Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Active Directory Is Dead: 3 Reasons
Threaded  |  Newest First  |  Oldest First
Lorna Garey
100%
0%
Lorna Garey,
 User Rank: Ninja
4/15/2014 | 9:28:32 AM
What's the alternative
This is all well and good, but do you really thing there's a better choice right now? Everyone knows how to use AD. Maybe it takes time to integrate new services, but it's doable. Yes, "different user communities require different security policies, and creating a new Active Directory group for every use case is time consuming." But IT has to manage roles, not individuals. The other way leads to anarchy. 

What would you suggest for a company that doesn't have 30 employees, lives on Red Bull and is all cloud all the time?

 
Thomas B. Pedersen
0%
100%
Thomas B. Pedersen,
 User Rank: Author
4/15/2014 | 10:39:58 AM
Re: What's the alternative
The first application a startup needs is email. But when you start a company today, your first inclination is probably not to drive down to your local computer store and purchase Microsoft Exchange and Office. More likely, you will sign up your team for Google Apps and get email and productivity suite all-in-one.

And then you work your way from there. You'll quickly be adding more applications so you can build, market and sell your product or service. Soon you will realize that the number of passwords your company is managing is out of control and that you need some way to control access and relieve your busy employees of their password fatigue. At this stage of your company, Active Directory will do nothing to propell your company forward. It will only limit your agility and make things more complicated for everyone.

Your company will be best served by deploying a cloud-based identity provider, such as OneLogin. The advantage of this approach is that it becomes very easy to onboard new employees and applications. You centralize user management and access control and have a much better view of your identity footprint. And it was just as easy to get in place as that Google Apps account your company started out with.

 

 

 
MauriceB786
50%
50%
MauriceB786,
 User Rank: Apprentice
4/15/2014 | 11:15:42 AM
Re: What's the alternative
If we go with your assertion of what a startup needs, then Google would be the dead last place I'd go as they usually need secrecy and Google doesn't go in for that very much.  It's also a lot of fun migrating off as well. 

Most orgs when they're mature enough to need something like AD are ready to hire an EXPERT to do it for them.  You're neglecting to mention the fact that you're freqently going to run into systems where the password complexity requirements are incompatable.


This isn't taking into consideration audit and compliance issues.


One last thing, while you don't say it, I'd be willing to bet your service is largely open source.  What do you use fo your login services?
Thomas B. Pedersen
50%
50%
Thomas B. Pedersen,
 User Rank: Author
4/15/2014 | 11:28:58 AM
Re: What's the alternative
Maurice,

While our stack (Rails, Postgres, Ubuntu) is open-source, OneLogin has been written from the ground up by us. We don't use any larger open-source components for our identity functionality.

Thomas
haglt
50%
50%
haglt,
 User Rank: Apprentice
4/16/2014 | 7:47:22 AM
Re: What's the alternative
@Mr. Pedersen

you said it pretty clrear: you are targeting startups... which is ok but I am afraid at some point the Startup gets serious and that is the point where Clous Services tend to stop been the best soution.

Here´s some questions for you:

- How would you Authenticate while been offline?
- What´s your opinion on Functional Groups vs. single user access rights
- How to grant File Access without deep manipulation on the Server side?

And that does not even take into account the various requirements that different businesses like Banks or Goverments have let a lone the (insane) Data-Security requirements in Europe or High Availabillity szenarios.

Sure, AD has same shortcommings but saying it is not able to be handled efficient means you are not aware of the dramatic improvements in Powershell. People already propose to manage Software Defined Data Centers through Powershell and ystem Center. I agree that this could have been available for much longer but that´s how it is.

What´s the Alternative? 
I don´t think we need one. What we need is an online extension that adapts all kinds of Cloud Service and DOES NOT STOP AT AUTHENTIFICATION. 

What would really be required is a general API to tell Cloud Services how I want them to offer their Services manged by AD... But with Privat Customers and Startups as Target Audience that will barely happen...oh wait... the bigger players in the Market already head that way... and Amazon and MS are some of them...

Don´t get me wrong. I agree with the statement that AD asks for Experts but that is due to the possibility to adapt to custom requirements that you do not have when using Cloud Servies.

