The Cloud Identity Dilemma

I feel the dilemma ‘Between a rock and a hard place’ applies to many medium-sized businesses when it comes to cloud identity in the face of Microsoft retargeting their identity investment towards the cloud. These organizations may be too big to fully benefit from Identity Management-as-a-Service, but too small to really afford the impact an on-premises datacenter has on their bottom line.

The Startup Way

In the cloud era, small business and typical startups are having field days.

Even if they started out with an on-premises datacenter, most of them can benefit from getting rid of their on-premises datacenter’s footprint and sharing knowledge, management and maintenance with cloud providers. The agility that comes with pay as you go allows startups and small businesses, typically, to perform business at even lower (initial) costs. Startups don’t really worry about a cloud exit strategy, in the first couple of years anyway.

The Enterprise Way

By now, most enterprise organizations have made up their minds. They’ve accepted the fact that they’ll need an on-premises environment going forward. Either to be able to fully protect their intellectual properties, or to functionally meet all their requirements. Their choice is Hybrid Identity.

In Hybrid Identity, it’s important to realize that both sides of the equation, both Active Directory Domain Services on-premises and Azure Active Directory, require strategy, management and maintenance. It’s costly, but effective.

In line with Microsoft’s Active Directory administrative tier model, I see enterprise organization implement their Tier 0 assets on-premises and move the entire Tier 1, except from some business-sensitive systems, to cloud-based systems, services and/or applications. From my experience, I fully expect these organizations to keep Active Directory Domain Controllers, their PKI solution, and their SIEM, TSCM and other management and reporting systems on-premises, including their back-ups, anti-malware and other information security necessities.

I even feel Active Directory is going to be the last thing they’ll keep on-premises.

Figure 1 Microsoft's Active Directory administrative tier model (Picture courtesy of Microsoft)
Figure 1 Microsoft’s Active Directory administrative tier model (Picture courtesy of Microsoft)

For low-bandwidth locations, I additionally see implementations of caching, synchronization and bandwidth-reduction solutions to make cloud-based functionality available.

The additional cost of not being able to fully decommission their (redundant) datacenters, the additional management effort, complexity and reliance on connections will be offset by the ability to engage in multi-cloud scenarios in terms of Identity, Bring/Hold Your Own Key (BYOK/HYOK) scenarios and in meeting strict legal and/or business requirements they might have.

While it would be easy to declare that enterprise organization don’t trust the cloud, I feel that statement doesn’t do justice to all the challenges that enterprises face.

The Dilemma

For medium-sized businesses, this is a harder business choice to make.

For organizations needing to meet strict legal and/or business requirements, they won’t be able to go full cloud like small business and startups. The rock. The terrifyingly high costs and effort to go the Enterprise way, is daunting to many medium-sized businesses, though. The hard place.

Why Go The Enterprise Way?

So, what kind of requirements would make medium-sized organizations decide to choose the Enterprise way? Let’s dive in:

  • Systems hosting sensitive financial, privacy-related or state secret data and/or applications, that need to be placed on-premises. In this scenario, the Identity and Access Management (IAM) should also be placed on-premises.
  • Applications and/or services that host the organization’s most precious intellectual properties, like Coca Cola’s secret recipe or KFC’s five spices and six herbs. Without proper physical IAM processes and protections, this information would likely put the organization out of business.
  • Guarded host controllers and/or guarded fabric controllers, like Microsoft Host Guardian Service (HGS), that result in Bring your own Key (ByoK) and/or Hold your own Key (HyoK) scenarios with private and/or public cloud service providers from an infrastructure point of view. As Microsoft’s HGS solution is built upon Active Directory Domain Services and Health Attestation, this results in a similar scenario as described for the previous bullet point.
  • Public Key Infrastructure (PKI) solutions, like Active Directory Certificate Services (AD CS), that result in Bring your own Key (ByoK) and/or Hold your own Key (HyoK) scenarios with private and/or public cloud service providers from an infrastructure and/or data perspective.
  • Centralized management of public infrastructure services, like nuclear and other power plants, water treatment facilities, dams and public transport, like trains and train stations. In a world that is becoming more digital by the hour, systems for management of the physical layer of things from any software layer are increasingly targeted. The cloud may bring incredible scale, but Identity and Access Management (IAM) should be centralized.

Going The Extra Mile

However, once an organization takes the step to go the Enterprise way in terms of Hybrid Identity, it entails a lot more than simply installing a couple of Active Directory Domain Controllers:

  • In my book, in a hybrid world, being in control of Identity and Access Management on-premises means authentications take place on-premises. While Microsoft offers Active Directory Federation Services (AD FS) and Pass-through Authentication (PTA) as hybrid authentication methods to this purpose, its consequence is more on-premises systems, management and processes. As we can expect outside authentication requests to grow, continuity might become an issue. A second datacenter with its own dedicated internet connection will quickly be brought to the table by architects, together with the accompanying processes to test and perform fail-overs.
  • As a lot of highly-secure solutions rely on certificates, the Public Key Infrastructure (PKI) should also be implemented on-premises. Active Directory Certificate Services (AD CS) offers a solution, but for redundancy it also requires a second datacenter.
  • We’re going to need a Security Incident and Event Monitoring (SIEM) solution to gain insights in what’s going on in the entire environment (both cloud and on-premises) from a security and auditing point of view. SIEM solutions like SPLUNK and ArcSight plug into APIs for many cloud services to make this work, even in multi-cloud scenario’s. A Security Operations Center (SOC) would take care of the processes surrounding the SIEM solution.
  • A Technical State Compliance Monitoring (TSCM) solution comes highly recommended to monitor the settings and behavior of the on-premises systems, to close the loop on changes.
  • In an environment with a lot of Domain Controllers, AD FS servers and other systems, a centralized configuration management solution reduces the administrative burden on administrators, but requires more systems and licenses. Solutions like System Center, ZENworks and Symantec Client Management Suite would make this happen. The combination of WSUS and MDT might also suffice. Don’t forget to centrally manage anti-malware technologies, too.
  • Solutions like Microsoft’s Advanced Threat Analytics (ATA) for behavioral analytics in Active Directory, a Cloud App Security Broker (CASB) solution and, of course, Microsoft BitLocker Administration and Monitoring (MBAM) when you’re using BitLocker throughout the environment, can be considered future necessities.
  • Backups and regular restore tests should be on the schedule. It would be a shame if something would happen to your Active Directory Domain Controllers… right?
  • In terms of reporting, I feel many organizations have invented the wheel for themselves. While custom scripts and solutions, like the one to gather related ADFS events from the security, admin, and debug logs, across multiple serversand even some AD FS telemetry integration with Application Insights, might get you (half way) there, organizations these days show a huge need for reporting. This, too, requires hardware and/or integration.


I feel medium-sized business with hard Identity and Access Management (IAM) requirements are going to really feel our industry’s shift to the cloud. I think they have hard choices to make, because for them going to the cloud means doubling down on on-premises systems, like many enterprises do.

One of the options can be having several Active Directory Domain Controllers, implemented over different regions of the same IaaS provider (like Azure) or distributed between several providers (a mix between Azure, AWS, Google cloud and so on, commonly referred to as multi-cloud). The benefit of such a configuration will leave the control of the identity layer in the organization’s hands, while benefiting from cloud redundancy and lower costs for maintenance.

The post The Cloud Identity Dilemma appeared first on Semperis.

*** This is a Security Bloggers Network syndicated blog from Semperis authored by Sander Berkouwer. Read the original post at:

Cloud Workload Resilience PulseMeter

Step 1 of 8

How do you define cloud resiliency for cloud workloads? (Select 3)(Required)