Can I replace Microsoft Active Directory with Azure Active Directory? This is a very common question for IT professionals. With almost all of the IT environment moving to the cloud, there are a number of incentives to move the core directory service to the cloud too. Unfortunately, Microsoft’s path to the cloud can be unwieldy, expensive, and difficult to comprehend. It’s also heavily focused on Windows as its first-class citizen and the Microsoft ecosystem at large.

It all starts with Azure Active Directory (AAD), Microsoft’s foray into cloud-based directory services. It’s reasonable to think that it would have all the capabilities of Active Directory^® (AD), as the name implies, but the truth is more complicated than that — even before Microsoft’s licensing factors in.

Azure AD’s True Purpose

AAD was created to extend Microsoft’s presence into the cloud. It connects Active Directory users with Microsoft Azure services, and is easier to implement than Active Directory Federation Services (ADFS) for single sign-on (SSO). It doesn’t incorporate the full features of Active Directory and lacks support for authentication protocols including LDAP and RADIUS. It may manage non-Microsoft identities, but there are additional fees for multi-factor authentication (MFA). A gated licensing model keeps many features behind a paywall. For example, group management with role-based access control (RBAC) isn’t included with the free tier of AAD.

AAD is the cornerstone of Microsoft’s portfolio of identity, compliance, device management, and security products, because it provides a common identity for Azure, Intune, M365, and more. The permutations of products and challenges of migrating from Active Directory to the cloud have given rise to a cottage industry of consultants for implementation and planning. The breadth of configurations and options may be fitting for enterprises that have considerable resources to support deployments. Considering that it’s not even possible to abide by Microsoft’s best practices for AAD without subscribing to Premium tiers, AAD may be a mismatch for small and medium-sized enterprises (SMEs) that have more essential needs.

Costs tick upward when SEMs are pulled deeper into the Azure ecosystem or require interoperability with services that fall outside of the Microsoft stack. For example, fees are assessed for unrestricted cross-domain SSO and MFA authentications with other identities. 

Replace AD with Azure AD?

Can Azure AD actually be the complete replacement to AD that admins are looking for? Unfortunately, the short answer to that question is no. Azure AD is not a replacement for Active Directory. AAD was originally intended to connect users with Microsoft 365 services, providing a simpler alternative to ADFS for SSO. It has since evolved into a springboard to new subscription services that target enterprise customers and charge for capabilities that on-prem AD provided at no additional cost. 

You don’t have to take our word for it, check out what a Microsoft representative said in this Spiceworks post:

Azure Active Directory is not designed to be the cloud version of Active Directory. It is not a domain controller or a directory in the cloud that will provide the exact same capabilities with AD. It actually provides many more capabilities in a different way.

That’s why there is no actual “migration” path from Active Directory to Azure Active Directory. You can synchronize your on-premises directories (Active Directory or other) to Azure Active Directory but not migrate your computer accounts, group policies, OU etc.

As you can see here Azure Active Directory is an identity and access management solution for hybrid or cloud-only implementations. It can extend the reach of your on-premises identities to any SaaS application hosted in any cloud. It can provide secure remote access to on-premises applications that you want to publish to external users. It can be the center of your cross-organization collaboration by providing access for your partners to your resources. It provides identity management to your consumer-facing application by using social identity providers. Cloud app discovery, Multi-Factor Authentication, protection of your identities in the cloud, reporting of Sign-ins from possibly infected devices, leaked credentials report, user behavioral analysis are a few additional things that we couldn’t even imagine with the traditional Active Directory on-premises.

Even the recently announced Azure Active Directory Domain Services are not a usual DC as a service that you could use to replicate your existing Active Directory implementation to the cloud. It is a stand-alone service that can offer domain services to your Azure VMs and your directory-aware applications if you decide to move them to Azure infrastructure services. But with no replication to any other on-premises or cloud (in a VM) domain controller.

If you want to migrate your domain controllers in the cloud to use them for traditional task you could deploy domain controllers in Azure Virtual Machines and replicate via VPN.

So to conclude, if you would like to extend the reach of your identities to the cloud you can start by synchronizing your Active Directory to Azure AD.

Why Azure AD Can’t Replace AD Outright

When you step back and think about Microsoft’s identity and access management (IAM) strategy, it makes sense that you can’t replace AD with Azure AD. From a business perspective, Active Directory already has more market share than just about any solution they offer.

