Cloud
4/15/2014
07:00 AM
Thomas Pedersen
Thomas Pedersen
Commentary
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Active Directory Is Dead: 3 Reasons

These days, Active Directory smells gangrenous to innovative companies born in the cloud and connecting customers, employees, and partners across devices at light speed.

Ninety-five percent of Fortune 500 companies use Active Directory, a 1990s technology, because their infrastructures are based on a 90s network architecture of on-premises PCs, applications, servers, and tools. But look around. Today’s hottest startups –- companies like Dropbox, Uber, Pinterest, and Tumblr -- just snort, and say, “The 90s called, and they want their infrastructure back.”

Full disclosure: I am the CEO and Founder of OneLogin, a cloud-based identity and access management company. Active Directory integration is one of our focus areas.  And though I have other fond memories of the 90s -- Nirvana, X-Files, Hale-Bopp -- Active Directory isn’t one of them. These days, Active Directory smells gangrenous to innovative companies that were born in the cloud and operate at light speed interconnecting customers, employees, and partners across an array of devices and time zones.

Before laughing off the death of Active Directory, remember we also never imagined that Apple would one day have a bigger market capitalization than IBM, or Google would be nine times more valuable than General Motors. Today’s 30-person company is positioning itself to be tomorrow’s 1,500-person company.

Why am I predicting the death of Active Directory?

Fact 1: Active Directory’s complexity slows IT’s ability to respond to business needs.  Originally crafted when IT owned and dictated everything, including the look, feel, and operation of user applications, Active Directory has failed to keep up. Have you tried to implement Single-Sign-On for your legacy, cloud, and mobile apps with Active Directory? If so, this custom integration likely took you months to complete, and probably lacked advanced functionality like multi-factor authentication and rapid deprovisioning (a must when employees or contractors leave an organization). Rinse and repeat the next time you need to add new apps. In an era where business runs on Red Bull, Active Directory is old and bloated.

Fact 2: Active Directory increases the daily IT workload. IT managers tell me they spend too much time integrating new apps into their aging Active Directory infrastructures. This is especially true because most new apps come from the cloud. Furthermore, different user communities require different security policies, and creating a new Active Directory group for every use case is time consuming. Active Directory’s provisioning complexity, coupled with different authentication procedures and decentralized administration, leads to higher identity management costs and frustrated, overworked IT teams. Getting a short-term contractor access to the right apps with the right entitlements should take minutes, not hours or days. Business is constantly being asked to "do more with less," but with Active Directory we get "less with more."

Fact 3: Active Directory encourages bad behavior and increases security risks. Facts 1 and 2 give rise to Shadow IT. Users have figured out they can easily bypass traditional IT to get the services and capabilities they need.  But this has resulted in raising security risk-levels inside the enterprise. For example, poor password hygiene in Shadow IT is rampant. Our own survey of 200 IT leaders showed that 71 percent admit to using unsanctioned apps like Dropbox and Google Apps to get work done, and 44 percent said employees manage passwords on sticky notes and spreadsheets. It’s an IT security nightmare.   

What has been your experience getting Active Directory into the 21st Century? Have you successfully integrated it with your cloud apps? Was that seamless or seemingly endless? What have been your biggest challenges, and what have been the biggest gaps? Share your success stories as well!

Thomas Pedersen is the CEO and founder of OneLogin, where he is now laser-focused on making OneLogin the most widely deployed identity management solution in the cloud. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 3   >   >>
ChrisB093
100%
0%
ChrisB093,
User Rank: Strategist
4/24/2014 | 9:01:40 AM
Re: Unusual article
It's true that using Active Directory in isolation slows IT's ability, increases workload and has security loopholes that many people are not even aware. But with the right software integrated with Active Directory the complexity for IT to manage these issues can be removed, concurrent logins can be restricted, security risks significantly reduced and regulations complied with (which is often not the case with cloud apps).

Our own (IS Decisions) research has shown that password sharing in business using Active Directory is indeed rampant. But with further restrictions on user access (limiting concurrent logins, location/time restrictions) users are significantly less likely to share passwords as it impacts their own ability to access the network. Such restrictions also help stop attacks from legitimate but stolen credentials.

