Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Active Directory Is Dead: 3 Reasons
Newest First  |  Oldest First  |  Threaded View
Page 1 / 3   >   >>
ChrisB093
100%
0%
ChrisB093,
 User Rank: Strategist
4/24/2014 | 9:01:40 AM
Re: Unusual article
It's true that using Active Directory in isolation slows IT's ability, increases workload and has security loopholes that many people are not even aware. But with the right software integrated with Active Directory the complexity for IT to manage these issues can be removed, concurrent logins can be restricted, security risks significantly reduced and regulations complied with (which is often not the case with cloud apps).

Our own (IS Decisions) research has shown that password sharing in business using Active Directory is indeed rampant. But with further restrictions on user access (limiting concurrent logins, location/time restrictions) users are significantly less likely to share passwords as it impacts their own ability to access the network. Such restrictions also help stop attacks from legitimate but stolen credentials.

Active Directory provides basic security, but it's vital to build on this with further restrictions and real time monitoring to what authenticated users can do. Software is available to do this in a way that is easy and user friendly.

 

 
Thomas B. Pedersen
100%
0%
Thomas B. Pedersen,
 User Rank: Author
4/17/2014 | 2:16:40 PM
Re: Unusual article
I should clarify that OneLogin doesn't focus particularly on start-ups, but that's where we are seeing this trend. 90% of our customers are not startups and have Active Directory, some of them with dozens of forests and domains and more than a million users in some cases. Our customers include multi-nationals like Steelcase, Herman Miller, News Corp, Condé Nast and Midas who all have complex directories.

At these companies, Active Directory is not disappearing any time soon, but they are definitely moving in a new direction that reduces the focus on Active Directory. Instead of using ADFS to secure access to their applications, they are using OneLogin and similar solution to connect identities to applications.

The point I am trying to make here is that as applications move into the cloud, there are identity management solutions that solve the problem better than Active Directory. For example, a growing number of applications have user management APIs, which enables us to automate on-boarding and off-boarding of employees. ADFS doesn't do this. We are also able to handle applications that have no federation capabilities and we're integrated with a range of strong authentication solutions.

One of our recent clients has 15,000 employees in more than 2,000 locations. They were about to roll out Office 365, but were overwhelmed by the complexity of using ADFS. We managed to get them fully up and running on a single phone call. And now they have an identity management solution in place that enables them to quickly roll out other apps.

The business environment is very competitive and for many companies the decision is driven by business agility.
kobrien82
100%
0%
kobrien82,
 User Rank: Apprentice
4/17/2014 | 1:31:31 PM
Re: Unusual article
@rjthomas01: The drive to cloud is largely about mobility, speed, and collaboration. The apps you mention are being adopted by users directly; whether that's good or not is certainly debatable, but their popularity is born of user requirements for increased flexibility and access to data. 

I think you're dead-on here: too much fragmentation makes regulatory and legal compliance difficult, if not impossible. However, the ways of the world have changed; we can either balk at this, or we can find a way to provide a solution to user desires/needs that we can manage, provide governance for, and secure. 

Fragmentation like this typically represents explosive growth in an industry, which consolidates as it matures.
rjthomas01
50%
50%
rjthomas01,
 User Rank: Apprentice
4/17/2014 | 5:05:43 AM
Data security
@haglt, not sure if Europe's data security are insane, but definitely odd. One reason to not use DropBox is that DropBox stores it's data on AWS, which is in the US. Which the UK can't use, because the US isn't on the list of approved storage countries. This has nothing to do with the security of AWS, it's simply a you-can-or-you-can't.

However, I'd have thought Heartbleed would have indicated precisely why strong Data Security measures are needed. A lot of very big sites have almost certainly (inadvertently) contravened their own data protection policies because of Heartbleed.
rjthomas01
100%
0%
rjthomas01,
 User Rank: Apprentice
4/17/2014 | 4:34:52 AM
Unusual article
"Today's hottest startups –- companies like Dropbox, Uber, Pinterest, and Tumblr"

These happen to be the same companies that have come a cropper with Heartbleed, whereas- at least this time around- MS's infrastructure is relatively untouched (remember Heartbleed is not a virus, and is therefore far more sinister than any thing like Slammer because the fault is device-independent, passive, and took 2 years to uncover).

Also, a few of other points:

1. AD- technically- was RTM on 15 December 1999- hardly 90's infrastructure;

2. Micorosft current strategy is based entirely around AD, globally. My personal phone logs in with my Microsoft Account (cloud AD) and connects to "Outlook" (cloud Exchange). They've just migrated it to a global stage, and- as mentioned in other posts- it's more than possible to have a hyprid on-premise/ cloud existence.

Fact 1: Business needs or business wants? We get bombarded with requests for the cloud solution du jour (or find out about them afterwards). What possible reason can there be to need dropox, the box, OneDrive, Google Apps, Zoho, ThinkFree... This is not business needs, this is latching on to the next big thing then discarding it a week later for the next next big thing.

Fact 2: Increases daily workload? No... we rarely touch AD. What increases workload is chasing after a myriad cloud solutions that have just started being used with no thought given to business requirements. Example? Internally, instead of using Exchange (perfectly capable) what we see is whenisgood. Or doodle. Or FasterPlan. Or SelectTheDate. Etc.

