04:16 AM
Connect Directly

Don't Count Out Active Directory For Cloudy Future

AD isn't going anywhere anytime soon

Because Active Directory (AD) was first developed in an era before SaaS services, some security proponents might make the case that it hasn't adapted well enough and doesn't have the architectural flexibility to future-proof itself within the increasingly cloud- and mobile-centric enterprise.

However, plenty of others out there will tell you not to count out AD yet. Not only is Microsoft gaining ground at honing AD's cloud capabilities through Windows Azure Active Directory and further refinements of Active Directory Federation Services (ADFS), but AD also is so completely ingrained within the fiber of just about every big enterprise out there that it's not going anywhere anytime soon.

"It will be a while before the dust settles around these [cloud identity providers], and in the near term it's hard to see any one particular play winning," says Scott Crawford, analyst for Enterprise Management Associates. "But you simply can't count out the value of Active Directory and of extending that from the enterprise to third-party services because it is so well-established."

[What IAM gaffes are you making? See 7 Costly IAM Mistakes.]

Active Directory is a good platform for the cloud, says Phil Lieberman, founder of privileged identity management firm Lieberman Software.

"AD can be used in so many ways. Microsoft is already using it for hundreds of millions of users as the basis for all of its cloud-based services, so scalability isn't an issue," Lieberman says. "It's just a place to store stuff about identities and information about what they can do. Out of the box it ties all of the Microsoft stuff together, but there was never a restriction that said you couldn't use it for something else."

For example, you can change the schema and you can plug in another authenticator, he says.

"It just uses Kerberos, but if you want to use something else or federate with something else, you can absolutely do that," Lieberman says.

With respect to federation, Jackson Shaw, senior director of identity management for Quest Software, a Dell company, says that too many cloud IAM providers with a clear agenda have overblown ADFS pain points to make it a bit of a four-letter word. But he believes that there's another four-letter word that IT buyers should use against these vendors: free.

"One of the basic problems with ADFS that is overblown is just the fact that a customer will see that it needs to use some sort of a certificate or PKI and will immediately go 'deer in the headlights,'" he says. "But the fact of the matter is any product that uses federation requires a certificate."

So even though the free product will cost money, the truth is that deployment headaches won't go away altogether. Shaw suggests customers use this fact to their advantage, even if they don't choose to use ADFS.

"Free doesn't necessarily mean 'free,' but it can also be used by customers as a bargaining chip when they're buying software," he says. "A customer who's smart about things and is educated a little bit can have that discussion -- can save themselves some money even when they know that they don't want ADFS or can't use it."

However, organizations should give the technology a chance, Shaw says. Though ADFS did face its share of early-generation roughness, Microsoft has been working the kinks out.

"Microsoft gets things right after the third or fourth try. They've got the staying power to have that runway to perfect things before they take off," he says. "I think you can see that with some of the work they've done around integrating an on-premise directory with Office 365, they're starting to sharpen their pencil."

Besides, Lieberman says, it would be somewhat disingenuous to say slow uptake of ADFS is failing on behalf of Microsoft's part. He believes the question shouldn't be so much about why ADFS has not had tremendous uptake in the years it has been out, but instead why federation itself hasn't taken root in the enterprise.

"Federation is rare in the enterprise today," he says. "ADFS is an enabler for federation. Of course, it's like a gym membership. You can buy it, but it doesn't mean you're going to go there."

In the end, the toughest nuts to crack around IAM deployments in the cloud, around single sign-on, and around federation really have nothing to do with AD or any individual technology. It all boils down to the underlying business processes these technologies are meant to facilitate.

"Deployment to integrate identity management with these services is more than just connecting the dots through federation," Crawford says. "There's user management and provisioning, there's access management on the part of the target service, and then there's the granularity of access management."

But where things go wrong when putting all of these pieces together is that the IT departments don't understand the business processes they'll be built around to set up a successful deployment. And there's just no technology to solve that problem.

"For a long time one of the biggest issues the systems integrators faced is that you have to understand how the organization's business process work to know what privileges would be correct," he says. "A lot of times the customer didn't understand that themselves. So what started out as an identity management deployment often wound up being a business process management consulting engagement."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-10-20
Cross-site scripting (XSS) vulnerability in the ja_purity template for Joomla! 1.5.26 and earlier allows remote attackers to inject arbitrary web script or HTML via the Mod* cookie parameter to html/modules.php.

Published: 2014-10-20
Multiple SQL injection vulnerabilities in Banana Dance B.2.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) return, (2) display, (3) table, or (4) search parameter to functions/suggest.php; (5) the id parameter to functions/widgets.php, (6) the category parameter to...

Published: 2014-10-20
Multiple SQL injection vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 allow remote attackers to execute arbitrary SQL commands via the (1) agentPhNo, (2) controlPhNo, (3) agentURLPath, (4) agentControlKey, or (5) platformDD1 parameter to frameworkgui/attach2Agents.p...

Published: 2014-10-20
Multiple cross-site request forgery (CSRF) vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) 0.1.2 through 0.1.4 allow remote attackers to hijack the authentication of administrators for requests that conduct (1) shell metacharacter or (2) SQL injection attacks or (3) send an SMS m...

Published: 2014-10-20
Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 does not properly restrict access to frameworkgui/config, which allows remote attackers to obtain the plaintext database password via a direct request.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.