Whatever your opinion is on the cloud and how secure it is for data storage, one thing that holds true is that a lot of cloud services are now moving into cheap ‘commodity’ territory. We are seeing around a 90% adoption rate by businesses of cloud-based systems. This number continues to grow, as the slower moving companies finally deploy at least simple systems, such as email (Exchange), to Office 365 in the cloud.
For IT pros, this means it is inevitable that you will need to plug your on-premises Active Directory into some form of cloud system, and that your internal identity and access management (IAM) strategy just got at least twice as complicated. Now you need to deal with twice as much user CRUD (Create, Read, Update, Delete) operations as before. And, that is assuming that you already do user life-cycle management properly.
The problem is that Azure AD (AAD) and on-premises AD are a long shot from being the same thing – and native management tools for each have limitations controlling one environment, much less a hybrid environment. In a hybrid AD/AAD environment, you now need to administer multiple systems for user management and license/feature administration. Starting with data from HR systems, you have to move it to on-premises Active Directory, and then into Azure AD. To make this efficient, you have to automate these workflows and secure this data as much as possible.
At Core Technology Systems, we have leveraged our expertise in identity management systems to simplify complexities and reduce the overhead of running cloud-based systems and their related CRUD processes. Using One Identity’s Active Roles 7.1, we can automate user-data feeds from HR systems into Active Directory, perform additional data gathering and manager-authorisation activities, enable automation of features such as litigation hold on the mailbox, and then push the user data to cloud-based systems like Office 365. Plus, we can do all this while automating licence allocation all across the hybrid environment.
With Active Roles 7.1, we have the ability to manage our hybrid identities by abstracting the view of the AD/AAD environment. This allows us to display the data via a web interface in ways that are meaningful to user administrators, while having a customised view for non-technical managers to oversee approvals or group management. It is important that the system is intuitive to all user levels and has a proven enterprise-class role-based access control (RBAC) system underpinning it.
Using ActiveRoles, we are able to eliminate most administrative ‘global admin’ rights from the Office 365/Azure AD system and centralise all hybrid identity management tasks to a single system.
Centralising and automating the management of the ‘hybrid’ user identity reduces the need for additional staff and the re-training of existing staff. Plus, it reduces errors and misconfiguration from manual processes in multiple systems. Just as important, is that it enhances security for cloud-based systems because the number of administrative accounts is reduced and global standards-based (such as PCI-DSS, SOX etc.) reporting is generated for all user-management tasks, be it cloud or on-premises.
Core runs a PaaS-based Identity as a Service (IDaaS) with Active Roles underpinning nearly 30,000 user identities, which includes our managed services staff and our user base. We love the intuitive, simple web interface, which the security team trims to the users’ delegated rights and scope of visibility/access. Our identity management engineers love the ease of customisation of the web interface for customers and the easy-to-build graphical authorisation workflows. From a skill set perspective, we love that the scripting is PowerShell based; this gives us a large pool of skilled AD resources for recruitment versus other products where it is more expensive to get AD and C# coding skills together.
With the release of Active Roles 7.1 and the enhancements to user management in the Azure AD, we can accelerate user adoption of cloud-based systems, while simplifying the hybrid user management experience.