Good morning, good afternoon, or good evening, depending on where you are. And welcome to our session at Unite on how to maximize your Active Roles implementation for the cloud. My name is Wayne Smiley. I'm principal architect for the One Identity Active Roles product here at One Identity. And with me, I also have Dan Conrad, and I'll let him introduce himself as well.
Welcome to virtual Unite 2020. And thanks for joining us today. My name is Dan Conrad, and I'm a field strategist with One Identity working with the field strategy team. So today, we're going to talk to you. Wayne is going to do a lot of the talking and discussing some of the new features and functionality. But we're really going to be focusing on maximizing Active Roles for the cloud.
Most of you already know what Active Roles is, and it's been used for years and years on-prem. But as that expands to the cloud, and as you expand your footprint to the cloud, we're going to address some of the ways that it can be used, and things to look out for, both with things like hidden obstacles, and then we're going to compare the major cloud providers, which are AWS and Azure. But then we're going to talk about things like single pane of glass, and how to run Active Roles in Azure. And then one of the new features that Wayne is going to go into in detail is managing Azure-only objects.
So with that, let's take a quick look at a theoretical diagram of the architecture of running Active Roles in the cloud. So as you can see at the center of the drawing, we've got Active Roles running on-prem, managing your local Active Directory or Active Directories, as it may be. Servicing users that are on-prem, servicing home users and remote users, as well as administrators that are across the board in all those areas.
Most of the time, when you start going to something like Azure or AWS, you're going to do something like Azure AD Connect. Now there's going to be a distinct difference, in what we're talking about, between Active Roles running with Azure and Active Roles running with AWS. And we'll address that in just a little bit more detail here coming up. But this is a typical architecture. Many of our customers have multiple cloud platforms, and we want you to be able to consider how Active Roles can enhance and be used in those architectures.
So with that, let's talk about some of the hidden obstacles that we're going to be addressing. Wayne, please.
Sure. So one of the things about cloud migration, or cloud whatever you like to call it, I know migration is probably not the right word, but there are a lot of things you don't necessarily think about, some you do. And I wanted to spend a couple of minutes today talking about what some of those are.
And the first one we want to talk about is bad data quality. Now obviously, as you move from your on-prem world to a hybrid world, where obviously Active Roles is going to play a big part of that, you get the same concept that you always have had, which is garbage in, garbage out. If I don't have good data quality on my data on-prem, I'm just moving junk out to the cloud.
So with Active Roles, there are a lot of things we can do to make that better. For example, with policies and property generation and validation policies in Active Roles, and obviously our Access Templates, as well as workflows, we're able to take a lot of that data and make sure that the data that we have on-prem is good as it's moving into the cloud. So before it ever touches things like Azure AD Connect, for example, and pushes it out to Azure AD, we want to make sure the data quality is good. Everybody's titles are correct, their locations are right, their managers are right, their names are correct from HR. And also as you guys are aware, we can use things like the synchronization service, for example, to take that data and pull it in from some other known good feed, and make sure that our data hygiene is really top notch.
Another area to think about is stale, orphaned, and terminated accounts. As we're all aware, this is a constant issue in Active Directory. And as we move to the hybrid cloud, this is even more important. The reason it's more important is that no longer are we able to use the crutch of, well, once they physically leave the building, they don't really have access to anything anymore, anyway. That's not true. In Azure, or any cloud system, they have access from any device that can talk to the internet. So that completely goes away.
So what do we mean, and what do we need to watch out for? Let's talk about stale accounts. So these are your contractor accounts and things like that, where the person no longer works for the company, and just no one's gone through and done anything about it. With Active Roles, we can do things like making sure that somebody looks at those objects every so often, making sure that we're taking a closer look at objects whose password has not changed in x period of time, those sorts of things.
Or orphaned accounts, this happens a lot with administrative accounts, more so than we would all, frankly, like to admit. And that's a scenario where I'm an IT person and I had an administrative account, I leave the company, and somebody forgets to terminate my administrative account. Well, with Active Roles, that's pretty easy to fix. We just make sure that we stamp the administrative account with, say, the employee ID, or something like that. And when we go through our termination process, we make sure we look through the directory for somebody who has that same employee ID, or some subset, or whatever it is, inside that terminated account, as well.
