Risk
3/22/2013
04:12 AM

When Active Directory And LDAP Aren't Enough

Cloud and mobile pose problems for the technology at the center of most enterprises' identity and access management strategy

Scalability, tight coupling with Microsoft infrastructure, and ease of management in the on-premises world all contributed to catapulting Active Directory and the associated LDAP protocol into the centerpiece of today's typical enterprise IAM strategy. However, with new mobile platforms diversifying the operating system ecosystem, SaaS applications proliferating by the day, and hybrid cloud approaches fast becoming de rigueur, Active Directory and LDAP are starting to show their limitations.

According to Todd McKinnon of IAM start-up Okta, the sustained and pervasive success Active Directory has achieved so far can be largely attributed to Microsoft's tying everything together in such a neat bow.

"Why do people use AD? Because it's your network authentication, because it was the Exchange database for users. If you wanted to do permissions on who can share files on the fileserver, it was the database for that. If it was for printers -- it was the database for printers," he says. "That's why people use it. It's an infrastructure thing. It's behind the applications."


Even in the cloudless world dominated by the data center, AD had its limits.

"One of the misconceptions is that everything in the old world was integrated from an identity perspective. It really wasn't," says McKinnon, "You have Active Directory that [did] a really good job with Windows clients, Windows servers, Exchange, file and print. Then you have LDAP, and a lot of people use that for big scale e-commerce sites and databases around that. But this concept that in a large company a lot of the identities were integrated is not true."

Just look at the number of enterprise project disasters around bringing internal applications under a single AD source for proof, says Nishant Kaushik, chief architect at Identropy.

"IAM is littered with failed attempts at rationalizing all internal application development against [a] single AD source," Kaushik says.

Many organizations looked to kill two birds with one stone by repurposing user identity stores they've managed and curated for their internal environment and applying them to in-house custom applications, Kaushik says. However, most of those deployments ended up going bad.

"The reason is because the model that was put into Active Directory was highly optimized and tuned for AD's primary purposes, which was managing their network infrastructure and Windows environment, Outlook, and stuff like that," he says. "The minute you decide to add in application-specific stuff into that, all of a sudden the performance and the tuning stuff that had happened starts to fall apart."

In today's changing IT environment, relying primarily on AD to do the heavy lifting of identity management is only going to get harder. According to McKinnon, a number of challenges stand in the way. No. 1, the alternatives to Windows fileservers are drastically changing the collaboration landscape -- just look at the traction Box and Dropbox have gained in the enterprise for evidence of that. As a corollary, challenge No. 2 is that people are moving their collaborative email infrastructure to the cloud.

"When you move that to the cloud, you by definition are decoupling it from close proximity to AD," McKinnon says. "That's true whether it's something like Gmail or Office 365; if you look at how Office 365 gets connected to AD, it's not tightly coupled."

The loose coupling gets even looser when you consider the rapid addition of mobile devices that are outside of the Microsoft ecosystem.

"Companies are doing fewer big deployments of Windows, and if you're looking at what's happening on the client-side of the network, Microsoft dominance on the client is changing dramatically," McKinnon says. "Eighty percent of the reason people use AD is because they logged on their PC to the domain. And now half the devices on the Internet aren't even Windows devices."

And that's just the pressure on the front end. On the back end, cloud and SaaS applications are also pulling apart the AD coupling that worked so well in the data center-centric world -- this in spite of the fact that so many SaaS and cloud vendors purport to have AD integration.

"Every SaaS vendor of note that's trying to penetrate the enterprise has built-in support to integrate directly with AD. That's a technology-oriented integration that completely leaves out the process that is needed to actually manage AD cleanly," Kaushik says, explaining that the same application-centric problems of yesteryear are just magnified in the SaaS environment.

One big problem in the new cloud and SaaS model is the hierarchical nature of LDAP, says McKinnon.

"There's root and children. What people are realizing now is that it's not strict hierarchy in relationships anymore," McKinnon says. "When you have more of these B2B, cross-application modern relationships, you need more of a graph -- like Facebook's API shows us. It's not like there are your friends and my friends, and my friends are a subset of yours. It's the same in business. There are my partners, and my partners have partners."
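The tree-versus-graph point above is easier to see in code. The following is an added example, not code from the article or from any of the vendors it quotes. It contrasts the one-parent containment model of an LDAP directory information tree (membership in a subtree is just a suffix match on the DN) with a directed graph of partner relationships, where a "partner of a partner" question needs a traversal, a hop limit, and cycle handling. The organization names, the partner graph, and the DN strings are constructed sample data; the DN parser ignores RDN escaping and multi-valued RDNs, which is a simplification.

```python
"""Added example: LDAP-style hierarchy versus a partner graph (sample data only)."""
from collections import deque


# ---------- 1. LDAP directory information tree: strict hierarchy ----------

def parse_dn(dn: str) -> list[str]:
    """Split a DN into RDNs, most specific first, lower-cased.

    Assumption: no escaped commas or multi-valued RDNs in the sample DNs.
    """
    return [rdn.strip().lower() for rdn in dn.split(",")]


def parent_dn(dn: str):
    """Every entry has exactly one parent: the DN with its first RDN removed."""
    parts = parse_dn(dn)
    return ",".join(parts[1:]) if len(parts) > 1 else None


def in_subtree(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn equals base_dn or lies beneath it (LDAP scope=subtree).

    In a tree this is a pure suffix check: an entry cannot sit under two bases
    unless one base is itself under the other.
    """
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


# ---------- 2. Business relationships: a directed graph with cycles ----------

# Constructed sample data: org -> set of orgs it calls a partner.
# globex has two "parents" (acme and umbrella) and umbrella -> acme closes a cycle;
# neither can be represented as containment in a single tree.
PARTNERS = {
    "acme": {"globex"},
    "globex": {"initech", "umbrella"},
    "initech": set(),
    "umbrella": {"acme", "globex"},
}


def reachable(graph: dict, start: str, max_hops: int) -> dict:
    """Breadth-first search bounded by max_hops.

    Returns {org: hops} for every org reachable from start within max_hops,
    excluding start itself. The visited set makes cycles terminate.
    """
    hops = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if hops[node] >= max_hops:
            continue
        for nxt in graph.get(node, ()):
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    hops.pop(start)
    return hops


def is_trusted_partner(graph: dict, owner: str, requester: str, max_hops: int) -> bool:
    """Authorization rule: requester may see owner's shared resource only if
    owner reaches requester within max_hops partner links.

    Without the bound, transitive trust leaks to everything reachable.
    """
    return requester in reachable(graph, owner, max_hops)


if __name__ == "__main__":
    alice = "cn=alice,ou=people,dc=example,dc=com"
    print(parent_dn(alice))                                  # ou=people,dc=example,dc=com
    print(in_subtree(alice, "dc=example,dc=com"))            # True
    print(in_subtree(alice, "ou=sales,dc=example,dc=com"))   # False
    print(reachable(PARTNERS, "acme", 1))                    # direct partners only
    print(reachable(PARTNERS, "acme", 2))                    # partners of partners
    print(is_trusted_partner(PARTNERS, "acme", "initech", 1))  # False
    print(is_trusted_partner(PARTNERS, "acme", "initech", 2))  # True
```

One caveat a practitioner should keep in mind: the directory tree is strict, but AD group membership (`member`/`memberOf`, including nested groups) already forms a graph over the entries in that tree, and unbounded transitive evaluation of it is exactly the kind of reachability question the `max_hops` parameter above is there to constrain.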

According to Phil Lieberman of Lieberman Software, in spite of AD's supreme scalability, the problems McKinnon identifies contribute to LDAP's lack of viability as an authentication method organizations can use in the cloud.

"That's not necessarily what they might want to use, and so this brings up the question of federation," says Lieberman, pointing to rumblings of using a mechanism like a Facebook log-in to tie together access to enterprise cloud resources.

He says at the moment he has a bet going with Gartner analyst Lawrence Pingree that enterprises won't be able to make that happen.

"I think the big question is authorization," he says. "Facebook or one of the other identity providers can authenticate. The problem is that LDAP provides authorization, too. If you can't provide authorization, what is the point?"

According to McKinnon, Microsoft isn't tone-deaf about the challenges facing AD in the cloud. They're why the company has turned some of its brightest minds toward developing Windows Azure Active Directory. However, there are challenges with its approach so far.

"One thing is that they're not bundling it tightly to the on-premise infrastructure, which is a challenge," he says. "And, two, is that the API isn't LDAP, which is really different. The reason why is that things are more disconnected, and a tightly coupled protocol is too latent and isn't the right level of granularity for what you need in the cloud."

Ultimately, the chaos is breeding a whole new niche in Identity as a Service (IDaaS) that's being tightly contested by vendors like Okta and Identropy and others like Centrify and Symplified. It's an exploding market that Gartner says will make up a quarter of all new IAM sales by the end of 2014 and 40 percent by 2015, as compared with just 5 percent last year. But in the interim, McKinnon says some order even among those players needs to be struck.

"We're going to be making more noise about this, but we think there's a new protocol that's needed," McKinnon says. "It's a new API -- a new protocol for directory services in this new world."

Comments
JacksonShaw, User Rank: Apprentice
3/27/2013 | 10:00:07 PM
re: When Active Directory And LDAP Aren't Enough
I must be missing the boat because I don't get how Okta, Symplified or the other companies noted are anything more than cloud-aware IAM products themselves. How are they offering "identity as a service"? Sure, they might be connecting various identity services together but are they offering an API that allows me to create an identity, store the credential in their service and re-use it elsewhere? I don't get the connection.

Yes, LDAP is not the right thing for the cloud. Yes, AD is not the right thing for the cloud otherwise why would MSFT have created Azure? At least there is a set of RESTful APIs for Azure. Where are the RESTful APIs for Okta and other vendors mentioned?

I have to laugh that on one hand LDAP isn't good enough and then on the other McKinnon says the APIs for Azure aren't LDAP. Seriously? It's all about the API economy now. More APIs are needed and at least Microsoft has taken a step in the right direction. (As other vendors like Google have, too).

If any of the companies mentioned can do better than Microsoft - who does offer identity as a service - or Facebook, or Google then I suggest they put their money where their mouth is and build such a service, APIs and all.

Lastly, authorization is something that can be implemented via SAML or via XACML. Both of these are standards. Both of these are Web protocols whereas LDAP isn't. You don't have to look very far to find solutions for cloud-based authorization - like our own (http://www.quest.com/quest-one.... The problem is that most companies are barely starting to tackle federation for cloud authentication let alone cloud-based authorization.

We are at the innovators & early adopter phase of these phenomena. By definition that means it's HARD.

Jackson Shaw
kjhiggins, User Rank: Strategist
3/22/2013 | 8:04:39 PM
re: When Active Directory And LDAP Aren't Enough
This brings up some really interesting concerns that enterprises are facing. Anyone out there looking for AD alternatives to support mobile and cloud additions?

Kelly Jackson Higgins, Senior Editor, Dark Reading