
Reassessing identity management systems for cloud-based workforces

Cloud-based workforces force enterprise IT to rethink identity management systems. Learn what's changed and how Active Directory can help.

In the wake of federal regulations and the rise of new security threats, it's become increasingly important for companies to ensure the security and integrity of their data. Identity access management software establishes policies that govern which users have access to different kinds of information, ultimately helping organizations secure data.

Identity management establishes consistent user identities that can span multiple systems. By associating rights and restrictions with those identities, and by automating the routine IT tasks of granting and revoking them, it allows employees to access only the resources they are entitled to see. The goal is to maintain organizational security by ensuring that assets are not compromised. And, as cloud computing becomes more integral to data center management, marrying cloud-based and on-premises systems presents new challenges.

Federal regulations require companies to audit a user's identity to ensure it matches his actions. But recently, identity management has gained importance for other reasons as well. Over the past several years, the use of mobile devices has proliferated, and it has become common for users to work from several different devices, often using cloud-based resources. Identity management systems allow a user's identity to follow him from one device to another.

Comprehensive identity management systems can also address scalability issues. In a small organization, it might not be challenging to keep track of each user's accounts. As the number of devices and users increases, however, tracking account usage becomes more difficult.

The cloud complicates identity management

Technology trends are cyclical, and identity management is a perfect example that everything old is new again.

Many years ago, I worked for a large insurance company. When I first started, we had a single server that stored everything. As our end-user count increased, however, we quickly outgrew the server and had to move resources to new servers.

At that time, each server had its own authentication mechanism; each user needed multiple user accounts -- one for each server. If a user had to reset a password, it would have to be changed on each server. This separation of user accounts was a tremendous administrative burden.

Ultimately, technologies such as Microsoft's Active Directory and Novell Directory Services helped to solve these problems. Even today, Active Directory allows a user to have a single set of credentials that are valid throughout the organization.

The problem is that organizations routinely use a combination of on-premises and cloud resources, which revives the issue of multiple accounts. Although there are exceptions (such as Microsoft Office 365), most cloud applications do not synchronize with an organization's on-premises Active Directory. For example, my cloud-based backups have no knowledge of my on-premises Active Directory. The same holds true for some cloud-based billing applications. As such, it's common for end users to have an Active Directory account that provides access to on-premises resources while also having separate accounts for cloud applications.

This creates a few problems. First, as an organization uses an increasing number of cloud applications, the number of usernames and passwords that users are forced to remember multiplies as well. Although some argue that this separation of accounts improves overall security, real-world experience has shown that users who accumulate such a large collection of credentials often cope by writing them all down, which creates a security risk of its own.

Another problem with the separation of accounts is that it tends to increase the administrative burden. Setting up new user accounts can become a time-consuming process because each of the user's cloud applications must be separately provisioned. Likewise, password resets can become complicated -- for example, when the user does not clearly indicate to the help desk staff exactly which password needs to be reset.

Identity management seeks to resolve these problems by providing users with a single set of credentials that can be used universally. While reducing the number of credentials a user is forced to remember certainly addresses some annoying identity management situations, it is important to remember that there is more to identity management than just providing end users with single sign-on capabilities.
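The separate-accounts problem described above has a second, quieter cost beyond help desk load: when a cloud application is provisioned independently of Active Directory, disabling the AD account does nothing to the cloud login, and the orphaned account lingers. The following script is an added example, not code from the article or from any vendor, showing the reconciliation check an administrator would run against an AD user export and per-application account exports. The users, application names and export shapes are constructed sample data; matching is done on the lower-cased userPrincipalName, since that is the attribute most cloud applications end up keyed on.

```python
"""Reconcile cloud-application accounts against an on-premises AD export.

Added example (not from the article). The AD export and the cloud exports
below are constructed sample data standing in for a Get-ADUser dump and the
account lists exported from each SaaS application's admin console.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AdUser:
    sam: str       # sAMAccountName
    upn: str       # userPrincipalName, used as the join key
    enabled: bool  # False once the account has been disabled on leaving


@dataclass(frozen=True)
class CloudAccount:
    app: str       # hypothetical cloud application name
    login: str     # login id exactly as the application exported it
    active: bool


# Constructed sample exports (hypothetical users and applications).
AD_EXPORT = [
    AdUser("jdoe", "jdoe@corp.example", True),
    AdUser("asmith", "ASmith@corp.example", False),        # left the company
    AdUser("bwong", "bwong@corp.example", True),
]

CLOUD_EXPORTS = [
    CloudAccount("backup-saas", "jdoe@corp.example", True),
    CloudAccount("backup-saas", "asmith@corp.example", True),           # orphan
    CloudAccount("billing-saas", "JDoe@corp.example", True),            # case differs
    CloudAccount("billing-saas", "contractor1@gmail.example", True),    # no AD identity
    CloudAccount("billing-saas", "bwong@corp.example", False),
]


def normalize(login: str) -> str:
    """Applications export logins with inconsistent case and whitespace."""
    return login.strip().lower()


def reconcile(ad_users, cloud_accounts):
    """Map every cloud login back to an AD identity and report the gaps.

    orphaned:          active in the cloud app, but the AD account is disabled
    unknown:           active in the cloud app, with no AD account at all
    accounts_per_user: how many separate cloud logins each AD user holds,
                       i.e. how many extra credentials that user must manage
    """
    by_upn = {normalize(u.upn): u for u in ad_users}
    orphaned, unknown = [], []
    accounts_per_user = {u.sam: 0 for u in ad_users}
    for acct in cloud_accounts:
        user = by_upn.get(normalize(acct.login))
        if user is None:
            if acct.active:
                unknown.append((acct.app, acct.login))
            continue
        accounts_per_user[user.sam] += 1
        if acct.active and not user.enabled:
            orphaned.append((acct.app, acct.login))
    return {"orphaned": orphaned, "unknown": unknown,
            "accounts_per_user": accounts_per_user}


if __name__ == "__main__":
    report = reconcile(AD_EXPORT, CLOUD_EXPORTS)
    for kind in ("orphaned", "unknown"):
        for app, login in report[kind]:
            print(f"{kind:8s} {app:13s} {login}")
    for sam, count in report["accounts_per_user"].items():
        print(f"{sam}: {count} cloud login(s)")
```

Run against real exports, the "orphaned" list is the one to act on first: each entry is a working credential that the AD-side offboarding process never touched. The "unknown" list is worth a look too, since it shows logins that were created in the application without any corresponding directory identity, which is exactly the kind of account no one remembers to review.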

Active Directory limitations

Many organizations use Active Directory as their primary mechanism to authenticate users, so it makes sense to consider what Active Directory is capable of in regard to identity management systems.

Generally, Active Directory can provide user authentication and access control for resources that are domain-joined (i.e., resources that have been enrolled in Active Directory and to which Group Policy security can be applied). Active Directory accounts can grant access to things like network file shares or on-premises applications.

Active Directory authentication can also provide access control for external resources. Windows Server allows for the creation of federated trusts, which allow one Active Directory forest to trust another. This type of trust relationship is useful when end users in one organization need to access resources on another organization's network, after a merger or acquisition, for example. It lets users be authenticated without making changes to multiple systems, and this centralized authentication is a boon for administrators because it eliminates duplicative manual tasks. The limitation is that if no trust relationship exists between Active Directory and another resource, such as a cloud application, then AD has no authority to perform authentication for that resource.

This is the first part in a two-part series. Stay tuned for part two.

About the author
Brien Posey is an eight-time Microsoft MVP for his work with Windows Server, IIS, Exchange Server and file system storage technologies. Brien has served as CIO for a nationwide chain of hospitals and health care facilities, and was once responsible for IT operations at Fort Knox. He has also served as a network administrator for some of the nation's largest insurance companies.
