Is there a case for keeping identity authentication on premise?

Few challenges loom larger these days for IT departments than the need to tighten user account security. While technologies such as multi-factor authentication (MFA) offer one way to address this issue, an important decision remains: should the directory service which underpins this be on premise, fully in the cloud, or some combination of the two?

At issue: Securing user access to both on-premise and cloud resources

Given that almost all organizations now support a mixture of on premise and cloud resources, the need for securing user access to both is pressing. But it’s not always clear which option — an on-premise or cloud directory service — offers the best path.

Organizations could go all out for a cloud approach, but that would mean relegating long-established on premise identity stores such as Active Directory (AD) in favor of the options offered by public platforms. For many organizations, this represents a big step. This leaves many IT teams with the challenge to secure user access to cloud applications while keeping their tried and trusted on-premise identity store.

The trick, as ever, is to correctly assess the pros and cons of each approach. While the cloud approach might appear to have some advantages, for many organizations the best solution will usually be the simplest one: to extend the capabilities of their existing on premise AD using a third-party tool such as UserLock.

Why user accounts matter

First, let’s back up to look at why user accounts matter so much in the first place. User accounts are the fundamental building block of every organization’s IT architecture. And these user accounts encompass different types of user access to a growing number of internal and cloud applications. Added to this is the burden of securing these user accounts across multiple locations, including home office and field locations with intermittent access. Since the pandemic, the number of users who need these types of remote access has ballooned.

Complex user and identity management creates easily-exploited vulnerabilities

Cybercriminals have been quick to realize that complex user and identity management makes organizations vulnerable. If attackers can compromise a single user account, they can establish an invisible bridgehead inside the network. This avoids the need to deploy complex malware or to target unpatched or zero-day software flaws. A simple phishing or brute force attack allows attackers to bypass expensive security systems at the perimeter, jumping to privilege escalation with no need for special skills or time consuming research.

The effect of this change in strategy has been to compress the MITRE ATT@CK Framework into fewer stages, greatly accelerating the speed at which compromise happens.

User account security is a cornerstone of zero trust implementation

Recently, the concept of zero trust has become increasingly influential in addressing user account vulnerability. Broadly, this states that all connections should be treated as untrusted regardless of who they are and where they are connecting from. A second important aspect of zero trust is the way it foregrounds identity as the critical cybersecurity vulnerability much more than is the case in the traditional perimeter security model.

Zero trust doesn’t specify which technologies should be used but it is clear that MFA, privileged account management (PAM), and account monitoring and control are high up on every organization’s to-do list. Under zero trust, these are no longer nice-to-have. They’ve become primary defences that should be applied to all accounts, regardless of their status.

On premise AD vs. cloud access control

So, we know securing user accounts is a top priority for IT teams, but this still leaves open the issue of which identity store should be used as the basis for user authentication. In most cases, organizations already have on premise AD, something they’ve invested in over many years as a mature technology which does its job. Equally, there is a perception that AD hampers the integration of cloud applications in hybrid environments.

A closer look at cloud access control

Where does the balance lie? In many cases, the apparent advantages of cloud access control — faster deployment and cost-free migration — are cancelled out by a range of drawbacks, including:

• Cloud systems often lack the tools and features to manage the on premise infrastructure organizations will need to retain to support legacy systems.

• Cloud services depend on a working Internet connection, which creates a single point of failure in the event this is disrupted.

• Using cloud access control means abandoning the investment in on premise AD and migrating to new controls. This consumes valuable time and resources.

The advantages of on-premise access control

In addition, on premise AD offers important advantages:

• IT teams retain complete oversight of the authentication store, important for certainty and compliance in some sectors.

• Despite the often-cited cost benefits of cloud platforms, on premise AD can work out more cost effective because it is easier to manage a single directory rather than two separate ones.

• On premise AD is a mature environment that won’t lack important capabilities or create unexpected management challenges.