Prove me wrong...PLEASE! 
But until you do please stop planting unrealistic Ideas in the Heads of Managers
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
 User Rank: Strategist
4/16/2014 | 7:58:49 AM
Re: What's the alternative
These are great questions @haglt, and I think they get at the heart of the issue with your statement that eventually a startup grows up, at which point "Cloud Services tend to stop being the best soution." The question is when, and you lay the issues out very well in your post. 
MauriceB786
67%
33%
MauriceB786,
 User Rank: Apprentice
4/15/2014 | 10:48:40 AM
Re: What's the alternative
I came to point out that this is a thinly veiled ad for a service that's targeted at people who have no business touching a domain controller. Instead I will point out that everything this product does and I do mean EVERYTHING you can already do with Windows.  You just have to find an admin who's willing to step away from the GUI and get their hands dirty with a small bit of PowerShell.  That's just for the sync'ing everything with the same password stuff.

Delegated rights have been in AD from day one.

When properly configured (read: AD Sites and Services setup along with proper connectors) replication isn't an issue.

What's irritating is that this is being peddled like it's real news and I fear some poor IT Manager is going to be forced to sit in a three hour meeting justifying some headcount.

Incidenally I'm putting as an open challenge Mr.Pederson, that your product doesn't do anything that a decently resourced IT team can't. 

In fact I'd go as far to argue that your product hurts IT departments by giving a false sense of security , hiding people from the complexity of their decisions.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
 User Rank: Strategist
4/15/2014 | 11:50:31 AM
Re: What's the alternative
Incidenally I'm putting as an open challenge Mr.Pederson, that your product doesn't do anything that a decently resourced IT team can't. 

@MauriceB786 
What are the specific things that you believe a cloud-based identity management solution can't do that Active Directory does.
MauriceB786
100%
0%
MauriceB786,
 User Rank: Apprentice
4/15/2014 | 12:07:20 PM
Re: What's the alternative
I may have worded that poorly.

I meant what value-add is it?

What can it do that I can't?

This is speaking as someone well-versed in automation, AD, and generally making people say "I didn't know it could do that."



I'm generally leery when someone asserts that any one product can solve all problems.

So of course there will be edge cases that aren't within a reasonable scope for spending developer cycles on, but are those cases in that catagory because there wasn't sufficent documentation out there saying, "Hey ADFS can do _____ ".

 

Or the admin didn't know to look for it?
TerryB
100%
0%
TerryB,
 User Rank: Ninja
4/15/2014 | 1:29:35 PM
Re: What's the alternative
I'm waiting to see your answer to @Marilyn, Thomas.

Your use examples talk about new startups, of which 70-90% fail anyway. Cloud does make a lot sense in that case, why would you implement your own Exchange server right out of gate. Then your service makes some sense.

But what about the hundreds or thousands of established businesses with on premise infrastructure in place. You really think we are going to chuck it all and pay rent so we can move to the cloud?

We can run our systems which support our manufacturing under AD when our internet connection is down. Let me know when that can be said of the cloud and your identity service.
Thomas B. Pedersen
50%
50%
Thomas B. Pedersen,
 User Rank: Author
4/15/2014 | 11:58:27 AM
Re: What's the alternative
Maurice,

You hit the nail on the head right there. A decently resourced IT team can accomplish anything, but do you really want to throw resources at all problems or would you rather leverage commercially available solutions that can automate and streamline your processes?

We talk to a ton of companies about their identity management challenges and a common theme is that they don't want to invest more resources in configuring ADFS (Active Directory Federation Services). Not only is ADFS unreasonably complex, but it also does not solve problems most of the problems they are strugging with, such as:
  • User provisioning
  • Multi-factor authentication
  • Password reset
  • Apps that don't support federation
  • Easy-to-use SSO portals that increase productivity

The conversation is just as much about business agility and focusing on your core competences. It's a hyper competitive business environment and you can't be an identity laggard and stay competitive.

Thomas

 
anon1072277770
100%
0%
anon1072277770,
 User Rank: Apprentice
4/16/2014 | 9:05:56 AM
Re: What's the alternative
Microsoft ADFS is not complicated, it is really simple technology. Aynome with basic understanding of authentication protocols can setup ADFS in few hours.

If you combine ADFS with Azure ACS and Azure AD you have very powerfull infrastructure for Cloud and Enterprise authentication.
vremenar
100%
0%
vremenar,
 User Rank: Apprentice
4/16/2014 | 2:17:35 AM
Re: What's the alternative
You actually think you can get away with "Active Directory Is Dead. Buy my soulution!"

