Cloud Identity Authentication Battle for the Enterprise Heats Up -- Redmondmag.com

Cloud Identity Authentication Battle for the Enterprise Heats Up

Microsoft wants to bring Active Directory users to Azure AD, but rivals vie to manage enterprise user authentication in the cloud age with alternative offerings.

By Jeffrey Schwartz
09/29/2015

Well more than 90 percent of organizations use Microsoft Active Directory as their main store for employee authentication, identity management and to maintain access control polices. But as the growth of cloud-based Software-as-a-Service (SaaS) applications enterprises try to manage continues to grow, IT planners and architects must evaluate how they'll manage user identities. Early adopters are already doing so. With a number of players -- some established and others lesser known -- vying to become your cloud identity management as a services provider, it invariably raises questions over the future role of Active Directory.

Most experts don't believe Active Directory is an endangered species anytime soon and that it'll have an important role even among those who turn to other identity management platforms. But at least some organizations could greatly de-emphasize or even curtail its use in the years ahead. Meanwhile, Microsoft is aggressively promoting and updating Azure Active Directory (Azure AD), which aims to seamlessly bring Active Directory to hybrid and public cloud environments.

A number of factors are driving the shift in how organizations must be thinking about how they manage user authentication and identity management. In addition to the number of externally hosted applications that organizations now need to manage access to, the universe of identities is also growing exponentially. Not only must IT manage employee credentials, but the identities of customers and partners, who naturally have different privileges. This shifting dynamic and the number of high-profile security breaches that have occurred in recent years have created this land grab by Microsoft and a number of established and lesser-known players to provide what many call Identity Management-as-a-Service (IMaaS).

Career-Defining Decisions
As many enterprise IT decision makers conduct these architectural assessments, these could be career-defining decisions for some. Very few say organizations will rip out Active Directory and replace it with something else to manage day-to-day authentication and policies -- certainly it would make no sense to do so for existing systems. But by a number of estimates there are some -- about 10 percent of organizations -- that are looking to either eliminate or vastly reduce the role Active Directory plays for identity management and single sign-on for these vast array of SaaS applications and other resources.

One example of a large enterprise looking to sideline Active Directory is the Planned Parenthood Foundation of America. Overseeing this plan is Franklin Rosado, Planned Parenthood's director of enterprise strategy and system architecture. Rosado is a longtime "‘Softie," as he calls himself -- an MCSE since the 1990s. It's no small effort as Planned Parenthood shifts user identities from Active Directory running on Windows Server machines by its 60 affiliates nationwide to the Okta Identity Platform, which provides single sign-on connectivity to numerous third-party SaaS services, Active Directory, Azure AD and Office 365, as well as other legacy directories. At a recent visit to Planned Parenthood's New York headquarters, Rosado described its current architecture and reasoning for making the move. In addition to the 60 affiliates, Planned Parenthood's IT organization supports some 600 clinics with file, print and key SQL Server-based data running on a traditional Windows Server-based network.

"We're looking to deprecate Active Directory because we're moving extremely heavily into the cloud."

Franklin Rosado, Director of Enterprise Architecture, Planned Parenthood Foundation of America

Cloud-First, Mobile-First
Planned Parenthood is very much on board with Microsoft CEO Satya Nadella's notion that computing is shifting to a "cloud-first, mobile-first" model. But while Microsoft has described identity as one of the keys to the future of security and managing users in the "cloud-first, mobile-first" world, the huge non-profit organization is among the 10 percent who aren't buying into Active Directory and it's cloud-based iteration, Azure AD, to manage employee identities. Over the summer, Planned Parenthood kicked off the first stage of moving away from Active Directory to Okta. Rosado said his team has brought up several affiliate connectors on the system. It's taken longer than he had anticipated, having targeted to have 50 percent connected by now. But Planned Parenthood was in the trenches last month working to bring online four major app connectors.

"We're looking to deprecate Active Directory because we're moving extremely heavily into the cloud," Rosado said. "And we really see a lot of tends in the consumerization of IT and the depreciation of Active Directory sort of fits in the trends in the way we're going in moving to the cloud and moving to mobile-first."

Despite the deprecation of Active Directory, Planned Parenthood is relying on it to establish user identities at all of its major affiliate offices, and then map to the Okta Universal Directory. "It's key for us to have Active Directory connected to Okta so we can then have that master stored at our main Okta domain," he said. "We are extending the capability of Active Directory across the entire federation. We're actually using extension attributes, and defining the use of extension attributes such as job title, affiliate ID and facility IT in Active Directory for all of our affiliates and we're extending the capability so that we can have that infrastructure down the road to really allow for automated provisioning and deprovisioning across the entire federation, and for a richer directory across the entire federation."

