Active Directory Needs an Update: Here's Why
AD is still the single point of authentication for most companies that use Windows. But it has some shortcomings that should be addressed.
Tried and true, Active Directory has been managing permissions and access to networked resources for decades. It's a system that has weathered storms — cyber, organizational, and competitive — and has remained the backbone of most IT environments.
AD remains the single point of authentication and authorization for most companies that use Windows networking products or operating systems. It controls access to all critical resources, and it's the linchpin for any major project or initiative. And that remains true even in an era when more companies are leveraging the cloud and supporting a mobile-first approach.
The Cloud, On-Premises, and the AD Identity Crisis
One of the secrets of AD's longevity has been its ability to evolve in response to new needs and challenges. As such, the topic of "the need for Active Directory modernization" has become a major point of IT industry discussion in recent years. AD has been accused by some of having an identity crisis (pun intended), although there are almost as many opinions on how to solve that crisis as there are users of AD.
With that, there are three issues that need to be addressed for AD to serve the next generation of computing:
Issue 1: User management in multiple environments. IT systems today are made up of a combination of environments and platforms, both on-premises and cloud-based, and users access them using a variety of methods, from desktops and laptops to mobile devices and virtual desktop infrastructure (VDI). To manage authentication across environments, organizations use the Azure Active Directory (AD) Connect management tool that connects on-premises identity infrastructure to Microsoft Azure Active Directory.
However, the security controls on Azure Active Directory are different from those of on-premises AD deployments; Azure AD, for example, supports multifactor authentication (MFA), while AD does not natively support MFA. So why not just switch to Azure AD? Because, as Microsoft says, "Azure Active Directory is not designed to be the cloud version of Active Directory. It is not a domain controller or a directory in the cloud that will provide the exact same capabilities with AD." Clearly, an update to AD is needed.
Issue 2: Security. Azure AD has the right idea; MFA is more secure than the Kerberos-based single sign-on (SSO) authentication used by AD. AD users have the option to implement MFA — but not in hybrid environments, where SSO is in control and gives users access to online resources. With the threat landscape so vast — and increasingly lethal — today, the need for multiple authentication factors is a must both for cloud-based systems and on-premises systems.
Issue 3: Regulations. One major factor that demands an AD update is the increasing security requirements of regulatory bodies. Increasingly, regulators are requiring that online services utilize MFA. Previously, customers would ask about Active Directory modernization when they needed help with AD migration, consolidation, or restructuring. Today, with data breaches wreaking havoc, the push for AD modernization is converging with the need for strong cybersecurity.
The Drive for Digital Transformation Makes AD More Important
All these factors play into the need for AD modernization. The popularity of AD has become its own Achilles' heel; because companies relied so strongly on it during the on-premises computing era, they built their entire IT infrastructure around it. Now, as data, services, and activity move to the cloud, there is a "disconnect" between the authentication methods used by organizations and the authentication requirements for online services, whether they're required for the security of the service or by regulators.
Many AD infrastructures are 10 to15 years old and have grown significantly over time. Those relying on AD have learned that these early deployments are often ill-equipped to meet the needs of today's technologies and business demands; this is especially true for large organizations with complex infrastructures. Without proper cleanup and consolidation, organizations could face security and compliance risks once they get to the cloud.
Identity Management with Identity Crisis
The key to AD security is balancing the need to streamline user access to maximize productivity against the need to protect sensitive data and systems from both accidental and deliberate privilege abuse.
But AD authentication is limited to either passwords or smart cards, which carry respective drawbacks. Passwords, of course, can be lost, forgotten, and of course, hacked. [Editor's note: The author's company is one of a number that offer passwordless MFA.] If AD relies on a username and password for its efficient SSO that allows authenticated users access to everything, a hacker who steals, guesses, or tricks a user into giving up their credentials will be able to access systems, with AD as an active accomplice. The philosophy of AD authentication was based on simpler times — before there was a plethora of malware to steal user credentials, and before hackers were able to use social engineering techniques to extract credential information from users.
AD also allows logins using smart cards, eliminating the possibility that imposters will be able to log in to systems with compromised authentication information. But card management has its own issues; it's more expensive than username/password authentication — the company has to buy the cards, which can be lost, meaning more costs for new cards. Presumably, employees will report immediately if they lose their cards, but since card authentication is based on trusting certificate authority certificates, which can be hacked, simply not losing one's card doesn't necessarily guarantee anything.
MFA for All
Cognizant of the problems and sensing a market opportunity, vendors by the dozen offer MFA solution add-ons for AD. Second factors can include one-time passwords sent via text message, biometric authentications (thumbprints, etc.), smart cards, tokens, and even voice authentication.
While these are certainly more secure than username/password authentication, there are no guarantees; second factors can be hackable, some more than others. And if the username/password is already compromised, we're back where we started. For a more secure user experience, it would be best to do away with that first factor altogether, and implement more secure authentication methods. This, of course, would significantly impact AD, which is so strongly associated with credential-based SSO, speaking to the need for a major update.
Related Content:
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "How to Keep Security on Life Support After Software End-of-Life."
About the Author
You May Also Like