Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Active Directory Is Dead: 3 Reasons
Newest First  |  Oldest First  |  Threaded View
Page 1 / 3   >   >>
ChrisB093
100%
0%
ChrisB093,
 User Rank: Strategist
4/24/2014 | 9:01:40 AM
Re: Unusual article
It's true that using Active Directory in isolation slows IT's ability, increases workload and has security loopholes that many people are not even aware. But with the right software integrated with Active Directory the complexity for IT to manage these issues can be removed, concurrent logins can be restricted, security risks significantly reduced and regulations complied with (which is often not the case with cloud apps).

Our own (IS Decisions) research has shown that password sharing in business using Active Directory is indeed rampant. But with further restrictions on user access (limiting concurrent logins, location/time restrictions) users are significantly less likely to share passwords as it impacts their own ability to access the network. Such restrictions also help stop attacks from legitimate but stolen credentials.

Active Directory provides basic security, but it's vital to build on this with further restrictions and real time monitoring to what authenticated users can do. Software is available to do this in a way that is easy and user friendly.

 

 
Thomas B. Pedersen
100%
0%
Thomas B. Pedersen,
 User Rank: Author
4/17/2014 | 2:16:40 PM
Re: Unusual article
I should clarify that OneLogin doesn't focus particularly on start-ups, but that's where we are seeing this trend. 90% of our customers are not startups and have Active Directory, some of them with dozens of forests and domains and more than a million users in some cases. Our customers include multi-nationals like Steelcase, Herman Miller, News Corp, Condé Nast and Midas who all have complex directories.

At these companies, Active Directory is not disappearing any time soon, but they are definitely moving in a new direction that reduces the focus on Active Directory. Instead of using ADFS to secure access to their applications, they are using OneLogin and similar solution to connect identities to applications.

The point I am trying to make here is that as applications move into the cloud, there are identity management solutions that solve the problem better than Active Directory. For example, a growing number of applications have user management APIs, which enables us to automate on-boarding and off-boarding of employees. ADFS doesn't do this. We are also able to handle applications that have no federation capabilities and we're integrated with a range of strong authentication solutions.

One of our recent clients has 15,000 employees in more than 2,000 locations. They were about to roll out Office 365, but were overwhelmed by the complexity of using ADFS. We managed to get them fully up and running on a single phone call. And now they have an identity management solution in place that enables them to quickly roll out other apps.

The business environment is very competitive and for many companies the decision is driven by business agility.
kobrien82
100%
0%
kobrien82,
 User Rank: Apprentice
4/17/2014 | 1:31:31 PM
Re: Unusual article
@rjthomas01: The drive to cloud is largely about mobility, speed, and collaboration. The apps you mention are being adopted by users directly; whether that's good or not is certainly debatable, but their popularity is born of user requirements for increased flexibility and access to data. 

I think you're dead-on here: too much fragmentation makes regulatory and legal compliance difficult, if not impossible. However, the ways of the world have changed; we can either balk at this, or we can find a way to provide a solution to user desires/needs that we can manage, provide governance for, and secure. 

Fragmentation like this typically represents explosive growth in an industry, which consolidates as it matures.
rjthomas01
50%
50%
rjthomas01,
 User Rank: Apprentice
4/17/2014 | 5:05:43 AM
Data security
@haglt, not sure if Europe's data security are insane, but definitely odd. One reason to not use DropBox is that DropBox stores it's data on AWS, which is in the US. Which the UK can't use, because the US isn't on the list of approved storage countries. This has nothing to do with the security of AWS, it's simply a you-can-or-you-can't.

However, I'd have thought Heartbleed would have indicated precisely why strong Data Security measures are needed. A lot of very big sites have almost certainly (inadvertently) contravened their own data protection policies because of Heartbleed.
rjthomas01
100%
0%
rjthomas01,
 User Rank: Apprentice
4/17/2014 | 4:34:52 AM
Unusual article
"Today's hottest startups –- companies like Dropbox, Uber, Pinterest, and Tumblr"

These happen to be the same companies that have come a cropper with Heartbleed, whereas- at least this time around- MS's infrastructure is relatively untouched (remember Heartbleed is not a virus, and is therefore far more sinister than any thing like Slammer because the fault is device-independent, passive, and took 2 years to uncover).

Also, a few of other points:

1. AD- technically- was RTM on 15 December 1999- hardly 90's infrastructure;

2. Micorosft current strategy is based entirely around AD, globally. My personal phone logs in with my Microsoft Account (cloud AD) and connects to "Outlook" (cloud Exchange). They've just migrated it to a global stage, and- as mentioned in other posts- it's more than possible to have a hyprid on-premise/ cloud existence.

Fact 1: Business needs or business wants? We get bombarded with requests for the cloud solution du jour (or find out about them afterwards). What possible reason can there be to need dropox, the box, OneDrive, Google Apps, Zoho, ThinkFree... This is not business needs, this is latching on to the next big thing then discarding it a week later for the next next big thing.

