How to secure cloud access starting with on-premise Active Directory? Implement SSO and MFA
If Active Directory (AD) is the backbone of your infrastructure, your AD security shouldn't be an afterthought. With single sign-on (SSO) and multi-factor authentication (MFA) for Active Directory, on-premise Active Directory environments can allow access to cloud resources — without compromising security.
Updated June 6, 2024
For a long time, Active Directory single sign-on (SSO) and multi-factor authentication (MFA) were seen as nice-to-have technologies to use on a case-by-case basis to make network access more user-friendly or to add an extra security layer where needed.
But recently, as the risks and effects of cybercrime garner public attention, this rather laid-back view of SSO and MFA, and how they work together, is changing.
If you woke up today and started a company, it would probably be full cloud. But if you already have an on-premise Active Directory environment, your organization likely wasn't born yesterday. And it's not so simple to push all those legacy systems and applications to the cloud. Anyway, it's not gonna happen overnight.
Plus, highly regulated sectors, like government, defense, and manufacturing, often have obligations to keep authentication on premise.
But the realities of modern work, not to mention remote work, mean some of your services — resources, applications — are now in the cloud. Even if you are a locked-down dinosaur of an org.
And you need to bring access to those services under IT's control. In other words, you now need to protect SaaS connections, on top of everything else. This is where MFA and SSO come into play.
Active Directory SSO and MFA are critical security measures, working together, for organizations at any stage of the journey from 100% on-premise to the cloud.
The two technologies have also grown closer to one another in the minds of network architects.
SSO is a usability and management tool that knits disparate network access together under one credential. It’s a simple principle: the user need only identify themselves once. This means:
Reduced password fatigue
Less scope for shadow IT
Fewer credentials to manage makes life easier for the IT helpdesk
MFA, meanwhile, is a security layer that reduces the risk of relying on a single exposed credential. Arguably, MFA has become so fundamental to effective security that it is now the default for any type of secure network access, especially SaaS connections or remote access, with or without a VPN.
Underlying the challenge to provide secure access to cloud resources with SSO and MFA is the question of identity. Your identity provider (IdP), identity management system, or directory service is of course a key system, against which your organization authenticates users. Today, network architects have almost too many choices on this front, including many cloud identity providers.
Of course, whether or not you opt to send your organization's digital identity to the cloud (and we encourage you to think twice) depends on several factors. For one, as we mention above, you may be compliance-bound to keep identity and authentication on premise. But you also want to consider whether your security posture can tolerate trusting external, cloud-based identity providers (IdPs) to fill such a key role.
The challenge, of course, is that most access security solutions start with identity in the cloud. So when you want to go from on-premise to the cloud in any way, shape or form, the first step is usually to duplicate your AD directory or create a new one. But that leads to all kinds of complexities and drains on IT's time, not to mention important security gaps.
AD has been around since the 1990s, which might explain why a notion has taken hold that it is not up to the job of acting as an identity system for SSO.
Designed around the idea of an on-premise domain controller, using AD as an identity store dovetailed perfectly with the LAN era in which almost all resources were internal. Nevertheless, AD also had limitations, such as limited support for non-Windows resources. Over time, users accumulated too many credentials beyond the confines of AD, which forced them to authenticate multiple times.
Now, deep in the era of cloud computing, some see AD and the concept of on-premise control as a relic of a bygone age. And yet nothing could be further from the truth.
In fact, it’s possible to easily retain AD as your identity store for SaaS connections via SSO using a third-party tool such as UserLock. With this pragmatic approach, the advantages of SAML SSO with Active Directory are many, including:
You retain the on-premise AD directory you’re already using and are familiar with
You keep your authentication infrastructure on-site, which many organizations desire for optimal security if not for compliance requirements
You avoid the security and connectivity risks that come with using a cloud identity provider, which relies on an internet connection
You build on your existing investment in AD, which is already a proven tool for handling the job of user identity management
On paper, Microsoft’s AD Federation Services (ADFS) can do the heavy lifting, but it can be tricky to implement. First, it requires multiple types of complex infrastructure such as DNS servers and load balancers in addition to an SQL configuration database and digital certificates. Any disruption to the availability of certificates can quickly cause problems. AD is supposed to be simple and cost-effective, but ADFS can end up being anything but.
Many organizations today find themselves grappling with how best to secure access across both on-premise and cloud resources. And where you keep identity and authentication is far from the only challenge. The sheer number of systems and credentials that users now use, in addition to the modern infrastructure’s mix of on-premise and cloud applications, can create management and security headaches.
For many organizations, the answer to both issues is to combine Active Directory SSO and MFA.
This is the challenge of the hybrid enterprise: to bridge the on-premise and cloud spheres without compromising either. It sounds like a complex demand, but by improving AD security with SSO and MFA, it becomes possible. For most organizations trying to accommodate legacy applications with an expanding cloud investment, this will be the simplest and most cost-effective way to enable SSO across their user base.