The on-prem directory acts as a tie that binds a Microsoft network together. By providing a way for customers to shift to a cloud directory service, Microsoft would open up the door to potential customer loss. Instead, it directs SMBs to cloud services that broaden the breadth and depth of its product families. However, these are intended to service enterprise customers and can be difficult to deploy and learn. 

Beyond the business perspective, there are also the technical capabilities to consider. Think of Azure AD as a user management platform for the Azure cloud platform, along with basic web application SSO capabilities. Where Azure falls short is that it doesn’t manage on-prem systems or resources without being integrated with a domain controller or add-on services for Windows.

For example, on-prem Windows (except for Windows 10), Mac, and Linux systems can’t be controlled for user access or systems management without subscribing to Microsoft Intune or Microsoft Endpoint Manager (MEM). Intune has limited functionality for Macs (without more MEM subscriptions) and, at present, has limited Linux support. Windows support is extensive, including auto-pilot onboarding.

Further, non-Microsoft solutions such as AWS and Google Workspace are outside of the scope of provisioning as well. There are a lot of resources that users need that can’t be touched by Azure alone, without adding additional subscriptions. 

While it’s possible to utilize Intune for a domainless enterprise, many organizations are still compelled to have a hybrid environment for full compatibility with AD or ADFS. Microsoft’s reference architecture (diagram below) prescribes both AD and AAD in an environment.

JumpCloud: Extend or Replace Azure Active Directory 

Every environment has different requirements and constraints that can make cloud migration more challenging. Some shops are locked into the Microsoft stack and would benefit from SSO, simplified Zero Trust security, and cross-OS system management that AAD + Intune don’t provide or charge too much for. Other organizations aren’t tied to legacy on-prem systems and can adopt a domainless architecture, saving on infrastructure, management, and rising CAL licensing costs. JumpCloud makes it possible to do either, or anything in between, for individual SMEs or through a multi-tenant portal for MSPs to consolidate tools and deliver value at scale.

JumpCloud’s open directory platform can serve as a cloud replacement to AD. JumpCloud enables admins to have seamless management of users with efficient control over systems (Mac, Windows, and Linux), wired or Wi-Fi networks (via RADIUS), virtual and physical storage (Samba, NAS, Box), cloud and on-prem applications (through SAML, OIDC, RESTful APIs, and LDAP), local and cloud servers (AWS, GCE), and more. Automated group memberships, that pull relevant user attributes from other IdPs or HRIS systems, assist with identity lifecycle management. Environment-wide push/TOTP MFA is implemented for each protocol for free.

Your identities can be assigned to trusted devices. JumpCloud provides mobile device management (MDM) for Android, iOS/iPadOS, Linux, and Windows. Zero-touch onboarding is available for Apple devices. With MDM and the Windows agent, IT teams can leverage GPO-like policies such as full disk encryption. The CLI of each OS is accessible, at root, to deploy custom commands and policies that fall outside of JumpCloud’s point-and-click catalog of policies.

The platform services IT management and security needs with security add-ons, including:

• Cross-OS patch management and browser patching
• Pre-built conditional access policies for more privileged access management
• Cloud Insights for AWS

JumpCloud can also integrate seamlessly with Azure AD, Google Workspace, or Okta to create one core identity provider for an organization. It is truly the cloud-forward directory that is built for the modern IT environment. JumpCloud’s open directory platform is interoperable and frees its users to adopt the IT stack of their choosing from best-of-breed services.

An Open Directory Platform™

The JumpCloud platform does not need to fully own and manage an identity. It consumes identities from different sources to orchestrate access and authorization to resources. This simplifies IT management for SMEs by addressing access control and security challenges that arise from having siloed apps and heterogeneous device endpoints outside of a corporate network. For instance, Microsoft doesn’t interoperate with Google Workspace, so IT professionals would otherwise have to seek alternatives for Identity and Access Control (IAC) and device management. Unfortunately, most other alternatives aren’t an integrated solution.

JumpCloud makes it possible for trusted devices to securely access resources across domains.

Delegated authentication is another option for access control. IT can configure AAD credentials to be used for RADIUS authentication into Wi-Fi networks with JumpCloud. There’s no domain controller or third-party service required.
JumpCloud helps SMEs to improve security, save on licensing, reduce headcount, and save time and effort by consolidating orchestration into a single, open directory that serves as an identity broker. The JumpCloud platform also works with Okta identities to provide RADIUS and LDAP access control, SSO, and system management for your device endpoints.

