Active Directory Is Dead: 3 Reasons
haglt,
User Rank: Apprentice
4/16/2014 | 7:47:22 AM
Re: What's the alternative
@Mr. Pedersen

You said it pretty clear: you are targeting startups... which is ok, but I am afraid at some point the Startup gets serious, and that is the point where Cloud Services tend to stop being the best solution.

Here's some questions for you:

- How would you Authenticate while being offline?
- What's your opinion on Functional Groups vs. single user access rights?
- How to grant File Access without deep manipulation on the Server side?

And that does not even take into account the various requirements that different businesses like Banks or Governments have, let alone the (insane) Data-Security requirements in Europe or High Availability scenarios.

Sure, AD has some shortcomings, but saying it is not able to be handled efficiently means you are not aware of the dramatic improvements in PowerShell. People already propose to manage Software Defined Data Centers through PowerShell and System Center. I agree that this could have been available for much longer but that's how it is.

What's the Alternative?
I don't think we need one. What we need is an online extension that adapts all kinds of Cloud Service and DOES NOT STOP AT AUTHENTICATION.

What would really be required is a general API to tell Cloud Services how I want them to offer their Services managed by AD... But with Private Customers and Startups as Target Audience that will barely happen...oh wait... the bigger players in the Market already head that way... and Amazon and MS are some of them...

Don't get me wrong. I agree with the statement that AD asks for Experts but that is due to the possibility to adapt to custom requirements that you do not have when using Cloud Services.

Prove me wrong...PLEASE! 
But until you do please stop planting unrealistic Ideas in the Heads of Managers
vremenar,
User Rank: Apprentice
4/16/2014 | 2:17:35 AM
Re: What's the alternative
You actually think you can get away with "Active Directory Is Dead. Buy my solution!"

Oh, let me keep all my employees' accounts on OneLogin that one day might have a "Heartbleed-like" bug. Hmm, that does sound like a good idea. Thanks but no thanks.
jrdepriest,
User Rank: Apprentice
4/15/2014 | 4:40:56 PM
You've been drinking your own Kool Aid
You are out of your mind.

AD isn't dead and will likely be a foundation of access control for smart organizations for a long time.

Why?
  1. AD is extensible. You have an app that needs fields not supported in AD? It can add them with a schema change.
  2. AD is compatible. Tell me an easier way to get Kerberos, LDAP/LDAPS, centralized and distributed access control, all of it with well-developed GUI and command-line controls included in the price of the OS.
  3. AD is everywhere. Microsoft servers rule big old enterprises. Every server plugs right into it.
  4. AD is useful. AD + GPO + SCCM means you can control just about every single aspect of any Windows system in the domain down to what icons show up in the Start menu or whether you can change the system time. And you can keep them fully patched for Microsoft products and 3rd party apps.

AD may be out of here in 10 years or 20 years, but it's kicking strong right now. Heck, you can fully manage Windows 8.1 tablets with AD now. That's Microsoft moving right in to the spaces you are talking about.

The cloud is great if it can be tied back to AD because that's what your large customers are going to be using.

 

Yes, I remember NetWare being the software everybody used. I remember thinking it would never go away and Microsoft's AD would never take off.

They won because they gave it away with every server they sold.

Can you compete with free and competent?

 
Marilyn Cohodas,
User Rank: Strategist
4/15/2014 | 3:25:59 PM
Your experience integrating AD with cloud apps?
It's interesting to read the views of all the defenders of AD and the bashers of someone who predicts its demise. But what about the question Thomas put out to the security community in his blog? He asked: 
  • What has been your experience integrating AD successfully with your cloud apps? 
  • What have been your biggest challenges, and
  • What have been the biggest gaps?

Let's hear some success stories in the comments.
boconnor@henryscheinvet.com,
User Rank: Apprentice
4/15/2014 | 1:54:26 PM
Don't count Microsoft out yet
Your article has some merit, calling out the aging Active Directory, but you seem to base the premise on the 1990s technology (I will agree the foot in the door was Exchange 5.5 on directory management, but AD was released in 2000, not the 1990s). I believe Microsoft has updated Active Directory a few times since then. Even discounting the upgrades, assuming they don't amount to enough, Microsoft has recently shifted their own focus to cloud and services. If you think major changes in AD, or even a totally new model, are not forthcoming I think that might be a bit short-sighted. And honestly with a start-up today I would rather still use Office 365, with Exchange on-line and OneDrive all connected to my one Microsoft account, than Google.

And Google only has a stock valuation 9 times higher than G.E. If you look at their balance sheets and income statements I think it might show a different picture, but the stock market is more than 50% perception, and less real business savvy. I bet if you did a traditional asset minus liability count on Google (not including asset amounts leveraged with debt) people would be surprised at the stock value. I could be wrong I suppose, but Google doesn't seem to 'sell' anything (for a profit anyway), oh, except somehow making bajillions on advertising...somehow...
TerryB,
User Rank: Ninja
4/15/2014 | 1:29:35 PM
Re: What's the alternative
I'm waiting to see your answer to @Marilyn, Thomas.

Your use examples talk about new startups, of which 70-90% fail anyway. Cloud does make a lot of sense in that case, why would you implement your own Exchange server right out of the gate. Then your service makes some sense.

But what about the hundreds or thousands of established businesses with on-premise infrastructure in place? You really think we are going to chuck it all and pay rent so we can move to the cloud?

We can run our systems which support our manufacturing under AD when our internet connection is down. Let me know when that can be said of the cloud and your identity service.
MauriceB786,
User Rank: Apprentice
4/15/2014 | 12:07:20 PM
Re: What's the alternative
I may have worded that poorly.

I meant what value-add is it?

What can it do that I can't?

This is speaking as someone well-versed in automation, AD, and generally making people say "I didn't know it could do that."



I'm generally leery when someone asserts that any one product can solve all problems.

So of course there will be edge cases that aren't within a reasonable scope for spending developer cycles on, but are those cases in that category because there wasn't sufficient documentation out there saying, "Hey ADFS can do _____ ".

 

Or the admin didn't know to look for it?
Thomas B. Pedersen,
User Rank: Author
4/15/2014 | 11:58:27 AM
Re: What's the alternative
Maurice,

You hit the nail on the head right there. A decently resourced IT team can accomplish anything, but do you really want to throw resources at all problems or would you rather leverage commercially available solutions that can automate and streamline your processes?

We talk to a ton of companies about their identity management challenges and a common theme is that they don't want to invest more resources in configuring ADFS (Active Directory Federation Services). Not only is ADFS unreasonably complex, but it also does not solve most of the problems they are struggling with, such as:
  • User provisioning
  • Multi-factor authentication
  • Password reset
  • Apps that don't support federation
  • Easy-to-use SSO portals that increase productivity

The conversation is just as much about business agility and focusing on your core competences. It's a hyper competitive business environment and you can't be an identity laggard and stay competitive.

Thomas

 
Marilyn Cohodas,
User Rank: Strategist
4/15/2014 | 11:50:31 AM
Re: What's the alternative
Incidentally I'm putting as an open challenge Mr. Pedersen, that your product doesn't do anything that a decently resourced IT team can't.

@MauriceB786
What are the specific things that you believe a cloud-based identity management solution can't do that Active Directory does?
Thomas B. Pedersen,
User Rank: Author
4/15/2014 | 11:28:58 AM
Re: What's the alternative
Maurice,

While our stack (Rails, Postgres, Ubuntu) is open-source, OneLogin has been written from the ground up by us. We don't use any larger open-source components for our identity functionality.

Thomas