Is it time to Separate Domain Joined Machines from Active Directory?

Active Directory is not all bad. It provides Group Policy features, provides excellent central management of security policies, can store encryption keys, and provides an excellent security boundary to internal on-premises systems, and it is easy to synchronize identity with various c . But is it really needed? That answer would be, “it depends.”

Whether or not one needs to have Active Directory, as it is traditionally, or rather typically deployed, in their environment is a matter of examining how many and what cloud services and environments are being used by the organization, how many users, what type of internal resources are needed to be accessed remotely, and just how users work day-to-day. For example, are users still dependent on file shares and mapped network drives to collaborate or store information? If so, then Active Directory will still be needed for those transactions, or at least Active Directory makes managing such working environments much easier. If employees rely more heavily on cloud environments with all collaboration tools, email, and shared files exchanged via the cloud, then the answer would probably be Active Directory is no not needed as much. But in most cases, the answer is somewhere in the middle. Organizations typically have a significant amount of resources for work and collaboration available to employees through cloud environments, with a handful of legacy applications that still live on-prem or in co-lo data centers. So diving from Active Directory becomes a bit more difficult.

Maybe the breakup with Active Directory is not necessary – at least at first, and like a problematic relationship, boundaries are set. Active Directory needs to have space from the end users. In this case, then we focus on the end users’ environment for security. Do we need the end users’ environment so entwined with Active Directory? Given how most organizations have a mixture of cloud and on-prem services, the answer would be surprisingly – no. Also, given how many of Active Directory’s problems come from end-user access, and the answer should be clearly – no.

End users do not need direct access to on-prem resources and certainly do not need domain-joined machines to access cloud and internal resources. Gartner has provided a wealth of information on the Security Service Edge (SSE). This, in short, is a collection of cloud-based security products or services that facilitate access to both cloud-based and on-prem resources. Assuming the SSE is already constructed, then there is actually no need for users to have domain-joined computers to access resources that are both protected with and in the cloud or to on-prem applications and data to which access is controlled by Active Directory authentication and permissions. Again, it all depends on how the organization builds out its SSE.

A matured SSE provides for Zero Trust Network Access (ZTNA), and often the capabilities that are orchestrated to form the SSE are Secure Web Gateways (SWG), Cloud Access Security Brokers (CASB), and Cloud Firewall services. Cloud-based security used In this manner you can strictly enforce access by geolocation, Multi-factor Authentication (MFA), and other security features that are easily deployed.

The posture of end-points can be checked before they are granted access. Finally, by distancing the end user’s computing environment from the network to the outer edge, the footprint on which an attacker can start a malicious action is reduced, and lateral movement becomes more difficult.

Removing computers from the domain does not mean the organization loses control; many end-point management solutions can be deployed as part of the cloud security environment to apply patch management, access control, and user access policies to a computer or other mobile device. These capabilities also allow an organization to realize the benefit of not being limited to just Windows machines or even Apple computers. Access can be granted for tablets and even Chromebooks with no negative impact on user productivity. This could allow organizations to expand bring-your-own -device programs, resulting in significant cost savings in hardware maintenance. Again, this is all just food for thought.

Maybe your relationship with domain-joined computers is good, or the organization’s security measures, Active Directory, and end-user computing environment is a happy story without any problems. I would suspect this is not the case and that, like a problematic relationship, There is a fair amount of denial over the security problems presented between the combination of Active Directory and the end user computing environment. But that is a decision only the organization can make if the pain points caused by the security risks are less problematic that changing how employees access corporate resources. At least now, an alternative to a more traditional end-user computing environment can be contemplated.