6 Tips for Cloud Server User Management

Linking cloud servers with corporate Active Directory (AD) or LDAP user stores can be tricky for enterprise IT. Ensuring that access rights are assigned correctly can also become complicated if the number of servers is large. For example, administrators must ensure that every server is covered at all times, all changes are logged, and all users are synchronized to the core user store, all of which must be managed on an ongoing basis.

To this end, administrators can manage users in a number of ways. The following sections cover some common user management methods along with their respective advantages and disadvantages.

1. Manual management

Many administrators choose to manage users on cloud servers manually, including creating and deleting accounts. Typically the administrator receives an email notifying them of a user's request for access to a cloud server, and then configures and manages the account by hand. The process is usually as follows:

1) Log in to the server

2) Create the user account

3) Modify account and user information as needed

4) Handle access termination when the user no longer needs the server

5) Communicate credentials and changes to users (usually through less secure channels)

The problem with manual management, however, is that it creates significant challenges for access tracking as the number of servers and users grows. Adding features such as multi-factor authentication (MFA) is also problematic, and configuring each server one by one is time-consuming. In addition, when using AWS, many administrators log in directly with the Amazon EC2 user account rather than with individual accounts. Although this makes logging in easier, it sacrifices per-user auditing on the host.

2. Adopt configuration management tools

The second user management paradigm is to add or remove user accounts with configuration management tools such as Chef, Puppet, Ansible, Salt, CFEngine, or others. For enterprises with a small number of users and simple access rules (for example, every user can access every server), this method is faster, cheaper, and easier to set up and maintain.

But administrators also know that this is not a long-term solution, because managing users through configuration management tools does not scale.

As the enterprise grows, the number of users increases sharply, access rules become increasingly complex, and management becomes difficult. Administrators must take on the time-consuming task of updating code every time access roles change, because what is really a purely administrative task now requires a developer and cannot be delegated to non-technical staff.
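To make the configuration-management approach concrete, here is an added example (not code from the original article or from any of the tools it names) of the desired-state reconciliation such a tool performs: roles map users to host groups, the desired account list per host is derived from them, and the diff against a snapshot of the accounts currently present on each host yields the create, remove and sudo changes to apply. The inventory, roles, users and current-state snapshot are all constructed sample data, and the actions are returned for logging rather than executed. The `USERS` and `ROLES` dictionaries are the "code" that has to be edited whenever access roles change, which is exactly where this approach stops scaling.

```python
"""Added example: desired-state user reconciliation, as a configuration
management tool would do it. All inventory, role and account data below is
constructed sample data; nothing here touches a real system."""
from dataclasses import dataclass

# Constructed sample inventory: which hosts belong to which host group.
HOST_GROUPS = {
    "web": ["web-01", "web-02"],
    "db": ["db-01"],
}

# Constructed role definitions: a role grants an account on some host groups,
# optionally with sudo.
ROLES = {
    "webops": {"groups": ["web"], "sudo": False},
    "dba": {"groups": ["db"], "sudo": True},
    "sre": {"groups": ["web", "db"], "sudo": True},
}

# Constructed user-to-role assignments. Every access change means editing this.
USERS = {
    "alice": ["sre"],
    "bob": ["webops"],
    "carol": ["dba"],
}

# Accounts the reconciliation must never create or remove.
PROTECTED = {"root", "ec2-user"}


@dataclass(frozen=True)
class Action:
    host: str
    op: str  # "create", "remove", "grant_sudo" or "revoke_sudo"
    user: str


def desired_state(host_groups=HOST_GROUPS, roles=ROLES, users=USERS):
    """Expand roles into {host: {user: has_sudo}}."""
    desired = {h: {} for hosts in host_groups.values() for h in hosts}
    for user, user_roles in users.items():
        for role in user_roles:
            spec = roles[role]
            for group in spec["groups"]:
                for host in host_groups[group]:
                    # Any sudo-granting role on a host gives the user sudo there.
                    desired[host][user] = desired[host].get(user, False) or spec["sudo"]
    return desired


def reconcile(desired, current, protected=PROTECTED):
    """Diff desired against current {host: {user: has_sudo}} and return the
    actions needed, sorted so the change set is deterministic and loggable."""
    actions = []
    for host, want in desired.items():
        have = current.get(host, {})
        for user, sudo in want.items():
            if user not in have:
                actions.append(Action(host, "create", user))
                if sudo:
                    actions.append(Action(host, "grant_sudo", user))
            elif have[user] != sudo:
                actions.append(Action(host, "grant_sudo" if sudo else "revoke_sudo", user))
        for user in have:
            # Accounts present but no longer desired are removed (leavers),
            # except protected system accounts.
            if user not in want and user not in protected:
                actions.append(Action(host, "remove", user))
    return sorted(actions, key=lambda a: (a.host, a.op, a.user))


# Constructed snapshot of what is currently on the hosts: "dave" has left but
# still has an account on web-01, and "bob" wrongly has sudo on web-02.
CURRENT = {
    "web-01": {"ec2-user": True, "alice": True, "bob": False, "dave": False},
    "web-02": {"ec2-user": True, "bob": True},
    "db-01": {"ec2-user": True, "carol": True},
}

if __name__ == "__main__":
    for a in reconcile(desired_state(), CURRENT):
        print(f"{a.host}: {a.op} {a.user}")
```

Running the module prints the six changes needed to bring the constructed hosts in line with the roles: alice is created with sudo on web-02 and db-01, bob's stray sudo on web-02 is revoked, and dave's leftover account on web-01 is removed; the protected `ec2-user` account is never touched.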

3. Expose LDAP or AD to the network

A third approach is to expose LDAP or AD to the Internet and have the cloud servers communicate directly with the user directory. With additional security measures and configuration, administrators can lock down the LDAP or AD server so that it communicates only with specified servers, and they can decide whether to do so based on the network architecture and expected server growth. Without such restrictions, the user directory store is exposed to the Internet and anyone can query it.
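The failure mode in that last sentence is easy to check for. The following is an added example (not from the original article) of an audit over inbound firewall rules for a directory server: it flags any rule that opens a directory port to the whole Internet, any rule whose source is not inside the allowlist of server networks, and, as a review item, any allowlisted rule that still admits the plain LDAP or global-catalog ports. The rule format is a deliberately simplified, constructed model of security-group style rules, not any cloud vendor's real API; the CIDRs and rule ids are constructed sample values.

```python
"""Added example: audit inbound rules for a directory server so that LDAP/AD
ports are reachable only from allowlisted server networks. Rule format and
sample data are constructed for this example."""
import ipaddress

# Ports a directory server typically listens on: LDAP, LDAPS, and the Active
# Directory global catalog in plain and TLS form.
DIRECTORY_PORTS = {389, 636, 3268, 3269}
# Ports that carry LDAP without mandatory TLS (STARTTLS may or may not be
# enforced server-side, so these are flagged for review rather than as errors).
CLEARTEXT_PORTS = {389, 3268}


def directory_ports_hit(rule):
    """Return the directory ports that fall inside the rule's port range."""
    return {p for p in DIRECTORY_PORTS if rule["from_port"] <= p <= rule["to_port"]}


def audit_directory_exposure(rules, allowed_cidrs):
    """Return (rule_id, finding, ports) tuples for rules touching directory ports.

    open_to_internet        source is 0.0.0.0/0 or ::/0
    source_not_allowlisted  source is not inside any allowed server network
    review_cleartext_ldap   allowlisted source, but plain LDAP/GC ports are open
    """
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for rule in rules:
        hit = directory_ports_hit(rule)
        if not hit:
            continue  # rule does not concern the directory service
        src = ipaddress.ip_network(rule["source"])
        if src.prefixlen == 0:
            findings.append((rule["id"], "open_to_internet", sorted(hit)))
        elif not any(src.version == a.version and src.subnet_of(a) for a in allowed):
            findings.append((rule["id"], "source_not_allowlisted", sorted(hit)))
        elif hit & CLEARTEXT_PORTS:
            findings.append((rule["id"], "review_cleartext_ldap", sorted(hit)))
    return findings


# Constructed sample rules for a directory server's inbound rule set.
RULES = [
    {"id": "sg-ldap-any", "source": "0.0.0.0/0", "from_port": 389, "to_port": 389},
    {"id": "sg-ldaps-app", "source": "10.20.0.0/24", "from_port": 636, "to_port": 636},
    {"id": "sg-ldaps-unknown", "source": "203.0.113.7/32", "from_port": 636, "to_port": 636},
    {"id": "sg-https", "source": "0.0.0.0/0", "from_port": 443, "to_port": 443},
    {"id": "sg-wide", "source": "10.20.0.0/24", "from_port": 0, "to_port": 65535},
]
# Constructed allowlist: the network the cloud servers live in.
ALLOWED_SERVER_CIDRS = ["10.20.0.0/16"]

if __name__ == "__main__":
    for rule_id, finding, ports in audit_directory_exposure(RULES, ALLOWED_SERVER_CIDRS):
        print(f"{rule_id}: {finding} on ports {ports}")
```

On the sample data only `sg-ldaps-app` passes cleanly: LDAPS from an allowlisted network. The rule admitting port 389 from anywhere is the exposure the article warns about, the single unknown address is flagged for not being on the server allowlist, and the "any port" rule is flagged for review because it admits plain LDAP even though its source is allowlisted.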

4. Create a new LDAP or AD instance on the cloud server

The fourth method is to create a separate directory store, which usually means standing up a new AD or LDAP instance on a cloud server. This approach works best when the cloud servers are placed in a virtual local area network (VLAN) or an equivalent enclave in which the directory server can communicate directly with the other servers.

In addition, the cloud directory store must be kept synchronized with the main user directory or updated manually. This lets administrators manage users on cloud servers through LDAP or AD, but it also adds to the administrator's workload.

5. Implement an enterprise-friendly identity management solution

Large companies sometimes leverage existing enterprise-grade identity management solutions, or acquire new ones, to manage cloud servers. Generally, these solutions are installed on premises and connected to the main directory store, and an agent is then installed on each device that needs to be managed. The vendor usually provides professional technical support for these tasks.

The benefit of this type of solution is that it can be used on enterprise desktops and servers alike, and mobile device management (MDM) capabilities can be added. For cloud server management, the administrator installs an agent on each server that communicates with the solution's on-premises master server. In summary, although this type of solution is excellent in terms of functionality, it is too cumbersome and costly for most enterprises to implement.

6. Directory as a Service

The final approach is to leverage a directory-as-a-service (DaaS) solution. The cloud directory acts as a bridge between the on-premises AD or LDAP user store and the cloud infrastructure, and a lightweight agent installed in the internal user store synchronizes users to the cloud directory.

Cloud servers then authenticate users and verify their access against the cloud directory. Since DaaS is itself a cloud-based solution, the servers reach the cloud directory over a secure connection or through a proxy installed on each server, with no additional network configuration required.

Changes to user information are made once in the internal directory and propagated to each server through the cloud directory. The benefits of this approach are simplicity, security, and high availability, provided the enterprise is already comfortable with cloud infrastructure.

Origin blog.csdn.net/lyshark_lyshark/article/details/126798194