Active Directory provides basic security, but it's vital to build on this with further restrictions and real time monitoring to what authenticated users can do. Software is available to do this in a way that is easy and user friendly.

 

 
Thomas B. Pedersen
100%
0%
Thomas B. Pedersen,
User Rank: Author
4/17/2014 | 2:16:40 PM
Re: Unusual article
I should clarify that OneLogin doesn't focus particularly on start-ups, but that's where we are seeing this trend. 90% of our customers are not startups and have Active Directory, some of them with dozens of forests and domains and more than a million users in some cases. Our customers include multi-nationals like Steelcase, Herman Miller, News Corp, Condé Nast and Midas who all have complex directories.

At these companies, Active Directory is not disappearing any time soon, but they are definitely moving in a new direction that reduces the focus on Active Directory. Instead of using ADFS to secure access to their applications, they are using OneLogin and similar solution to connect identities to applications.

The point I am trying to make here is that as applications move into the cloud, there are identity management solutions that solve the problem better than Active Directory. For example, a growing number of applications have user management APIs, which enables us to automate on-boarding and off-boarding of employees. ADFS doesn't do this. We are also able to handle applications that have no federation capabilities and we're integrated with a range of strong authentication solutions.

One of our recent clients has 15,000 employees in more than 2,000 locations. They were about to roll out Office 365, but were overwhelmed by the complexity of using ADFS. We managed to get them fully up and running on a single phone call. And now they have an identity management solution in place that enables them to quickly roll out other apps.

The business environment is very competitive and for many companies the decision is driven by business agility.
kobrien82
100%
0%
kobrien82,
User Rank: Apprentice
4/17/2014 | 1:31:31 PM
Re: Unusual article
@rjthomas01: The drive to cloud is largely about mobility, speed, and collaboration. The apps you mention are being adopted by users directly; whether that's good or not is certainly debatable, but their popularity is born of user requirements for increased flexibility and access to data. 

I think you're dead-on here: too much fragmentation makes regulatory and legal compliance difficult, if not impossible. However, the ways of the world have changed; we can either balk at this, or we can find a way to provide a solution to user desires/needs that we can manage, provide governance for, and secure. 

Fragmentation like this typically represents explosive growth in an industry, which consolidates as it matures.
rjthomas01
50%
50%
rjthomas01,
User Rank: Apprentice
4/17/2014 | 5:05:43 AM
Data security
@haglt, not sure if Europe's data security are insane, but definitely odd. One reason to not use DropBox is that DropBox stores it's data on AWS, which is in the US. Which the UK can't use, because the US isn't on the list of approved storage countries. This has nothing to do with the security of AWS, it's simply a you-can-or-you-can't.

However, I'd have thought Heartbleed would have indicated precisely why strong Data Security measures are needed. A lot of very big sites have almost certainly (inadvertently) contravened their own data protection policies because of Heartbleed.
rjthomas01
100%
0%
rjthomas01,
User Rank: Apprentice
4/17/2014 | 4:34:52 AM
Unusual article
"Today's hottest startups –- companies like Dropbox, Uber, Pinterest, and Tumblr"

These happen to be the same companies that have come a cropper with Heartbleed, whereas- at least this time around- MS's infrastructure is relatively untouched (remember Heartbleed is not a virus, and is therefore far more sinister than any thing like Slammer because the fault is device-independent, passive, and took 2 years to uncover).

Also, a few of other points:

1. AD- technically- was RTM on 15 December 1999- hardly 90's infrastructure;

2. Micorosft current strategy is based entirely around AD, globally. My personal phone logs in with my Microsoft Account (cloud AD) and connects to "Outlook" (cloud Exchange). They've just migrated it to a global stage, and- as mentioned in other posts- it's more than possible to have a hyprid on-premise/ cloud existence.

Fact 1: Business needs or business wants? We get bombarded with requests for the cloud solution du jour (or find out about them afterwards). What possible reason can there be to need dropox, the box, OneDrive, Google Apps, Zoho, ThinkFree... This is not business needs, this is latching on to the next big thing then discarding it a week later for the next next big thing.

Fact 2: Increases daily workload? No... we rarely touch AD. What increases workload is chasing after a myriad cloud solutions that have just started being used with no thought given to business requirements. Example? Internally, instead of using Exchange (perfectly capable) what we see is whenisgood. Or doodle. Or FasterPlan. Or SelectTheDate. Etc.