Try JumpCloud for Free

Want to learn more about how you can replace Active Directory with JumpCloud? It’s as simple as signing up for the JumpCloud Free account. JumpCloud offers all free accounts for 10 users and 10 devices, with no credit card info required. This grants the perfect opportunity for you to try out the entire platform including all of our premium functionality and see exactly how it works for yourself. Need more tailored, white glove implementation assistance? Schedule a free 30-minute technical consultation to learn about the service offerings available to you.

The JumpCloud community is always open for peer discussions about any IT topic.

“The house of every one is to him as his Castle and Fortress as well for defense against injury and violence…”— Sir Edward Coke, English judge and jurist.

Coke uttered the famous words across the pond more than 400 years ago. For centuries, the legal precedent has underpinned the right to freedom from intrusion. 

One can only imagine what Coke would think about today’s ongoing privacy debate between consumers, big tech, and legal systems. 

No longer are homes the only places we store personal information. Today’s companies have multiple options (and incentives) for collecting, storing, and sharing data. 

As the IT admin of a small-to-medium-sized enterprise (SME), what do these developments mean for you? And what are the essential things you need to know about data privacy laws?

Keep reading to learn more about data security versus data protection, the history of data privacy laws, and the most relevant laws in the U.S. and Europe. In addition, we’ll share our best tips on how to strengthen your compliance efforts. 

Data Privacy Laws and Why They Exist

The topic of data privacy entered the world stage in 2018. That’s when the Facebook-Cambridge Analytica scandal flashed across news headlines around the world.The New York Times reported that the company harvested the Facebook profiles of 50 million users, without their permission, for nefarious political purposes. 

Shortly after, several high-profile data breaches further emphasized the need for enhanced data privacy and security regulations. Google+ developers discovered a breach that allowed 438 external apps to access 500,000 Google+ users’ data, including names, emails, addresses, occupations, genders, and ages. The result? 

Lawmakers and regulators worldwide are now taking data privacy seriously. Several laws and regulations have popped up in recent years to protect people’s privacy. The most notable and expansive of these are the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the United States. We’ll dive into these regulations in a moment, but first, let’s define data privacy laws. 

What Are Data Privacy Laws? 

Data privacy laws are mandates that govern how organizations can collect, use, and share personal information. The laws exist to protect individuals from having their personal data mishandled or misused.

In addition, data privacy laws set standards for how organizations must handle and secure data and give data subjects rights over their information. This often includes the right to know and permit what information is collected, the right to have it erased, and the right to object to its use. 

The specifics of data privacy laws vary from country to country. But they all aim to achieve the same goal: to protect people’s information from falling into the wrong hands.

Benefits of Data Privacy Laws

The benefits of data privacy laws for individual data subjects are self-evident. However, they may seem somewhat burdensome for corporations.

After all, complying with data privacy laws requires significant time, resources, and money investments. But make no mistake, adhering to data privacy laws is not only the right thing to do, but it’s also good for business.

1. Enhance Consumer Trust (and Credibility)

In a world where data breaches are becoming increasingly common, customers want to work with companies they can trust. 

In fact, 71% of respondents in a 2020 McKinsey survey stated they would take their business elsewhere if a company released sensitive information without permission. Complying with data privacy regulations sends a strong signal to stakeholders that you take privacy seriously and do everything you can to protect their data. 

2. Level the Playing Field

Submitting all companies to the same standards means the differentiating factor would be products and service quality, not who has the most lenient data privacy practices. This is particularly important for SMEs that lack the resources of larger corporations and would be at a competitive disadvantage if there were no data privacy regulations.

Understanding Data Sovereignty

As noted earlier, different countries have different nuances on data privacy laws, making the discussion on data sovereignty ever-important.

Data sovereignty is the concept that data should be stored and managed in compliance with the laws of its country of origin. This is especially critical for companies that operate in multiple countries, as they need to ensure that their data complies with the laws of each country.

It also extends to the idea that organizations should store data originating from a country in the same country to avoid subjecting individuals’ privacy to a foreign government’s jurisdiction.

Data sovereignty has immense relevance in cloud storage applications as companies sometimes host servers in different countries from where the data is collected. Data sovereignty will become even more critical as the internet grows and expands.

Data Security vs. Data Protection 

People often use the terms data security and data protection interchangeably without realizing they are two completely different concepts.