Oh, let me keep all my employes accounts on OneLogin that one day might have an "Heartbleed-like" bug. Hmm, that does sound like a good idea. Thanks but no thanks.
snake oil antedote
67%
33%
snake oil antedote,
 User Rank: Apprentice
4/15/2014 | 10:19:55 AM
Horrible AD Assessment
This is truly a sensationalistic piece at best. To headline AD is dead then to fall back and say its a predictive analysis, shows the true intent of a marketing veiled security article with bad analysis.  Any RBAC, MAC, DAC based model has overhead, in fact good security will require it. It's important to temper the cloud-fare with a balanced approach. As long as there are brick-mortar establishments, its not sound security to have a multi-tenant auth solution authenticate your every app. Even for apps interfacing with AD, you have ADFS as a recourse which the author excludes. An article that only critiques a technology w/o proposing viable solutions should be received w/ caution.
orinthomas
67%
33%
orinthomas,
 User Rank: Apprentice
4/15/2014 | 10:26:21 AM
Marketing rather than technical argument
"Why am I predicting the death of Active Directory?"

Because you're running a company that's trying to compete with it and you are trying to look relevant?
boconnor@henryscheinvet.com
100%
0%
[email protected],
 User Rank: Apprentice
4/15/2014 | 1:54:26 PM
Don't count Microsoft out yet
Your article has some merit, calling out the aging Active Directory, but you seem to base the premise on the 1990's technology (I will agree the foot in the door was Exchange 5.5 on directory management, but AD was released in 2000, not the 1990s).  I believe Microsoft has updated Active Directory a few times since then.  Even discounting the upgrades, assuming they don't amount to enough, Microsoft has recently shifted their own focus to cloud and services.  If you think major changes in AD, or even a totally new model, are not forth-coming I think that might be a bit short sighted.  And honestly with a start-up today I would rather still use Office 365, with Exchange on-line and OneDrive all connected to my one Microsoft account, than Google.

And Google only has a stock valuation 9 times higher than G.E.  If you look at their balance sheets and income statements I think it might show a different picture, but the stock market is more than 50% perception, and less real business saavy.  I bet if you did a traditional asset minus liability count on Google (not including asset amounts leveraged with debt) people would be surprised at the stock vaule.  I could be wrong I suppose, but Google doesn't seem to 'sell' anything (for a profit anyway), oh, except somehow making bajillions on advertising...somehow...
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
 User Rank: Strategist
4/15/2014 | 3:25:59 PM
Your experience integrating AD with cloud apps?
It's interesting to read the views of all the defenders of AD and the bashers of someone who predicts its demise. But what about the question Thomas put out to the security community in his blog? He asked: 
  • What has been your experience integrating AD successfully with your cloud apps? 
  • What have been your biggest challenges, and
  • What have been the biggest gaps?

Let's hear some success stories in the comments.
BryanF287
100%
0%
BryanF287,
 User Rank: Apprentice
4/16/2014 | 1:03:21 PM
Re: Your experience integrating AD with cloud apps?
What has been your experience integrating AD successfully with your cloud apps? 

100% of our employee cloud based apps are integrated with AD.

 

What have been your biggest challenges?

Getting security to approve integration where the SasS provider doesn't support ADFS.

 

What have been the biggest gaps?

Lack of standardization of authentication protocols in the cloud.  Security requirements (from all kinds of systems) that mandate strict password policies which leads to the sticky notes and spreadsheets containing passwords you mentioned (this is not because of AD).  Getting developers to understand the need for security and why storing passwords for their homegrown apps in plaintext a database is a really, really bad idea.

 

Some other information:

Employees ~ 6000 across 55 offices, high turnover in some departments

Automated identity management ~ 98%  (guest/contractor accounts are manual, turnaround time less than 1 hour)

100% audit trail for changes to AD or user accounts  (at least for the last 18 months)  Major changes are reconciled to approved change requests with unauthorized changes being addressed.

 

 

No mention of how to control machine settings without AD in this article either.  NPS is not robust enough yet to protect a network from clients without proper security settings like up to date AV software to eliminate the need for machines to be joined to the domain and controlled by GPOs.



I have to agree with many of the other comments.  This article seems like a sales pitch that is not based on reality unless you're a small company that doesn't need to meet audit requirements.  Considering how many difficulties the author has with AD, I question their ability to integrate with AD.

Will AD be around forever, of course not.  Calling it dead before there is even a viable competitor out there is irresponsible though.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
 User Rank: Strategist
4/16/2014 | 1:21:25 PM
Re: Your experience integrating AD with cloud apps?
Thanks for sharing those details about your experience with AD in cloud, BryanF287. To paraphrase Mark Twain, it would appear that the Death of Active Directory has been greatly exaggerated -- at least from your vantage point. 
jrdepriest
100%
0%
jrdepriest,
 User Rank: Apprentice
4/15/2014 | 4:40:56 PM
You've been drinking your own Kool Aid
You are out of your mind.

