldn’t be used to access their machine itself.
Since Active Directory was designed to manage Windows-centric environments, the advent of other platforms in the workplace heavily challenged AD’s ability to manage devices and users on non-Windows systems. For example, since Macs run software that competes with Microsoft’s, they required additional third-party solutions known as directory extensions or identity bridges, or completely different identity management solutions.
Further, Microsoft changed the industry with Group Policy Objects (GPOs) for Windows machines, which enable IT admins to remotely manage their Windows fleet. However, that same approach doesn’t work with macOS and Linux systems. Next generation cloud identity management is changing that with cross-platform, GPO-like system management for Windows, Mac, and Linux.
What the future of IT identity management tools demands is the ability to sign on to anything, be it a resource, a machine, or a platform. This sort of True Single Sign-on™ would provide ease of access to IT admins and their end users alike. Many think juggernauts like Google or Amazon will bring about this shift, but in their current state, their solutions just don’t cut the mustard.
Read More: Leveraging Identity Management for Modern IT
As an IT admin, once you’ve organized your users and then authenticated and secured their identities, there is still one overarching necessity: a way to link all of your users and their machines together. This data link connection between device nodes is known in general as the network. The network all of your users operate on dictates their ability to access company data and connects them to the resources they need, whether on-prem or online. Not only that, the network must be able to provide access to employees both in the office and out in the world.
Networks began with servers, desktops, laptops, on-prem databases, and lots of other IT resources that users’ systems were connected to via Ethernet. On these servers, users could use drives to access and share data across a corporation or run applications. With these drives, a user’s identity would come into play, not only limiting what data could be accessed, but also requiring that the desktop be used only by an authorized party. Client-server applications would be leveraged to run the business.
Eventually, specialized servers (or more specifically, routers and switches) could grant a user access to the Internet. Servers needed the ability to limit which sites could be visited according to company policy, as well as monitor activity. The Internet was essentially a virtual Wild West, with a whole host of unknown users and bad actors that could present threats to company information. Something had to be done to ensure security.
To do so, a protocol was developed called the Remote Authentication Dial-In User Service, or RADIUS. With RADIUS, an organization could authenticate and manage users on a network, as well as monitor access to data. It became a go-to for Internet access for a wide range of organizations. Many, however, have yet to use the RADIUS protocol, and that absence contributed to vulnerabilities that were exploited in, for instance, the 2017 KRACK attack. In the future, organizations must implement RADIUS in order to protect themselves from unwanted intrusions into their network resources.
With the advent of WiFi and devices like laptops, changes ensued. Users could work wherever they needed to, but these mobile users still needed access to company data. In response, the virtual private network (VPN) was developed to extend the reach of an organization’s network to anywhere with an Internet connection. Unfortunately, VPN wasn’t nearly as easy to use as on-prem connections, and it created hassles for end users. Now, with the advent of quicker, more efficient network options like fiber connections and 5G, IT needs a cloud-based network protocol that can keep up with the rapid data exchange of the future, while making sure that said data is safe and secure.
The Future of IT Identity Management Tools
By looking at the evolution of each of these three areas (directory services, identity management, and networking), we can start to paint a picture of what the future of IT identity management tools demands. To optimize the IT admin experience, a new solution is necessary. This solution needs to offer a cloud-based directory service with a simple, straightforward way to register and maintain a user base. It needs to have secure, platform-agnostic identity and access management to ensure that only authenticated users are able to reach confidential company materials, regardless of their device or location. On top of that, this solution needs to have a RADIUS-like service based in the cloud, so that only authorized users can access the corporate network and data, while keeping out any bad actors.
The future isn’t just about providing this functionality, but about centralizing and streamlining it. JumpCloud® Directory-as-a-Service® gives IT admins a single console to gain control over their infrastructure, identities, networks, and more. It’s all in one package. JumpCloud Directory-as-a-Service offers a feature-rich, hyper-secure directory service, with True Single Sign-On™ for IT resources, on-prem or otherwise. Our multi-protocol approach means that LDAP, SAML, and RADIUS authentication are all covered – as well as multi-factor authentication and other important security features.
Seem too good to be true? See for yourself, and request a demo or jump right in and try JumpCloud for free. With the free trial, you can use all that JumpCloud has to offer for up to ten users, forever. Still not convinced? Contact us with questions, comments, or concerns – or visit our Resources page to find our supporting materials. We’d be happy to help.