When you start to think about how to manage the modern IT environment, it can be a little daunting. As discussed in the previous installment of this series, "Modern IT Infrastructure", not only is there a multitude of solutions out there, but they are exceedingly becoming less and less Microsoft centric. You can find out why in the first part of this series, "How Microsoft Lost Touch with Modern IT."
The good news is that the fundamental shifts that we are seeing in the IT landscape are helping move the industry into a new, open, and vendor-neutral paradigm. Many new management tools have been created that account for this modern heterogeneous infrastructure in just about every way – platforms, protocols, providers, and locations.
Typically, these management tools need to focus on two key items: user access, and the IT resources they can connect users to. Both of these items need to be managed, and often-times they need to be managed in conjunction with each other. Users need to be able to access the IT resources wherever they are in order to do their jobs, and those IT resources need to be available, reliable, and secure. At a very basic level, that is what modern IT organizations are now focusing on and ensuring as their new charter. Previously, IT organizations would focus on the acquisition, installation, and on-going management of solutions directly under their care. A shift has occurred resulting in IT focusing on end-user access and ‘delight’, solution availability, and security. These new focuses are now the key drivers of IT success.
In the following sections, we’ll dive into the approaches and tools that IT organizations can leverage to support a modern, Microsoft-less enterprise. Fundamentally, the approaches that we’ll discuss here are largely cross-platform, driven from the cloud, and are built for on-prem and cloud-based setups.
Living at the epicenter of IT’s architectural landscape is their identity management platform. This system connects users to the IT resources they need by authenticating and then authorizing their access. The result is that the organization can control who has access to what via their identity management system. Today’s networks have applications and data being generated from every part of the organization, and they are living both in the cloud and on-premises (e.g., a MacBook). Much of that data is confidential and proprietary to the business, and the majority of it should not be accessible across the entire user population.
But, Active Directory isn’t excelling at identity management in this modern, cloud-based IT environment.
Reacting to a trend of critical infrastructure moving to the cloud, and a need to solve the heterogeneity IT organizations desire, a new generation of technology defined as “cloud identity management systems” have decided to take the next step. This new category of IAM solutions can be stratified into various subsets of the identity management paradigm, from multi-factor authentication solutions, single-sign on solutions, and password managers. Much like AD is the ‘core’ for legacy identity services in an organization, a modern cloud-based ‘core’ service is known as Directory-as-a-Service® (DaaS). DaaS exists as an authoritative cloud-based identity management solution, securely hosting an organization’s user accounts and credentials in the cloud. These identities can act as the central authentication for their employees, contractors, vendors, partners, and others such as service accounts. The cloud directory is built to securely connect users to the IT resources they need, including systems, applications, data storage, and networks, regardless of whether they exist in the cloud or on-prem (e.g. hybrid environments).
The difference between a modern cloud identity management platform and Active Directory, its legacy counterpart, is really a microcosm of the entire change in the IT industry over the last two decades. Directory-as-a-Service is delivered as a SaaS-based solution, and IT organizations only pay for what they need and use. The cloud directory is designed to be agnostic to any operating system or resource, ensuring flexibility and choice by the IT administrator to select what is best for their organization’s efficiency, security, and productivity. It also doesn’t discriminate between on-prem, cloud, or remotely located IT resources, meaning that there are no VPNs required. Other key benefits for IT organizations include a high-level of security, and the obviation of the IT staff to budget for availability/uptime, scaling, and ongoing maintenance.
For the Microsoft-less Enterprise, the ability to control user access in a similar manner as Active Directory does not change by virtue of their choice to move resources to the cloud. In fact, it can’t. Role Based Access Control (RBAC) – at least in its simplest form – is an immutable fact of life for IT admins, and remains critical to security and employee productivity. In fact, we might argue this is the most critical component to put in place when shifting to an IT environment that is being constructed, or evolved, without Microsoft Windows or Active Directory. Putting a cloud identity management system in place is an enabler for IT organizations to take the next steps in being able to deploy and manage a Microsoft-less environment.
