11-22-2023 10:50 AM - edited 11-30-2023 08:09 AM
This discussion focuses on the modernization of Active Directory (AD) environments, featuring insights from David Worthington, Product and Security Champion at JumpCloud, and Tom Bridge, Director of Product Management at JumpCloud. The conversation covers several aspects of AD, including its evolution, the introduction of new deployment models, and the complexity of implementing the enhanced security measures Microsoft now recommends.
Additionally, they discuss the role of cloud identity providers like JumpCloud in simplifying and integrating management solutions for AD, emphasizing the benefits for small and medium enterprises (SMEs).
You can find the full video recording here: The IT Hour | Modernizing AD 11.3.23
Tom Bridge, Director of Product Management, JumpCloud
David Worthington, Product and Security Champion, JumpCloud
Tom Bridge:
David, for those who haven't met you, give us the capsule sketch of your whole experience, and then we can talk a little bit about the modernization of AD environments.
David Worthington:
Okay. So just to acknowledge the great work of Sam Morgan and her team, they also revamped that documentation. It's really terrific, and you can see different deployment models, including now we have Pass-Through Authentication. So if you're required for compliance purposes to have your authentication store on-premises, we got you. Which is a pretty amazing thing. And you can still install our agents on your Domain Controllers (DCs). It just depends on the use case and which IdP is the source of truth. So it's lots of flexibility. It's pretty awesome stuff. And Tom's intro conveyed the enthusiasm. It's something that you should be jazzed about if you're thinking about modernizing AD. So to encapsulate things, wow, AD modernization is a huge topic. We've all used AD at some point if you're an IT admin. I've run into a few instances where there were some suspect service admin accounts, very live-and-let-live, zero policies, no Group Policy Objects (GPOs) on anything, and have also seen some installations that were your hardcore Red Forest and using Advanced Threat Analytics (ATA) and all that good stuff.
So yeah, the point is AD is pretty well baked in, and Microsoft acknowledges that now, but it also has changed. If you look at what's in Microsoft Press, if you look at what's out there in Microsoft Learn and what the Product Managers (PMs) are saying on LinkedIn, believe what they're telling you: the message now is that AD is baked in, but it's a legacy product that needs to be secured and protected.
So what does that mean to you all? If you look at the reference architecture, if you take a look at the Privileged Access model now, if you look at the Rapid Modernization Plan (RaMP), the plan for rapid modernization from Microsoft, they're all in unison. All the stuff that was discussed long ago, ages ago at TechEd, when there still was a TechEd, has now materialized. So it's time to start thinking about what it means. So I had mentioned ATA - Advanced Threat Analytics. I mentioned that fancy Red Forest configuration where there's a logical separation for the administrators. Well, now it's all about (according to the very prescribed plan that we're receiving) using conditional access through Entra ID and managing devices as well as managing those endpoints.
And of course, MFA everywhere, modern authentication. That sounds familiar. That sounds very familiar to us. So the point is that there are also options. So why would you want to consider options? Well, if you follow that aforementioned reference architecture, no matter what size of an organization you are, using AD now means using Defender for Identity to detect and prevent that lateral spread. If you're running it in AWS, Defender for Servers, it's recommended by default, (if you look at the reference architecture, we don't always) that you're using Premium Entra because you need identity protection. Account compromise here can be a compromised account there, and it's not good. It's all one big stack. So ATA is going away. It's nearing end-of-life, and the traditional Privileged Access Management (PAM) product, that's also going away.
Not to say that's immediate, but it's all approaching end-of-life. There are dates, probably with a few exceptions. So basically, if you're using AD, the message is great, keep using it, but we're going to sell you a lot of stuff to secure it and sell you a lot of stuff to have that appropriate posture. And really, not everyone can afford to take that all on. Having worked with many of those products, they can be terrific and do a lot for you, but you have to have the staff and resources to do it, and it's really a long-term obligation.
Tom Bridge:
Looking at some of that, you mentioned the reference architecture, the Microsoft Entra reference, the MCRA. For those folks who aren't familiar with the reference architecture, can you tell us a little bit more about what's structured in there in terms of how they see that?
David Worthington:
Well, I hope you like PowerPoint because it's pretty huge. It's expansive.
Tom Bridge:
I like PowerPoint.
David Worthington:
You can learn a lot from it. And really, the security architects at Microsoft that put it together, kudos to them and what they've done with the open group and “showing their work”, so to speak. We want to acknowledge people that improve the industry and the state of doing things, but Microsoft are not the only folks who can provide that type of model. It's just that the reference architecture delves into all these other products that are suggested and have a lot of interdependencies. For instance, if you're using Defender for Servers, I believe you won't get full telemetry for server threats unless you're also using Microsoft Defender for Endpoint. So it's a big puzzle. Very interconnected.