The move is an eyebrow-raising rebuke of Microsoft's effort to encourage organizations with ambitious cloud migration efforts such as this to transition enterprises from Active Directory servers -- said to be used by well more than 90 percent of organizations to manage user identities and authentication -- to its new cloud-based alternative, Azure AD Premium. But Planned Parenthood isn't the only organization looking to "deprecate" Active Directory.

Nova Medical Centers, a Houston-based regional conglomerate of occupational medicine clinics, is also moving off Active Directory. Each computer has unique identifiers in order to maintain HIPAA compliance, but because they're connected via VPNs, there were numerous points of failure in its architecture, explains Christopher Southerland, Nova's director of information technology. Asked why he didn't consider Microsoft's new Azure AD Premium, Southerland explains he tried it but was left unimpressed with the support, which he describes as "non-existent," as well as with the offering itself and pricing.

"Basically, their service was a lot more cumbersome to get it to work with Active Directory."

Christopher Southerland, Director of Information Technology, Nova Medical Centers

Southerland opted against it after trying to run Windows Server Active Directory in Azure.

"Basically their service was a lot more cumbersome to get it to work with Active Directory, which is really odd," Southerland explains. "You had to buy different modules, so if you had a server you had to buy storage space, if you had a network -- a specific network -- you had to buy network space. So the cost, when I actually talked to them initially, was $200 a month for 50 locations. That was a lie. First of all they weren't considering how much data we were pushing through, they just kind of made up a number. I actually got one location connected, we were doing some testing and it slowed down the computer considerably. The speed of the computer to actually log in was probably about 2 minutes. At the time I was testing it, you could only have 10 locations on the same network, and then you had to buy more, and then you had to subnet it out."

Southerland had drawn up a plan to put in several new Active Directory servers at various locations, which included the hiring of Active Directory administrators. Though he got approval to do it from the Nova board, Southerland did a last-minute Google search and stumbled upon a little-known company known as JumpCloud, which operates its own suite of Directory-as-a-Service SaaS-based offering. JumpCloud has its own directory and offers support for Active Directory as a service. Southerland says he can continue using Active Directory but doesn't have to.

Another benefit of JumpCloud versus Southerland's earlier plan to deploy new servers is the new service doesn't require VPN connectivity. "They have a management console that you log in to and all you do is create a user account just like you would in Active Directory, and you link the computers to that user or group [and] you can create groups, as well. You can do it all managed to the cloud. What I like about that is I have a technician in Georgia and I have a tech in San Antonio and two in Houston and we can all manage it remotely."

Microsoft Extends into Privileged Identity Management

Microsoft has added a few more tools to its Azure Active Directory (Azure AD) Privileged Identity Management preview.

The Privileged Identity Management preview, updated in August, is an emerging Microsoft service that lets organizations control IT personnel administrative access to Azure AD-managed resources. The preview has been updated with a few new features. For instance, it now has a security wizard that offers recommendations based on an "organization's specific security configuration," according to Microsoft.

Another addition to the preview is an updated security dashboard, plus security alerts regarding privilege changes. There's a "fix button" to roll back any unwanted privilege changes.

Microsoft added a new "workload-specific admin roles" specification that provides greater control over access privileges. Microsoft's example of this capability was granting SharePoint Online administrative access, but not administrative access to other Office 365 workloads.

A multifactor authentication option has been added to the preview. Multifactor authentication is a secondary identity verification process on top of passwords. Organizations can now require multifactor authentication when setting up privileged roles.

Last, Microsoft added a "security review" capability to the preview. It's a process by which IT pros are periodically asked to recertify their access privileges.

Microsoft first unveiled this Privileged Identity Management preview back in May, explaining that it adds control over Azure AD administrator roles for services such as Microsoft Intune, Office 365 services and Azure SaaS apps. It's a feature addition to Azure AD Premium subscriptions, which cost $6 per user per month.

The Privileged Identity Management preview service currently works with the Azure preview portal, which provides a dashboard view. It uses color-coded rankings of security risks, based on things like the number of access privileges assigned (too many is considered to be a bad security practice). Global administrators can set up temporary or "just-in-time" access privileges, if wanted. IT pros, for their part, can request access to resources for approval under the system, but global administrators have control over the access.

Microsoft also has a different service that's free called Azure Role-Based Access Control. The Azure Role-Based Access Control service also works with the Azure preview portal to control user access, but it appears to be a more general tool, whereas the Privileged Identity Management preview is specifically designed to be set up by a global administrator in an IT organization to control administrative access privileges by IT personnel over time.

