
4/15/2014
07:00 AM
Thomas Pedersen
Commentary

Active Directory Is Dead: 3 Reasons

These days, Active Directory smells gangrenous to innovative companies born in the cloud and connecting customers, employees, and partners across devices at light speed.

Ninety-five percent of Fortune 500 companies use Active Directory, a 1990s technology, because their infrastructures are based on a 90s network architecture of on-premises PCs, applications, servers, and tools. But look around. Today’s hottest startups -- companies like Dropbox, Uber, Pinterest, and Tumblr -- just snort, and say, “The 90s called, and they want their infrastructure back.”

Full disclosure: I am the CEO and Founder of OneLogin, a cloud-based identity and access management company. Active Directory integration is one of our focus areas.  And though I have other fond memories of the 90s -- Nirvana, X-Files, Hale-Bopp -- Active Directory isn’t one of them. These days, Active Directory smells gangrenous to innovative companies that were born in the cloud and operate at light speed interconnecting customers, employees, and partners across an array of devices and time zones.

Before laughing off the death of Active Directory, remember we also never imagined that Apple would one day have a bigger market capitalization than IBM, or Google would be nine times more valuable than General Motors. Today’s 30-person company is positioning itself to be tomorrow’s 1,500-person company.

Why am I predicting the death of Active Directory?

Fact 1: Active Directory’s complexity slows IT’s ability to respond to business needs.  Originally crafted when IT owned and dictated everything, including the look, feel, and operation of user applications, Active Directory has failed to keep up. Have you tried to implement Single-Sign-On for your legacy, cloud, and mobile apps with Active Directory? If so, this custom integration likely took you months to complete, and probably lacked advanced functionality like multi-factor authentication and rapid deprovisioning (a must when employees or contractors leave an organization). Rinse and repeat the next time you need to add new apps. In an era where business runs on Red Bull, Active Directory is old and bloated.

Fact 2: Active Directory increases the daily IT workload. IT managers tell me they spend too much time integrating new apps into their aging Active Directory infrastructures. This is especially true because most new apps come from the cloud. Furthermore, different user communities require different security policies, and creating a new Active Directory group for every use case is time consuming. Active Directory’s provisioning complexity, coupled with different authentication procedures and decentralized administration, leads to higher identity management costs and frustrated, overworked IT teams. Getting a short-term contractor access to the right apps with the right entitlements should take minutes, not hours or days. Business is constantly being asked to "do more with less," but with Active Directory we get "less with more."

Fact 3: Active Directory encourages bad behavior and increases security risks. Facts 1 and 2 give rise to Shadow IT. Users have figured out they can easily bypass traditional IT to get the services and capabilities they need, but this has raised security risk levels inside the enterprise. For example, poor password hygiene in Shadow IT is rampant. Our own survey of 200 IT leaders showed that 71 percent admit to using unsanctioned apps like Dropbox and Google Apps to get work done, and 44 percent said employees manage passwords on sticky notes and spreadsheets. It’s an IT security nightmare.

What has been your experience getting Active Directory into the 21st Century? Have you successfully integrated it with your cloud apps? Was that seamless or seemingly endless? What have been your biggest challenges, and what have been the biggest gaps? Share your success stories as well!

Thomas Pedersen is the CEO and founder of OneLogin, where he is now laser-focused on making OneLogin the most widely deployed identity management solution in the cloud.
 

Comments
haglt,
User Rank: Apprentice
4/16/2014 | 7:47:22 AM
Re: What's the alternative
@Mr. Pedersen

You said it pretty clear: you are targeting startups... which is OK, but I am afraid at some point the Startup gets serious, and that is the point where Cloud Services tend to stop being the best solution.

Here's some questions for you:

- How would you Authenticate while being offline?
- What's your opinion on Functional Groups vs. single user access rights?
- How to grant File Access without deep manipulation on the Server side?

And that does not even take into account the various requirements that different businesses like Banks or Governments have, let alone the (insane) Data-Security requirements in Europe or High Availability scenarios.

Sure, AD has some shortcomings, but saying it is not able to be handled efficiently means you are not aware of the dramatic improvements in PowerShell. People already propose to manage Software Defined Data Centers through PowerShell and System Center. I agree that this could have been available for much longer, but that's how it is.

What's the Alternative?
I don't think we need one. What we need is an online extension that adapts all kinds of Cloud Service and DOES NOT STOP AT AUTHENTICATION.

What would really be required is a general API to tell Cloud Services how I want them to offer their Services managed by AD... But with Private Customers and Startups as Target Audience that will barely happen...oh wait... the bigger players in the Market already head that way... and Amazon and MS are some of them...

Don't get me wrong. I agree with the statement that AD asks for Experts, but that is due to the possibility to adapt to custom requirements that you do not have when using Cloud Services.

Prove me wrong...PLEASE! 
But until you do please stop planting unrealistic Ideas in the Heads of Managers
vremenar,
User Rank: Apprentice
4/16/2014 | 2:17:35 AM
Re: What's the alternative
You actually think you can get away with "Active Directory Is Dead. Buy my solution!"

Oh, let me keep all my employees' accounts on OneLogin that one day might have a "Heartbleed-like" bug. Hmm, that does sound like a good idea. Thanks but no thanks.
jrdepriest,
User Rank: Apprentice
4/15/2014 | 4:40:56 PM
You've been drinking your own Kool Aid
You are out of your mind.

AD isn't dead and will likely be a foundation of access control for smart organizations for a long time.