And then, of course, there are terminated employees. These are just regular employee accounts for people who have left the company, or are no longer there, and they need to be dealt with properly. Now using something like the Active Roles Synchronization Service, we can make sure that the data is clean and up to date from an HR feed, for example, and really solve a lot of those problems.
The next thing to think about is disjointed management. One of the things that we know is that as we move towards a hybrid cloud, and in our example here, we're going to talk about Azure AD and Office 365, we now have three places to deal with things. We have our on-prem AD, managed through Active Directory Users and Computers. We have Azure AD, and we have Office 365. Three different systems, three different places to do it, and more importantly, three different security models. That's a huge problem, when you think about it.
And this is the kind of thing that makes things go really, really poorly. So with Active Roles, we can take, for example, the web interface, and do some very simple customizations, and make sure that all three of those systems are melded into one, and they're logical and simple to maintain and understand, so you can cut down on the amount of training that you have. But you can also have just a single security model to do that.
In addition to that, we talked a little bit about this, that with the multiple security models, some of them are not so great. They're not very granular, and frankly, you probably don't want, for example, your service desk in the Azure portal or the Office 365 portal at all. Well, we can completely get away from that with Active Roles. We can do things like creating what I call easy buttons. We can create a button in the web interface that effectively calls a workflow that does some complicated thing, or something that requires a high amount of administrative access to do. But because we're doing it our way, under our terms, in Active Roles, we don't have to worry that somebody with fewer rights is actually doing that.
And if you think about it, and you roll that kind of logically forward, you can get to the point where we can say, hey, I can even allow, say, department administrators and things like that to be able to do those things on their own without needing IT help. I like to say that it allows IT to be the car, not the driver, and allows the real drivers, the business, to actually do what they need to do, while you're keeping it secure at the same time.
Another problem--
Now, Wayne, on the security model topic, just kind of going back to the security model topic, that's something that specifically Active Roles was designed to do out of the box for on-prem AD, but we're simply taking that to the Azure world, correct?
That's correct. So we have those same Access Templates, for example, that we use in Active Roles to handle on-prem AD. Those spread across to Azure AD and Office 365, as well. And so we're able to handle those. And in version 7.44, we actually have a whole bunch of built-in templates for Azure and Office 365 to make that even easier.
So one of the other problems that we run into quite a bit, and then I see customers talk about, is kind of the siloed teams. Now, this may or may not be a problem in your particular organization, but it's certainly something to think about. And think about it this way.
So as you have, for example, an AD team, an Exchange team, an Office 365 team, a cloud team, an x team, a y team, a blue team, a green team, whatever they are. You've got all these different teams out there. And as happens with teams, teams create their own policies, and they create their own ways of doing things. And that obviously creates inconsistency in policy and process. And this can be a major problem. It seems kind of trivial when you think about it, but as these blur together, for example, the AD and the cloud team clearly blur together in a hybrid AD scenario, they'll collide.
Active Roles can be the glue that glues all of those together. With one consistent and simple security posture and policy in Active Roles, we now know how our security model works through all of those different teams. So while those teams may be different, as long as we're administering them, from a technical perspective, the same way, our security risk goes down significantly. And that's a big advantage of Active Roles.
And lastly, we want to reduce the risk of attacks. So by reducing the amount of access that somebody has natively in all these different systems, we are shrinking the attack surface that somebody can use to attack these different environments out there. Now that's obviously a goal of every security department I've ever dealt with, and it's something that Active Roles does a very good job at.
It's pretty rare in IT that you get to go to the security people and actually make them smile. That happens a lot with Active Roles, because they can simply look at the policies, and they know that they're not delegated through the native tools, and as a result, they have a much smaller attack surface. They really just need to be very careful with Active Roles, but then they can be less concerned with some of the other things, as well. And that becomes a significant advantage for everything.
And that's a direct tie back to the security model, right, Wayne? Because at the end of the day, when Active Roles is used, many of those native permissions should be removed. And therefore, the accounts tied to those native permissions aren't going to be an attack surface.
Yeah, so again, with that, you want to talk a little bit about AWS?
Please. So, just kind of briefly, we're going to talk about AWS, but not in the same regard as we're going to talk about Azure, because of course, Office 365 is tied to Azure. In regards to AWS, there's really a great opportunity, if you have AWS in your environment and you wanted to bring Active Roles into that cloud scenario. You may have domain controllers in the cloud. You may have put a domain controller in the cloud simply for something like fault tolerance, or for disaster recovery. But there's really nothing preventing you from actually running Active Roles in that AWS cloud, as well, on infrastructure as a service.
