When Active Directory And LDAP Aren't Enough

Cloud and mobile pose problems for most enterprises' centerpiece identity and access management technology

Dark Reading Staff, Dark Reading

March 22, 2013

6 Min Read

Scalability, tight coupling with Microsoft infrastructure, and ease of management in the on-premises world all contributed to catapulting Active Directory and the associated LDAP protocol into the centerpiece of today's typical enterprise IAM strategy. However, with new mobile platforms diversifying the operating system ecosystem, SaaS applications proliferating by the day, and hybrid cloud approaches fast becoming de rigueur, Active Directory and LDAP are starting to show their limitations.

According to Todd McKinnon of IAM start-up Okta, the sustained and pervasive success Active Directory has achieved so far can be largely attributed to Microsoft's tying everything together in such a neat bow.

"Why do people use AD? Because it's your network authentication, because it was the Exchange database for users. If you wanted to do permissions on who can share files on the fileserver, it was the database for that. If it was for printers -- it was the database for printers," he says. "That's why people use it. It's an infrastructure thing. It's behind the applications."


Even in the cloudless world dominated by the data center, AD had its limits.

"One of the misconceptions is that everything in the old world was integrated from an identity perspective. It really wasn't," says McKinnon. "You have Active Directory that [did] a really good job with Windows clients, Windows servers, Exchange, file and print. Then you have LDAP, and a lot of people use that for big scale e-commerce sites and databases around that. But this concept that in a large company a lot of the identities were integrated is not true."

Just look at the number of enterprise project disasters around bringing internal applications under a single AD source for proof, says Nishant Kaushik, chief architect at Identropy.

"IAM is littered with failed attempts at rationalizing all internal application development against [a] single AD source," Kaushik says.

Many organizations looked to kill two birds with one stone by repurposing user identity stores they've managed and curated for their internal environment and applying them to in-house custom applications, Kaushik says. However, most of those deployments ended up going bad.

"The reason is because the model that was put into Active Directory was highly optimized and tuned for AD's primary purposes, which was managing their network infrastructure and Windows environment, Outlook, and stuff like that," he says. "The minute you decide to add in application-specific stuff into that, all of a sudden the performance and the tuning stuff that had happened starts to fall apart."

In today's changing IT environment, relying primarily on AD to do the heavy lifting of identity management is just going to get harder. According to McKinnon, there are a number of challenges standing in the way. No. 1, the alternatives to Windows fileservers are drastically changing the collaboration landscape -- just look at the traction Box and Dropbox have gained in the enterprise for evidence of that. As a corollary, challenge No. 2 is that people are moving their collaborative email infrastructure to the cloud.

"When you move that to the cloud, you by definition are decoupling it from close proximity to AD," McKinnon says. "That's true whether it's something like Gmail or Office 365; if you look at how Office 365 gets connected to AD, it's not tightly coupled."

The loose coupling gets even looser when you consider the rapid addition of mobile devices that are outside of the Microsoft ecosystem.

"Companies are doing fewer big deployments of Windows, and if you're looking at what's happening on the client-side of the network, Microsoft dominance on the client is changing dramatically," McKinnon says. "Eighty percent of the reason people use AD is because they logged on their PC to the domain. And now half the devices on the Internet aren't even Windows devices."

And that's just the pressure on the front end. On the back end, cloud and SaaS applications are also pulling apart the AD coupling that worked so well in the data center-centric world -- this in spite of the fact that so many SaaS and cloud vendors purport to have AD integration.

"Every SaaS vendor of note that's trying to penetrate the enterprise has built-in support to integrate directly with AD. That's a technology-oriented integration that completely leaves out the process that is needed to actually manage AD cleanly," Kaushik says, explaining that the same application-centric problems of yesteryear are just magnified in the SaaS environment.

One big problem in the new cloud and SaaS model is the hierarchical nature of LDAP, says McKinnon.

"There's root and children. What people are realizing now is that it's not strict hierarchy in relationships anymore," McKinnon says. "When you have more of these B2B, cross-application modern relationships, you need more of a graph -- like Facebook's API shows us. It's not like there are your friends and my friends, and my friends are a subset of yours. It's the same in business. There are my partners, and my partners have partners."
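To make the tree-versus-graph distinction concrete, here is an added illustration (not code from the article or from Okta): a strict LDAP-style directory, where every entry hangs under exactly one parent and a subtree search is a walk up that single parent chain, next to a partner graph in which an organization can be reached from several others. The DNs and partner names are constructed sample data.

```python
"""Added illustration: why a single-rooted LDAP tree cannot express
'my partners have partners'. All names below are constructed samples."""
from collections import deque
from typing import Dict, Optional, Set

# Constructed LDAP-style directory: each entry has exactly one parent.
DIRECTORY = [
    "dc=example,dc=com",
    "ou=partners,dc=example,dc=com",
    "o=acme,ou=partners,dc=example,dc=com",
    "o=globex,ou=partners,dc=example,dc=com",
]

def dn_parent(dn: str) -> Optional[str]:
    """The parent DN is what remains after the first RDN; the root has none."""
    parts = dn.split(",", 1)
    return parts[1] if len(parts) == 2 else None

def in_subtree(entry: str, base: str) -> bool:
    """Emulate an LDAP subtree-scoped search: an entry is visible under `base`
    only if `base` lies on its one and only chain of ancestors."""
    node: Optional[str] = entry
    while node is not None:
        if node == base:
            return True
        node = dn_parent(node)
    return False

# Constructed B2B relationships: undirected edges, no root, no single parent.
PARTNERSHIPS = [("example", "acme"), ("acme", "initech"), ("globex", "initech")]

def partners_within(org: str, hops: int) -> Set[str]:
    """Breadth-first walk over the partner graph, up to `hops` edges away.
    'initech' is reachable from both 'acme' and 'globex', which a tree
    (one parent per entry) cannot represent."""
    adj: Dict[str, Set[str]] = {}
    for a, b in PARTNERSHIPS:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {org}, deque([(org, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth == hops:
            continue
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    return seen - {org}
```

A subtree search from one partner's entry never reaches another partner's entry, while the graph walk reaches a partner's partner in two hops.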

According to Phil Lieberman of Lieberman Software, in spite of AD's supreme scalability, the problems McKinnon identifies contribute to LDAP's lack of viability as an authentication method organizations can use in the cloud.

"That's not necessarily what they might want to use, and so this brings up the question of federation," says Lieberman, pointing to rumblings of using a mechanism like a Facebook log-in to tie together access to enterprise cloud resources.

He says at the moment he has a bet going with Gartner analyst Lawrence Pingree that enterprises won't be able to make that happen.

"I think the big question is authorization," he says. "Facebook or one of the other identity providers can authenticate. The problem is that LDAP provides authorization, too. If you can't provide authorization, what is the point?"

According to McKinnon, Microsoft isn't tone-deaf about the challenges facing AD in the cloud. Those challenges are why the company has turned some of its brightest minds toward developing Windows Azure Active Directory. However, there are challenges with its approach so far.

"One thing is that they're not bundling it tightly to the on-premise infrastructure, which is a challenge," he says. "And, two, is that the API isn't LDAP, which is really different. The reason why is that things are more disconnected, and a tightly coupled protocol is too latent and isn't the right level of granularity for what you need in the cloud."

Ultimately, the chaos is breeding a whole new niche in Identity as a Service (IDaaS) that's being tightly contested by vendors like Okta and Identropy and others like Centrify and Symplified. It's an exploding market that Gartner says will make up a quarter of all new IAM sales by the end of 2014 and 40 percent by 2015, as compared with just 5 percent last year. But in the interim, McKinnon says some order even among those players needs to be struck.

"We're going to be making more noise about this, but we think there's a new protocol that's needed," McKinnon says. "It's a new API -- a new protocol for directory services in this new world."
