Risk
4/5/2013
04:16 AM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%
Repost This

Don't Count Out Active Directory For Cloudy Future

AD isn't going anywhere anytime soon

Because Active Directory (AD) was first developed in an era before SaaS services, some security proponents might make the case that it hasn't adapted well enough and doesn't have the architectural flexibility to future-proof itself within the increasingly cloud- and mobile-centric enterprise.

However, plenty of others out there will tell you not to count out AD yet. Not only is Microsoft gaining ground at honing AD's cloud capabilities through Windows Azure Active Directory and further refinements of Active Directory Federation Services (ADFS), but AD also is so completely ingrained within the fiber of just about every big enterprise out there that it's not going anywhere anytime soon.

"It will be a while before the dust settles around these [cloud identity providers], and in the near term it's hard to see any one particular play winning," says Scott Crawford, analyst for Enterprise Management Associates. "But you simply can't count out the value of Active Directory and of extending that from the enterprise to third-party services because it is so well-established."

[What IAM gaffes are you making? See 7 Costly IAM Mistakes.]

Active Directory is a good platform for the cloud, says Phil Lieberman, founder of privileged identity management firm Lieberman Software.

"AD can be used in so many ways. Microsoft is already using it for hundreds of millions of users as the basis for all of its cloud-based services, so scalability isn't an issue," Lieberman says. "It's just a place to store stuff about identities and information about what they can do. Out of the box it ties all of the Microsoft stuff together, but there was never a restriction that said you couldn't use it for something else."

For example, you can change the schema and you can plug in another authenticator, he says.

"It just uses Kerberos, but if you want to use something else or federate with something else, you can absolutely do that," Lieberman says.

With respect to federation, Jackson Shaw, senior director of identity management for Quest Software, a Dell company, says that too many cloud IAM providers with a clear agenda have overblown ADFS pain points to make it a bit of a four-letter word. But he believes that there's another four-letter word that IT buyers should use against these vendors: free.

"One of the basic problems with ADFS that is overblown is just the fact that a customer will see that it needs to use some sort of a certificate or PKI and will immediately go 'deer in the headlights,'" he says. "But the fact of the matter is any product that uses federation requires a certificate."

So even though the free product will cost money, the truth is that deployment headaches won't go away altogether. Shaw suggests customers use this fact to their advantage, even if they don't choose to use ADFS.

"Free doesn't necessarily mean 'free,' but it can also be used by customers as a bargaining chip when they're buying software," he says. "A customer who's smart about things and is educated a little bit can have that discussion -- can save themselves some money even when they know that they don't want ADFS or can't use it."

However, organizations should give the technology a chance, Shaw says. Though ADFS did face its share of early-generation roughness, Microsoft has been working the kinks out.

"Microsoft gets things right after the third or fourth try. They've got the staying power to have that runway to perfect things before they take off," he says. "I think you can see that with some of the work they've done around integrating an on-premise directory with Office 365, they're starting to sharpen their pencil."

Besides, Lieberman says, it would be somewhat disingenuous to say slow uptake of ADFS is failing on behalf of Microsoft's part. He believes the question shouldn't be so much about why ADFS has not had tremendous uptake in the years it has been out, but instead why federation itself hasn't taken root in the enterprise.

"Federation is rare in the enterprise today," he says. "ADFS is an enabler for federation. Of course, it's like a gym membership. You can buy it, but it doesn't mean you're going to go there."

In the end, the toughest nuts to crack around IAM deployments in the cloud, around single sign-on, and around federation really have nothing to do with AD or any individual technology. It all boils down to the underlying business processes these technologies are meant to facilitate.

"Deployment to integrate identity management with these services is more than just connecting the dots through federation," Crawford says. "There's user management and provisioning, there's access management on the part of the target service, and then there's the granularity of access management."

But where things go wrong when putting all of these pieces together is that the IT departments don't understand the business processes they'll be built around to set up a successful deployment. And there's just no technology to solve that problem.

"For a long time one of the biggest issues the systems integrators faced is that you have to understand how the organization's business process work to know what privileges would be correct," he says. "A lot of times the customer didn't understand that themselves. So what started out as an identity management deployment often wound up being a business process management consulting engagement."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2008-3277
Published: 2014-04-15
Untrusted search path vulnerability in a certain Red Hat build script for the ibmssh executable in ibutils packages before ibutils-1.5.7-2.el6 in Red Hat Enterprise Linux (RHEL) 6 and ibutils-1.2-11.2.el5 in Red Hat Enterprise Linux (RHEL) 5 allows local users to gain privileges via a Trojan Horse p...

CVE-2010-2236
Published: 2014-04-15
The monitoring probe display in spacewalk-java before 2.1.148-1 and Red Hat Network (RHN) Satellite 4.0.0 through 4.2.0 and 5.1.0 through 5.3.0, and Proxy 5.3.0, allows remote authenticated users with permissions to administer monitoring probes to execute arbitrary code via unspecified vectors, rela...

CVE-2011-3628
Published: 2014-04-15
Untrusted search path vulnerability in pam_motd (aka the MOTD module) in libpam-modules before 1.1.3-2ubuntu2.1 on Ubuntu 11.10, before 1.1.2-2ubuntu8.4 on Ubuntu 11.04, before 1.1.1-4ubuntu2.4 on Ubuntu 10.10, before 1.1.1-2ubuntu5.4 on Ubuntu 10.04 LTS, and before 0.99.7.1-5ubuntu6.5 on Ubuntu 8.0...

CVE-2012-0214
Published: 2014-04-15
The pkgAcqMetaClearSig::Failed method in apt-pkg/acquire-item.cc in Advanced Package Tool (APT) 0.8.11 through 0.8.15.10 and 0.8.16 before 0.8.16~exp13, when updating from repositories that use InRelease files, allows man-in-the-middle attackers to install arbitrary packages by preventing a user fro...

CVE-2013-4768
Published: 2014-04-15
The web services APIs in Eucalyptus 2.0 through 3.4.1 allow remote attackers to cause a denial of service via vectors related to the "network connection clean up code" and (1) Cloud Controller (CLC), (2) Walrus, (3) Storage Controller (SC), and (4) VMware Broker (VB).

Best of the Web