How to secure cloud access starting with on-premise Active Directory? Implement SSO and MFA

For a long time, Active Directory single sign-on (SSO) and multi-factor authentication (MFA) were seen as nice-to-have technologies to use on a case-by-case basis to make network access more user-friendly or to add an extra security layer where needed.

But recently, as the risks and effects of cybercrime garner public attention, this rather laid-back view of SSO and MFA, and how they work together, is changing.

The journey from 100% on-premise Active Directory to hybrid

If you woke up today and started a company, it would probably be full cloud. But if you already have an on-premise Active Directory environment, your organization likely wasn't born yesterday. And it's not so simple to push all those legacy systems and applications to the cloud. Anyway, it's not gonna happen overnight.

Plus, highly regulated sectors, like government, defense, and manufacturing, often have obligations to keep authentication on premise.

But the realities of modern work, not to mention remote work, mean some of your services — resources, applications — are now in the cloud. Even if you are a locked-down, dinosaur of an org.

And you need to bring access to those services under IT's control. In other words, you now need to protect SaaS connections, on top of everything else. This is where MFA and SSO come into play.

Securely support cloud access with Active Directory SSO and MFA

Active Directory SSO and MFA are critical security measures, working together, for organizations at any stage of the journey from 100% on-premise to the cloud.

The two technologies have also grown closer to one another in the minds of network architects.

SSO is a usability and management tool that knits disparate network access together under one credential. It’s a simple principle: the user need only identify themselves once. This means:

• Reduced password fatigue

• Less scope for shadow IT

• Fewer credentials to manage makes life easier for the IT helpdesk

MFA, meanwhile, is a security layer that reduces the risk of relying on a single exposed credential. Arguably, MFA has become so fundamental to effective security that it is now the default for any type of secure network access, especially SaaS connections or remote access, with or without a VPN.

Which identity provider: cloud-based or on-premise?

Underlying the challenge to provide secure access to cloud resources with SSO and MFA is the question of identity. Your identity provider (IdP), identity management system, or directory service is of course a key system, against which your organization authenticates users. Today, network architects have almost too many choices on this front, including many cloud identity providers.

Of course, whether or not you opt to send your organization's digital identity to the cloud (and we encourage you to think twice) depends on several factors. For one, as we mention above, you may be compliance-bound to keep identity and authentication on premise. But you also want to consider whether your security posture can tolerate trusting external, cloud-based identity providers (IdPs) to fill such a key role.

The challenge, of course, is that most access security solutions start with identity in the cloud. So when you want to go from on-premise to the cloud in any way, shape or form, the first step is usually to duplicate your AD directory or create a new one. But that leads to all kinds of complexities and drains on IT's time, not to mention important security gaps.

AD has been around since the 1990s, which might explain why a notion has taken hold that it is not up to the job of acting as an identity system for SSO.

Designed around the idea of an on-premise domain controller, using AD as an identity store dovetailed perfectly with the LAN era in which almost all resources were internal. Nevertheless, AD also had limitations, such as support for non-Windows resources. Over time, users accumulated too many credentials beyond the confines of AD, which forced them to authenticate multiple times.

Now, deep in the era of cloud computing, some see AD and the concept of on-premise control as a relic of a bygone age. And yet nothing could be further from the truth.

Active Directory's second life as an identity provider

Despite this, it’s possible to easily retain AD as your identity store for SaaS connections via SSO using a third-party tool such as UserLock. With this pragmatic approach, the advantages of SAML SSO with Active Directory are many, including:

• You retain the on-premise AD directory you’re already using and are familiar with

• You keep your authentication infrastructure on-site, which many organizations desire for optimal security if not for compliance requirements

• You avoid the security and connectivity risks that come with using a cloud identity provider, which relies on an internet connection

• You build on your existing investment in AD, which is already a proven tool for handling the job of user identity management

How about ADFS?

On paper, Microsoft’s AD Federation Services (ADFS) can do the heavy lifting, but it can be tricky to implement. First, it requires multiple types of complex infrastructure such as DNS servers and load balancers in addition to an SQL configuration database and digital certificates. Any disruption to the availability of certificates can quickly cause problems. AD is supposed to be simple and cost-effective, but ADFS can end up being anything but.