AD isn't dead and will likely be a foundation of access control for smart organizations for a long time.

Why?
  1. AD is extensible. You have an app that needs fields not supported in AD? It can add them with a schema change.
  2. AD is compatible. Tell me an easier way to get Kerberos, LDAP/LDAPS, centralized and distributed access control, all of it with well-dveloped GUI and command-line controls included in the price of the OS.
  3. AD is everywhere. Microsoft servers rule big old enterprises. Ever server plugs right in to it.
  4. AD is useful. AD + GPO + SCCM means you can control just about single aspect of any Windows system in the domain down to what icons show up in the Start menu or whether you can change the system time. And you can keep them fuly patched for Microsoft products and 3rd party apps.

AD may be out of here in 10 years or 20 years, but it's kicking strong right now. Heck, you can fully manage Windows 8.1 tablets with AD now. That's Microsoft moving right in to the spaces you are talking about.

The cloud is great if it can be tied back to AD because that's what your large customers are going to be using.

 

Yes, I remember NetWare being the software everybody used. I remember thinking it would never go away and Mircrosoft's AD would never take off.

They won because they gave it away with every server they sold.

Can you compete with free and competent?

 
ScottW834
100%
0%
ScottW834,
 User Rank: Apprentice
4/16/2014 | 8:43:34 AM
If not AD then what?
While everyone is skipping off to the "cloud" there are still the same issues to be dealt with.  Authentication, Access and Accountability.  LDAP and AD have done a good job of this and as companies are learning everyday, security and information assurance are definitely alligned with business needs.  Convenience at the expense of security garners neither.
rjthomas01
100%
0%
rjthomas01,
 User Rank: Apprentice
4/17/2014 | 4:34:52 AM
Unusual article
"Today's hottest startups –- companies like Dropbox, Uber, Pinterest, and Tumblr"

These happen to be the same companies that have come a cropper with Heartbleed, whereas- at least this time around- MS's infrastructure is relatively untouched (remember Heartbleed is not a virus, and is therefore far more sinister than any thing like Slammer because the fault is device-independent, passive, and took 2 years to uncover).

Also, a few of other points:

1. AD- technically- was RTM on 15 December 1999- hardly 90's infrastructure;

2. Micorosft current strategy is based entirely around AD, globally. My personal phone logs in with my Microsoft Account (cloud AD) and connects to "Outlook" (cloud Exchange). They've just migrated it to a global stage, and- as mentioned in other posts- it's more than possible to have a hyprid on-premise/ cloud existence.

Fact 1: Business needs or business wants? We get bombarded with requests for the cloud solution du jour (or find out about them afterwards). What possible reason can there be to need dropox, the box, OneDrive, Google Apps, Zoho, ThinkFree... This is not business needs, this is latching on to the next big thing then discarding it a week later for the next next big thing.

Fact 2: Increases daily workload? No... we rarely touch AD. What increases workload is chasing after a myriad cloud solutions that have just started being used with no thought given to business requirements. Example? Internally, instead of using Exchange (perfectly capable) what we see is whenisgood. Or doodle. Or FasterPlan. Or SelectTheDate. Etc.

Fact 3: Active Directory does neither of these things. The BYOD "revolution" has created bad behaviour and increased security risks. It's led to the assumption that you should have what you want, when you want which is fine for a consumer but generally speaking, the working world has to comply with things like the fact that financial records have to be kept for 7 years, data protection etc. To give just one example: if a company experiences indiscriminate use of random cloud solutions, how on earth would they be able to fulfill a complete FOI request? The answer is that they probably couldn't. How can you pull together all the data related to X when that data is spread across disparate locations, half of which aren't even known about? Also, the point about passwords- while having a grain of truth in that passwords are outdated- neatly bypasses mentioning that this is not an AD problem, this is just a problem. People would store passwords on post-its whather the infrastructure was Windows, Linux, Google Apps or ZoHo.
kobrien82
100%
0%
kobrien82,
 User Rank: Apprentice
4/17/2014 | 1:31:31 PM
Re: Unusual article
@rjthomas01: The drive to cloud is largely about mobility, speed, and collaboration. The apps you mention are being adopted by users directly; whether that's good or not is certainly debatable, but their popularity is born of user requirements for increased flexibility and access to data. 

I think you're dead-on here: too much fragmentation makes regulatory and legal compliance difficult, if not impossible. However, the ways of the world have changed; we can either balk at this, or we can find a way to provide a solution to user desires/needs that we can manage, provide governance for, and secure. 