Why?
  1. AD is extensible. You have an app that needs fields not supported in AD? It can add them with a schema change.
  2. AD is compatible. Tell me an easier way to get Kerberos, LDAP/LDAPS, centralized and distributed access control, all of it with well-developed GUI and command-line controls included in the price of the OS.
  3. AD is everywhere. Microsoft servers rule big old enterprises. Every server plugs right into it.
  4. AD is useful. AD + GPO + SCCM means you can control just about every single aspect of any Windows system in the domain down to what icons show up in the Start menu or whether you can change the system time. And you can keep them fully patched for Microsoft products and 3rd party apps.

AD may be out of here in 10 years or 20 years, but it's kicking strong right now. Heck, you can fully manage Windows 8.1 tablets with AD now. That's Microsoft moving right in to the spaces you are talking about.

The cloud is great if it can be tied back to AD because that's what your large customers are going to be using.

 

Yes, I remember NetWare being the software everybody used. I remember thinking it would never go away and Microsoft's AD would never take off.

They won because they gave it away with every server they sold.

Can you compete with free and competent?

 
Marilyn Cohodas,
User Rank: Strategist
4/15/2014 | 3:25:59 PM
Your experience integrating AD with cloud apps?
It's interesting to read the views of all the defenders of AD and the bashers of someone who predicts its demise. But what about the question Thomas put out to the security community in his blog? He asked: 
  • What has been your experience integrating AD successfully with your cloud apps? 
  • What have been your biggest challenges, and
  • What have been the biggest gaps?

Let's hear some success stories in the comments.
boconnor@henryscheinvet.com
User Rank: Apprentice
4/15/2014 | 1:54:26 PM
Don't count Microsoft out yet
Your article has some merit, calling out the aging Active Directory, but you seem to base the premise on the 1990's technology (I will agree the foot in the door was Exchange 5.5 on directory management, but AD was released in 2000, not the 1990s). I believe Microsoft has updated Active Directory a few times since then. Even discounting the upgrades, assuming they don't amount to enough, Microsoft has recently shifted their own focus to cloud and services. If you think major changes in AD, or even a totally new model, are not forthcoming, I think that might be a bit short-sighted. And honestly, with a start-up today I would rather still use Office 365, with Exchange on-line and OneDrive all connected to my one Microsoft account, than Google.

And Google only has a stock valuation 9 times higher than G.E. If you look at their balance sheets and income statements I think it might show a different picture, but the stock market is more than 50% perception, and less real business savvy. I bet if you did a traditional asset minus liability count on Google (not including asset amounts leveraged with debt) people would be surprised at the stock value. I could be wrong I suppose, but Google doesn't seem to 'sell' anything (for a profit anyway), oh, except somehow making bajillions on advertising...somehow...
TerryB,
User Rank: Ninja
4/15/2014 | 1:29:35 PM
Re: What's the alternative
I'm waiting to see your answer to @Marilyn, Thomas.

Your use examples talk about new startups, of which 70-90% fail anyway. Cloud does make a lot of sense in that case; why would you implement your own Exchange server right out of the gate? Then your service makes some sense.

But what about the hundreds or thousands of established businesses with on premise infrastructure in place? You really think we are going to chuck it all and pay rent so we can move to the cloud?

We can run our systems which support our manufacturing under AD when our internet connection is down. Let me know when that can be said of the cloud and your identity service.
MauriceB786,
User Rank: Apprentice
4/15/2014 | 12:07:20 PM
Re: What's the alternative
I may have worded that poorly.

I meant what value-add is it?

What can it do that I can't?

This is speaking as someone well-versed in automation, AD, and generally making people say "I didn't know it could do that."



I'm generally leery when someone asserts that any one product can solve all problems.

So of course there will be edge cases that aren't within a reasonable scope for spending developer cycles on, but are those cases in that category because there wasn't sufficient documentation out there saying, "Hey ADFS can do _____ ".

 

Or the admin didn't know to look for it?
Thomas B. Pedersen,
User Rank: Author
4/15/2014 | 11:58:27 AM
Re: What's the alternative
Maurice,

You hit the nail on the head right there. A decently resourced IT team can accomplish anything, but do you really want to throw resources at all problems or would you rather leverage commercially available solutions that can automate and streamline your processes?

We talk to a ton of companies about their identity management challenges and a common theme is that they don't want to invest more resources in configuring ADFS (Active Directory Federation Services). Not only is ADFS unreasonably complex, but it also does not solve most of the problems they are struggling with, such as:
  • User provisioning
  • Multi-factor authentication
  • Password reset
  • Apps that don't support federation
  • Easy-to-use SSO portals that increase productivity

The conversation is just as much about business agility and focusing on your core competences. It's a hyper competitive business environment and you can't be an identity laggard and stay competitive.

Thomas

 
Marilyn Cohodas,
User Rank: Strategist
4/15/2014 | 11:50:31 AM
Re: What's the alternative
Incidentally I'm putting as an open challenge, Mr. Pedersen, that your product doesn't do anything that a decently resourced IT team can't.

@MauriceB786
What are the specific things that you believe a cloud-based identity management solution can't do that Active Directory does?
Thomas B. Pedersen,
User Rank: Author
4/15/2014 | 11:28:58 AM
Re: What's the alternative
Maurice,

While our stack (Rails, Postgres, Ubuntu) is open-source, OneLogin has been written from the ground up by us. We don't use any larger open-source components for our identity functionality.

Thomas