
When Active Directory And LDAP Aren't Enough

Cloud and mobile pose problems for most enterprises' centerpiece identity and access management technology

Scalability, tight coupling with Microsoft infrastructure, and ease of management in the on-premises world all contributed to catapulting Active Directory and the associated LDAP protocol into the centerpiece of today's typical enterprise IAM strategy. However, with new mobile platforms diversifying the operating system ecosystem, SaaS applications proliferating by the day, and hybrid cloud approaches fast becoming de rigueur, Active Directory and LDAP are starting to show their limitations.

According to Todd McKinnon of IAM start-up Okta, the sustained and pervasive success Active Directory has achieved so far can be largely attributed to Microsoft's tying everything together in such a neat bow.

"Why do people use AD? Because it's your network authentication, because it was the Exchange database for users. If you wanted to do permissions on who can share files on the fileserver, it was the database for that. If it was for printers -- it was the database for printers," he says. "That's why people use it. It's an infrastructure thing. It's behind the applications."


Even in the cloudless world dominated by the data center, AD had its limits.

"One of the misconceptions is that everything in the old world was integrated from an identity perspective. It really wasn't," says McKinnon. "You have Active Directory that [did] a really good job with Windows clients, Windows servers, Exchange, file and print. Then you have LDAP, and a lot of people use that for big scale e-commerce sites and databases around that. But this concept that in a large company a lot of the identities were integrated is not true."

Just look at the number of enterprise project disasters around bringing internal applications under a single AD source for proof, says Nishant Kaushik, chief architect at Identropy.

"IAM is littered with failed attempts at rationalizing all internal application development against [a] single AD source," Kaushik says.

Many organizations looked to kill two birds with one stone by repurposing user identity stores they've managed and curated for their internal environment and applying them to in-house custom applications, Kaushik says. However, most of those deployments ended up going bad.

"The reason is because the model that was put into Active Directory was highly optimized and tuned for AD's primary purposes, which was managing their network infrastructure and Windows environment, Outlook, and stuff like that," he says. "The minute you decide to add in application-specific stuff into that, all of a sudden the performance and the tuning stuff that had happened starts to fall apart."

In today's changing IT environment, relying primarily on AD to do the heavy lifting of identity management is just going to get harder. According to McKinnon, there are a number of challenges standing in the way. No. 1, alternatives to Windows fileservers are drastically changing the collaboration landscape -- just look at the traction Box and Dropbox have gained in the enterprise for evidence of that. As a corollary, challenge No. 2 is that people are moving their collaborative email infrastructure to the cloud.

"When you move that to the cloud, you by definition are decoupling it from close proximity to AD," McKinnon says. "That's true whether it's something like Gmail or Office 365; if you look at how Office 365 gets connected to AD, it's not tightly coupled."

The loose coupling gets even looser when you consider the rapid addition of mobile devices that are outside of the Microsoft ecosystem.

"Companies are doing fewer big deployments of Windows, and if you're looking at what's happening on the client-side of the network, Microsoft dominance on the client is changing dramatically," McKinnon says. "Eighty percent of the reason people use AD is because they logged on their PC to the domain. And now half the devices on the Internet aren't even Windows devices."

And that's just the pressure on the front end. On the back end, cloud and SaaS applications are also pulling apart the AD coupling that worked so well in the data center-centric world -- this in spite of the fact that so many SaaS and cloud vendors purport to have AD integration.

"Every SaaS vendor of note that's trying to penetrate the enterprise has built-in support to integrate directly with AD. That's a technology-oriented integration that completely leaves out the process that is needed to actually manage AD cleanly," Kaushik says, explaining that the same application-centric problems of yesteryear are just magnified in the SaaS environment.

One big problem in the new cloud and SaaS model is the hierarchical nature of LDAP, says McKinnon.

"There's root and children. What people are realizing now is that it's not strict hierarchy in relationships anymore," McKinnon says. "When you have more of these B2B, cross-application modern relationships, you need more of a graph -- like Facebook's API shows us. It's not like there are your friends and my friends, and my friends are a subset of yours. It's the same in business. There are my partners, and my partners have partners."
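To make the hierarchy-versus-graph argument concrete, here is an added example (not code from the article, Okta, or any vendor named here) that models the same partner relationships two ways: as an LDAP-style directory tree keyed by DN, where every entry has exactly one parent, and as a directed graph. All organisation names and entries are constructed for illustration.

```python
from collections import deque

# Constructed LDAP-style directory information tree (DIT), keyed by DN.
# Each entry has exactly one parent: its DN minus the leftmost RDN.
DIT = {
    "o=acme",
    "ou=partners,o=acme",
    "o=beta,ou=partners,o=acme",
    "o=delta,ou=partners,o=acme",
    "ou=partners,o=beta,ou=partners,o=acme",
    "ou=partners,o=delta,ou=partners,o=acme",
    # gamma partners with both beta and delta: the tree forces two entries
    "o=gamma,ou=partners,o=beta,ou=partners,o=acme",
    "o=gamma,ou=partners,o=delta,ou=partners,o=acme",
}

def parent_dn(dn):
    """DNs are written leaf-first; dropping the leftmost RDN gives the parent."""
    rdns = [r.strip() for r in dn.split(",")]
    return ",".join(rdns[1:]) if len(rdns) > 1 else None

def subtree(dit, base):
    """Like an LDAP subtree-scoped search at `base` (the base entry excluded)."""
    return sorted(dn for dn in dit if dn.endswith("," + base))

def entries_named(dit, leaf_rdn):
    """Count DNs sharing one leaf RDN, i.e. how often an identity is duplicated."""
    return sum(1 for dn in dit if dn.split(",")[0].strip() == leaf_rdn)

# Same relationships as a directed graph: edge x -> y means y is a partner of x.
PARTNERS = {
    "acme": {"beta", "delta"},
    "beta": {"gamma"},
    "delta": {"gamma"},
    "gamma": set(),
}

def partners_within(graph, start, hops):
    """Breadth-first walk; returns {org: distance} for 1..hops edges from start."""
    seen = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if seen[node] == hops:
            continue
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen[nxt] = seen[node] + 1
                queue.append(nxt)
    return {org: dist for org, dist in seen.items() if dist > 0}
```

A subtree search under acme's partners OU returns gamma as if it were a direct partner, and gamma has to exist twice in the tree because it has two parents; the graph walk keeps one gamma node and reports it at hop distance 2.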

According to Phil Lieberman of Lieberman Software, in spite of AD's supreme scalability, the problems McKinnon identifies contribute to LDAP's lack of viability as an authentication method organizations can use in the cloud.

"That's not necessarily what they might want to use, and so this brings up the question of federation," says Lieberman, pointing to rumblings of using a mechanism like a Facebook log-in to tie together access to enterprise cloud resources.

He says at the moment he has a bet going with Gartner analyst Lawrence Pingree that enterprises won't be able to make that happen.

"I think the big question is authorization," he says. "Facebook or one of the other identity providers can authenticate. The problem is that LDAP provides authorization, too. If you can't provide authorization, what is the point?"

According to McKinnon, Microsoft isn't tone-deaf about the challenges facing AD in the cloud. They're why the company has turned some of its brightest minds toward developing Windows Azure Active Directory. However, there are challenges with its approach so far.

"One thing is that they're not bundling it tightly to the on-premise infrastructure, which is a challenge," he says. "And, two, is that the API isn't LDAP, which is really different. The reason why is that things are more disconnected, and a tightly coupled protocol is too latent and isn't the right level of granularity for what you need in the cloud."

Ultimately, the chaos is breeding a whole new niche in Identity as a Service (IDaaS) that's being tightly contested by vendors like Okta and Identropy and others like Centrify and Symplified. It's an exploding market that Gartner says will make up a quarter of all new IAM sales by the end of 2014 and 40 percent by 2015, as compared with just 5 percent last year. But in the interim, McKinnon says some order needs to be established, even among those players.

"We're going to be making more noise about this, but we think there's a new protocol that's needed," McKinnon says. "It's a new API -- a new protocol for directory services in this new world."

3/27/2013 | 10:00:07 PM
re: When Active Directory And LDAP Aren't Enough
I must be missing the boat because I don't get how Okta, Symplified or the other companies noted are anything more than cloud-aware IAM products themselves. How are they offering "identity as a service"? Sure, they might be connecting various identity services together but are they offering an API that allows me to create an identity, store the credential in their service and re-use it elsewhere? I don't get the connection.

Yes, LDAP is not the right thing for the cloud. Yes, AD is not the right thing for the cloud otherwise why would MSFT have created Azure? At least there is a set of RESTful APIs for Azure. Where are the RESTful APIs for Okta and other vendors mentioned?

I have to laugh that on one hand LDAP isn't good enough and then on the other McKinnon says the APIs for Azure aren't LDAP. Seriously? It's all about the API economy now. More APIs are needed and at least Microsoft has taken a step in the right direction. (As other vendors like Google have, too).

If any of the companies mentioned can do better than Microsoft - who does offer identity as a service - or Facebook, or Google then I suggest they put their money where their mouth is and build such a service, APIs and all.

Lastly, authorization is something that can be implemented via SAML or via XACML. Both of these are standards. Both of these are Web protocols whereas LDAP isn't. You don't have to look very far to find solutions for cloud-based authorization - like our own (http://www.quest.com/quest-one.... The problem is that most companies are barely starting to tackle federation for cloud authentication let alone cloud-based authorization.

We are at the innovators & early adopter phase of these phenomena. By definition that means it's HARD.

Jackson Shaw
3/22/2013 | 8:04:39 PM
re: When Active Directory And LDAP Aren't Enough
This brings up some really interesting concerns that enterprises are facing. Anyone out there looking for AD alternatives to support mobile and cloud additions?

Kelly Jackson Higgins, Senior Editor, Dark Reading