Event Recording

Your Journey to the Cloud: Can you Finally Replace Active Directory?


In this session, we will answer a question that everyone is asking: "Can we really get rid of Active Directory in the cloud era?".

In the conversations with many CISOs and CTOs, the future of Active Directory was constantly being questioned and we could see a lot of confusion about what strategy to take. Active Directory is currently experienced as a huge pain in most organizations and they all dream of being able to eliminate this classic entry point for Malware and Ransomware within their IT ecosystem.

So just to present myself, my name is Silvan. I'm working for a company named Tenable. I've been working in this, you know, crazy identity security stuff for 20 years. Right now I am, by the way, a Microsoft MVP. So Microsoft is not there for the next panel session, but I will be there; I will try to represent Microsoft in a way. And we will talk today about different stuff around AD. So it seems weird, during the cloud convention, that we will talk about AD, but AD is part of what we have to do, what we have to manage. So we need to understand that during your cloud journey you will need to take care about AD as well. So let's talk about it. And here today, we want to answer the second question, not the first one.
And the second question is about: are we really able, right now, today, to get rid of AD? So here we will talk about identity directories. I just want to be sure that everyone is on the same page. So I will spend like one minute so we understand how many identities we have to manage during our journey. So back to the seventies, if you are an old guy like me, you were playing with TCP files, local identities, and so on. Then we got the need for managing identities. Then we started to use some magic new stuff like NT 3, NT 4, NetWare, NDS. And we started to use something which was quite new during this period, LDAP. So let's call it LDAP protocol based identities, which is not true because LDAP is not a protocol, but let's make it simple.
So we add more and more identities during this journey, then AD appears. And it was really a revolution, honestly. I mean, I'm coming from the network world, and during this period I was doing migrations like hell from Novell to AD. So year after year we did this, let's say, network replacement, going massively to AD, which means right now a lot of organizations are using AD. I mean, really a lot. We think it's about 95% of the organizations in the world which are using more than 50 PCs which are using AD, which is massive. Then the cloud is coming. So cloud means new types of identities, new ways to manage identities. And we add again another layer. So for sure, when you start to use the cloud, in fact, if you think about it, you need to use two different pieces, and I will come back on it later.
You need a piece which is the identity as a service, which is basically the single sign-on part, but you need as well to manage identities. You need to store identities. You need to have a cloud user store, which is the directory as a service part. And again, we will come back on it a little bit later in this presentation. So that's what we are doing right now. We're using identities from the really basic ones, because depending on your activity, depending on your vertical, depending on your size, you still have some systems somewhere. So perhaps you still use some /etc/passwd files somewhere, and I'm sure you are doing that; perhaps you still use NIS, which is not good in terms of security, but perhaps you still use this. For sure you still have some LDAP directories, and for sure you have AD.
So what does it mean? It means we didn't get rid of the other identity stores during our journey. We just add layers. And now we have the new layer, which is the cloud one. So just to be sure, again, we are on the same page before we jump to "can we cut AD?": what is AD? In fact, perhaps you think, okay, I know what AD is, but I want to make it very simple. So AD for me is three different things: authentication, authorization, which are almost using standards, I will say almost, but the main part of AD is not the authentication and authorization part. AD is providing to you some very specific stuff. And when you are thinking about cutting AD, in fact, the main problem is coming from the third one, because you are using AD for doing computer management. Perhaps you are using some specific features like global catalog, site awareness, all this crazy Microsoft stuff which is embedded in AD and you are using it every day. So if you think about it, authentication, authorization, that's easy, because you can use a new cloud directory to do that. But how do you manage the third piece?