Tom Bridge:
Yeah, well, I was going to say there's a lot going on there in terms of that infrastructure. How does JumpCloud change that? How does an organization that already has an on-prem AD take that in a direction that is simpler than this reference implementation? I take a look at the diagram that's listed there, and I'm like, “Oh man, there's a whole lot here that I am going to have to take care of, all by myself”. So talk to me a little bit about how partnering with an IdP and Device Manager like JumpCloud is going to help.
David Worthington:
Well, reading all that is probably why I have glasses now. So really, one of the simplest things in terms of guidance that if you’re a Microsoft shop you may have seen is RaMP, the Rapid Modernization Plan. And the key to that is having a Cloud IdP. JumpCloud is also a cloud IdP, and using ADI - Active Directory Integration, which we mentioned, has been really enhanced terrifically. You can support a lot of different deployment models, and we offer conditional access. We have integrated Unified Endpoint Protection, including now, as of this month, we'll be able to support more corporate-owned Android devices as well. So that really completes the picture, which is pretty awesome. So we have all those things. We have JumpCloud Go, which, together with stuff like Windows Hello, and in the Mac world or Apple world Face ID, really provides a wonderful hardware-bound credential that's phishing resistant and simpler versus many components. So you get that security from the IT perspective. It really brings it all together in one place.
So we hit on those points, and for many organizations, that's a terrific win. You could buy a lot of stuff, but if you don’t implement it, that's not security. If you're not able to have MFA environment-wide, for instance, that's a problem. So with JumpCloud a small to medium enterprise (SME) would be able to follow that RaMP model but actually do it with the team they have, with the people they have, with the resources they have. We also offer some help. We have some great Professional Services and folks that will help you get started, but really you're not going to be having dedicated vendors (which is a suggestion from our friends in Redmond) to help manage the automations and integrations of all those various products. So it's more approachable in many ways, and it could be a better solution for organizations that are looking to modernize AD. I hope that answers your question.
Tom Bridge:
I think it does. I think that there's another really interesting thing here because I think that there are really three pathways here for any organization that's using AD today. You can take it out of your system, migrate your entire data structure from an AD to a directory like JumpCloud, handle all your device management, do things like that. There are some organizations where that makes all the sense in the world. What about the organizations who have maybe customized software based on AD? What about organizations that may have longer-term needs that require them to stay on on-prem AD? How can they make adaptations to their environments to make them more modern while not having to give up everything they have?
David Worthington:
Well, we focus on different personas. I'm also on, I primarily live in the marketing world, and for a while, the message was “Ah, AD that stinks. Let's all use a Cloud Directory.” But we realized that the things that you just mentioned are very real, and many times IT folks don't get to choose, they inherit the infrastructure that they have.
So you're able to say once you get users into JumpCloud, into the Cloud Directory, you could manage your devices, you could manage access control for web apps or use RADIUS or LDAP for your network devices with MFA and still keep all that stuff in the AD world. We provide different models. One would be where it works in the Microsoft world. You'd think of a password write-back where the cloud is the source of truth. You have to buy a premium-tier Entra ID for that. We provide that through ADI. So JumpCloud can be your really wonderful unified directory, and you could put other directories in it too. That's why we like to say Open Directory. It becomes a wonderful pane of glass for your assets and brings that authentication closer to your assets, wherever they may be. Yet it will play nice with AD, and as aforementioned, if you are highly regulated, AD can still be the source of truth, and you can still do some very meaningful stuff with JumpCloud, such as making sure that your endpoints are being managed.
Tom Bridge:
How does that management environment really help organizations have a set of internal confidences with regard to moving to cloud-based as opposed to AD?
David Worthington:
What was your question?
Tom Bridge:
Well, in those organizations, I think that I always think here of the reason that you don't bind Macs to AD anymore, and that's just not something that you're supposed to do. Yeah.
David Worthington:
I'm not sure what it actually meant other than having a little object in the directory.
Tom Bridge:
Well, in a lot of cases, I mean, since you're not exactly managing Macs with Local Group Policy Objects (LGPO), right? I mean, that's just not a reality that's associated with that, that hasn't been true for a long time, but you do have at least objects in your directory. In terms of where we sit in 2023, a lot of organizations need to think about, “Hey, what does it actually mean to manage devices?” If you're primarily running a doctor's office where you're all on one network, that's one thing. But here at JumpCloud, we like to make remote work happen. I like to work from the coffee shop down the street, or I like to work from my desk, or I like to work from the pub at five o'clock on Fridays only after five o'clock do I actually have the beer, right? I mean, if HR is listening, that's exactly what happens, and don't anybody say otherwise. But we think about it from those perspectives in a more modern distributed workforce, does on-prem device management really make any sense anymore?
