By Eric Avigdor, Senior Director of Product Management, JumpCloud, finalist of Best Security Innovation in a SaaS Product (B2B, Small Business / SMB) at 2022 SaaS Awards
Organizations have relied on directories to manage identity for decades. From the early days of computing up until the mid-2000s, workplaces revolved around a heavy Microsoft environment. In response, Microsoft created Active Directory (AD) for managed user identity and access in IT landscapes where users were logging into Windows-managed computers and accessing programs like Office and Windows File Server. Given the monopoly Microsoft had across office IT environments, it made sense to adopt AD and its on-premises approach to identity which integrated so easily.
The IT world shifted
In the last 15 years, organizations have pulled away from anachronistic, on-prem environments in favor of the cloud. In terms of devices, businesses moved beyond Windows and increased their use of Mac and Linux-based systems. Cloud servers became the go-to for data processing and storage. Companies adopted web applications like GitHub, Salesforce, and Slack. They started to use Samba file servers and NAS appliances, and created wireless networks unattached to any physical domain through protocols like RADIUS. GSuite became as popular as Office in the enterprise space.
Microsoft’s AD can’t meet the demands of modern workloads. It simply wasn’t built to work in cloud-forward environments or for organizations with globally distributed workforces. IT admins added in identity and access management (IAM) solutions like identity bridges, single sign-on (SSO) solutions for web applications, privileged access management (PAM) for endpoint devices, and other bandaids to make AD work in an environment it wasn’t created for. But doing so created complications and added significant costs. Instead of positioning organizations for success in cloud-forward environments, it shackled their identity infrastructure on-prem. This is especially challenging for small and medium-sized enterprises (SMEs) that lack the staff and budget necessary when adding point solutions.
The era of on-prem Microsoft dominance ended and the era of SaaS environments—and cloud-based deployments—is here. In fact, Gartner predicts that over 95% of new digital workloads will be deployed on cloud-native platforms by 2025, an increase from 30% in 2021. The future is in the cloud. Shouldn’t the systems used to manage users and their devices and identity keep pace?
Making the Shift to an Open Directory
Today’s IT teams are evaluating how to break the connection to AD, especially in the SME space. They’re focused on introducing the flexibility, innovation, simplicity, and cost-savings of cloud-forward solutions to secure organizations and manage their users.
If you’re an IT admin considering the best way to retool operations it’s time to evaluate your approach. An open directory approach improves end user experience, improving worker productivity and satisfaction. And in the face of rising threats, an open directory can be a critical tool in helping organizations establish a Zero Trust security approach across mixed devices, in remote and hybrid environments, when accessing virtually any IT resource. Consider how an open directory could better secure and streamline your IT operations. Here are three tips to get you started.
Centralize user identity to make work easier for everyone
Housing on-prem technical infrastructure made sense when employees logged in from an office location daily. But the new workplace model, which includes permanent remote workers, must function efficiently—no matter the location of individual employees.
At the heart of the initiative to modernize IT stacks: making sure that remote work happens well. Employees don’t particularly care about sparkling new devices or the latest applications. They simply want to do their job and have easy access to the resources they need. At the same time, IT teams managing those employees want a similarly streamlined experience, and an overall improved approach to keeping company data secure that maintains productivity and security. Ideally, they want in through a centralized platform: in JumpCloud’s biannual survey of SME IT admins, 75% reported they would prefer a single solution to manage employee identities, access, and devices rather than having to manage a number of different solutions.
Cloud computing has allowed for the creation of such tools that can improve identity management by unifying disparate parts of identity, device, and access management. An open directory platform approach incorporates a cloud-hosted “virtual” domain that offers the flexibility and security necessary to support modern workplaces. Instead of relying on an internal network or physical infrastructure for security, a cloud directory approach is tailored to each user or group of users, device, network, and role-based authorization. An open directory streamlines IT management for admins, while creating a single source of user identity that can be propagated out, eliminating friction and reducing vulnerabilities caused by vendor sprawl.