Fragmentation like this typically represents explosive growth in an industry, which consolidates as it matures.
Thomas B. Pedersen
100%
0%
Thomas B. Pedersen,
 User Rank: Author
4/17/2014 | 2:16:40 PM
Re: Unusual article
I should clarify that OneLogin doesn't focus particularly on start-ups, but that's where we are seeing this trend. 90% of our customers are not startups and have Active Directory, some of them with dozens of forests and domains and more than a million users in some cases. Our customers include multi-nationals like Steelcase, Herman Miller, News Corp, Condé Nast and Midas who all have complex directories.

At these companies, Active Directory is not disappearing any time soon, but they are definitely moving in a new direction that reduces the focus on Active Directory. Instead of using ADFS to secure access to their applications, they are using OneLogin and similar solution to connect identities to applications.

The point I am trying to make here is that as applications move into the cloud, there are identity management solutions that solve the problem better than Active Directory. For example, a growing number of applications have user management APIs, which enables us to automate on-boarding and off-boarding of employees. ADFS doesn't do this. We are also able to handle applications that have no federation capabilities and we're integrated with a range of strong authentication solutions.

One of our recent clients has 15,000 employees in more than 2,000 locations. They were about to roll out Office 365, but were overwhelmed by the complexity of using ADFS. We managed to get them fully up and running on a single phone call. And now they have an identity management solution in place that enables them to quickly roll out other apps.

The business environment is very competitive and for many companies the decision is driven by business agility.
ChrisB093
100%
0%
ChrisB093,
 User Rank: Strategist
4/24/2014 | 9:01:40 AM
Re: Unusual article
It's true that using Active Directory in isolation slows IT's ability, increases workload and has security loopholes that many people are not even aware. But with the right software integrated with Active Directory the complexity for IT to manage these issues can be removed, concurrent logins can be restricted, security risks significantly reduced and regulations complied with (which is often not the case with cloud apps).

Our own (IS Decisions) research has shown that password sharing in business using Active Directory is indeed rampant. But with further restrictions on user access (limiting concurrent logins, location/time restrictions) users are significantly less likely to share passwords as it impacts their own ability to access the network. Such restrictions also help stop attacks from legitimate but stolen credentials.

Active Directory provides basic security, but it's vital to build on this with further restrictions and real time monitoring to what authenticated users can do. Software is available to do this in a way that is easy and user friendly.

 

 
rjthomas01
50%
50%
rjthomas01,
 User Rank: Apprentice
4/17/2014 | 5:05:43 AM
Data security
@haglt, not sure if Europe's data security are insane, but definitely odd. One reason to not use DropBox is that DropBox stores it's data on AWS, which is in the US. Which the UK can't use, because the US isn't on the list of approved storage countries. This has nothing to do with the security of AWS, it's simply a you-can-or-you-can't.

However, I'd have thought Heartbleed would have indicated precisely why strong Data Security measures are needed. A lot of very big sites have almost certainly (inadvertently) contravened their own data protection policies because of Heartbleed.


COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
The Yellow Brick Road to Risk Management
Andrew Lowe, Senior Information Security Consultant, TalaTek,  11/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: He hits the gong anytime he sees someone click on an email link.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29128
PUBLISHED: 2020-11-26
petl before 1.68, in some configurations, allows resolution of entities in an XML document.
CVE-2020-27251
PUBLISHED: 2020-11-26
A heap overflow vulnerability exists within FactoryTalk Linx Version 6.11 and prior. This vulnerability could allow a remote, unauthenticated attacker to send malicious port ranges, which could result in remote code execution.
CVE-2020-27253
PUBLISHED: 2020-11-26
A flaw exists in the Ingress/Egress checks routine of FactoryTalk Linx Version 6.11 and prior. This vulnerability could allow a remote, unauthenticated attacker to specifically craft a malicious packet resulting in a denial-of-service condition on the device.
CVE-2020-27255
PUBLISHED: 2020-11-26
A heap overflow vulnerability exists within FactoryTalk Linx Version 6.11 and prior. This vulnerability could allow a remote, unauthenticated attacker to send malicious set attribute requests, which could result in the leaking of sensitive information. This information disclosure could lead to the b...
CVE-2020-25651
PUBLISHED: 2020-11-26
A flaw was found in the SPICE file transfer protocol. File data from the host system can end up in full or in parts in the client connection of an illegitimate local user in the VM system. Active file transfers from other users could also be interrupted, resulting in a denial of service. The highest...