Data Security

Data security is the practice of restricting access to data. This includes ensuring that only certain users can obtain data and that information is not modified or destroyed without authorization. 

Data security is vital for both individuals and organizations, as it helps protect information from being misused or stolen. Examples of data security strategies include encryption, firewalls, and password protection. 

Organizations can use an IT toolkit like the JumpCloud Directory Platform to streamline data security compliance, oversee device management in heterogeneous environments, provision/deprovision users, and enforce password controls. 

Data Protection

Data protection involves safeguarding data from loss or damage. It includes measures such as backing up data and storing it in a secure location to ensure that important data is not lost in the event that security measures fail. 

For example, suppose cyberattackers seize control of an organization’s server in a ransomware attack. In that case, data protection measures ensure that the organization can still access its data. 

Though relevant as the last line of defense in a wider security strategy, data protection is also handy for other reasons besides malicious attacks. For example, it helps businesses recover from data loss due to technical failures or human error. 

Also, if different locations house data (e.g., on premises and in the cloud), data protection helps ensure critical systems don’t grind to a halt if one storage location goes down. 

The Four Basic Data Privacy Protections 

Oftentimes, implementing data privacy policies is challenging for organizations because they don’t approach it as a baseline for operations. 

Instead, they treat it as an afterthought and only focus on meeting regulatory compliance when required. At JumpsCloud, we’ve seen SMEs take a similar approach with IT security compliance measures to their own detriment. 

Organizations seeking to take a proactive approach to data privacy should have the following protective measures in place as mandated by the General Data Protection Regulation and other similar laws:

1. Data Collection and Sharing Rights

Your privacy approach should include letting users know what types of data you collect, how you use it, who you’ll share it with, and what purpose you’ll use it for.

It should also inform and enable them to exercise their rights over their data, such as the right to access, delete, or correct their data.

They should also have the right to deny third-party access to some or all of their data.

2. Opt-In (Consent)

What’s better than letting your users know what data you handle? Asking their permission for how you intend to handle it.

It’s common for websites to have pre-ticked boxes that allow users to opt out of cookies or the collection of certain information. This is neither good practice nor in line with the laws, such as the GDPR’s cookie consent requirements.

Require your customers to take clear and proactive action to indicate that they agree to have their data collected.

3. Data Minimization and Storage Limitation

Only collect and store the data that is necessary for you to fulfill your business purpose. For example, suppose you’re a business that sells products. In that case, you’ll need to store data such as the customer’s name, shipping address, and payment information. 

Don’t store data such as visitor browsing history on your site or the sites they visit after leaving yours. Furthermore, limit the amount of time you keep data. For instance, you can delete customer data once they haven’t interacted with your site for a certain period, such as 12 months.

Perhaps, the most shocking cautionary tale is the double-header case of AdultFriendFinder, where a dating website got hacked twice, and very private information of users was made available on the dark web. What was already a sticky situation became even worse. It turned out that the data of former users who had deleted their accounts were still being kept and were among those leaked.

4. Nondiscrimination and No Data-Use Discrimination

This protection requires you not to engage in discriminatory behavior against individuals who choose to exercise their data privacy rights.

For example, you cannot charge a higher price, refuse service, or give them a lower quality service because they exercised their right to access or delete their data. Also, you can’t use collected data to profile individuals along discriminatory lines.

For instance, using data to target ads or content to individuals based on their race, ethnicity, gender, religion, disability, or other discriminating factors could violate your data subjects’ rights.

Evolution of Data Privacy

As referenced in our introduction, the notion of privacy has been around long before the digital age. Here’s some additional fun facts for the history buffs out there: 

• In 1890, two Americans, Samuel Warren and Louis Brandeis wrote “The Right to Privacy.” The article advocated individuals “be left alone” and not have their lives turned into public spectacles. With time, the need to protect people’s information became more apparent as the technological landscape changed.
• In 1967, an interesting development to the U.S. constitution’s fourth amendment arose in Katz v. The U.S., where investigators had recorded a gambler’s conversations on a public telephone. The court held that the right to privacy extended beyond a person’s house, papers, and effects to include areas where a person has a reasonable expectation of privacy, such as a telephone booth, as in this case.
• Katz vs. The U.S. accelerated the movement toward data privacy, and in time, Sweden enacted the first national data privacy law in 1973. 
• The 1980s saw the Organisation for Economic Co-operation and Development (OECD) release data privacy guidelines which then and till today, form the basis for many data privacy laws around the world.
• Then came the internet, which made it easier for organizations to store more information than ever. In response, the European Union (EU) passed the Data Protection Directive in 1995.
• During the Wild West days of the internet, data privacy concerns took the backseat while data security rode shotgun. However, this soon changed with the rise of big data firms such as Google, Amazon, and Facebook in the 2000s.

