Active Directory is not the best IAM solution for 2022! Here’s Why

    277
    0

    The growing cloud adoption and remote workspaces have made IT security professionals reapproach security. Even foundational concepts are being rethought. Technology evolution and emerging cyber threats are game changers. Identity and access management (IAM) services, such as the ones offered by Thales and other companies, have become the cornerstone of modern security approaches. One question that many IT security teams are asking is: “Should I continue to use Active Directory as an IAM solution?”

    To answer this question, let us first examine the features offered by both, the traditional Active Directory as well as cloud-based Azure AD.

    Active Directory vs Azure AD

    A directory, like Active Directory, is a system that stores information about identities. This information includes user IDs, names, other identity attributes, etc. There may be passwords associated with user objects, but that’s not always the case. How the data is physically stored varies and is not too important.

    When Active Directory was released back in 1999, data centers and computing infrastructure existed only on-premises, and almost all servers and services were dominated by Microsoft. Active Directory provided the sole source for managing the users and systems in a Microsoft-dominated corporate network. Administrators had to leverage this one platform to manage their company’s identities and access to IT resources. Protocols, such as Kerberos and RADIUS, evolved within the Microsoft ecosystem to enable single sign on and remote access within a closed, on-prem network.

    Going forward into the cloud era, many IT departments may be confused by their similar names, believing that Azure Active Directory is the cloud-based directory services replacement for Active Directory, however, this is far from being true. Active Directory is still hosted on-premises, while Azure AD is designed to be the cloud-based user management platform for Azure infrastructure in the cloud. The primary role for Azure AD is to be the identity and access management (IAM) solution for the Azure cloud environment, offering among others, Multi-Factor Authentication (MFA) and Single Sign-On (SSO) services

    Relying on a single service provider

    Azure AD consolidates an organization’s users in one centralized cloud-based directory. There are however considerations that IT teams should take into account when deciding whether to adopt the full range of access management and authentication capabilities offered by Azure AD. 

    First, managing all aspects of access security and authentication on Azure AD will inevitably lead to vendor lock-in. Although you can certainly trust the technologies behind cloud computing, it is always advisable to mitigate risk by separating security from the data and apps it is meant to protect.  This is of huge importance, because risks, vulnerabilities, and threats to hegemonic service providers are traversing the customers, allowing adversaries to move laterally across corporate networks.

    The second consideration is about integration with other, non-Microsoft based apps and services. How do organizations control access to macOS and Linux systems, on-premises legacy applications, on-premises VPN and Wi-Fi networks, and more with solely Azure AD as their IAM solution? Increasingly, it is evident that a ‘one size fits all’ approach to authentication is not suitable to today’s hybrid and complex environments. 

    Where does the Shared Responsibility Model fit in?

    When you migrate your services, applications, workloads, and data to the cloud, it is advisable to adopt a shared security responsibility model. This means that your security team maintains responsibility for access security, while the provider takes responsibility for securing the actual infrastructure.

    No matter what your IT environment is, whether on-premises, public cloud, private cloud, or just hybrid, you are always responsible for securing what’s under your direct control, including identity and access management. You are responsible for all facets of your IAM solution, including authentication and authorization mechanisms, single sign-on (SSO), multi-factor authentication (MFA), access keys, and credentials.

    The shared cloud security model is a concept that helps businesses and organizations adopt industry best practices for separating the protection of their data in the cloud from the other services offered by the cloud provider. In fact, the greater the segmentation of duties, the better the security you can offer your data.

    Opting for a cloud-neutral IAM solution brings some tangible benefits, such as being independent of cloud service providers to mitigate potential breaches, the ability to select the solution that allows you to maintain regulatory compliance, and control of your own security.

    Going forward

    When it comes to defining and managing access control in a modern business environment, organizations need to invest in an access management and authentication solution that can address a variety of login scenarios, user expectations and security needs. Any other approach will leave organizations with big gaps in their security footprint. 

    Several cloud IAM solutions have emerged to address these challenges, and enable secure cloud adoption in the enterprise through several key functionalities:

    • Simplified cloud access with cloud single sign on
    • Optimized security with granular access policies underpinned by modern authentication technologies
    • Scalability enabled by an ability to protect a broad range of apps and services
    • Improved compliance through visibility into cloud access events

    Modern business models require a robust IAM solution. Choose yours wisely and avoid traps.

    Author Bio

          Danna Bethlehem is the Director of Product Marketing in Access Management at Thales. With her strong understanding of the industry, combined with a deep understanding of customer solutions and strategies, she regularly contributes to the Thales blog and produces valuable cybersecurity articles around Identity and Access Management.