Organizations have traditionally leveraged Microsoft® Active Directory® (AD) for managing access to their IT resources, including their on-prem or collocated data centers and server infrastructure. AD has historically been the source of truth when it comes to who has access to what IT resources, including systems, servers, applications, data, and the network. An organization’s server infrastructure was generally “local” to a domain, either by sitting within the domain proper in an on-prem data center or by reaching it over a VPN from a third-party data center. With Active Directory, direct local access was a requirement.
As cloud infrastructure – otherwise known as Infrastructure-as-a-Service (IaaS) – has gained tremendous popularity, the dynamics of managing server user access have changed. Servers are no longer “local” to the network structure. In fact, these days there may not be any infrastructure on-premises at all. It may be hosted at Amazon Web Services® (AWS), Google Cloud Platform®, Microsoft Azure®, or another cloud provider. This inherently creates significant problems for system administrators and DevOps engineers. They are faced with a choice: accept a significant security risk, or take on dramatically more work. Alternatively, they can opt to spend significant money to purchase and manage a secondary enterprise identity management solution.
We’re here to offer a new way forward. The modern ops approach leverages an identity bridge that can extend Active Directory to AWS, while maintaining AD as the authoritative source of truth.
Let's start by taking a look at some of the less-than-perfect solutions that have traditionally been available to system administrators:
As more organizations shift to cloud infrastructure hosted at providers such as AWS, it is critical to understand the core problems with connecting identities and access to these off-prem cloud resources. Some of the main focal points are:
As IT and DevOps organizations aggressively leverage AWS and other IaaS infrastructure, the previous approaches all have too many drawbacks to be viable solutions. Innovative organizations are smartly and securely extending their on-prem Active Directory identities to their IaaS platforms via a cloud identity bridge.
In this scenario, the on-prem Active Directory instance continues to serve as the directory service of record, with all identities stored within AD and updated there. From this core, authoritative identity provider, an identity bridge is leveraged to federate identities to a cloud-hosted directory service. That cloud identity provider then controls user access to the cloud infrastructure, which may reside at one or several different IaaS providers. Additionally, this cloud identity bridge can also control access to other IT resources that are not Windows-based or AD-bound, including Macs, web applications, WiFi access, and cloud storage systems.
A diagram of JumpCloud’s AD Bridge is below:
The implementation and management process of a cloud identity bridge is quite simple. Lightweight agents are installed on the on-prem domain controllers and on the cloud servers. Those agents securely communicate with the cloud-hosted directory service. All changes within AD are automatically replicated to the SaaS-based user management service as well as to the cloud server infrastructure. No management and maintenance work is needed. IT admins and DevOps engineers simply assign which users should have access to what – and AD Bridge does the rest.
There are a number of benefits to the cloud identity bridge model relative to the other options and approaches that IT and DevOps organizations have.
Identity management is a key part of any IT infrastructure, and when thinking about leveraging cloud infrastructure such as AWS, IAM concerns abound. To address these concerns, innovative organizations are using this cloud identity bridge approach to enable their cloud transformations and shift to the online world. By implementing this method and using an elegant, cloud-based identity bridging approach, your IT organization can easily and safely unlock the cloud as well.
Find out what JumpCloud's AD Bridge functionality can do for your company. As a comprehensive cloud directory service and identity bridge, Directory-as-a-Service can help you leap to the cloud.
JumpCloud®, the first Directory-as-a-Service® (DaaS), is Active Directory® and LDAP reimagined. JumpCloud securely manages and connects employee identities to IT resources including devices, applications, data, and networks. Try JumpCloud’s cloud-based directory free at JumpCloud.com or contact us at 855.212.3122.