Many organizations have opted to forgo paying for directory services.
While many of these organizations are in the small-to-medium size category, others are on the larger side. In this paper, we explore reasons why organizations don’t implement directory services, the drawbacks and consequences of not having one, and how organizations can easily implement a modern cloud directory service.
What is a Directory Service?
Stepping back, what is a directory service? A directory service connects users and employees with the IT resources they need to do their jobs, including systems, servers, cloud and on-prem applications, files, and networks. Historically, the leading directory services (also called identity providers) have been Microsoft® Active Directory® (MAD or AD) and OpenLDAP™. The identity provider authenticates and authorizes users and, in the case of AD, manages them together with their Windows devices and applications. More specifically, an identity provider confirms a user is who they say they are (authentication), controls the level of access that person should have (authorization), and then manages their systems for security policies, configurations, and settings. Directory services control who should have access to what resources, enabling users to do their jobs securely.
Why Some Organizations Don’t Have Identity Management
In most organizations, directory services are at the center of the network, making them as critical to the business’s overall success as they are to the underlying network infrastructure itself.
The question, then, is why would any organization forgo implementing an identity management platform?
In reality, there are multiple ways that connecting users to IT resources can be accomplished, and companies have found workarounds. For instance, companies can use an extra piece of software to help automate the process, or they can even manage the process manually.
In conversations with thousands of organizations across the globe, we have heard a wide variety of reasons why IT admins don’t have directory services. These include the following:
“The organization is too small.”
Some organizations feel they’re too small to deal with the overhead of implementing a directory service. For these companies, manually managing access control seems easier. It’s less time consuming, cheaper, and offers direct control. Most of these IT admins (or maybe more accurately, a founder or owner) manage the connections in their head because there are just a few users. As an organization grows—even over five users—remembering who has access to what IT resources becomes increasingly difficult as the company scales.
“No on-prem infrastructure.”
Other organizations don’t have an identity provider simply because they have no on-prem infrastructure. These companies are “born in the cloud” or are “all cloud.” They lack the infrastructure to have servers on-prem or the ability to manage on-prem directories. Some companies may utilize outsourced IT management firms. But, directory services historically have been placed on-prem, so without the ability to host and manage the servers and software, an organization bypasses this critical capability.
“Can’t support modern IT infrastructure.”
Many IT organizations have changed their infrastructure in recent years. No longer are they 100% Microsoft based. More and more they are becoming Mac based, or mobile based. Fortune 500 companies like IBM, GE, and Capital One have even deployed thousands of Macs across their workforce. Additionally, with the advent of the cloud, more IT infrastructure is living off-prem. On one side, organizations rely heavily on SaaS-based applications. These can include G Suite™, Office 365™, Salesforce®, GitHub™, Slack, Box™, and many others. On the other side, IT is leveraging Infrastructure-as-a-Service or cloud server infrastructure such as AWS® or Google Cloud Platform™. Both of these uses of cloud IT infrastructure, unfortunately, are problematic for legacy directory services. Further, as Macs and Linux devices become more prevalent, directories such as AD and LDAP struggle to connect to and manage them.
“Too complicated to implement.”
Directory services are complex. Virtually every IT resource—systems, cloud infrastructure, internal applications, file servers, and web-based applications—needs to be connected to a directory service. While some of these connections are straightforward, others are not because there are complications around OS platforms, protocol support, networking, and security. OpenLDAP, the leading open source LDAP implementation, for instance, requires significant technical knowledge to manage and maintain. While Active Directory is a bit easier to install, configuring and managing all of its different pieces of functionality is a full-time IT role. For many organizations, the level of effort doesn’t match up with the perceived benefits.
“Too expensive to run.”
As critical as directory services are to an organization, the cost to run the directory often outstrips an organization’s ability to pay for it. Of course there are hardware and software costs, but the real hidden cost of directory services is in the ongoing management. Users come and go. Devices are added and decommissioned. Applications are added into the mix. All of this requires IT admins to be engaged with their identity management platform to update the connections. Further, a directory service needs to be up 100% of the time, and as a result it takes infrastructure and management. Current directories take time and money to run, which is an impediment to a large number of organizations.
How Organizations Operate without a Directory Service
After understanding why organizations don’t leverage a central user directory, the question becomes, “How is this task accomplished, then?” IT admins are creative in solving the problem.
Perhaps the most common alternative to a user directory is manual user management. IT admins hand-provision users on devices (laptops, desktops, and servers) and applications. When users leave, they manually delete them from IT resources. Admins often will create spreadsheets to manage the details of user access or some will script the process of provisioning and deprovisioning users to create some automation. With a limited number of users, platforms, and applications, manual management is a reasonable approach to controlling access. Business continuity and security, of course, can be compromised in this scenario. There are often only a few IT admins at an organization, and the job can become bigger than they can manage, especially when you consider that the average business ends up using 50+ web-based applications (and that’s just one type of resource). Further, security takes a back seat as admins in this scenario struggle to find the time to apply best practices like enforcing complex passwords.
Configuration Management Tools
For organizations that have grown up in the cloud, or who have embraced DevOps, tools like Puppet, Chef, Salt, or Ansible (among many others) offer a centralized management tool that can provide user management on servers in small organizations. These tools allow IT admins to provision users, primarily on production systems (as they are not often used in development, test, or desktop environments), via a central set of scripts. The downside to these tools is that they achieve this through the use of scripting, and each change requires a code change. Further, these scripts become very complex when exceptions are needed.
By the time an organization reaches twenty to thirty users, these exceptions become common, as do third-party audits, which require fine-grained access control. Configuration management tools do not handle these types of requirements well, nor do they generally support strict compliance activities. In addition, configuration management tools do not satisfy the user management needs of IT for their desktops, laptops, and applications.
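To make the scripted approach described above concrete, here is an added example (not code from the original paper or from any of the tools it names) that reconciles a small, spreadsheet-style access list against the accounts actually present on each host. The users, roles, hosts and per-host exceptions are constructed sample data; the point it illustrates is that once exceptions appear, the script must also detect accounts that should no longer exist, which is the part manual management most often misses.

```python
"""Reconcile a declarative access list against accounts present on hosts."""

# Constructed sample: the kind of access "spreadsheet" a small IT team keeps.
# Each user holds roles; roles map to hosts; "extra" and "denied" are the
# per-host exceptions that make hand-written provisioning scripts grow.
DESIRED_USERS = {
    "alice": {"roles": {"dev"}, "extra": set(), "denied": set()},
    "bob":   {"roles": {"dev", "ops"}, "extra": set(), "denied": {"db-1"}},
    "carol": {"roles": {"finance"}, "extra": {"web-1"}, "denied": set()},
}
ROLE_HOSTS = {
    "dev": {"web-1", "web-2"},
    "ops": {"web-1", "web-2", "db-1"},
    "finance": {"erp-1"},
}

# Constructed sample of accounts actually present on each host
# (in practice this would be collected from each host, e.g. from /etc/passwd).
ACTUAL_ACCOUNTS = {
    "web-1": {"alice", "bob", "dave"},  # dave left the company; never removed
    "web-2": {"alice"},                 # bob was added to ops but not here yet
    "db-1": {"bob"},                    # bob is denied db-1 by exception
    "erp-1": {"carol"},
}


def desired_hosts(user, users, role_hosts):
    """Hosts a user should have an account on: role hosts plus/minus exceptions."""
    spec = users[user]
    via_roles = set().union(*(role_hosts[r] for r in spec["roles"]))
    return (via_roles | spec["extra"]) - spec["denied"]


def reconcile(users, role_hosts, actual):
    """Return {host: {"add": set, "remove": set}} for every host that drifts."""
    want = {host: set() for host in actual}
    for user in users:
        for host in desired_hosts(user, users, role_hosts):
            want.setdefault(host, set()).add(user)
    plan = {}
    for host in set(want) | set(actual):
        have = actual.get(host, set())
        add, remove = want[host] - have, have - want[host]
        if add or remove:
            plan[host] = {"add": add, "remove": remove}
    return plan


def orphaned_accounts(users, actual):
    """Accounts on any host that belong to nobody in the access list at all."""
    orphans = {host: accts - set(users) for host, accts in actual.items()}
    return {host: accts for host, accts in orphans.items() if accts}
```

Running `reconcile(DESIRED_USERS, ROLE_HOSTS, ACTUAL_ACCOUNTS)` yields a per-host add/remove plan, and `orphaned_accounts` flags the departed user still present on web-1; neither check is something a one-off provisioning script performs on its own.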
G Suite Directory
Google services have become a standard for small to medium-sized enterprises. Organizations manage a directory of sorts by placing their users in G Suite. The users then have access to a number of Google services, and they can also use their Google credentials with a select few other web-based applications and services. Unfortunately, G Suite Directory does not extend to devices such as a user’s desktop or laptop, servers hosted at AWS or Azure, on-prem applications, WiFi, file servers, and more. The result is that an organization’s core infrastructure, whether on-prem or in the cloud, needs to be managed in a different way outside of G Suite’s “directory.”
JumpCloud Directory-as-a-Service, the Solution for No Directory Situations
Innovative organizations don’t settle for these issues with directory services. IT admins at these companies know that a central user directory is absolutely imperative. It’s arguably the most critical piece of infrastructure within an IT organization. Manually managing users, trying to script the process, or leveraging vendor-specific solutions is not good enough. SSO solutions, while valuable, don’t give IT admins the level of control that they desire. Microsoft’s Azure AD is a complement to on-prem AD, not a replacement. As a result, while most organizations go without a central directory, modern, innovative companies opt for a cloud directory service—JumpCloud Directory-as-a-Service.
JumpCloud eliminates many of the roadblocks that organizations face with an identity provider.
As a hosted directory service, there is no infrastructure for IT admins to implement or manage. That means that things like backups, upgrades, security, networking, and maintenance are all handled for you. As a result, a cloud directory takes less time and expertise, making it ideal for mixed platform, cloud-forward environments.
Comprehensive Identity Provider
Perhaps the most critical aspect of JumpCloud Directory-as-a-Service is its ability to function as the central identity management platform for virtually all IT resources, including devices, applications, file servers, networks, and cloud/web infrastructure. JumpCloud leverages multiple authentication protocols, including a device’s native authentication, LDAP, RADIUS, SSH, TOTP, and SAML. This enables the SaaS-based central directory service to control desktops, laptops, and servers whether on-prem or in the cloud. Further, LDAP and SAML authentication enable JumpCloud Directory-as-a-Service to control access to applications, both internal and web-based. RADIUS connects users to networks, including WiFi. SSH and TOTP, while not exactly authentication protocols, can be leveraged to securely access systems and applications. A cloud directory service supports the modern IT infrastructure that companies are using and moving to.
Another critical aspect of JumpCloud Directory-as-a-Service is that it is cost-effective. Because of its SaaS-based approach, organizations only pay for what they use, so the solution scales with them. Further, there are no separate hardware, software, implementation, or professional services costs. A simple monthly or annual subscription covers an organization’s identity management needs.
For organizations that don’t have a formal user directory solution, JumpCloud Directory-as-a-Service is an ideal approach.