So why is AD so special? I just want to give you some examples. There again, you are using GPOs, for sure. If you have AD, you are using GPOs. So you are doing that for computer management. You are doing that to manage user profiles. Perhaps you are using the Microsoft DNS. So if you are using the Microsoft DNS, you can use the DNS integration inside AD. Perhaps you are using the Microsoft PKI, ADCS? If you are doing that, behind the scenes you are using AD. And for sure, perhaps you still have some silos, printers, I mean all this crazy old stuff, but you still have it. And I can provide again more and more examples. But what I want to explain is, if we have a look, I mean in an accurate way, we are using AD behind the scenes in a lot of different situations. And the last one perhaps is VPN connection. Let's imagine you have some VPN connection using RADIUS. RADIUS is using AD in the back to perform the authentication. So in AD you have, like, you know, the top thing, which is authentication and authorization, but you have the other thing, which is more difficult to understand, manage, and so on, and cut.
So perhaps you may think: but I'm happy with AD. Why do I want to cut it? I mean, AD is great. Perhaps AD is, let's say, the best product made by Microsoft. So I'm using AD, I'm happy with that. Hey, the thing is, AD is massively used by ransomware for a lot of different reasons. First one: the attacker knows in advance you're using AD. Second: perhaps you installed AD like 20 years ago. I mean, I made a lot of AD designs, you know, 20 years ago, and I made a lot of mistakes, a lot, just because we weren't aware about all this pass-the-hash attack, pass-the-ticket attack, all this stuff which is embedded in AD. We weren't aware about it 20 years ago. So if you designed your AD 20 years ago, or even 10 years ago, you made a lot of mistakes, and you make a lot of mistakes every day just because you create users, groups, you install applications.
So you are doing a lot of operations every day which create what we call AD misconfiguration. And it's exactly what ransomware is using. Let's imagine you do merger and acquisition stuff. So you have this trust, you migrate objects, but you don't really know how the things were done before you made the acquisition, but you migrate everything into your forest. So you add complexity, you add misconfigurations, you add mistakes every day. So the ransomware, we think it's about, let's say, 70% of the ransomware which are using AD to attack the organization, which is huge. And it's why the CISOs think AD is a nightmare. And it's why the CISOs want to cut AD from their environment. So now you are thinking: I'm going to the cloud. Good. I can cut AD. It's not so easy. It's not so easy. Why is it not so easy? Just because you are just starting your cloud journey.
You are just at the beginning of your cloud journey. When you start to migrate to the cloud, and here I want to talk about identities, for sure, I will not cover, you know, applications and so on. We will focus on identities. When you start your journey, you need to think about two different concepts. First one is IDaaS. So the IDaaS one is the single sign-on piece. So it's everything you already know. Like you log in, you have this nice portal with the application logos, you click on it and you single sign on to, I don't know, Workday, Office 365, Salesforce, whatever. So you don't have to sign in anymore. And for sure you have the second part, which is the directory as a service part. So here we are talking about the user store itself, because if you want to manage authorization, if you want to manage roles, groups and so on, you need to store the identities somewhere. That's the directory as a service piece.
So if you think about it, it's almost the equivalent of AD, but running as a cloud service. But remember we said AD is not only authentication and authorization. It's GPOs, it's perhaps DNS, it's PKI. So how do you manage this next step? Here you have some examples. That's just to provide examples, okay, of screenshots from a solution which is doing directory as a service. So as you can see, you are able to manage, you know, users with some stuff very equivalent to what you are doing in AD, you know, details, user groups, directories, and so on. You are managing groups, again very equivalent to what we are doing with AD. You can do some AD integration, AD synchronization, a migration coming from on-prem going to the cloud. And final piece, you are doing device management, because remember AD is not only about users and groups, it's also about computers. So I just want to highlight the fact that when we are talking about a directory as a service solution, it's really covering everything. Or normally it's supposed to cover everything, which is different.
So if I want to simplify everything, I know it's not a simple slide, but if I want to simplify everything, here is a picture about your identity during the cloud journey. So first, everyone thinks about the identity as a service piece. So you are going to single sign on to the application, and here you need to manage authentication for your enterprise identities, perhaps your partners, perhaps your customers. And usually when you want to do that, you are using some sort of, let's say, federation or trust with external, what we call IdPs, which are identity providers. That's the simple part of the journey. Second one is the directory as a service, because again you need to use a cloud directory somewhere. And if you think about it, you need as well to do some different features. Perhaps you need a PKI. Perhaps you need RADIUS as a service.
