Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Active Directory Is Dead: 3 Reasons
Newest First  |  Oldest First  |  Threaded View
Page 1 / 3   >   >>
ChrisB093
100%
0%
ChrisB093,
 User Rank: Strategist
4/24/2014 | 9:01:40 AM
Re: Unusual article
It's true that using Active Directory in isolation slows IT's ability, increases workload and has security loopholes that many people are not even aware. But with the right software integrated with Active Directory the complexity for IT to manage these issues can be removed, concurrent logins can be restricted, security risks significantly reduced and regulations complied with (which is often not the case with cloud apps).

Our own (IS Decisions) research has shown that password sharing in business using Active Directory is indeed rampant. But with further restrictions on user access (limiting concurrent logins, location/time restrictions) users are significantly less likely to share passwords as it impacts their own ability to access the network. Such restrictions also help stop attacks from legitimate but stolen credentials.

Active Directory provides basic security, but it's vital to build on this with further restrictions and real time monitoring to what authenticated users can do. Software is available to do this in a way that is easy and user friendly.

 

 
Thomas B. Pedersen
100%
0%
Thomas B. Pedersen,
 User Rank: Author
4/17/2014 | 2:16:40 PM
Re: Unusual article
I should clarify that OneLogin doesn't focus particularly on start-ups, but that's where we are seeing this trend. 90% of our customers are not startups and have Active Directory, some of them with dozens of forests and domains and more than a million users in some cases. Our customers include multi-nationals like Steelcase, Herman Miller, News Corp, Condé Nast and Midas who all have complex directories.

At these companies, Active Directory is not disappearing any time soon, but they are definitely moving in a new direction that reduces the focus on Active Directory. Instead of using ADFS to secure access to their applications, they are using OneLogin and similar solution to connect identities to applications.

The point I am trying to make here is that as applications move into the cloud, there are identity management solutions that solve the problem better than Active Directory. For example, a growing number of applications have user management APIs, which enables us to automate on-boarding and off-boarding of employees. ADFS doesn't do this. We are also able to handle applications that have no federation capabilities and we're integrated with a range of strong authentication solutions.

One of our recent clients has 15,000 employees in more than 2,000 locations. They were about to roll out Office 365, but were overwhelmed by the complexity of using ADFS. We managed to get them fully up and running on a single phone call. And now they have an identity management solution in place that enables them to quickly roll out other apps.

The business environment is very competitive and for many companies the decision is driven by business agility.
kobrien82
100%
0%
kobrien82,
 User Rank: Apprentice
4/17/2014 | 1:31:31 PM
Re: Unusual article
@rjthomas01: The drive to cloud is largely about mobility, speed, and collaboration. The apps you mention are being adopted by users directly; whether that's good or not is certainly debatable, but their popularity is born of user requirements for increased flexibility and access to data. 

I think you're dead-on here: too much fragmentation makes regulatory and legal compliance difficult, if not impossible. However, the ways of the world have changed; we can either balk at this, or we can find a way to provide a solution to user desires/needs that we can manage, provide governance for, and secure. 

Fragmentation like this typically represents explosive growth in an industry, which consolidates as it matures.
rjthomas01
50%
50%
rjthomas01,
 User Rank: Apprentice
4/17/2014 | 5:05:43 AM
Data security
@haglt, not sure if Europe's data security are insane, but definitely odd. One reason to not use DropBox is that DropBox stores it's data on AWS, which is in the US. Which the UK can't use, because the US isn't on the list of approved storage countries. This has nothing to do with the security of AWS, it's simply a you-can-or-you-can't.

However, I'd have thought Heartbleed would have indicated precisely why strong Data Security measures are needed. A lot of very big sites have almost certainly (inadvertently) contravened their own data protection policies because of Heartbleed.
rjthomas01
100%
0%
rjthomas01,
 User Rank: Apprentice
4/17/2014 | 4:34:52 AM
Unusual article
"Today's hottest startups –- companies like Dropbox, Uber, Pinterest, and Tumblr"

These happen to be the same companies that have come a cropper with Heartbleed, whereas- at least this time around- MS's infrastructure is relatively untouched (remember Heartbleed is not a virus, and is therefore far more sinister than any thing like Slammer because the fault is device-independent, passive, and took 2 years to uncover).

Also, a few of other points:

1. AD- technically- was RTM on 15 December 1999- hardly 90's infrastructure;

2. Micorosft current strategy is based entirely around AD, globally. My personal phone logs in with my Microsoft Account (cloud AD) and connects to "Outlook" (cloud Exchange). They've just migrated it to a global stage, and- as mentioned in other posts- it's more than possible to have a hyprid on-premise/ cloud existence.

Fact 1: Business needs or business wants? We get bombarded with requests for the cloud solution du jour (or find out about them afterwards). What possible reason can there be to need dropox, the box, OneDrive, Google Apps, Zoho, ThinkFree... This is not business needs, this is latching on to the next big thing then discarding it a week later for the next next big thing.

Fact 2: Increases daily workload? No... we rarely touch AD. What increases workload is chasing after a myriad cloud solutions that have just started being used with no thought given to business requirements. Example? Internally, instead of using Exchange (perfectly capable) what we see is whenisgood. Or doodle. Or FasterPlan. Or SelectTheDate. Etc.