2. Let go of physical domains in favor of mini-perimeters
Remote workplaces require a re-imagining of office-based security in favor of creating virtual offices and security perimeters around each employee – and whatever devices they use. Each time an employee accesses a resource, that transaction needs to be secure, swift, and tracked for compliance and overall visibility.
A layered approach through a cloud directory offers robust security and 360-degree visibility into your IT landscape.
- Identity layer: At its core, identity sits at the center of efficient and secure IT operations. For very small companies, a Google Sheet might be sufficient for a directory to manage resource and user information. But as the number of employees and IT resources grows, many SMEs adopt a cloud directory, which houses employee identity and whatever resources employees need. A cloud directory houses authentication credentials and establishes centralized access control across user identity, admin access, service accounts, and machines. Centering identity within a cloud directory allows SME teams to scale easily, to maintain updates without disrupting users or introducing security vulnerabilities, and to give users access to both on-prem and cloud-based resources.
- Device layer: Once identity is centralized, the next layer is to extend those identities to devices. Most IT environments operate within an ever-evolving state of company-issued, personal, and mobile devices running some combination of Mac, Windows, or Linux systems. In this complicated device ecosystem, organizations should extend user identity to establish device trust, which ensures that the device is known and its user is verified. One option for this is to employ a mobile device management solution (MDM). On the lighter-touch side, that could include installing a remote agent on a device that handles basic device security, requires multi-factor authentication (MFA), establishes permissions, and grants access for company-specific resources without disruption or violating users’ privacy. For more robust options on company devices, an MDM can be activated on a device before it’s even unboxed, establishing security controls from the very first touch to final offboarding. Such solutions allow for remote control of the device; in the case of device loss or theft, it can remotely lock, restart, or even wipe a device’s content. Evaluate options that can support your device environment, such as whether to support bring-your-own device (BYOD) or honor employee device choice, then adjust as necessary in response to company policy changes.
- IT resource layer. Once you’ve established centralized identity and created a device strategy, ensure quick and easy access to SaaS apps, networks, infrastructure, and files. Single sign-on (SSO) eliminates user friction and allows a single set of credentials to serve as the key to an employee’s IT kingdom. When in-person offices were the norm, employees had a similar kind of seamless experience by logging into their desktop at their designated workstation, then getting access to applications and shared files and servers. Now that the cloud has eliminated the connection tethering access to a physical domain, today’s SSO gives users a single set of credentials to use on any device, to access virtually any IT resource, from cloud apps like Salesforce and Slack to systems, files, and networks. Some organizations use SSO solely for web-based applications, while those adopting an open directory approach are able to centralize identity and extend it to any virtually any IT resource through authentication protocols like LDAP, SAML, OpenID Connect, SSH, RADIUS, and REST.
3. Establish visibility that goes beyond log capture
IT admins require visibility across their organization’s identities, devices, and resource access controls for security, ongoing monitoring, and compliance needs. Given the breadth of access transactions, businesses should look for a holistic solution with broad coverage.
Event logging data is great, but given today’s complex IT environments, any solution should include a method for capturing discrete and unique log formats. For cloud-forward companies, that means capturing logs from SSO, from cloud RADIUS for network connection, LDAP and MDM connections—any log format for resources deployed in your stack. Integration requirements can make log analysis and management solutions expensive, challenging to implement, and time-intensive for the admins tasked with managing custom feeds for authentication protocols. Look for solutions that offer a wide range of analysis by enriching raw data with a number of other data points, sessionizing the data through post-processing. Such information allows admins to have visibility not just into a particular service or user, but a broader depth of understanding over their entire IT environment.
Go easy on yourself—and your IT admins
It’s no hyperbole to say that cloud computing has truly revolutionized the world. The efficiencies it offers can reduce the burden on IT admins while improving the user experience for employees. Relying on a cloud-based open directory offers essential benefits; it centralizes IT for improved user access control, cross-OS device management, secure network paths, while improving monitoring and data analysis. If your organization hasn’t fully committed to a cloud-forward approach, now’s the time to make the move.