Fact 2: Increases daily workload? No... we rarely touch AD. What increases workload is chasing after a myriad cloud solutions that have just started being used with no thought given to business requirements. Example? Internally, instead of using Exchange (perfectly capable) what we see is whenisgood. Or doodle. Or FasterPlan. Or SelectTheDate. Etc.

Fact 3: Active Directory does neither of these things. The BYOD "revolution" has created bad behaviour and increased security risks. It's led to the assumption that you should have what you want, when you want which is fine for a consumer but generally speaking, the working world has to comply with things like the fact that financial records have to be kept for 7 years, data protection etc. To give just one example: if a company experiences indiscriminate use of random cloud solutions, how on earth would they be able to fulfill a complete FOI request? The answer is that they probably couldn't. How can you pull together all the data related to X when that data is spread across disparate locations, half of which aren't even known about? Also, the point about passwords- while having a grain of truth in that passwords are outdated- neatly bypasses mentioning that this is not an AD problem, this is just a problem. People would store passwords on post-its whather the infrastructure was Windows, Linux, Google Apps or ZoHo.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
 User Rank: Strategist
4/16/2014 | 1:21:25 PM
Re: Your experience integrating AD with cloud apps?
Thanks for sharing those details about your experience with AD in cloud, BryanF287. To paraphrase Mark Twain, it would appear that the Death of Active Directory has been greatly exaggerated -- at least from your vantage point. 
BryanF287
100%
0%
BryanF287,
 User Rank: Apprentice
4/16/2014 | 1:03:21 PM
Re: Your experience integrating AD with cloud apps?
What has been your experience integrating AD successfully with your cloud apps? 

100% of our employee cloud based apps are integrated with AD.

 

What have been your biggest challenges?

Getting security to approve integration where the SasS provider doesn't support ADFS.

 

What have been the biggest gaps?

Lack of standardization of authentication protocols in the cloud.  Security requirements (from all kinds of systems) that mandate strict password policies which leads to the sticky notes and spreadsheets containing passwords you mentioned (this is not because of AD).  Getting developers to understand the need for security and why storing passwords for their homegrown apps in plaintext a database is a really, really bad idea.

 

Some other information:

Employees ~ 6000 across 55 offices, high turnover in some departments

Automated identity management ~ 98%  (guest/contractor accounts are manual, turnaround time less than 1 hour)

100% audit trail for changes to AD or user accounts  (at least for the last 18 months)  Major changes are reconciled to approved change requests with unauthorized changes being addressed.

 

 

No mention of how to control machine settings without AD in this article either.  NPS is not robust enough yet to protect a network from clients without proper security settings like up to date AV software to eliminate the need for machines to be joined to the domain and controlled by GPOs.



I have to agree with many of the other comments.  This article seems like a sales pitch that is not based on reality unless you're a small company that doesn't need to meet audit requirements.  Considering how many difficulties the author has with AD, I question their ability to integrate with AD.

Will AD be around forever, of course not.  Calling it dead before there is even a viable competitor out there is irresponsible though.
anon1072277770
100%
0%
anon1072277770,
 User Rank: Apprentice
4/16/2014 | 9:05:56 AM
Re: What's the alternative
Microsoft ADFS is not complicated, it is really simple technology. Aynome with basic understanding of authentication protocols can setup ADFS in few hours.

If you combine ADFS with Azure ACS and Azure AD you have very powerfull infrastructure for Cloud and Enterprise authentication.
ScottW834
100%
0%
ScottW834,
 User Rank: Apprentice
4/16/2014 | 8:43:34 AM
If not AD then what?
While everyone is skipping off to the "cloud" there are still the same issues to be dealt with.  Authentication, Access and Accountability.  LDAP and AD have done a good job of this and as companies are learning everyday, security and information assurance are definitely alligned with business needs.  Convenience at the expense of security garners neither.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
 User Rank: Strategist
4/16/2014 | 7:58:49 AM
Re: What's the alternative
These are great questions @haglt, and I think they get at the heart of the issue with your statement that eventually a startup grows up, at which point "Cloud Services tend to stop being the best soution." The question is when, and you lay the issues out very well in your post. 
Page 1 / 3   >   >>


COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/1/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Attacker Dwell Time: Ransomware's Most Important Metric
Ricardo Villadiego, Founder and CEO of Lumu,  9/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20902
PUBLISHED: 2020-10-01
Upgrading Crowd via XML Data Transfer can reactivate a disabled user from OpenLDAP. The affected versions are from before version 3.4.6 and from 3.5.0 before 3.5.1.
CVE-2019-20903
PUBLISHED: 2020-10-01
The hyperlinks functionality in atlaskit/editor-core in before version 113.1.5 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in link targets.
CVE-2020-25288
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of arbitra...
CVE-2020-25781
PUBLISHED: 2020-09-30
An issue was discovered in file_download.php in MantisBT before 2.24.3. Users without access to view private issue notes are able to download the (supposedly private) attachments linked to these notes by accessing the corresponding file download URL directly.
CVE-2020-25830
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when attempting to update said custom field via bug_actiongroup_page.php.