Many have suggested that with the cloud, an end user’s system is not important. In fact, a user’s machine can be treated as a dumb terminal since the only application that is being utilized by the employee is the web browser. What is old is new: welcome back to the 1996 world of thin-client computing.
Modern IT admins know this is hardly the truth. Now more than ever, strong system management tools are needed that can provide utility across all operating systems. As discussed, employees are now leveraging all three major operating systems: engineers are using Linux, sales and marketing are on Mac, and the base of finance personnel are leveraging Windows. More data is being accessed and often downloaded onto machines than ever before with web sites, emails, and attachments all posing significant security risks. Systems are also more mobile than ever. Most users now leverage a laptop that is taken with them and, regardless of IT’s requests for ‘business use only’, these systems are commonly used for both personal and business reasons. Securing those devices and being able to remotely manage them is critical.
Fortunately, a new generation of system management tools has started to emerge aimed at the Microsoft-less enterprise.
One such example of this is Jamf, an Apple-centric systems and device management solution. Jamf enables IT admins to easily manage and control Apple devices including provisioning, securing, and updating them. With many modern organizations being 100% Apple based, Jamf can be an excellent management tool and easily support an organization’s desire to move away from Microsoft.
For those environments that are mixed with Linux, and potentially even Windows, cloud systems management solutions such as Automox can be leveraged. Automox is useful for patching and software management, replacing in most ways Microsoft SMS or SCCM. Lastly, for policy governance and controlling the behavior of these cross-OS system endpoints, Directory-as-a-Service, previously discussed in the cloud identity management section, is an alternative to Microsoft Active Directory’s Windows-centric GPOs.
Efficiently managing systems has been one of the most important reasons why IT organizations have resisted moving away from Microsoft. The belief was with one platform it would be easier to manage. That’s no longer a reality today, and these system management solutions are a key reason why.
iOS and Android devices are a major part of any organization today. Virtually all business professionals have a smartphone where they are doing significant amounts of work. Controlling and securing those devices is critical to any modern IT organization.
Microsoft’s lack of a mobile platform makes it easy to not worry about their solutions having tight integration and benefits. Unfortunately, neither Apple nor Google have made any significant steps in the direction of a full-fledged mobile device management solutions.
Again, there are a number of excellent third party management tools available to IT admins. Jamf has spent a great deal of time perfecting their mobile device technology for iOS devices. For those that also have Android devices to manage, a number of other MDM platforms are available including Airwatch and MobileIron. Many of the MDM solutions have been on-prem pieces of software, but there are cloud providers emerging as well. As mobile devices become more critical to professionals, they are a key IT resource to be managed and controlled.
With so many different types of systems and platforms in use today, a key concept that has emerged is True Single Sign-On™. The historical context of Single Sign-On (SSO) was intertwined with one specific resource: a web-based application. Now, end users have a variety of different IT resources that they need to access including the system, their wireless access, on-prem applications, and more. When each of these resources have separate logins for each one, it can add a great deal of friction and frustration, along with security concerns.
The Microsoft domain controller concept had solved this issue with a single sign-on approach, but only because virtually all of the IT resources were Windows-based and on-prem. A user could simply log into their Windows machine, and that would authenticate them into whatever IT resources on the network they needed to access. This was largely accomplished by the Kerberos protocol, which is inherent to the Windows OS when connected to its domain. Although today’s IT networks aren’t the same, end users prefer the same front end experience, and savvy IT admins are interested in providing them that.
The trick, of course, is that with a wide variety of platforms created by disparate vendors, as well as disparate locations of the IT resources themselves, creating the concept of True Single Sign-On isn’t easy. First generation Identity-as-a-Service providers tried with web applications and the widely leveraged “SAML” protocol, but that left out a great deal of IT resources including systems, cloud servers, storage systems, legacy applications, WiFi networks, and more. These early SSO innovators instead focused on the growing number of web apps users required access to, and provided SAML to give them one set of credentials to all of their apps. However, the result of all of these web apps emerging was that their solutions ended up being a layer on top of an organization’s primary directory, most often Active Directory. Therefore even SSO became predicated on Microsoft - an unfortunate change when companies were attempting to be ‘Microsoft-less’.
