For IT pros, Microsoft Active Directory is an old friend. After all, it’s been with us since the early 2000s and (just like many Microsoft products before it) it has, over time, become the backbone of many enterprises’ IT operations.
Originally developed to manage network resources, AD’s functionality has expanded over the years to embrace many aspects of authentication and identity management. In a way, Active Directory rules the IT realm, as it controls access to all critical resources and crown jewels of the enterprise.
Many enterprise Active Directory infrastructures are well over a decade old and have drifted significantly out of date since the original setup. Over time, managing those bloated AD architectures becomes increasingly costly and resource-intensive.
Active Directory is still the backbone of most IT environments
Today, Active Directory represents a collection of services for managing identity and access for and to network resources. AD is still at the core of many enterprise IT environments and represents the single point of authentication and authorization, controlling enterprise-wide access to all critical resources.
The need for Active Directory on-premise is still alive and kicking. Modernization is key for on-premise and hybrid cloud topologies, especially when faced with a constantly evolving threat landscape. With many critical systems and business users relying on Active Directory, even a minor breach, vulnerability, or outage can have devastating effects on the entire organization.
The cloud, on-premise and the AD identity crisis
Today, it seems that there is a new high-profile breach on the news every single day, and we can no longer put the push for Active Directory modernization on the backburner.
Active Directory modernization has been a hot topic for several years now, but it has always meant something different for each organization. Most organizations today have an AD environment that is hybrid and represents some combination of:
- An on-premises AD infrastructure that remains the primary source of authentication and authorization
- Synchronization of that on-premises AD with cloud-based services, so that on-premises credentials authenticate users to Office 365, custom cloud applications, and common SaaS apps and services.
Every enterprise IT architecture is unique, with its particular set of business requirements for security, compliance and authentication. That is why there is no single best way to go about AD modernization.
A good framework for tackling Active Directory modernization is to look at your Active Directory from the viewpoint of supporting the evolving demands of your particular business. Start with the following criteria:
- User management in multiple environments – managing access to cloud and on-premise resources, mobile devices and Virtual Desktop Infrastructures (VDI).
- Security – The threat landscape has changed, and regardless of the nature of your business or the size of your organization, deploying multiple authentication factors is a must. This must be reconciled with AD architectures that are a decade (or two) old.
- Cloud-Native Apps – Office 365, Salesforce, Google Drive, and other commonly used business applications require cloud identity access and must be synchronized with on-prem AD.
- Regulations and Compliance – As cloud adoption grows, the complexity of securing, managing, and ensuring compliance for your hybrid AD environment becomes a pressing issue. A big driver of modernization is regulatory bodies demanding Multi-Factor Authentication (MFA). Enterprises must conform or pay dearly in fines and lawsuits.
The drive for digital transformation makes AD more important than ever
AD infrastructures often fail to meet the requirements of today’s realities, leaving organizations exposed to security and compliance risks. In the new era of hybrid, cloud, and multi-cloud IT, organizations are faced with the constantly evolving threat and risk landscape.
These fundamental shifts are necessitating a whole new way of thinking about identity management, and AD needs to catch up with the times. Without proper cleanup and consolidation of outdated AD architectures, organizations could face security and compliance risks.
Multi-Factor Authentication for all
The key to Active Directory (AD) security lies in balancing the need to streamline user access to maximize productivity against the need to protect sensitive data and systems.
The solution that most MFA vendors add to Active Directory relies either on user-managed passwords as the first factor or a certificate in the form of a smartcard. As we will show below, both approaches have significant drawbacks.
Identity Management with an Identity crisis
Passwords are fundamentally insecure. As high-profile credential dumps demonstrate, the password hygiene and awareness of business users leave much to be desired. Users stubbornly create easy-to-guess passwords and reuse them across multiple services. Moreover, social engineering and phishing attacks render password-based security virtually obsolete – users give their passwords away without even knowing that they do so.
Smartcards, for their part, have clear security advantages over password-only access. But the security provided by the smartcard comes at the expense of the user experience, and smartcards remain very expensive to maintain.
To really modernize Active Directory, one must think outside the box, removing the human factor from your network architecture altogether.
Bring Your Own Device (BYOD) + Password Rotation
Certificate-based authentication is another solution often offered as a way to modernize AD architectures. The main issue with the certificate authentication option of AD that many modernization projects rely on is that password-based systems (which legacy systems often are) do not accept certificates at all. So even when multi-factor authentication is enforced, a password stays at the center of it all.
That password needs to be maintained according to company policy, and the certificates need to be managed with ADCS (Active Directory Certificate Services).
Secret Double Octopus’ solution takes into account the complexity of Active Directory governance and management tools and leverages them to provide a modern solution, one that recognizes that on-premise applications require authentication modernization and that legacy on-premise applications are mostly password-based systems.
The new Octopus Domain Authentication replaces AD passwords altogether, taking password-based attacks out of the equation. At the same time, it improves the user experience by eliminating cumbersome authentication tools such as passwords and tokens.
Now organizations can achieve the highest levels of protection for their Active Directory network, without any of the security pitfalls of password-based systems.