04:16 AM
Connect Directly

Don't Count Out Active Directory For Cloudy Future

AD isn't going anywhere anytime soon

Because Active Directory (AD) was first developed in an era before SaaS services, some security proponents might make the case that it hasn't adapted well enough and doesn't have the architectural flexibility to future-proof itself within the increasingly cloud- and mobile-centric enterprise.

However, plenty of others out there will tell you not to count out AD yet. Not only is Microsoft gaining ground at honing AD's cloud capabilities through Windows Azure Active Directory and further refinements of Active Directory Federation Services (ADFS), but AD also is so completely ingrained within the fiber of just about every big enterprise out there that it's not going anywhere anytime soon.

"It will be a while before the dust settles around these [cloud identity providers], and in the near term it's hard to see any one particular play winning," says Scott Crawford, analyst for Enterprise Management Associates. "But you simply can't count out the value of Active Directory and of extending that from the enterprise to third-party services because it is so well-established."

[What IAM gaffes are you making? See 7 Costly IAM Mistakes.]

Active Directory is a good platform for the cloud, says Phil Lieberman, founder of privileged identity management firm Lieberman Software.

"AD can be used in so many ways. Microsoft is already using it for hundreds of millions of users as the basis for all of its cloud-based services, so scalability isn't an issue," Lieberman says. "It's just a place to store stuff about identities and information about what they can do. Out of the box it ties all of the Microsoft stuff together, but there was never a restriction that said you couldn't use it for something else."

For example, you can change the schema and you can plug in another authenticator, he says.

"It just uses Kerberos, but if you want to use something else or federate with something else, you can absolutely do that," Lieberman says.

With respect to federation, Jackson Shaw, senior director of identity management for Quest Software, a Dell company, says that too many cloud IAM providers with a clear agenda have overblown ADFS pain points to make it a bit of a four-letter word. But he believes that there's another four-letter word that IT buyers should use against these vendors: free.

"One of the basic problems with ADFS that is overblown is just the fact that a customer will see that it needs to use some sort of a certificate or PKI and will immediately go 'deer in the headlights,'" he says. "But the fact of the matter is any product that uses federation requires a certificate."

So even though the free product will cost money, the truth is that deployment headaches won't go away altogether. Shaw suggests customers use this fact to their advantage, even if they don't choose to use ADFS.

"Free doesn't necessarily mean 'free,' but it can also be used by customers as a bargaining chip when they're buying software," he says. "A customer who's smart about things and is educated a little bit can have that discussion -- can save themselves some money even when they know that they don't want ADFS or can't use it."

However, organizations should give the technology a chance, Shaw says. Though ADFS did face its share of early-generation roughness, Microsoft has been working the kinks out.

"Microsoft gets things right after the third or fourth try. They've got the staying power to have that runway to perfect things before they take off," he says. "I think you can see that with some of the work they've done around integrating an on-premise directory with Office 365, they're starting to sharpen their pencil."

Besides, Lieberman says, it would be somewhat disingenuous to say slow uptake of ADFS is failing on behalf of Microsoft's part. He believes the question shouldn't be so much about why ADFS has not had tremendous uptake in the years it has been out, but instead why federation itself hasn't taken root in the enterprise.

"Federation is rare in the enterprise today," he says. "ADFS is an enabler for federation. Of course, it's like a gym membership. You can buy it, but it doesn't mean you're going to go there."

In the end, the toughest nuts to crack around IAM deployments in the cloud, around single sign-on, and around federation really have nothing to do with AD or any individual technology. It all boils down to the underlying business processes these technologies are meant to facilitate.

"Deployment to integrate identity management with these services is more than just connecting the dots through federation," Crawford says. "There's user management and provisioning, there's access management on the part of the target service, and then there's the granularity of access management."

But where things go wrong when putting all of these pieces together is that the IT departments don't understand the business processes they'll be built around to set up a successful deployment. And there's just no technology to solve that problem.

"For a long time one of the biggest issues the systems integrators faced is that you have to understand how the organization's business process work to know what privileges would be correct," he says. "A lot of times the customer didn't understand that themselves. So what started out as an identity management deployment often wound up being a business process management consulting engagement."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-12-25
The Maxthon Cloud Browser application before for Android allows remote attackers to spoof the address bar via crafted JavaScript code that uses the history API.

Published: 2014-12-25
Absolute path traversal vulnerability in the RadAsyncUpload control in the RadControls in Telerik UI for ASP.NET AJAX before Q3 2012 SP2 allows remote attackers to write to arbitrary files, and consequently execute arbitrary code, via a full pathname in the UploadID metadata value.

Published: 2014-12-25
The CmdAuthenticate::_authenticateX509 function in db/commands/authentication_commands.cpp in mongod in MongoDB 2.6.x before 2.6.2 allows remote attackers to cause a denial of service (daemon crash) by attempting authentication with an invalid X.509 client certificate.

Published: 2014-12-25
The Crumb plugin before 3.0.0 for Node.js does not properly restrict token access in situations where a hapi route handler has CORS enabled, which allows remote attackers to obtain sensitive information, and potentially obtain the ability to spoof requests to non-CORS routes, via a crafted web site ...

Published: 2014-12-25
GNOME Shell 3.14.x before 3.14.1, when the Screen Lock feature is used, does not limit the aggregate memory consumption of all active PrtSc requests, which allows physically proximate attackers to execute arbitrary commands on an unattended workstation by making many PrtSc requests and leveraging a ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.