Practice edit on JumpCloud's white paper re: Domainless Enterprise
In which I learn a boatload about Active Directory
Roadmap to Active Directory®'s Domainless Enterprise Model
Most IT organizations rely on Active Directory® to keep pace with their company's technological changes. Traditional Active Directory (AD) establishes an internal network, or domain, to secure on-premises resources and data.
As new technology emerges, IT admins must bolt more add-ons and identity bridges onto their AD instances, and the shift to remote offices demands still more of them to secure remote users. Each add-on and identity bridge raises AD's total cost of ownership (TCO), so the real TCO is considerably more than AD's upfront server and licensing fees.
AD can now be integrated with a cloud-based directory architecture, which can reduce that TCO. The cloud architecture extends AD identities to on-premise and remote resources alike, and it opens the path to a domainless enterprise.
AD’s domainless enterprise model is as seamless and secure as its internal network model.
What does this mean? Armed with this innovative cloud directory architecture, organizations can realize faster time to market, reduce labor-intensive deployment, and achieve flexibility and fluidity in responding to external pressures and market forces.
Organizations primed for this architecture include those that:
Have remote/distributed users or multiple offices
Want a lean, low-cost approach to their IT stack
Prioritize both agility and security
Choosing Active Directory's domainless enterprise model may ease your users’ transition to remote work. It can also position your organization for a more significant IT transformation without disrupting your current directory environment.
AD's Domainless Enterprise Model Roadmap in 7 + 3 Steps
We will go over the roadmap for what it takes to consider, decide, and move to the domainless enterprise model.
1. Take Stock of Your Existing Environment
In the traditional AD model, a typical stack layers Windows® systems, Azure® or AWS® for cloud infrastructure, and Office 365™ as the productivity suite on top of the domain. Admins then add further vendors for web application single sign-on (SSO), for managing Mac and Linux systems, and for connecting on-premise or remote users to the network over a VPN.
Although this combination works, it can be cheaper under the domainless enterprise model. These questions help you assess your existing stack's TCO and identify ways to reduce costs:
How many vendors do you currently manage?
How much do they cost each month?
Can you merge the vendors?
What AD maintenance costs have you budgeted for?
What expenses are on the horizon for server upgrades, maintenance, and licensing?
Can you support remote work and securely provision access with your existing combination of vendors?
The domainless enterprise model relies on a comprehensive identity bridge that lets you keep AD as the source of truth, consolidate vendors, secure all users, and add deep system management for every operating system.
2. Stand Up a Cloud-Based Directory Integration
The next step in moving toward the domainless enterprise model is to stand up a cloud-based directory integration. This integration runs parallel with AD, allowing you to import AD users into the cloud directory service and sync changes between the two.
You may find that AD plus the cloud directory is all you need, and that other vendors are no longer required for management or federation. By federating core AD identities to the resources AD struggles to manage, you can retire vendors and add-on solutions.
Vendor consolidation helps:
Reduce the risk of incompatibilities between products
Increase flexibility in responding to new challenges such as a distributed workforce
Reduce the number of solutions required to authenticate users securely
A comprehensive cloud directory solution enables you to manage many AD tasks from a web-based console. You will not need to be on-premise or use a VPN to connect to AD.
3. Identify Strategies to Track, Secure, & Troubleshoot Remote Systems
The next step is to track, secure, and troubleshoot computers wherever they are. Because a user's system is the gateway to every IT resource they're allowed to reach, you need to ensure it's correctly configured and continuously monitored. That matters most for remote users, and it will matter more if remote work becomes standard.
An OS-agnostic cloud directory extends AD identities to Windows, Mac, and Linux systems and takes on the remote system management tasks that AD cannot perform for machines outside the domain. You can use it to enforce security configurations such as full disk encryption or multi-factor authentication (MFA) at login across the whole fleet, and it returns telemetry about machine health and status.
Additional tools complement the cloud directory in managing machines wherever they are:
IT asset management system: Log laptops and other hardware, such as monitors sent home with users to equip their home offices.
Remote computer access software: Provides remote support and management of user systems, and lets users reach their office computers from outside the office.
Mobile device management (MDM) solution: Secures and manages mobile devices in tandem with the cloud directory's system management capabilities.
4. Secure Network Access
It's critical to ensure that network access itself is secure. With cloud RADIUS functionality, you can provision user access to the office Wi-Fi (802.1X / WPA-Enterprise) and to the VPN client using users' core AD credentials.
That avoids the usual pain of syncing a VPN appliance directly with AD. The cloud directory solution also layers MFA onto RADIUS: when users log into the VPN, they're prompted for a second factor such as a TOTP code. MFA is a critical line of defense for organizational access points; studies show it is effective against bulk phishing, bots, and even targeted attacks. One caveat: a TOTP code can still be relayed by a real-time phishing proxy, so phishing-resistant factors (FIDO2/WebAuthn security keys) are preferable wherever the VPN client supports them.
A secure VPN connection lets users reach the internal AD network while protecting their traffic when they work on an untrusted home or public Wi-Fi network.
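The second factor described above, as an added example that is not code from the white paper or from any vendor: an RFC 6238 TOTP generator and verifier using only the Python standard library. The shared secret is the RFC 6238 test-vector seed (a constructed value, not a real credential); the verifier accepts one 30-second step of clock drift on either side, compares in constant time, and refuses to accept a step that has already been used, which is the replay protection RFC 6238 requires of the validating side (here a RADIUS or VPN front end).

```python
"""RFC 6238 TOTP generation and verification, standard library only.
Added example; the demo secret is the RFC test-vector seed, not a real key."""
import base64
import hashlib
import hmac
import struct
from typing import Optional

# Constructed demo secret: RFC 6238 Appendix B seed "12345678901234567890",
# base32-encoded the way authenticator apps expect it.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, at // step, digits)


def verify_totp(secret_b32: str, code: str, at: int, last_used: int = -1,
                skew: int = 1, step: int = 30, digits: int = 6) -> Optional[int]:
    """Return the time-step counter the code matched, or None.

    - accepts `skew` steps either side of now to tolerate clock drift;
    - rejects any counter <= last_used so a captured code cannot be replayed
      (the caller persists the returned counter as the new last_used);
    - compares in constant time so the front end does not leak via timing.
    """
    if not (code.isdigit() and len(code) == digits):
        return None
    counter = at // step
    for c in range(counter - skew, counter + skew + 1):
        if c < 0 or c <= last_used:
            continue
        if hmac.compare_digest(hotp(secret_b32, c, digits), code):
            return c
    return None


if __name__ == "__main__":
    # RFC 6238 vector: T=59 gives 94287082 with 8 digits, so 287082 with 6.
    print(totp(DEMO_SECRET_B32, 59))
    print(verify_totp(DEMO_SECRET_B32, "287082", at=89))          # 1 step of drift
    print(verify_totp(DEMO_SECRET_B32, "287082", at=59, last_used=1))  # replay
```

The `last_used` bookkeeping is the part most home-grown verifiers omit; without it, a code phished a few seconds ago is still valid for the rest of the window.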
5. Secure SSO Authentication to LDAP & SaaS Apps
It’s essential that you have secure authentication mechanisms for each of your portfolio's applications. While that will look different for legacy and LDAP apps than for SaaS apps, a cloud directory solution can accommodate both.
A cloud directory integration that supports cloud LDAP, SAML, and other application authentication mechanisms lets you provision app access with the same core AD identities. Users then reach their LDAP apps and an SSO portfolio of SaaS apps with the same credentials they use for their other resources.
This can replace a standalone web application SSO product, because SSO is built into the cloud directory. Users access their web applications through a familiar and convenient portal.
MFA is critical to protect application access, too, so the cloud directory solution should enable you to require it at login.
6. Secure File Access
Cloud LDAP functionality lets you grant user access to network-attached storage (NAS) appliances, Samba file servers, and other resources that need a backing LDAP directory. Users reach organizational data with the same core credentials, even when working outside the office. Because an LDAP simple bind sends the password to the server, point these appliances at the directory only over LDAPS or StartTLS, never plain LDAP.
If you want to move more of your stack to the cloud, you can put cloud NAS solutions in place so employees can share files without maintaining on-premise infrastructure.
7. Automate & Streamline Provisioning Processes
Once you've implemented a cloud directory solution and secure authentication mechanisms for your IT resources, you can create automated workflows to provision users and perform zero-touch system deployments.
You can even integrate the human capital management (HCM) system. HR can create user identities in the HCM that translate into directory objects in the cloud directory service. Those directory objects will flow onward to AD and the other IT resources where they're needed.
The workflow looks like this: <HR System → Cloud Directory Service → AD & All Other IT Resources>
You can similarly automate de-provisioning when a user leaves the organization: suspend their access across the entire cloud directory environment, including AD, in one step.
Automated cloud provisioning and de-provisioning reduce manual data entry and let you manage every user lifecycle stage from any location.
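The HR → cloud directory sync described in step 7, and the "import users and sync changes" behaviour of step 2, come down to one reconciliation loop. The following is an added example, not the white paper's or any vendor's code: it treats the HR feed as the source of truth and produces an idempotent plan of create / update / suspend actions against an in-memory stand-in for the cloud directory. The record shapes, the `employee_id` join key and the `state` field are assumptions. Two practitioner choices are built in: records are joined on an immutable employee ID rather than email (so a rename updates rather than duplicates), and leavers or users that vanish from the feed are suspended, never deleted.

```python
"""HR-driven provisioning plan: reconcile an HR feed against a directory.
Added example; data and field names are constructed assumptions."""
from typing import Dict, List, Tuple

# Constructed sample data, not real people or real accounts.
HR_FEED = [
    {"employee_id": "E100", "email": "ana@example.com", "name": "Ana Ruiz", "dept": "eng", "status": "active"},
    {"employee_id": "E101", "email": "bo.lee@example.com", "name": "Bo Lee", "dept": "sales", "status": "active"},
    {"employee_id": "E102", "email": "cy@example.com", "name": "Cy Park", "dept": "eng", "status": "terminated"},
]
DIRECTORY = [
    {"employee_id": "E100", "email": "ana@example.com", "name": "Ana Ruiz", "dept": "eng", "state": "active"},
    {"employee_id": "E102", "email": "cy@example.com", "name": "Cy Park", "dept": "eng", "state": "active"},
    {"employee_id": "E103", "email": "dee@example.com", "name": "Dee Moss", "dept": "ops", "state": "active"},
]
SYNCED_ATTRS = ("email", "name", "dept")

Action = Tuple[str, str, Dict[str, str]]  # (action, employee_id, payload)


def plan(hr_feed: List[dict], directory: List[dict]) -> List[Action]:
    """Diff HR (source of truth) against the directory and return the actions needed.

    Running plan() again after apply_plan() yields an empty list, so the sync
    can be scheduled repeatedly without side effects.
    """
    hr = {r["employee_id"]: r for r in hr_feed}
    existing = {u["employee_id"]: u for u in directory}
    actions: List[Action] = []

    for eid, rec in hr.items():
        cur = existing.get(eid)
        if rec["status"] != "active":
            # Leaver: suspend rather than delete so audit trail and data survive.
            if cur is not None and cur["state"] == "active":
                actions.append(("suspend", eid, {}))
            continue
        if cur is None:
            actions.append(("create", eid, {k: rec[k] for k in SYNCED_ATTRS}))
            continue
        changed = {k: rec[k] for k in SYNCED_ATTRS if rec[k] != cur.get(k)}
        if cur["state"] != "active":
            changed["state"] = "active"  # rehire / reactivation
        if changed:
            actions.append(("update", eid, changed))

    # Accounts HR no longer knows about are treated as leavers, never as deletes.
    for eid, cur in existing.items():
        if eid not in hr and cur["state"] == "active":
            actions.append(("suspend", eid, {}))
    return actions


def apply_plan(actions: List[Action], directory: List[dict]) -> List[dict]:
    """Apply the plan to a copy of the directory. In production this is the cloud
    directory API call that in turn pushes the change down to AD and other resources."""
    users = {u["employee_id"]: dict(u) for u in directory}
    for action, eid, payload in actions:
        if action == "create":
            users[eid] = {"employee_id": eid, "state": "active", **payload}
        elif action == "update":
            users[eid].update(payload)
        elif action == "suspend":
            users[eid]["state"] = "suspended"
    return list(users.values())


if __name__ == "__main__":
    for step in plan(HR_FEED, DIRECTORY):
        print(step)
```

With the sample data the plan creates Bo, suspends Cy (terminated in HR) and suspends Dee (absent from the feed), and leaves Ana alone; a rehire shows up later as a single `update` that flips `state` back to active.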
+3 More Considerations
These considerations will help guide your process towards the domainless enterprise model:
1. Keep Security Front-of-Mind
If you plan to entrust core services to cloud service providers, first outline how you'll vet them. Best practices include:
Independent audits & assessments: Cloud service providers should have documented third-party assessments and penetration tests that substantiate their security practices.
Strong encryption: Organizational data should be encrypted at rest and in transit, with TLS on every connection and authenticated encryption for stored data.
Salt & hash passwords: Passwords should be stored only as salted, deliberately slow hashes (bcrypt, scrypt, Argon2, or PBKDF2), never reversibly encrypted and never as a plain fast hash such as unsalted SHA-256.
These practices help you keep the same tight security as on-premise environments as you extend into the cloud.
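What "salt and hash" means in practice, as an added example that is not code from the white paper or from any vendor: the fast unsalted hash that fails the check above, beside a PBKDF2-HMAC-SHA256 scheme with a per-password random salt, constant-time verification, and a rehash check so that the iteration count can be raised over time. The `pbkdf2_sha256$iterations$salt$digest` record format is an assumption chosen for this example; the 600,000 iteration count is OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256.

```python
"""Password storage: unsalted fast hash (the 'before') vs salted slow hash.
Added example; record format is an assumption, standard library only."""
import hashlib
import hmac
import os

ITERATIONS = 600_000  # OWASP Password Storage Cheat Sheet (2023), PBKDF2-HMAC-SHA256
ALGO = "pbkdf2_sha256"


def weak_hash(password: str) -> str:
    """Unsalted single SHA-256. Two users with the same password get the same
    value, and one precomputed table cracks every account at once. 'Before' only."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, slow hash. A fresh 16-byte salt per password means identical
    passwords produce different records and tables cannot be precomputed."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def _parse(stored: str):
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO or not parts[1].isdigit():
        return None
    try:
        return int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return None


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    parsed = _parse(stored)
    if parsed is None:
        return False
    iterations, salt, digest = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when the record is below current policy, so the login path can
    re-hash with the plaintext it just verified and upgrade the record."""
    parsed = _parse(stored)
    return parsed is None or parsed[0] < iterations


if __name__ == "__main__":
    print(weak_hash("hunter2") == weak_hash("hunter2"))   # same input, same hash
    a, b = hash_password("hunter2"), hash_password("hunter2")
    print(a != b, verify_password("hunter2", a), verify_password("hunter2", b))
```

The rehash hook is what keeps a password store healthy over years: when you raise `ITERATIONS` (or move to Argon2), nothing has to be reset, because each user's record is upgraded silently at their next successful login.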
2. Implement Security Procedures & End User Training
Especially if you have a mobile and remote workforce with laptops, establish clear organizational security procedures. Use regular security training to teach users, and remote and mobile users in particular, how to apply them. This includes:
How and when to use the VPN
How to secure their home Wi-Fi networks
Good password hygiene
Limiting work to managed devices (and keeping personal browsing on personal devices)
These practices help users work securely no matter their work location.
3. Plan for the Future
The above steps will help you respond in the short-term to urgent public health concerns in your community while maintaining business continuity and security. In the long-term, these steps can prepare you to move beyond the in-network domain. With a cloud directory integration running parallel to AD, you can begin to shift your organization's workflows to the cloud.
Circumstances such as a failed domain controller or a merger might prompt a move away from AD, and you'll be better prepared if they do. In a fully domainless enterprise, admins secure every user and device from the cloud.
At JumpCloud®, we help organizations navigate the current transition to remote work and strategize about becoming more cloud-forward in the future. Our cloud directory platform is built just for those purposes, and we want to share that vision with you. Learn more here about moving off-premise in the domainless enterprise.