Perhaps you still have some LDAP applications running on-prem which need an LDAP connection. So you need to provide LDAP or something to these applications. And for sure you need something to manage devices. And when I'm saying devices, I'm not thinking only about workstations, because when you are thinking about MDM stuff, a lot of people, or, you know, we call it now more the modern workplace management, we think about workstations, but tell me if I'm wrong, you still have some servers running on-prem. You still have some Unix servers, Windows servers, and I'm saying servers, not workstations. So how do you do that?
And for sure, during your journey, you will need to migrate everything which is on-prem to this directory as a service solution. So what type of service can you use to do that? I will present a slide, and I just want to warn you: I'm not an analyst, okay? This slide is just based on my own experience. I'm not a guy who is spending, you know, hours in the books to understand how it works, doing interviews. It's really based on my projects and own experience. And for sure you will find some mistakes inside, but that's my view of the stuff.
So here, from my perspective, I provide to you the four main names which are doing directory as a service. And for sure you can add more. But the thing is, I was working with these four guys, not the other ones. So I don't know the other ones, so I'm not able to provide you feedback. So I will not cover everything. And I mean, you have the slides, you can download them, it'll be easier. I just want to highlight three, four different points which are very important. First one is related to Azure AD. As you can see here, you have the computer management line, and I'm saying it's not Azure AD, it's Intune or whatever the code name is right now. So if you think about it, the way Microsoft is providing to you the directory as a service is: you have Azure AD, which is by the way doing both identity as a service and directory as a service. But the computer management piece is not done by Azure directly; it's done by another solution which is named Intune. So they made the choice to separate these two features.
Microsoft is not providing, you know, what I call advanced as a service, like RADIUS as a service, SSH as a service; they start to provide some stuff, but they're not very good at this one, but the other solutions are really good. Now we go to JumpCloud. JumpCloud is an American-based company, and they are coming from the directory as a service world. So they decided from the beginning to not invest in identity as a service but directory as a service. So they provide a lot of different stuff, including computer management, including what we can call MDM, including advanced as a service. But if you want to do identity as a service, the single sign-on piece, they are not very good at this one. Okay. Finally, we have Okta and OneLogin, which was acquired by One Identity. I will say these two ones are very similar, very similar, just because they are usually coming from the identity as a service piece.
OneLogin was doing both from the beginning, but still now they are very, very, very close, and they decided to not invest in the MDM piece. So they provide a lot of different very interesting features, like for example LDAP as a service or RADIUS as a service, but they decided to not include the computer management in their offer. Okay. So I know it's tricky, because when you start your journey you need to choose someone. But as you can see, it's not so easy; depending on your vertical, depending on your needs, depending on your size, it'll be different.
So finally, can you replace AD? If you want to replace AD, if you want to cut the cord to AD, you need to think about three different major steps. First one is, as you can imagine, you need to eliminate all the different connections you have to AD. That's obvious, but keep in mind, here we are talking about applications, but we're talking as well about what we call legacy services, like file sharing, printers. So if you are a young, small company, you don't have AD, because you are not using a file sharing system; you are using, I don't know, OneDrive or Google Drive or whatever. But if your company is, I don't know, 20 or 40 years old, for sure you still have some file servers, and how do you manage it? So you need to think about everything, from the applications to the services to the cloud, which is not easy, which could be long to do.
Second piece, which is interesting, is a lot of companies will need to redesign their IAM system. Why? Because they made a huge mistake. AD is not an IAM system; AD is a technical directory, but a lot of companies try to use AD as an IAM system. So now think about it. You want to replace AD. You want to get rid of AD, so you need to rethink everything around your IAM organization, IAM system. And remember the classic, let's say, sequence is: the HR system, you do some provisioning to your IAM system, then you do some provisioning to the metaverse. So the metaverse is not the Facebook one, for sure. Okay, that's the IAM one. And then you will do some provisioning to your technical directories, including AD. So AD is just at the end of the process. Even Microsoft is not using AD as the master directory in synchronization; the master directory is SAP, the HR system.