The massive data these organizations collected, coupled with high-profile privacy scandals, made it inevitable that data privacy would come to the forefront again.

As previously mentioned, several countries have enacted data privacy laws reflecting its greater importance. Meanwhile, only time can tell what new technologies will develop and what concerns and responses to data privacy they might bring.

U.S. Data Privacy Laws 

The United States does not have a single, all-encompassing data privacy law. Instead, it relies on a patchwork of federal and state laws and industry-specific regulations.

National Privacy Legislation

There are several pieces of U.S. federal legislation that deal with data privacy. Perhaps the most popular are the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Children’s Online Privacy Protection Act (COPPA).

HIPAA establishes national standards to protect people’s medical information. It applies to healthcare providers, health plans, and other medical information organizations.

The GLBA requires financial organizations to safeguard sensitive information and explain their information-sharing procedures to customers. It also demands that they respect the customer’s right to opt out of any data sharing with unaffiliated parties.

COPPA protects the online privacy of children under 13 by prohibiting website operators from collecting personal information from children without parental consent.

State Privacy Legislation 

Several states also have data privacy laws. For example, The Massachusetts Data Privacy Law is one of the most comprehensive state data privacy laws. It requires businesses to take reasonable security measures to protect personal information. It imposes harsh penalties for companies that suffer data breaches.

California has the California Consumer Privacy Act (CCPA), which came into effect in 2020. The act contains residents’ right to know what personal information is being collected about them, the right to delete that information, and the right to opt out of its sale. With few exceptions, the CCPA contains as many measures as the GDPR.

There is also the Nevada Internet Privacy Law, with similar provisions to the CCPA but limited to online and web services only.

EU Data Privacy Laws

The European Union has one of the world’s most comprehensive data privacy laws. The EU’s General Data Protection Regulation (GDPR) came into effect in 2018 and builds on the EU’s 1995 Data Protection Directive.

The GDPR requires businesses to get explicit consent from individuals before collecting, using, or sharing their personal data. It also gives individuals the right to know what private data organizations collect about them, the right to have that data erased, and the right to object to its use.

The GDPR applies to data processes irrespective of whether the data is collected online or offline; or whether or not the business is in the EU.

Companies that violate the GDPR can receive a fine of 4% of their annual global revenue or €20 million, whichever is greater.

Data Privacy Quick Tips for SMEs

So, what can SMEs do to comply with data privacy laws? Here are some quick tips:

• Get rid of dark patterns: You know how easy it is to use those complicated menus to frustrate users and discourage them from using the opt-out button. Or how easy it is to place confusing words like “Don’t Not Sell My Personal Information” beside the “I agree” checkbox. Well, don’t use them. Dark patterns are not only annoying to your user; specific instances of them could also be illegal under relevant laws.

• Implement privacy by design: This means building privacy into your products and services from the ground up. It starts with understanding what personal data you are collecting and why. Do you really need it? Can you get by with an email address? Once you’ve decided what data you need, figure out how to collect it to minimize the risk of exposure. For example, if you’re managing sensitive information like health data, consider using encryption to keep this information safe both during and after collection.

• Communicate changes in policy: If you change your privacy policy, communicate these changes to your users. Also, ensure you provide an option for users to opt into the new policy. It goes without saying that you should also make it easy for users to find your privacy policy on your website or app.

• Data privacy is more than the internet: Remember that privacy laws also apply to offline data collection. This includes data collected through paper forms, over the phone, or in person. So, if you collect this type of information, take steps to protect this information from exposure and use it only for the purpose it was collected.

Improve IT Security Hygiene with JumpCloud 

Data privacy laws are constantly evolving, and businesses must keep up to date with the latest changes. By understanding the basics of data privacy, you can ensure your organization complies with relevant laws and protects your customers’ personal information.

Did you know that instituting and enforcing IT hygiene policies helps improve organizational data privacy, security, and protection posture?Learn how organizations can adopt data-hygienic practices, improve data privacy, and avoid breaches in The IT Manager’s Guide to Data Compliance Hygiene.

