A new One Identity report shows that companies are not yet ready to go all-in on Azure Active Directory (AAD). Instead, 49% of respondents are going to stay with a hybrid Active Directory (AD) solution for the foreseeable future. Additionally, more respondents (16%) have no plans for AAD at all than have gone all-in on AAD (only 8%).
Bhagwat Swaroop, president and general manager, One Identity said: “With 95 percent of global Fortune 1000 companies relying on Active Directory to manage their users’ access, and the swift move toward Azure and cloud adoption, it becomes a natural starting point for businesses looking to implement a zero-trust security model.
“Yet, AD by itself is not equipped to meet the standards of zero-trust architecture, and it lacks the ability to store, issue and manage privileged credentials as seen in traditional privileged access management (PAM) solutions. To simplify AD’s challenges, companies need to invoke zero-standing-privileges by combining a strong PAM strategy and technology with their AD management and workflow program in order to create the zero-trust model they critically need.”
Rapid changes caused problems in AD and AAD
One of the major challenges of 2020 has been how to deal with a workforce that is suddenly remote. Companies discovered that their on-premises systems were not enough. It made them rethink their cloud plans and, for many, that meant moving apps, data, and even authentication to the cloud. However, the latter seems to have opened up trust issues.
The report amplifies some of those. For example:
- Rapid changes in AD/AAD have created challenges for 37% of respondents.
- 30% were not equipped to deal with the volume and scope of changes to user profiles.
- 27% report that security and compliance suffered as a result of changes driven by COVID-19.
- 26% found their cloud strategy did not support rapid change.
What makes these numbers of more interest, and concern, is that respondents said Azure AD had slightly more challenges than on-premises AD. Given Microsoft’s push to move as many customers as possible away from on-premises to the cloud, there is clearly work to be done.
Migrating to Azure AD is taking time
One surprise here is that migrating to Azure AD is taking time. Most companies would expect it to be a smooth transition. After all, AD is the same on-premises and in Azure, right? No. There are extra tasks that need doing and additional policies to deal with.
As already noted, 49% plan to continue with both on-premises AD and Azure AD for the foreseeable future. That is a much bigger number than those already on Azure AD or planning to move to it.
Enterprise Times talked to Dan Conrad, IAM Strategist, One Identity, about this. Conrad believes that part of the issue here is existing IT environments. He said: “If I got to start from scratch, I would live 100% in Azure AD because I don’t need on-prem services and things like Internet services reliable enough that I can authenticate to the cloud whenever I need to.”
Conrad went on to talk about how this changes for legacy businesses. Can they really become a cloud-only business, or will they have to become a hybrid business with some apps and data on-premises? He said: “A legacy business where I maybe have 10,000 employees, they’re all on-prem, they’re all used to working a certain way, my data is in my data centre. That’s not a lift and shift.”
Applications raise another issue for cloud adoption. There are good reasons why many keep them on-premises and that, for many, means going with a hybrid IT architecture. This is likely to be behind the large number of respondents who want to stay in a hybrid environment.
Which regions are moving to Azure the quickest?
What’s interesting is who is moving to Azure AD the fastest. Scandinavia is the region where Azure AD is making the most inroads. 13% of companies here have already moved to Azure AD, and 10% will do so in the next 12 months. It is a region where cloud has been more widely adopted than the rest of Europe and one where Microsoft has always had a good presence.
The UK is the second highest adopter of Azure AD with 11% already fully on Azure AD and 9% due to follow in 12 months.
However, it is worth looking further out, at those regions that are moving but will take more than 12 months. Using this metric, France (22%) and Benelux (19%) are due to overtake Scandinavia. This is despite 31% of French respondents having concerns over the storage of credentials in the cloud.
The US and Canada are the laggards here. Only 7% are fully on Azure AD, with 9% planning to move in 12 months and 12% sometime later. Given how much cloud adoption there has been in the US, this is a significant outlier.
Storing credentials in the cloud is an area of concern
One thing screams out from this survey, and that is trust, or rather the lack of it. It seems that storing credentials in the cloud is a non-starter for organisations. 89% of respondents have concerns over the security of credentials stored in the cloud, with 23% having significant concerns. Additionally, 29% do not store any business credentials in any SaaS solution.
What is not clear is why people had concerns. There was no qualitative follow-up to the survey to explore this. Had there been, it would have provided a lot more useful data on what cloud vendors need to do.
Despite that, it does seem that 71% will store some credentials in the cloud. So where will they store them?
- Key management services (KMS) from cloud service providers – 71%
- SaaS password managers – 35%
- Hardware security modules (HSM) – 17%
- SaaS Privileged Access Management (PAM) solutions – 13%
These numbers don’t look too bad, especially for KMSs. However, another question asked about the range of credential types that will be stored in the cloud, and the answers appear to contradict some of the earlier findings.
- 51% will store credentials to SaaS accounts
- 48% will store credentials to access accounts/services running on the public cloud
- 48% will store credentials to access accounts in a business’s on-premises infrastructure
There were several other cases where people were storing credentials in the cloud. Some of these were individuals’ credentials, and some were credentials used by scripts and services. Interestingly, 41% plan to store shared credentials in the cloud, presumably to make sharing easier.
Enterprise Times: What does this mean?
Moving to Azure AD should be a no-brainer for many organisations. It simplifies several AD challenges and provides a more secure environment than on-premises storage. The latter is because Microsoft is putting a lot of effort and security support into making it safer than companies can do themselves.
However, Microsoft has had some embarrassing Azure AD issues recently that took down Azure, Office 365, SharePoint and Teams. A botched upgrade by Microsoft caused that five-hour outage, and it affected more than just cloud services. Desktop users whose software carries out licence checks were also locked out of their software. With organisations relying on these tools as part of their remote working plans, this is a serious problem. It may well explain why so many intend to run on-premises AD and Azure AD together in a hybrid configuration.
For Microsoft, this survey will take a little digesting. It will need to look carefully at the reasons given for not moving to or delaying a move to Azure AD. For customers, the focus will be on whether Microsoft can offer a proper failover service, not one that falls over due to a single error on Microsoft’s part.
One thing that will play out in the next few months is the impact of yesterday’s SolarWinds breach announcement. The breach sits on Azure, allowed the attackers to bypass Microsoft’s authentication and has hit US government agencies and other companies hard. It may well give those nervous about cloud more reasons to worry.