Easily Managing User Accounts on Your Cloud Servers
How modern IT and ops teams leverage their existing LDAP/Active Directory for their IaaS
How Did We Get Here?
How the move to IaaS has created problems for traditional user management

Organizations have traditionally leveraged Microsoft Active Directory (AD) or the Lightweight Directory Access Protocol (LDAP) for managing access to their on-premise server infrastructure. LDAP and AD manage things like who has access to what on an organization's infrastructure. All servers, including file and print servers, would be actual hardware units located on-premise within a server closet, or, if the organization was large enough, in its own data center. It was generally straightforward to make LDAP and AD talk to those servers since everything was local or within the domain.

In recent history, cloud infrastructure, or infrastructure-as-a-service (IaaS), has started taking charge. The shift from on-premise servers to cloud-based infrastructure is changing the dynamics of managing user access. Servers are no longer local to the network. In fact, these days there may not be any infrastructure on-premise at all; it has been replaced with web-based hosting services like Amazon Web Services (AWS), Rackspace, SoftLayer or a similar cloud or hosting provider.

This inherently creates significant problems for IT administrators. For example, they are faced with a choice between accepting a significant security risk, taking on much more work in order to secure their infrastructure, or spending a significant amount of money on an enterprise identity management solution.
Traditional Solutions Don't Fix the Complex Problem
Traditionally, IT admins have had some less than perfect solutions to this problem

Manually managing cloud server accounts

Many IT admins choose perhaps the simplest way out of this predicament: manually create, manage, and delete users on their cloud servers. They'll be notified (generally via email) of who requires what access to the cloud servers, and they will manually provision and manage those users on the cloud servers. This entails the following:

- Logging into the servers themselves
- Managing the user creation
- Account and user modifications
- Handling the termination process
- Communicating with the user (generally insecurely)

As the number of servers and users grows, this tedious process presents significant challenges around tracking access. Adding capabilities such as multi-factor authentication also becomes problematic, as those solutions can be painful to configure on a case-by-case basis. Finally, when using AWS, many IT admins simply use a single ec2-user account for access, largely because it's easier, and thereby lose any on-host auditing capability.
Leverage configuration management tools

In recent years another user management paradigm has emerged: leveraging configuration management tools, such as Chef, Puppet, Ansible, Salt, CFEngine, or others, to add and remove user accounts across servers en masse. With just a few users and very simplistic access rules (for example, all users have access to all servers), this can be a panacea. It's quick, easy, inexpensive, and reasonably maintainable. But smart admins know this isn't the right way to solve the problem. As organizations grow, they quickly hit a barrier: it can become maddeningly complex to manage large numbers of users with complex access rules, and IT admins become burdened with the time-consuming task of updating code every time access roles change, with no easy way to off-load what should be a purely administrative task to someone with less training.

Expose LDAP or AD to the Internet

Another option often considered by IT admins is to expose LDAP or AD to the Internet and let the servers talk directly to the user directory. Through additional security and configuration, the LDAP or AD servers can be locked down to only talk to certain servers. Depending upon the network architecture and growth of servers, this may or may not be an option. If it isn't, then the user directory store is available to be queried by anybody on the Internet.

Stand up an entirely new LDAP or AD instance in the cloud

For some organizations, a viable option is to create another directory store. Generally this involves standing up a new instance of AD or LDAP in the cloud. This works well if the cloud setup is logically in a Virtual Local Area Network (VLAN) or equivalent enclave where the directory server can talk to each of the servers. Additionally, the cloud directory store needs to be synchronized with the main user directory or manually updated. This creates an extra layer of work for IT admins, but does give them the ability to manage users for their cloud servers via either LDAP or AD.

Implement an enterprise identity management solution

Other organizations choose to either leverage an existing enterprise-class identity management solution or purchase one to manage their cloud servers. Generally, this approach involves installing the solution on-premises, connecting it to the main directory store, and then installing agents on each device that needs management. Often, this is implemented with the help of the vendor's professional services. The benefit of this type of solution is that it can also be leveraged for internal desktops and servers. Some solutions also include mobile device management capabilities. For management of cloud servers, agents are installed on those servers and those agents talk back to the solution's server located on the customer's premises. A central console lets the admin track and manage users across all of the servers. While an excellent solution, this approach is too costly for most organizations leveraging the cloud today.
The Main Problem with Traditional Solutions
Understanding the problem is the key to discovering new ideas. Here are 4 important problems:

Only one directory of record

It is critical for organizations to have only one source of truth for users on the network. As you can imagine, multiple directories or manual management can easily cause conflicts and issues. The manifestations of problems in this category can be catastrophic. Imagine what could happen if a terminated employee still had access to critical servers because there wasn't an in-sync directory mapping users to server access. The less catastrophic and more mundane consequences of multiple directories are an additional layer of work and complexity. As the organization grows, the complexity will increase.