David Worthington:
That's a good question. It could. There are organizations where they've spent a lot of time and effort coming up with their policies and they don't necessarily want to give that up. But to tell you that even Microsoft now is identifying complexity and misconfiguration among GPOs as a potential security vulnerability. You may have older policies responding to some past threat, and unfortunately, changes are made, and they could be breaking changes that create vulnerabilities somewhere somehow. So moving to a more modern approach, Windows MDM, which JumpCloud offers, does make a lot of sense.
Even Microsoft's moving that way. They've got tools within Intune that will analyze your GPOs and sort of map them to what's happening in Intune. So we have some great policy templates already. There's much more to come. Don't want to let those cats out of the bag yet. But having a security baseline for your device, whether it is Windows, Mac, Linux, Android, iOS is vitally important because going back to that open group reference, that's very important work. You assume breach. What does that mean? It's an open network. So if your devices aren't being managed, do you really want those devices, especially for privileged access, accessing some really important resources? The answer should be no.
Tom Bridge:
Correct. I mean, I was going to say you want to make sure that you're limiting access to your key devices based on their postures and based on their policies and based on the results of whether or not those are managed devices. I think here all the time about our conditional access policies here at JumpCloud and how we want to take a factor like JumpCloud Go, which for now just tells us that the device is present in JumpCloud's environment and is managed by an MDM, not necessarily our MDM, but we want to get to a state where you can create those rules based on a whole bunch more than that, where you can create those rules based on whole functional constructs like “Is this device secure at this moment?” And I think that there's going to be a lot more that we're going to have to say as we get towards the summer next year about how that's going to function.
David Worthington:
No matter what size of an organization you are. And that's really an advantage of using JumpCloud because it's approachable and it's doable. I can't tell you how much time I've spent just trying to catch up from my admin days just a few years ago to everything that's changed within Microsoft's architecture - that whole notion of a logically separated tiered AD Privileged Access Model is now considered to be totally passé, it’s gone. So it's easy, when you're working with what you have, not to keep pace with what's out there, but there's so much change happening that probably is not going to be optional too much longer, so folks who are a Microsoft shop should really start planning, and if you consider us, that's terrific, and we want you to be successful no matter which direction you go in.
Tom Bridge:
Absolutely. And I think that there is so much that AD admins can do and keep their AD comfort zone in terms of, like, “Hey, I only need to install this ADI connector on one of my member servers, and I can still have a great experience associated with those users.” And there's so much that we can offer in terms of extending your AD out to the cloud without having to go down the Entra route, without having to go into those reference architecture diagrams that make your eyes bleed, without having to go down to that spot. And I think that JumpCloud can be a huge help here. And I think that organizations that are looking to modernize their AD environment can take a look at that.
We recently did a webinar, Sam Morgan, and Roger Bright, and I on modernizing AD. We talked a lot about those three different paths; whether or not you are modernizing what you currently have, whether you are migrating away, or whether you're kind of living in a hybrid space in between them, there are all sorts of great things that you can do to really kind of modernize this older solution. I mean, the first AD servers came online when? Years ago.
David Worthington:
And we have multi-domain support. We've had that throughout the year. And some folks may not realize because you're not living in the JumpCloud universe like we are, but that's an important point for modernization and to have migration paths.
Tom Bridge:
Yep, for sure. And it's funny because Kelly, who is out there, hi Kelly, it's good to see you. She points out like, “Hey, one of the biggest misconceptions of small to medium enterprises is that we're not big enough to need security like that.” Well, I always go back to some really good advice I got in scouts, which is if you and your friend are out there walking in the woods, you don't have to be faster than the bear, you have to be faster than your friend. And while that's a little bit dark, it is definitely better than getting eaten by a bear.
And so when we think about it from that perspective, having a little bit more security than the next guy or a concerted plan for handling your device management or a concerted plan for handling your AD environment is going to give you more than what your friend has. And so thinking about it from that perspective, you have things that you can do to really kind of build that future together here with keeping the AD that you're comfortable with and modernizing it for JumpCloud, and being able to get where you need to go.
David Worthington:
Here's a key point. If you take a look at the enterprise access architecture and all the diagrams that are out there now for AD, assume hybrid of everything; really the notion of standalone AD in the Microsoft world no longer exists. They are strongly suggesting if that's the way you're set up, you're doing it wrong.
Tom Bridge:
Rob makes a very excellent point. I think I'd rather have had the bear than doing an upgrade of a 2003 AD Red Forest to Server 2019.
David Worthington:
Well, that's an important best practice.
Tom Bridge:
Yeah, you got to stay current. That's kind of the whole deal. And I was going to say, I have some scars from AD 2003, I think a lot of us do. Especially back in the day when they encouraged everybody and their cousin to set up local domains instead of using a full DNS, fully qualified domain like you should have. We all got to that spot or, worse, a directory that had no suffix whatsoever. So all sorts of fun experiences that are frustrating in a lot of ways. So I think that that's a really key part of that.