Skip to main content

How admins can maintain control (even during Covid-19): Domainless architecture

(Image credit: Image source: Shutterstock/Toria)

When people start working from home (WFH)—working from here, there and everywhere, truly—IT admins often feel like they’ll lose control of their environment. Admins like to maintain oversight of applications, devices, directories like Active Directory, G Suite, Azure AD, the network, and how people connect to it. The recent mandatory shift to remote work emphasises that traditional perimeter security and on-prem infrastructure are no longer sufficient to protect an organisation’s user identities and confidential data in the cloud.

Active Directory (AD) was used for decades as part of an on-premises domain, but today’s cloud usage demands—and enables—fundamental changes to security, device management, and access control. To better manage modern work environments, Admins have reimagined the individual functions of directory services and separated those functions from the dated concept of the hardwired, castle-and-moat domain.

What matters most today? Ensuring secure access, no matter where in the world they are. Additionally securing the conduits of access with other security standards such as multi-factor authentication (MFA) can assist in fortifying a company’s compliance and assets. The future of directory services, then, is domainless. Consider how we got here, what the domainless enterprise looks like in practice, and steps organisations can take to modernise their identity and access management (IAM) infrastructure.

Rethink directory services

Even before the Covid-19 crisis forced a mass shift to remote work, IT was enabling increased work outside of the office. Cloud technology and widely available high-speed wireless internet facilitated this, allowing staff to connect their laptops and fully portable, web-enabled devices to the internet from nearly anywhere. This flexibility outside the office is the domainless enterprise in a nutshell—and our current reality.

In this world where so much work happens outside the domain, IT departments must reassess challenges that Active Directory once handled on its own. Businesses are assessing cloud-based models that provide secure access for all employees to their applications, files, and networks from anywhere, on any system (Mac, Windows, or Linux).

Establish tight perimeters

In a domainless enterprise, the focus shifts from an internal network to each connected resource, with granular access permissions for each user. In today’s WFH environment, this approach offers more control and security than a traditional domain setup. It treats resources & assets as untrusted. The organisation’s security posture wraps around each individual user; their Mac, Windows, or Linux system; and the apps and resources they need to access, wherever each of those components is located.

With domainless, each IT resource has its own tight perimeter. Identities and access rights are constantly checked and verified, rather than authenticating once then allowing resources to function essentially unsecured within the confines of a hardened larger perimeter. Users access resources directly over a standard internet connection, rather than routing through a domain for authentication. In place of a domain controller, a cloud directory service handles access management, user authentication, and security enforcement.

Go beyond AD

A worthwhile cloud directory service should go beyond AD’s original scope by managing access to third-party applications and non-Windows operating systems all from one platform, regardless of location. A web app single sign-on (SSO) gives users one identity to access SaaS applications, but may not be able to manage device access, security baselines, or authenticate users to legacy or on-prem resources using their preferred authN protocols.

Instead of creating a one-to-one translation of the established AD domain model in the cloud, a proper cloud directory service breaks AD’s functions into their component parts and reimagines each of those parts. Separating the individual problems from the solution can yield new ways to solve them.

Mandates for a cloud directory service built for the domainless enterprise begin with single, secure user identities to access devices, applications, WiFi/VPNs, servers, and dev infrastructure, both on-prem and in the cloud and regardless of vendor.

  • Integrate and consolidate user identities from other services (i.e., G Suite, Office 365, AWS, AD/Azure, and HR/payroll systems).
  • Automate user provisioning and deprovisioning capability.
  • Manage the system remotely with GPO-like policy control over Mac, Windows, and Linux systems and deep reporting on system status and attributes.
  • Use Multi-factor authentication at Mac, Windows, and Linux system login and for access to virtually all other IT resources, plus SSH key management capability.
  • Provide flexible, automated administration through scripting, API, or PowerShell.
  • Maintain detailed data and event logging to support auditing and compliance needs.

Set up zero-trust security practices

Now is the perfect time to aspire to a zero-trust environment. The directory service charged with authentication never takes the legitimacy of a user, device, application, or other IT resource for granted. It’s achieved by securing the following four areas:

  • Applications: Only the right people, on trusted systems, can access applications. Verify that the user and machine have rights to the app, to the network that the app is on, and the network’s security. A VPN can still play a crucial role in the domainless enterprise, as a secure tunnel to an application or resource.
  • Employees: Verify that individuals are really who they say. Confirm their password (something they know) and their MFA token (something they have) against the directory database, an authoritative source of truth.
  • Network: Whatever network the user is on should be as secure as possible. If it isn't completely secure, the user can create a secure enclave within that network by using a VPN. Additionally, networks can be secured through additional means such as MFA and even VLAN segmentation.
  • Systems: The system that a validated person uses to access IT resources must be clean; the person must rightfully have access to it. This requires a mechanism to ensure that the machine is known, policies and settings enforce security standards, and a high degree of certainty that the user is who they say they are. Security software is checked and updated. System telemetry helps ensure visibility that the machine itself is not compromised.

Change the systems in a changed world

The initial shock of Covid-19 has worn off. Admins must rethink approaches for the rest of the crisis and for this changed world.

Today, IT teams are implementing domainless architectures enabled by a cloud directory service and zero-trust security, either completely or in a step-by-step approach suited to their existing infrastructure. In organisations committed to a functioning AD domain, a cloud directory service can envelop the AD instance, delivering many of the benefits of the domainless model and serving as a stepping stone to the all-cloud model. A strong cloud directory service will have the ability to stand on its own as a core identity provider, facilitating the ability to move seamlessly off AD when the time is right.

Jim Matthews,. JumpCloud