Over the past year, I’ve had occasion to work with some large enterprises that are pushing the envelope in terms of what the next generation of client computing will look like. In the process of this work, I’ve come to recognize what I think will be an inevitable trend. Namely, that on-premise Active Directory will become increasingly marginalized, as the services it once provided become less relevant to the mix of clients and technologies that are emerging in the cloud technology space. This is a pretty big statement to make, given that I’ve been working with on-premise enterprise directory services in one form or another (Netware, NDS, LanMan, AD) for most of my 20+ year career in IT. But I think it’s a trend that is inevitable, and not all bad. I also think it will take a long time to come to fruition for many large organizations, given the substantial install base and dependent services built around AD, and the lack of a true successor for the time being. Interestingly, though, for small companies and startups nowadays it is not uncommon to see not a bit of AD in their infrastructure. Even predominantly Windows-based organizations are able to get by using cloud-based services like Office 365, Google’s ecosystem or similar offerings to get the job done without the need for an internal AD.
So, given all that, what is the basis for the assertion in the title of this blog? Well, I think there’s a combination of trends in technology that are conspiring to reduce the value of the on-premise identity store as we move forward. Let’s look at a number of those.
The Changing Client Mix
Increasingly, organizations, and thus their IT shops, look a lot more like the broader consumer device market and less like the days when PCs dominated the corporate network. The client device mix still includes Windows PCs, for sure, but also Macs, Android and iOS tablets, iPhones and Android phones, and who knows what else. The Bring Your Own Device (BYOD) approach that many IT organizations have adopted has only accelerated this trend. And with it, the cornerstone of on-premise AD has started to erode: joining machines to the domain is no longer the default practice. Even though that activity seems inconsequential on its face, it has big implications for how AD is used in the enterprise. Once domain membership is no longer a given, a lot of other things go out the window. All those services, like Group Policy, that rely on domain-joined machines suddenly start to lose their value, and you have to find other mechanisms to manage these other kinds of devices. Microsoft plays in this space with technologies like Intune and the “Workplace Join” feature for Windows 8.x and iOS devices, but so do many other vendors. But what does domain membership for machines give us? It gives us trust in the machine: trust that the machine is part of the corporate domain (concretely, a computer account and Kerberos credential that other services can check), trust for the user authenticating to the machine, and trust for IT that they have some control over the machine. Once that control goes away, because devices no longer join AD, IT must find other ways of delivering services to those users and their devices in a trusted manner. They can do that by continuing to rely on some devices participating in the AD ecosystem and some not. Or they can find better, more AD-agnostic ways to accommodate what is likely to be an increasing share of the enterprise IT audience.
The Changing Application Landscape
Let’s face it, applications are the reason IT exists: to serve and support the applications that drive their respective businesses. Historically, applications were firmly ensconced in the corporate data center. The tight binding of the identity store (in recent times, predominantly AD) to the application was the foundation for controlling who could do what within those applications. But clearly that is changing. With SaaS applications like Salesforce, Office 365, etc. providing core business functionality, authentication and authorization are now provided through industry-standard federation trusts (e.g. SAML), which are relatively agnostic to the identity provider’s platform: the application consumes a signed assertion and never talks to the directory behind it. That’s not to say that everyone is running SaaS applications instead of those in their data center. But it is to say that the trend is moving towards application workloads living outside the four walls of the corporate data center. And with that, the reliance on on-premise AD is further reduced (note that I did not say that the need for identity goes away, but simply that with cloud-based application platforms you have more flexibility in terms of how you provide that identity).
The Changing Identity Landscape
Identity itself has undergone a renaissance in recent years. Thanks to open standards such as SAML, WS-Federation, OpenID, OAuth, OpenID Connect and others, a good many public cloud platforms support many more options for authenticating and authorizing users. We have public identity providers such as Google, Microsoft, LinkedIn and Facebook commonly being used to authenticate new cloud applications, thanks to these standards. And we even have Windows 8.1 supporting authentication to the OS using Microsoft Accounts. This trend will only continue, thanks to the rise of Identity as a Service (IDaaS) offerings that provide cloud-based SSO using cloud directories. Despite the traditional tendency to want to keep identity creation, storage and lifecycle management within an organization’s four walls, I think many organizations will begin to see the advantage of not being in the identity business (or at least not feeling the need to host identity). There may even come a time in the not-too-distant future where you authenticate to your corporate resources using a Google ID or a Facebook account instead of your AD creds. There are, of course, trust issues to be overcome here (with a consumer identity provider you don’t control credential policy, multi-factor enforcement or account recovery), but as I mentioned, many startups and smaller organizations have already gotten over those issues and don’t even run AD internally today. It’s only a matter of time before that trend moves up the “food chain” to larger entities.
What To Do About It
Like I said, the trend I’m discussing is not going to happen overnight (or perhaps not for years for some organizations), but I think even Microsoft sees the writing on the wall, as they continue to add more features and functionality to their cloud-based services like Azure AD (for identity) and Intune (for management). So what can you do now if you agree that this trend will happen? I think the tide of technology will make this question moot over time, but there are strategic decisions you can start to make now to prepare for it. First, think about any new technology decision in the context of whether it continues to tie you to on-premise AD and its related services, or not. Make decisions about applications, management tools and platforms based on how agnostic they are to your underlying identity provider. AD is a great LDAP directory, but LDAP is a standard, and as you get away from relying on those “value-added” services that AD uniquely provides (e.g. Kerberized authentication, Group Policy, File and Print Services, on and on) it becomes easier to shift from a particular LDAP directory to any LDAP directory (or any directory service, for that matter). The practical test is whether your applications hard-code AD-specific attribute names (sAMAccountName, memberOf) and the AD group model, or whether they keep that knowledge in one configurable place. And even if you don’t believe this trend is right at all for your organization, it will pay to think about how you can leverage some of these new technology trends within your existing organization without being so tightly bound to AD. After all, the reality is that connectivity to on-premise AD is not, and should no longer be, a given in today’s mobile device world. Why would you create a strategy that continues to rely on that connectivity, for the sake of doing things the way we always have?
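To make the “any LDAP directory” point concrete, here is an added example (my own illustration, not code from the original post). It resolves a login name to a normalized identity against two constructed in-memory directories, one laid out like AD (sAMAccountName, group objects, server-maintained memberOf back-links) and one laid out like a generic RFC 2307 / inetOrgPerson directory (uid, groupOfNames, no back-link). All of the schema-specific names live in one SchemaProfile object; the application only ever sees the Identity. The DNs, users and groups are hypothetical sample data, and a real deployment would replace the in-memory loops with LDAP searches.

```python
"""Directory-agnostic user resolution (added example, not from the original post).

Two constructed in-memory directories stand in for LDAP servers. Every
schema-specific attribute name lives in a SchemaProfile; application code
only touches the normalized Identity, so swapping directories means swapping
the profile, not the code.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SchemaProfile:
    login_attr: str                      # attribute matched against the typed login
    name_attr: str                       # human-readable name
    group_class: str                     # objectClass of group entries
    member_attr: str                     # forward link: group -> member DNs
    memberof_attr: Optional[str] = None  # back-link: entry -> group DNs, if the server keeps one


AD_PROFILE = SchemaProfile("sAMAccountName", "displayName", "group", "member", "memberOf")
RFC_PROFILE = SchemaProfile("uid", "cn", "groupOfNames", "member")  # no back-link: must search


@dataclass(frozen=True)
class Identity:
    login: str
    display_name: str
    groups: frozenset  # group names with nested membership already expanded


class Directory:
    """Minimal stand-in for an LDAP server; real code would issue searches instead of loops."""

    def __init__(self, profile: SchemaProfile, entries: dict):
        self.profile = profile
        self.entries = {dn.lower(): a for dn, a in entries.items()}  # DNs are case-insensitive

    @staticmethod
    def first(attrs: dict, name: str) -> str:
        value = attrs.get(name, "")
        if isinstance(value, list):
            return value[0] if value else ""
        return value

    def find_user(self, login: str):
        for dn, attrs in self.entries.items():
            if self.first(attrs, self.profile.login_attr).lower() == login.lower():
                return dn, attrs
        return None

    def parents_of(self, dn: str, attrs: dict) -> set:
        """Groups directly containing dn: read the back-link if present, else search member lists."""
        p = self.profile
        if p.memberof_attr is not None:
            return {g.lower() for g in attrs.get(p.memberof_attr, [])}
        return {gdn for gdn, g in self.entries.items()
                if p.group_class in g.get("objectClass", [])
                and dn in (m.lower() for m in g.get(p.member_attr, []))}

    def all_groups(self, dn: str, attrs: dict) -> set:
        """Transitive closure over nesting; AD's memberOf lists only direct membership."""
        seen, todo = set(), list(self.parents_of(dn, attrs))
        while todo:
            gdn = todo.pop()
            if gdn in seen or gdn not in self.entries:
                continue
            seen.add(gdn)
            todo.extend(self.parents_of(gdn, self.entries[gdn]))
        return seen


def resolve_user(directory: Directory, login: str) -> Optional[Identity]:
    """Application-facing entry point: callers never see attribute names."""
    hit = directory.find_user(login)
    if hit is None:
        return None
    dn, attrs = hit
    p = directory.profile
    names = frozenset(directory.first(directory.entries[g], "cn") for g in directory.all_groups(dn, attrs))
    return Identity(directory.first(attrs, p.login_attr), directory.first(attrs, p.name_attr), names)


def is_member(identity: Identity, group_name: str) -> bool:
    return group_name.lower() in {g.lower() for g in identity.groups}


# Constructed sample data: hypothetical DNs, users and groups.
AD_DIRECTORY = Directory(AD_PROFILE, {
    "CN=Alice Example,OU=Users,DC=corp,DC=example": {"objectClass": ["user"], "sAMAccountName": "alice",
        "displayName": "Alice Example", "memberOf": ["CN=Finance,OU=Groups,DC=corp,DC=example"]},
    "CN=Finance,OU=Groups,DC=corp,DC=example": {"objectClass": ["group"], "cn": "Finance",
        "member": ["CN=Alice Example,OU=Users,DC=corp,DC=example"],
        "memberOf": ["CN=AllStaff,OU=Groups,DC=corp,DC=example"]},
    "CN=AllStaff,OU=Groups,DC=corp,DC=example": {"objectClass": ["group"], "cn": "AllStaff",
        "member": ["CN=Finance,OU=Groups,DC=corp,DC=example"]},
})
RFC_DIRECTORY = Directory(RFC_PROFILE, {
    "uid=alice,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "uid": "alice",
        "cn": "Alice Example"},
    "cn=finance,ou=groups,dc=example,dc=com": {"objectClass": ["groupOfNames"], "cn": "finance",
        "member": ["uid=alice,ou=people,dc=example,dc=com"]},
    "cn=allstaff,ou=groups,dc=example,dc=com": {"objectClass": ["groupOfNames"], "cn": "allstaff",
        "member": ["cn=finance,ou=groups,dc=example,dc=com"]},
})

if __name__ == "__main__":
    for label, d in (("AD", AD_DIRECTORY), ("generic LDAP", RFC_DIRECTORY)):
        ident = resolve_user(d, "alice")
        print(label, ident, "finance access:", is_member(ident, "finance"))
```

The design point is where the difference between the two directories ends up: AD hands you a memberOf back-link, a plain LDAP directory makes you search member lists, and nested groups need a transitive walk in both cases, but all of that stays inside Directory. An authorization check in the application (is_member) is identical against either backend, which is exactly the property you want before you decide to move the identity store.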
Those are my thoughts. What do you think?
Darren
I would largely agree with this. I see on premises always remaining in some fashion, and I at least foresee infrastructure remaining on prem (firewalls, routers, storage, IPAM software – the list of these tools I think of is very extensive).
For this, on prem AD will remain and be required. As I work in Enterprise IT, I think from this angle first. AD is also DNS, so it should remain and serve its purpose. If it’s not broke and all that. Things get even more tricky with tools that are AD “site aware” and extend the AD schema, like SCCM, that are deployed in an enterprise. That’s something we use to deploy images, and it would be more unnecessary work to remove.
For clients, I agree with what you predict. But until Azure AD provides everything that AD does, I see a hybrid mix.