Fortunately, next generation cloud identity management solutions have picked up where these first generation IDaaS solutions left off, and they have extended the concept of single sign-on to all of the other IT resources. In fact, Directory-as-a-Service can even leverage credentials from productivity solutions such as G Suite or Office 365, and federate those identities to the other IT resources that those users need access to including their laptop or desktop, cloud servers hosted at providers such as AWS, legacy on-prem applications, NAS appliances and file servers, WiFi, and more. Securely leveraging True Single Sign-On capabilities can be a significant productivity enhancement for end users, and at the same time mean greater control for IT.
In a Microsoft-less Enterprise, creating True Single Sign-On picks up where the Microsoft domain controller left off and extends that capability to other platforms and providers.
Managing the modern network is also an interesting challenge. No longer is the network full of equipment, but rather it primarily includes two commoditized and simple to manage devices: a wireless access point and a switch. It’s far simpler to manage architecture when the overhead of the various networking equipment is removed from the equation.
One of the leaders in the network management space has historically been Cisco. Even though initially less of their switches and routers were being purchased by modern organizations, through the acquisition of Meraki they now sell a great deal to the modern enterprise. As a result, a key piece of the next generation of network management has been the ability to manage these WAPs remotely from the cloud through progressive web-based consoles. In response, a number of networking providers are shifting the ability to manage networks from cloud-based tools as well, in reaction to Meraki’s success in blazing this trail.
This shift has resulted in open source solutions popping up as well. There are many open source network monitoring solutions out there, and they are built for the organizations with a desire for the software but without the budget. With tools like Icinga 2, Nagios Core, and Zabbix to name a few, there are plenty of options for those looking to pay less and have more customizables.
Historically, a number of the tools to build and manage the network came from Microsoft. Today though, many of these solutions are open sourced or available from a new generation of providers like Cisco Meraki.
The modern IT environment is changing. What used to be delivered by Microsoft and was localized to the organization’s facility, is now a mixed environment with both cloud and on-prem resources. Interestingly, many organizations are moving away from Microsoft technology altogether.
The challenge for IT admins in this environment is figuring out how they can manage these resources. As mentioned, in the past management tools were based around the Microsoft Windows platform, but as Mac and Linux devices make inroads, data centers shift to AWS, and the productivity platform moves to G Suite or Office 365, a new wave of solutions for management becomes necessary.
The management of modern IT environments needs to focus on two areas: users and the IT resources those users need to access. Users need to be provided seamless and easy mechanisms to access IT resources, and IT admins need to be assured of their security. For IT resources such as systems, applications, data storage, and networks, being able to ensure their availability, reliability, and security is of paramount concern.
To control user access, Directory-as-a-Service is replacing the legacy Microsoft solution, Active Directory. As a cloud identity management platform, Directory-as-a-Service securely manages and connects user identities to those IT resources users need, regardless of platform, protocol, provider, or location. Check it out by signing up for one of our demos, where you can see the product in action and ask questions along the way. Alternatively, you can sign up for a free account and try it out for yourself. We offer your first 10 users free forever, with no credit card required, so there’s no reason not to give it a shot. Check the cloud-based directory out, and see why the future of directory services is Microsoft-less and in the cloud.
Find out what JumpCloud’s Directory-as-a-Service can do for your company’s IT infrastructure. DaaS enables IT organizations to employ the full extent of the cloud. Drop us a note at [email protected] to learn more.
JumpCloud®, the first Directory-as-a-Service® (DaaS), is Active Directory® and LDAP reimagined. JumpCloud securely manages and connects employee identities to IT resources including devices, applications, data, and networks. Try JumpCloud’s cloud-based directory free at JumpCloud.com or contact us at 855.212.3122.