Enterprise IT personnel often suffer from user management issues, especially the hassle of identity management. The three traditional methods of manual management, Microsoft Active Directory, and LDAP directory servers all have obvious drawbacks and are no longer suitable for modern enterprises. The fourth solution, modern cloud directory services, is proposed in the context of business cloud migration and better meets the needs of enterprise IT personnel. Below, we will discuss the respective advantages and disadvantages of the four solutions in detail.
1. Manual Management
Most administrators still choose to manually input commands to create user accounts. When adding new employees and IT resources, administrators manually create accounts on each system, application, and network, and communicate with users about the access permissions of the new accounts. Then, users can log in to the new account to change passwords or upload applicable public keys. If users forget their passwords for some reason or rotate their private keys, these requests need to be manually handled by administrators. Some administrators may also take additional measures to monitor user access to servers, such as occasionally checking log files to determine who is logging into the server, or detecting brute-force attacks, but not every detection is successful.

The problem is that these tasks should be carried out regularly by administrators. Just auditing the complete user login log is time-consuming and labor-intensive, and it is difficult for administrators to complete it alone. Enterprises are also unlikely to have a budget to hire dedicated staff to review logs. Small businesses in particular, with a limited number of servers and few changes, mostly manage user accounts manually, and this can go on for a long time. The disadvantage, however, is that this approach cannot scale, lacks systematization, and provides insufficient security protection.
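The two checks the section mentions, reviewing who is logging into a server and spotting brute-force attempts, are exactly the kind of log audit that is tedious to do by hand. The script below is an added example, not part of the original article: it parses a handful of constructed sshd-style log lines (the host name, user names and IP addresses are placeholders) and reports successful logins plus any source address with an excessive number of failed attempts.

```python
import re
from collections import Counter

# Constructed sample sshd log lines for this example (not from the article).
# Host, user names and addresses are placeholders; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
Mar  3 10:01:02 web1 sshd[2101]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Mar  3 10:01:40 web1 sshd[2110]: Failed password for root from 203.0.113.9 port 40011 ssh2
Mar  3 10:01:41 web1 sshd[2112]: Failed password for root from 203.0.113.9 port 40012 ssh2
Mar  3 10:01:42 web1 sshd[2114]: Failed password for admin from 203.0.113.9 port 40013 ssh2
Mar  3 10:01:43 web1 sshd[2116]: Failed password for invalid user test from 203.0.113.9 port 40014 ssh2
Mar  3 10:01:44 web1 sshd[2118]: Failed password for invalid user oracle from 203.0.113.9 port 40015 ssh2
Mar  3 10:02:10 web1 sshd[2130]: Failed password for bob from 10.0.0.7 port 51100 ssh2
Mar  3 10:02:15 web1 sshd[2132]: Accepted password for bob from 10.0.0.7 port 51101 ssh2
Mar  3 10:03:00 web1 sshd[2140]: Accepted publickey for carol from 198.51.100.20 port 60000 ssh2
"""

# Matches the "Accepted ... for USER from IP" / "Failed ... for [invalid user] USER from IP"
# lines that sshd writes to the auth log.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s(?P<method>\w+)\sfor\s(?:invalid user\s)?(?P<user>\S+)"
    r"\sfrom\s(?P<ip>[\d.]+)"
)


def parse_auth_log(text):
    """Return one dict per recognised authentication event; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def successful_logins(events):
    """The 'who is logging into the server' audit: (user, source IP, auth method)."""
    return [(e["user"], e["ip"], e["method"]) for e in events if e["result"] == "Accepted"]


def brute_force_sources(events, threshold=5):
    """Source IPs with at least `threshold` failed attempts, a simple brute-force heuristic."""
    failures = Counter(e["ip"] for e in events if e["result"] == "Failed")
    return {ip: n for ip, n in failures.items() if n >= threshold}


def users_targeted(events, ip):
    """Sorted list of account names a given source tried and failed to log in as."""
    return sorted({e["user"] for e in events if e["ip"] == ip and e["result"] == "Failed"})


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    for user, ip, method in successful_logins(evs):
        print(f"login: {user} from {ip} via {method}")
    for ip, n in brute_force_sources(evs).items():
        print(f"suspect brute force from {ip}: {n} failures, users {users_targeted(evs, ip)}")
```

The threshold is a plain count across the whole input; a production check would bound it to a time window and read the rotated log files, but even this version shows why the article calls manual review "time-consuming and labor-intensive": the single failed attempt by bob, followed by a success, is normal, while five rapid failures against root, admin and nonexistent accounts from one external address are the pattern an administrator is looking for.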
2. Microsoft Active Directory
Over the past decade, Microsoft's Active Directory (AD) has been a benchmark in the directory service field. Enterprises of all sizes will deploy AD, especially for enterprises that have been established for several years. However, now, these enterprises may encounter many problems when trying to move AD to the cloud.
Firstly, AD is usually hosted locally or in data centers, rather than in cloud servers. Therefore, cloud infrastructure and cloud applications need to establish a communication method with the AD server, and the least recommended method is to expose AD to the Internet, as the risk is too high.
Secondly, most cloud infrastructure is based on Linux. Even Linux or Mac devices located in the office are difficult to join to AD. Administrators need to purchase directory extension services that place an agent on the Linux server to communicate with AD, so that users and access permissions can be managed directly from AD.
Of course, Linux servers and Mac devices do not match Windows servers when it comes to managing specific permissions and access. For large enterprises that primarily use Windows environments, moving AD to the cloud may be feasible, apart from the security and network issues above. For Linux servers, dynamic cloud environments, and Mac devices, it is best to find alternative solutions that improve work efficiency and cost-effectiveness.
3. Lightweight Directory Access Protocol (LDAP) Directory Server
The LDAP directory server has become a lightweight open-source alternative to AD. LDAP is a database optimized for directory services, and enterprises often use it as the backend for LDAP-aware systems and applications. Administrators set up an LDAP directory server in the enterprise's cloud infrastructure and then configure it as the user source and as the access control and authorization mechanism. It should be noted that configuring an LDAP directory server is complex, specialized, and time-consuming, so the access control mechanism is essentially created by hand by administrators. As a database, LDAP also requires new users to be pre-provisioned and their access permissions created manually; in addition, each IT resource must be configured to query the LDAP directory server to decide whether a user should be authenticated and which permissions that user may have. Administrators usually manage LDAP at the command line, which requires more specialized technical skills and takes more time.
Non-Windows environments have also chosen to deploy LDAP directory servers and have extended them to the cloud. However, from a long-term operation and maintenance perspective, LDAP directory servers are too costly, and they offer no support for planning the scale and redundancy of the LDAP infrastructure, which are fatal drawbacks for administrators. In addition, both LDAP and AD are affected by the complexity of cross-cloud networks, which may introduce security issues.
4. Modern Cloud Directory Service DaaS
From the three solutions above, it can be seen that although each has its role, user management has never been well integrated with cloud technology. For enterprises seeking efficient and secure infrastructure, these are clearly not ideal solutions. A cloud directory service (DaaS) built on a cloud architecture can connect to the enterprise's internal AD/LDAP directory, manage the network effectively, reduce human error, and simplify management.
The cloud directory DaaS acts as a bridge connecting the local AD or LDAP user store to the cloud infrastructure: users are synchronized from the internal user store to the cloud directory through lightweight agents. Changes to user information are likewise processed centrally in the internal directory and passed to each server through the cloud directory DaaS. The advantages of this method are simplicity, security, and high availability, but the prerequisite is that the enterprise is already comfortable with cloud infrastructure.
During the initial stage of deploying the cloud directory, enterprises can either point their servers to the LDAP server for authentication or install an agent. Both methods provide the security and reliability of multi-level redundancy. In addition, the DaaS cloud directory can help enterprises unify the management of user identity, support single sign-on (SSO), multi-factor authentication (MFA) and other identity and access management tools, and provide device management across different operating systems.
(This article is from NingDun, for learning and reference only, unauthorized reproduction and redistribution are prohibited)