Fact 3: Active Directory does neither of these things. The BYOD "revolution" has created bad behaviour and increased security risks. It's led to the assumption that you should have what you want, when you want which is fine for a consumer but generally speaking, the working world has to comply with things like the fact that financial records have to be kept for 7 years, data protection etc. To give just one example: if a company experiences indiscriminate use of random cloud solutions, how on earth would they be able to fulfill a complete FOI request? The answer is that they probably couldn't. How can you pull together all the data related to X when that data is spread across disparate locations, half of which aren't even known about? Also, the point about passwords- while having a grain of truth in that passwords are outdated- neatly bypasses mentioning that this is not an AD problem, this is just a problem. People would store passwords on post-its whather the infrastructure was Windows, Linux, Google Apps or ZoHo.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
 User Rank: Strategist
4/16/2014 | 1:21:25 PM
Re: Your experience integrating AD with cloud apps?
Thanks for sharing those details about your experience with AD in cloud, BryanF287. To paraphrase Mark Twain, it would appear that the Death of Active Directory has been greatly exaggerated -- at least from your vantage point. 
BryanF287
100%
0%
BryanF287,
 User Rank: Apprentice
4/16/2014 | 1:03:21 PM
Re: Your experience integrating AD with cloud apps?
What has been your experience integrating AD successfully with your cloud apps? 

100% of our employee cloud based apps are integrated with AD.

 

What have been your biggest challenges?

Getting security to approve integration where the SasS provider doesn't support ADFS.

 

What have been the biggest gaps?

Lack of standardization of authentication protocols in the cloud.  Security requirements (from all kinds of systems) that mandate strict password policies which leads to the sticky notes and spreadsheets containing passwords you mentioned (this is not because of AD).  Getting developers to understand the need for security and why storing passwords for their homegrown apps in plaintext a database is a really, really bad idea.

 

Some other information:

Employees ~ 6000 across 55 offices, high turnover in some departments

Automated identity management ~ 98%  (guest/contractor accounts are manual, turnaround time less than 1 hour)

100% audit trail for changes to AD or user accounts  (at least for the last 18 months)  Major changes are reconciled to approved change requests with unauthorized changes being addressed.

 

 

No mention of how to control machine settings without AD in this article either.  NPS is not robust enough yet to protect a network from clients without proper security settings like up to date AV software to eliminate the need for machines to be joined to the domain and controlled by GPOs.



I have to agree with many of the other comments.  This article seems like a sales pitch that is not based on reality unless you're a small company that doesn't need to meet audit requirements.  Considering how many difficulties the author has with AD, I question their ability to integrate with AD.

Will AD be around forever, of course not.  Calling it dead before there is even a viable competitor out there is irresponsible though.
anon1072277770
100%
0%
anon1072277770,
 User Rank: Apprentice
4/16/2014 | 9:05:56 AM
Re: What's the alternative
Microsoft ADFS is not complicated, it is really simple technology. Aynome with basic understanding of authentication protocols can setup ADFS in few hours.

If you combine ADFS with Azure ACS and Azure AD you have very powerfull infrastructure for Cloud and Enterprise authentication.
ScottW834
100%
0%
ScottW834,
 User Rank: Apprentice
4/16/2014 | 8:43:34 AM
If not AD then what?
While everyone is skipping off to the "cloud" there are still the same issues to be dealt with.  Authentication, Access and Accountability.  LDAP and AD have done a good job of this and as companies are learning everyday, security and information assurance are definitely alligned with business needs.  Convenience at the expense of security garners neither.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
 User Rank: Strategist
4/16/2014 | 7:58:49 AM
Re: What's the alternative
These are great questions @haglt, and I think they get at the heart of the issue with your statement that eventually a startup grows up, at which point "Cloud Services tend to stop being the best soution." The question is when, and you lay the issues out very well in your post. 
Page 1 / 3   >   >>


COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/31/2020
Block/Allow: The Changing Face of Hacker Linguistics
Seth Rosenblatt, Contributing Writer,  7/27/2020
Out-of-Date and Unsupported Cloud Workloads Continue as a Common Weakness
Robert Lemos, Contributing Writer,  7/28/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Sandboxing? Ppphhht! I've moved beyond sandboxes to sandcastles.
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internet—and What Your Organization Can Do About It
The Threat from the Internet—and What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-14310
PUBLISHED: 2020-07-31
There is an issue on grub2 before version 2.06 at function read_section_as_string(). It expects a font name to be at max UINT32_MAX - 1 length in bytes but it doesn't verify it before proceed with buffer allocation to read the value from the font value. An attacker may leverage that by crafting a ma...
CVE-2020-14311
PUBLISHED: 2020-07-31
There is an issue with grub2 before version 2.06 while handling symlink on ext filesystems. A filesystem containing a symbolic link with an inode size of UINT32_MAX causes an arithmetic overflow leading to a zero-sized memory allocation with subsequent heap-based buffer overflow.
CVE-2020-5413
PUBLISHED: 2020-07-31
Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains mali...
CVE-2020-5414
PUBLISHED: 2020-07-31
VMware Tanzu Application Service for VMs (2.7.x versions prior to 2.7.19, 2.8.x versions prior to 2.8.13, and 2.9.x versions prior to 2.9.7) contains an App Autoscaler that logs the UAA admin password. This credential is redacted on VMware Tanzu Operations Manager; however, the unredacted logs are a...
CVE-2019-11286
PUBLISHED: 2020-07-31
VMware GemFire versions prior to 9.10.0, 9.9.1, 9.8.5, and 9.7.5, and VMware Tanzu GemFire for VMs versions prior to 1.11.0, 1.10.1, 1.9.2, and 1.8.2, contain a JMX service available to the network which does not properly restrict input. A remote authenticated malicious user may request against the ...