The idea behind the Privileged Identity Management tool is that IT pros "have become a high-value target for attackers," Microsoft explained back in its May announcement. Microsoft's tool is designed to set up alerts should anything unexpected change regarding access privileges.

The Privileged Identity Management service might be used by larger organizations, perhaps, but the idea that IT pros are targeted isn't paranoia. Even the U.S. National Security Agency is said to target system administrators, according to NSA documents leaked by Edward Snowden.

Will Active Directory Migration Become a Trend?
Given how entrenched Active Directory has become over more than a decade, this has to be somewhat concerning to Microsoft, even if Planned Parenthood and Nova Medical account for a minority of enterprises that ultimately go as far as to deprecate it. "We see 10 [percent] to 15 percent of companies moving away from on-premises AD as their primary user store and moving it to the cloud (Okta, Centrify, OneLogin, Ping and so on)," says Forrester Research analyst Andras Cser. "Microsoft is very concerned about this."

If that's the case, company officials aren't saying so. Alex Simons, Microsoft's senior director for Active Directory, says he's well aware of the competition, but says the company is aggressively adding new features to Azure AD -- on the order of several a week these days and 74 updates over the past year. Azure AD is a core component of the Microsoft Enterprise Mobility Suite (EMS), which also includes the Intune device configuration and management service and Azure Rights Management. Microsoft COO Kevin Turner recently identified EMS as a $1 billion market opportunity and company officials have consistently talked up winning in identity management as a critical goal.

"When you log into a Windows 10 device you can have it automatically enrolled in the Azure Active Directory domain of your company and have the mobile device management enrolled."

Alex Simons, Senior Director, Active Directory, Microsoft

Microsoft recently revealed 14,000 mostly midsize and large enterprise customers are using EMS, where Azure AD has a "rich coupling" to Intune. Simons says most of those are very large enterprises. Because Azure AD also is the directory for Office 365, Simons says 6.5 million organizations totaling 50 million people log in to Azure AD every day. Simons also points to customer-requested additions to Azure AD such as support for multifactor authentication, the ability to turn off SMS in favor of Auth-Code and one that has significant potential -- support for the ability to join Azure AD by logging into Windows 10.

"When you log into a Windows 10 device you can have it automatically enrolled in the Azure Active Directory domain of your company and have the mobile device management enrolled. And then you get nice single sign-on between the device and all of your cloud applications," Simons says. "And then you'll see it gain more and more capability as we go forward."

Among other features added to Azure AD is support for administrative units, "so you can divide up your company into different regions that may be owned by different IT shops," and a Web proxy that lets Azure AD connect into on-premises applications, Simons says.

In a move to further expand Azure AD, Microsoft last month released a Public Preview of a business-to-consumer and business-to-business extension to Azure AD for those who want to create trust-based relationships. This will let organizations give access to supply chain partners, Simons explains. "It's the equivalent of setting up a trust between two tenants in Azure Active Directory, the difference being that it's done at an individual group or user level between the tenants. So you wouldn't just have Microsoft say, ‘I trust Intel,' it would be Microsoft saying, ‘Oh, I want these five people or these three groups that Intel has specified to be able to use my applications.'"

Simons also points to the new Passport feature in Windows 10 that lets users authenticate to systems using biometrics, such as facial recognition with systems that have new sensors or fingerprint scanners, "it works with both Azure AD and with Active Directory on-premises, or if you have a hybrid set up between the two."

Microsoft Identity Manager 2016 Replaces FIM

Microsoft Identity Manager 2016 (MIM), the successor product to Forefront Identity Manager 2010 R2, is now available. The new release, which supports identity and access management for premises-based computing environments, is notable for Windows 10 client support. It also supports Windows 8.1 clients, Windows Server 2012 R2 and the latest System Center Service Manager.

Microsoft is touting MIM 2016 as a "modernized" product. It now has support for using REST-based APIs for certificate management in multiforest environments, for instance.

The company also points to its "hybrid identity management" support (for cloud and premises-based environments) with Azure Active Directory (Azure AD). MIM 2016 can be used to establish end-user single sign-on access privileges to cloud-based apps that are supported by Azure Active Directory. MIM 2016 also works with the Azure Management Portal to generate hybrid reports, but that capability possibly may require having an Azure Active Directory Premium subscription.

Microsoft built "privileged access management" controls into MIM 2016 as a way to fine tune network access privileges by IT personnel. MIM 2016 uses Just Enough Administration, a Microsoft PowerShell scheme, to control administrative rights, for instance. It's also possible to set time limits on IT personnel access privileges.

MIM 2016 also enables self-service capabilities for requesting access privileges, based on "group, profile, certificate and role management" categories. Self-service requests can be verified by multifactor authentication, which typically entails sending a text message or an automated phone call to a device to secondarily verify the user's identity.