Fact 3: Active Directory does neither of these things. The BYOD "revolution" has created bad behaviour and increased security risks. It's led to the assumption that you should have what you want, when you want which is fine for a consumer but generally speaking, the working world has to comply with things like the fact that financial records have to be kept for 7 years, data protection etc. To give just one example: if a company experiences indiscriminate use of random cloud solutions, how on earth would they be able to fulfill a complete FOI request? The answer is that they probably couldn't. How can you pull together all the data related to X when that data is spread across disparate locations, half of which aren't even known about? Also, the point about passwords- while having a grain of truth in that passwords are outdated- neatly bypasses mentioning that this is not an AD problem, this is just a problem. People would store passwords on post-its whather the infrastructure was Windows, Linux, Google Apps or ZoHo.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
 User Rank: Strategist
4/16/2014 | 1:21:25 PM
Re: Your experience integrating AD with cloud apps?
Thanks for sharing those details about your experience with AD in cloud, BryanF287. To paraphrase Mark Twain, it would appear that the Death of Active Directory has been greatly exaggerated -- at least from your vantage point. 
BryanF287
100%
0%
BryanF287,
 User Rank: Apprentice
4/16/2014 | 1:03:21 PM
Re: Your experience integrating AD with cloud apps?
What has been your experience integrating AD successfully with your cloud apps? 

100% of our employee cloud based apps are integrated with AD.

 

What have been your biggest challenges?

Getting security to approve integration where the SasS provider doesn't support ADFS.

 

What have been the biggest gaps?

Lack of standardization of authentication protocols in the cloud.  Security requirements (from all kinds of systems) that mandate strict password policies which leads to the sticky notes and spreadsheets containing passwords you mentioned (this is not because of AD).  Getting developers to understand the need for security and why storing passwords for their homegrown apps in plaintext a database is a really, really bad idea.

 

Some other information:

Employees ~ 6000 across 55 offices, high turnover in some departments

Automated identity management ~ 98%  (guest/contractor accounts are manual, turnaround time less than 1 hour)

100% audit trail for changes to AD or user accounts  (at least for the last 18 months)  Major changes are reconciled to approved change requests with unauthorized changes being addressed.

 

 

No mention of how to control machine settings without AD in this article either.  NPS is not robust enough yet to protect a network from clients without proper security settings like up to date AV software to eliminate the need for machines to be joined to the domain and controlled by GPOs.



I have to agree with many of the other comments.  This article seems like a sales pitch that is not based on reality unless you're a small company that doesn't need to meet audit requirements.  Considering how many difficulties the author has with AD, I question their ability to integrate with AD.

Will AD be around forever, of course not.  Calling it dead before there is even a viable competitor out there is irresponsible though.
anon1072277770
100%
0%
anon1072277770,
 User Rank: Apprentice
4/16/2014 | 9:05:56 AM
Re: What's the alternative
Microsoft ADFS is not complicated, it is really simple technology. Aynome with basic understanding of authentication protocols can setup ADFS in few hours.

If you combine ADFS with Azure ACS and Azure AD you have very powerfull infrastructure for Cloud and Enterprise authentication.
ScottW834
100%
0%
ScottW834,
 User Rank: Apprentice
4/16/2014 | 8:43:34 AM
If not AD then what?
While everyone is skipping off to the "cloud" there are still the same issues to be dealt with.  Authentication, Access and Accountability.  LDAP and AD have done a good job of this and as companies are learning everyday, security and information assurance are definitely alligned with business needs.  Convenience at the expense of security garners neither.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
 User Rank: Strategist
4/16/2014 | 7:58:49 AM
Re: What's the alternative
These are great questions @haglt, and I think they get at the heart of the issue with your statement that eventually a startup grows up, at which point "Cloud Services tend to stop being the best soution." The question is when, and you lay the issues out very well in your post. 
Page 1 / 3   >   >>


News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: "Elon, I think our cover's been blown."
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27400
PUBLISHED: 2021-04-22
HashiCorp Vault and Vault Enterprise Cassandra integrations (storage backend and database secrets engine plugin) did not validate TLS certificates when connecting to Cassandra clusters. Fixed in 1.6.4 and 1.7.1
CVE-2021-29653
PUBLISHED: 2021-04-22
HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain circumstances, may exclude revoked but unexpired certificates from the CRL. Fixed in 1.5.8, 1.6.4, and 1.7.1.
CVE-2021-30476
PUBLISHED: 2021-04-22
HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Vault’s GCP auth method. Fixed in 2.19.1.
CVE-2021-22540
PUBLISHED: 2021-04-22
Bad validation logic in the Dart SDK versions prior to 2.12.3 allow an attacker to use an XSS attack via DOM clobbering. The validation logic in dart:html for creating DOM nodes from text did not sanitize properly when it came across template tags.
CVE-2021-27736
PUBLISHED: 2021-04-22
FusionAuth fusionauth-samlv2 before 0.5.4 allows XXE attacks via a forged AuthnRequest or LogoutRequest because parseFromBytes uses javax.xml.parsers.DocumentBuilderFactory unsafely.