Fact 3: Active Directory does neither of these things. The BYOD "revolution" has created bad behaviour and increased security risks. It's led to the assumption that you should have what you want, when you want which is fine for a consumer but generally speaking, the working world has to comply with things like the fact that financial records have to be kept for 7 years, data protection etc. To give just one example: if a company experiences indiscriminate use of random cloud solutions, how on earth would they be able to fulfill a complete FOI request? The answer is that they probably couldn't. How can you pull together all the data related to X when that data is spread across disparate locations, half of which aren't even known about? Also, the point about passwords- while having a grain of truth in that passwords are outdated- neatly bypasses mentioning that this is not an AD problem, this is just a problem. People would store passwords on post-its whather the infrastructure was Windows, Linux, Google Apps or ZoHo.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/16/2014 | 1:21:25 PM
Re: Your experience integrating AD with cloud apps?
Thanks for sharing those details about your experience with AD in cloud, BryanF287. To paraphrase Mark Twain, it would appear that the Death of Active Directory has been greatly exaggerated -- at least from your vantage point. 
BryanF287
100%
0%
BryanF287,
User Rank: Apprentice
4/16/2014 | 1:03:21 PM
Re: Your experience integrating AD with cloud apps?
What has been your experience integrating AD successfully with your cloud apps? 

100% of our employee cloud based apps are integrated with AD.

 

What have been your biggest challenges?

Getting security to approve integration where the SasS provider doesn't support ADFS.

 

What have been the biggest gaps?

Lack of standardization of authentication protocols in the cloud.  Security requirements (from all kinds of systems) that mandate strict password policies which leads to the sticky notes and spreadsheets containing passwords you mentioned (this is not because of AD).  Getting developers to understand the need for security and why storing passwords for their homegrown apps in plaintext a database is a really, really bad idea.

 

Some other information:

Employees ~ 6000 across 55 offices, high turnover in some departments

Automated identity management ~ 98%  (guest/contractor accounts are manual, turnaround time less than 1 hour)

100% audit trail for changes to AD or user accounts  (at least for the last 18 months)  Major changes are reconciled to approved change requests with unauthorized changes being addressed.

 

 

No mention of how to control machine settings without AD in this article either.  NPS is not robust enough yet to protect a network from clients without proper security settings like up to date AV software to eliminate the need for machines to be joined to the domain and controlled by GPOs.



I have to agree with many of the other comments.  This article seems like a sales pitch that is not based on reality unless you're a small company that doesn't need to meet audit requirements.  Considering how many difficulties the author has with AD, I question their ability to integrate with AD.

Will AD be around forever, of course not.  Calling it dead before there is even a viable competitor out there is irresponsible though.
anon1072277770
100%
0%
anon1072277770,
User Rank: Apprentice
4/16/2014 | 9:05:56 AM
Re: What's the alternative
Microsoft ADFS is not complicated, it is really simple technology. Aynome with basic understanding of authentication protocols can setup ADFS in few hours.

If you combine ADFS with Azure ACS and Azure AD you have very powerfull infrastructure for Cloud and Enterprise authentication.
ScottW834
100%
0%
ScottW834,
User Rank: Apprentice
4/16/2014 | 8:43:34 AM
If not AD then what?
While everyone is skipping off to the "cloud" there are still the same issues to be dealt with.  Authentication, Access and Accountability.  LDAP and AD have done a good job of this and as companies are learning everyday, security and information assurance are definitely alligned with business needs.  Convenience at the expense of security garners neither.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/16/2014 | 7:58:49 AM
Re: What's the alternative
These are great questions @haglt, and I think they get at the heart of the issue with your statement that eventually a startup grows up, at which point "Cloud Services tend to stop being the best soution." The question is when, and you lay the issues out very well in your post. 
Page 1 / 3   >   >>
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7298
Published: 2014-10-24
adsetgroups in Centrify Server Suite 2008 through 2014.1 and Centrify DirectControl 3.x through 4.2.0 on Linux and UNIX allows local users to read arbitrary files with root privileges by leveraging improperly protected setuid functionality.

CVE-2014-8346
Published: 2014-10-24
The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.