While maintaining multiple disparate directories is never a good idea, the practice has been driven by very real, and in some cases seemingly insurmountable, technical issues. LDAP does not by default share the same schema as AD, so extra effort must be made to have Windows clients authenticate against LDAP. Making one directory drive an entire organization is not a trivial task, so many organizations opt for two directories: one AD (usually the primary directory, because of its superior management UI) to cover the Windows hosts, and a slave LDAP server to cover everything else.
Network configuration/security exposure

The move to the cloud for many companies is an acknowledgement that networking and network-related configuration aren't an effective use of their time. Unfortunately, exposing your directory store to the Internet or standing up an additional directory store in the cloud each come with network configuration requirements. You'll need to walk carefully through the right access controls to make sure that all of your machines can talk to each other properly: setting up the correct firewall configuration, ensuring proper routing, configuring any necessary VPN connections, and dealing with SSL certificates and configurations. While not impossible, it is an added task that most organizations moving to the cloud would rather avoid.

Reliability issues

A number of these solutions can have reliability issues. Manually managing user access is subject to human error. Did every person get the access that they needed, or did they get too much access? Creating additional directory servers in the cloud starts a whole additional chain of work. Directory servers need to be highly available, and downtime can mean your users can't do their work. Exposing your directory server to the Internet can invite attacks, or make it subject to Internet connectivity issues between your cloud servers and your directory store. You'll need to address those issues either through load balancing or increased capacity.
High Cost

Traditional solutions to server directory problems are expensive for organizations, whether from a monetary standpoint or from a time and resources perspective. Any way you cut it, managing users across your organization is often not a core competency. It needs to be done well and securely, but the cost of having resources focus on this task instead of core tasks can be high.
A Modern Ops Approach to this Problem
Here's how innovative organizations are smartly and securely extending their AD and LDAP user stores to their IaaS

The most efficient and complete way to tackle server access, privacy, and security issues is to establish a central user directory internally, with either LDAP or AD. The directory store becomes the one directory of record. From this central directory, organizations create a bridge to their cloud server infrastructure. That infrastructure may be at one or a number of different IaaS providers.

Because many servers are located remotely, businesses need a simple way for each server to know who needs to have access to it. Innovative organizations will leverage a SaaS-based cloud user management service. The user management service will sync the users with the internal LDAP or AD directory. From there, a lightweight agent is generally employed on each server. In this way, the right users are provisioned and managed on each server virtually automatically.

[Figure: Extending LDAP/AD to the Cloud. The organization's on-premise LDAP/AD directory is bridged through a SaaS user management service to Linux and Windows servers running in public cloud, private cloud and colo environments.]
Cloud-based solutions solve the most complex problems

No network configuration required

Agents installed on each server communicate securely with the cloud-based, SaaS user management service. The LDAP and AD agents manage all users, keeping them in sync without opening firewall ports or exposing your core directory to the Internet.

Increased security

With a cloud-based solution you don't have to expose your central directory to the Internet, and all of your users are continuously kept in sync. Additionally, you can be assured that user access to your server infrastructure is tightly controlled. The number one risk for any organization is from compromised user accounts, and keeping only the right users on every machine is critical.

Little to no additional administration

Because your users are kept automatically in sync and your group tags are replicated to your cloud infrastructure, there is very little additional work to be done by IT admins. They are responsible for creating accounts and providing privileges once. From there, the system does the work of securely replicating that information and creating the right access.

The cloud-based directory is the approach that modern organizations are employing to manage and secure access to their cloud server infrastructure. It's a vexing problem without the right approach, but by leveraging an elegant cloud-based, SaaS user management bridge, they can make quick work of it.
Looking for more information?

Find out more about what JumpCloud's Directory-as-a-Service can do for your company. For additional reading, blog updates, and the latest news, please visit our blog.

About JumpCloud: JumpCloud, the first Directory-as-a-Service (DaaS), is Active Directory and LDAP reimagined. JumpCloud securely connects and manages employees and their devices and IT applications. Try JumpCloud's cloud-based directory free at jumpcloud.com.