Streamlined and unified authentication to all resources is a core feature of JumpCloud’s open directory platform. That capability extends to secure network access into Wi-Fi and VPNs. JumpCloud’s cloud RADIUS service now supports credential-based (password) and certificate-based (passwordless) authentication. 

The combination of these authentication methods addresses the vast majority of risk levels an organization may face. Furthermore, the certificate-based authentication (CBA) approach is considered the most secure and frictionless method available today. JumpCloud’s CBA is consistent with the open directory principles, offering IT and network admins the flexibility to bring your own certificates (BYOC) as well as the future ability to manage certificates within JumpCloud.

What Is RADIUS Certificate-Based Authentication?

RADIUS Certificate-Based Authentication (CBA) is an authentication method that leverages the content of a X.509 compliant certificate to validate the identities of the device and the user requesting access to a network resource. RADIUS CBA obtains the certificate contents from the RADIUS client when a user requests access to an AP (access point) via client PC (RADIUS client). It then validates the standing of the certificate, as well as the certificate trust chain, with the corresponding certificate authority (CA). Finally, RADIUS CBA verifies the user status and access privileges against the JumpCloud Directory before allowing access to the RADIUS resource (typically Wi-Fi or VPN) when the certificate is validated. 

The Benefits of RADIUS CBA

The benefits of CBA are predicated on two fundamental capabilities. First, the ability to positively identify the authenticating party by leveraging the digital private/public key pair technology recognized as the most secure technology in the industry; and second, the ability to authenticate the user bound to the certificate without any input from the user (frictionless). Small and medium-sized enterprises (SMEs) can use CBA to secure and streamline user authentication flows and eliminate the potential for identity silos or duplicate systems.

Key Features of RADIUS CBA

All current cloud RADIUS features are available with the RADIUS CBA release. The following new capabilities are part of this new release:

• Bring your own certificates (BYOC) – The initial release of RADIUS CBA allows IT administrators to import their certificates into RADIUS for authentication. The certificate lifecycle management and delivery to target endpoints is achieved by tools external to JumpCloud. 
• Multilayer User Authentication – Before allowing user access, RADIUS CBA authenticates the good standing of a certificate (expiration, origin, and revoke status), compliance to one of three JumpCloud user certificates supported (Email user identifier in Subject Alternative Name field, Email user identifier in Distinguished Name field, or Username user identifier in Common Name field), the user status in JumpCloud directory, and finally the user certificate location (must be located on target client device).
• Password as an alternative to certificates – RADIUS CBA allows administrators to use credentials as an initial alternative to certificate. This capability enables the gradual migration to certificate based authentication. Users can initially authenticate using their Username/Password then transition to certificates.
• User groups – The traditional user group association capability and assignment to RADIUS AP is also available with certificates. Groups leverage JumpCloud’s attribute-based access control (ABAC) to automate identity lifecycle management.
• Consolidated IT infrastructure –No additional servers, Windows Server roles, or on-premise infrastructure is required to set up and maintain cloud RADIUS CBA. This lowers IT’s administrative overhead and reduces potential cyberattack surface areas.
• ​​​​​​​Certificate Status check during Authentication BYOC supports validating the good standing of a certificate on every authentication transaction via the Online Certificate Status Protocol (OCSP). 

The Benefits of RADIUS CBA/BYOC

Certificates may originate from multiple CAs. Organizations that already use and manage certificates can import them into JumpCloud and use them for authentication to JumpCloud RADIUS to secure network access. For more on the JumpCloud CBA, see Certificate-Based Authentication to RADIUS for Admins.

Examples of BYO Certs in Action

When the SME wants its users to authenticate securely and without friction, the administrator:

• Selects the “passwordless” authentication method
• Imports the certificate chain, which allows the JumpCloud RADIUS server to challenge the RADIUS client with EAP-TLS mutual authentication. 

The admin can also allow password authentication as a fallback method for those users who have not yet received a certificate.

Admin 

When a user initially connects to a Wi-Fi device configured for JumpCloud RADIUS with certificate authentication (and password as a fallback), they can select “connect using a certificate.” Going forward, authentication to the Wi-Fi AP will happen automatically without any additional input from the user.

JumpCloud’s cloud RADIUS validates the certificate contents provided and checks if the certificate, and user, are in good standing before granting access to the Wi-Fi network.