Although the product is commercially released, a deployment pack for MIM 2016 will be arriving later this year Microsoft's announcement indicated. This deployment pack seems rather crucial. It will help automate "the preparation of the privileged identity management environment" and it will help harden that environment by "setting up the privileged AD forest security principals," among other such details.

In addition to the various IDMaaS providers vying to be your identity services provider, Simons knows new entrants will continue to offer identity and mobility management including one of the latest entrants, VMware Inc. The virtualization giant, which last year acquired enterprise mobility management vendor AirWatch, recently launched VMware Identity Manager. Describing the launch of VMware Identity Manager "as the sincerest form of flattery," Simons says: "There are certainly other competitors in the marketplace who we spend more time worrying about and thinking about because they have more innovative solutions."

Gartner Inc. analyst Mark Diodati predicts while Azure AD will be a widely deployed IDMaaS offering, VMware could, over time, emerge as a formidable competitor. "VMware differentiates with its virtualization and mobile device management from its AirWatch acquisition, Diodati says. "Those are strong capabilities, plus VMware has a large customer base to sell to."

But all of these IDMaaS providers have to ask themselves how they will compete with Azure AD, Diodati says. Azure AD has strong pull-through from Windows 10 and Office 365 and the existing installed base of Active Directory. Still, many third parties offer value-add with more simplified implementation and richer connectivity tools.

On the single sign-on side of things, Diodati says there are a number of considerations customers must weigh such as whether to use a solution that offers standard SAML 2.0 federation technology (which Azure AD supports) or one that favors a password-vaulting approach. Another issue is not all software and SaaS services providers have APIs for user management. "It's a maturity thing that's evolving," he says.

So why would an organization move to a third-party IDMaaS from VMware, Okta Inc., Ping Identity Corp., OneLogin Inc. or Centrify Corp., among others, or a password-vaulting platform from the likes of BeyondTrust Inc. or CyberArk Software Ltd.?

"Right now you have to be about being neutral and connecting to thousands of applications, not just Exchange, and not just file and print and not just the Windows client," says Okta CEO Todd McKinnon. "The heterogeneity is much different this time, our mindset is all about it, we're not the Azure Active Directory team that is so tightly coupled with Office 365 that they don't do a good job on other things."

"If you look at Microsoft's architecture for Azure AD and what they deliver, there's a lot of software required."

Todd McKinnon, CEO, Okta Inc.

McKinnon argues Azure AD for hybrid implementations still requires connectivity tools that are much more complex. "If you look at Microsoft's architecture for Azure AD and what they deliver, there's a lot of software required," he says. "You have to have DirSync, it's now called AD Connect, but it's DirSync, which is an on-premises script. The logic is on-premises, the failover is all on-premises. You have to have parts of Federated Identity Manager [now Microsoft Identity Manager (see "Microsoft Identity Manager Replaces FIM")]. There's a technology legacy. It's clear they haven't started with a clean sheet of paper and said, 'This thing should run in the cloud but it should connect, of course, to on-premises.' But all the management, all the failover, all the robustness should be in the cloud, not require a customer to put up a bunch of load balancers and a bunch of server farms, so I think there's just a technology legacy that is apparent in the solution they are delivering today."

Microsoft's Simons disagrees with that assessment. "We are the only company making advances on-premises and in the cloud to move your whole hybrid strategy ahead," he says, arguing Microsoft is more invested in the security of those systems and in building out security capabilities than anybody else. "Some of that is because we have this advantage because we have signals from Office 365, and we have signals coming in from Microsoft account system and we just have this very large aperture of watching what's going on in the hacker world, and we can use all of that data to protect people's accounts."

Bill Mann, senior VP of products at Centrify, believes there's another variable: "I think Azure Active Directory will be one of the players providing a directory service in the cloud, but I also think other vendors like Google and Amazon will be providing those directory stores," Mann says.

One company that offers a number of Active Directory management tools isn't betting against Microsoft or Azure AD: Dell. Jackson Shaw, a senior product manager for Dell Software, was at Microsoft in 1999 on the Active Directory launch team, when it was first released in Windows 2000 Server and saw it go from an installed base of 0 to 85 percent when he left Microsoft in 2005.

"There's probably not a week that goes by where Microsoft isn't adding something new to Azure Active Directory or Azure Active Directory Premium, and they are going to be releasing a lot more capability around threat management," Shaw says. "I think what you'll see is that gravitational field increases and increases. If I thought there was a real market for an alternative, it's something I'd be pushing Dell to get into."

Featured

Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.
What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.