Few challenges loom larger these days for IT departments than the need to tighten user account security. While technologies such as multi-factor authentication (MFA) offer one way to address this issue, an important decision remains: Should the directory service which underpins identity authentication be on-premise, fully in the cloud, or some combination of the two?
Users need secure access to both on-premise and cloud resources
Almost all organizations now support a mixture of on-premise and cloud resources, and the need for securing user access to both is pressing. But it’s not always clear which option is best.
Organizations could go all out for a cloud approach, but that means retiring long-established on-premise identity stores such as Active Directory (AD) in favor of options offered by public platforms. For many organizations, this represents a big step.
The trick is to assess the pros and cons of each approach. The cloud approach might appear to have some advantages, but for some organizations, another solution is to extend the capabilities of their existing on-premise AD using a third-party tool.
Why user accounts are key
User accounts, a fundamental building block of every organization’s IT architecture, encompass different types of user access to internal and cloud applications. The burden of securing these user accounts across multiple locations, including home office and field locations with intermittent access, is high. And the number of users who need these types of remote access has skyrocketed since the pandemic.
Cybercriminals exploit complex user and identity management
Cybercriminals have been quick to realize that complex user and identity management makes organizations vulnerable. If attackers can compromise a single user account, they can establish an invisible bridgehead inside the network.
The effect of this change in strategy has been to compress the MITRE ATT@CK Framework into fewer stages, greatly accelerating the speed at which compromise happens.
Zero trust puts identity management at the forefront
The concept of zero trust has become increasingly influential in addressing user account vulnerability. Broadly, it views all connections as untrusted regardless of who they are and where they are connecting from. But zero trust also foregrounds identity as the critical cybersecurity vulnerability, much more than is the case in the traditional perimeter security model.
Zero trust doesn’t specify which technologies should be used. But it is clear that MFA, privileged account management (PAM), and account monitoring and control are high on every organization’s to-do list. Under zero trust, these are no longer nice to have. They’re primary defenses to apply to all accounts, regardless of their status.
The pros and cons of on-premise AD vs. cloud identity store
We know securing user accounts is a top priority for IT teams, but this still leaves open the issue of which identity store to use as the basis for user authentication. In most cases, organizations already have on-premise AD, a mature technology that does its job. Equally, there is a perception that AD hampers the integration of cloud applications in hybrid environments.
In many cases, the apparent advantages of cloud access control—faster deployment and cost-free migration—come with several drawbacks, including:
Cloud systems often lack the tools and features to manage the on-premise infrastructure organizations will need to retain to support legacy systems.
Cloud services depend on a working Internet connection, which creates a single point of failure in the event this is disrupted.
Using cloud access control means abandoning the investment in on-premise AD and migrating to new controls, consuming valuable time and resources.
In addition, on-premise AD offers important advantages:
IT teams retain oversight of the identity authentication store, which is important for certainty and compliance in some sectors.
Despite the often-cited cost benefits of cloud platforms, on-premise AD can be more cost-effective since it’s easier to manage a single directory.
On-premise AD is a mature environment that won’t lack important capabilities or create unexpected management challenges.
The modern, hybrid enterprise can be on-premise
What is no longer in doubt is that user accounts are under sustained attack by cybercriminals who see this as an easy shortcut to beat security. The number of attacks using this technique as a central tactic underlines that user accounts are a major risk. This realization has driven more organizations to adopt MFA and other layers of account monitoring as a standard rather than a special requirement.
Organizations aren’t limited to choosing between on-premise vs. cloud because of their current tech stack’s limitations. With the right tools, it’s possible to keep identity authentication on-premise for a hybrid enterprise without abandoning the familiarity and security of AD.