Try JumpCloud Cloud RADIUS

JumpCloud offers its full open directory platform without any charges for up to 10 users and devices. Free chat support is provided for 10 days to help get you started. Pricing is workflow-based to help SMEs meet their unique requirements versus feature-based SKUs. Would you prefer tailored, white-glove implementation assistance? Schedule a free 30-minute technical consultation to learn about the service offerings available to you.

Modern IT environments are incredibly diverse, and while this is great for many reasons, it can also make the IT department’s job more difficult. Today’s environments are often comprised of a mixture of on-prem and cloud resources, corporate owned and BYOD devices, varying device and operating system (OS) types such as Mac, Windows, Linux, iOS, Android, and more.

All of these factors, plus the popularity of hybrid work, add complexity around managing identities and sometimes make it feel like centralized and simplified identity management is out of the question. Luckily, this is not the case at all, though some organizations might need to adjust their infrastructure and tool choices to be more future-proof to achieve a modern and unified identity management strategy. Let’s take a look at why that is and how it can be done.

Centralized Identity Management Barriers

As mentioned above, heterogenous IT environments can be a problem for IT, because resources live in many different places, employees work from all over the world, and there are a plethora of device and OS types out there.

Here’s how some of these factors affect identity management:

• Cloud and on-prem resources: It can be hard to get visibility into who has access to what resources, and SaaS apps might not connect to a traditional directory such as Microsoft AD.
• Hybrid and remote working models: Monitoring, managing, and helping employees that aren’t in the office can be problematic without the proper tools.
• BYOD: Personal devices typically don’t connect back to traditional directory services, and they are sometimes difficult or impossible to manage.
• Mac, Windows, and Linux device popularity: Most tools are meant to help you manage certain device types but not others, making it hard to keep track of and secure devices that employees use.

All of these factors and more contribute to an incomplete, decentralized identity management strategy in many organizations. 

Why Centralized Identity Management Is Key

This decentralized approach is often forced on IT, rather than chosen, simply because of the disparate resources that need to be managed on top of the fact that many organizations use outdated or disconnected IT management tools. This strategy (or lack thereof) can quickly turn into a security and compliance nightmare, an unnecessary weight on IT, a fractured employee experience, and a hit to the organization’s bottom line, among other things.

When users and their digital identities are not centrally managed, it’s virtually impossible to get visibility into their resource access privileges, what devices they’re accessing company resources on (whether company-managed or completely unsecured), what problems they might be experiencing, whether their systems are up-to-date or not, and much more. On top of all of this, Shadow IT is as prevalent as ever, which causes even more security hiccups when left unchecked due to poor identity management. 

Considering that 84% of organizations experienced at least one identity-related breach in the past year, you can see how far-reaching the effects of the decentralized identity management problem truly are.

To avoid all of this to the furthest extent possible, IT needs centralized control over all identities, access, and devices, while simultaneously allowing departments and employees the flexibility they need to get work done.

How to Centralize Identity Management

So, the end goal is to provide employees with flexibility in where and how they work, while maintaining the amount of control that you want over their digital identities, access, and devices. To do so, you’ll want to centralize the management of all of these things, as much as possible.

Centralized user management provides IT with the control and visibility over every device, application, and network across the organization, without dictating what resources are the right choice for each group. This strategy saves IT time with easier day-to-day workflows, helps ensure compliance, enhances security, and ameliorates the end user experience.

A modern way to centralize identity management is by adding JumpCloud’s open directory platform to the center of your IT infrastructure. The beauty of an open directory is that it can easily connect to all of your existing infrastructure, as well as any other tools (such as other directories, HR tools, and more) you decide to adopt in the future, allowing your business to evolve and scale with ease. This means that with the JumpCloud Directory Platform, you can centrally manage identities, access, and devices, all from a single, modern platform.

Get complete, centralized visibility into employee identities, what they do or do not have access to, and their devices. With JumpCloud’s identity lifecycle management capabilities, enjoy simplified onboarding and offboarding, add users to groups for easy control, keep devices patched and up-to-date, quickly change access levels, and much more. With this solution, your organization still maintains the flexibility it needs to leverage the best devices, applications, and tools on the market. Plus, you can hire the best talent, regardless of their location, without worrying about how it’ll impact security or how IT will manage them.

Use JumpCloud to ensure that your identity lifecycle management process is efficient, secure, and complete.

Learn More