Finally, you need to adopt modern workplace management for 100% of your devices, including the servers. Because again, if you think about modern workplace, a lot of people talk about workstations, workstations, but workstations are easy, really easy, because on workstations in 99% of the cases you will use macOS or Windows. Easy. But if you think about the servers, we are using Unix, Linux, different flavors of Linux, different flavors of Unix. How do you migrate the computer management from AD or something equivalent to a cloud service for doing that? It's not easy at all.
So here you have what I call a realistic schedule, if you start your journey to the cloud and want to cut the cord to AD. So I'm used to saying, when I'm doing a presentation to a customer: Mr. Customer, don't get me wrong, you have the PowerPoint version of what I'm saying, and you have the real-life version of what I'm saying. Here I'm talking about the real-life version, but using PowerPoint, I know. So it will take time to do that. You have major steps to achieve. For sure, for me, one of the main ones will be this one, the technical debt linked to identities, because we have a lot. Usually, if you are a large customer, you are using a lot of different forests, a lot of different domains, because you made an acquisition but you didn't finish the migration. You still have the old one, you keep it somewhere. Or you still have some local management of identities. So to be able to integrate all the different identities coming from on-prem going to the cloud is not easy, and it will take time. So if you think about it, I think 10 years is a good timing. Perhaps you'll not agree. No problem, we can discuss about it.
So five important things. First is, okay, if you want to cut AD, let's imagine you're a CISO. If you want to get rid of AD, you need to think about it right now. And you think about the project right now, and you need to start a project right now. That's really important, because it will take time, and you can dream big, not a problem, but you need to anticipate, and you need to have for sure a vision for, you know, cutting everything which is related to on-prem. Second is, hmm, if you are a large organization, we can make a bet. And I'm sure if we meet again in 10 years, you will still have AD. That's obvious. I'm just saying 10 years, but depending on your size, depending on your vertical, depending on your activities, it should be different. So perhaps it'll take more than 10 years.
Third is obvious, but I just want to be sure everyone again understands that if you want to get rid of AD, for sure don't add any new AD dependencies. So if you choose to use a new application, a new service, be sure you don't have any relation with AD. And when I'm saying relation, I'm thinking about AD DS, so the AD directory services, but as well everything which is related to the DNS, the PKI, RADIUS, everything we were talking about before. So again, keep in mind, AD is not only AD DS; behind the scenes it is used by a lot of different services you are using every day.
Then, very important topic, which is my favorite topic, this one: you will need to secure your AD during 10 years. I know that's really boring, but you need to do it. Also, ransomware will use it. And if you want to continue the conversation, you are welcome to go to our Tenable booth, to, let's say, continue to talk about the AD security part of the project. So you will still need to have AD during 10 years, let's say, so you need to take care about misconfigurations. You will need to take care about AD processes. You will need to take care about AD attacks. You need to make something which is linked with yourself, to be sure that if AD is a target, you will receive an alert. That's really important, because I meet a lot of different CISOs who are saying to me: oh, I want to cut this, so I don't need to anymore.
No, no, no. You will keep AD during five years, six years, 10 years. So you still have to manage it. Trust me, or it will be a nightmare for you. Not because of me, because of the ransomware. And finally, which is really tricky to manage, to be honest, is the knowledge part. I mean, if you are old like me, you know a little bit about security, but let's imagine in 10 years: it'll be really difficult to find people who are able to understand, who just want to do AD stuff, because they are, you know, cloud fanatics. They do this DevOps stuff, very, very fancy. They don't want to do AD anymore. It'll be difficult to find people, and you need to anticipate that. It's even difficult nowadays. So let's imagine in 10 years, it'll be really, really complicated. If you remember 10 years ago, it was really difficult to find network people, just 10 years ago. So let's imagine it'll be perhaps the same for AD in the future. So you really need to anticipate this part, not only for AD, but AD is a tricky stuff. So now it's time for questions.