And that's going to service the users the same way it did before, as well as the admins. You might want to use the web interface more than you use the MMC just to make things even easier. But that's available to you.
Great, and so one of the nice things is we're spreading ourselves out a little bit. Historically, we've been kind of on the Microsoft only bandwagon. Now we've really spread that out by saying, hey, we're moving into AWS, as well. And in versions coming soon, we're actually going to support running Active Roles in AWS with images, like we have for Azure, which we're going to talk about in just one second.
So with that in mind, let's talk about running Active Roles in Azure. So first of all, in version 7.43, we support running Active Roles in Azure on their infrastructure-as-a-service system. So you can actually go in, create a VM, search in the list of VMs for Active Roles, and find a VM that has Active Roles already ready to go and set up exactly the way we want.
In version 7.44, we support using Azure SQL as the backend. Now, we support that both in a scenario where you're using Azure SQL on the backend where the VM is running in Azure, or it can be running on-prem. We really don't care. But one thing that we do need to keep in mind is which particular systems we're running. You can see here that I've shown you a quick search of what it looks like when you go to find the images. But we need to worry about sizing, as well.
In the admin guide for Azure, in IaaS, or excuse me, Active Roles in IaaS, we have a list of which particular sizings we support. Now that doesn't mean you have to stick 100% to these sizings. But if you run into any performance issues or whatnot, you may have support asking you questions about whether or not you're using one of these systems. These are the ones we've tried. These are the ones we've said, hey, at these sizes, this is exactly what we expect, and exactly how we expect it.
Using Azure SQL, I mentioned before that in 7.44, we support this. And I have a screenshot of what that looks like right there. And we're supporting this, again as I mentioned, both in on-prem, as well as Azure based Active Roles instances. Dan, you want to talk to us a little bit about the single pane glass?
Sure, Wayne. So this is the concept of allowing administrators to run multiple pieces from a single view. And this is going to be in the Active Roles web interface. So you'll be able to see, just like you did before, your on-prem Active Directory, whether that's a single or multiple Active Directories. But you'll also be able to see Office 365 and Azure AD, in that single interface, with a few customizations. You can display attributes and give administrators capabilities that they would typically have to go to three different interfaces to manage, before. So that should make life a lot easier for the account administrator that has to take care of multiple accounts in multiple locations.
You know, I find this one funny, because when I demo this for customers, it's very difficult to explain something that is so fundamentally simple. And that is, you bring up the single pane of glass, and everything looks exactly the way in your head you would think it does. But then you have to point out the fact that if you step back and think about what it looks like if you don't use this, there are all these different systems. And worse yet, if they change something in one place, and they don't change it in someplace else, that becomes a problem.
So we really solve a major problem both from a security angle, from an error proneness perspective, as well as from a training perspective for your service desk. So it's a really, really big win.
And when you display it in Active Roles, you have the capability to build policy around attributes, and things like that, just like you would for on-prem. So that will eliminate, like you said, the errors and things.
Yeah, that's a huge win. And I feel like sometimes people don't think about that and they don't really spend time implementing that, but I think it's really, really worthwhile. So let's talk about some new stuff. So in 7.44, we've added a bunch of new things around Azure objects. So as you guys are aware, historically Active Roles has managed the AD object. And as an extension, we've managed pieces of the Azure user component of that, as well as the Office 365 component.
But we're going beyond that. So we're starting to add things like Azure MFA management, multiple Azure tenants, Azure only users, Azure only contacts, Azure/Office 365 groups, and guest accounts. And we're going to talk a little bit more in depth about each of these, in the next couple of minutes here.
Let's talk first about Azure MFA. So again, under the guise of "what is simple is very complex on the backend," we've just made a simple checkbox that says "enable Azure MFA for that user." So simple, easy, now I don't have to give my helpdesk a bunch of rights over managing that in the Azure portal. It just does things automatically, very, very quick and easy.
Another heavily requested item, which is multiple Azure tenants, and of course, completing our transition to fully supporting modern authentication. So now we can support multiple Azure tenants. We can even say in an account creation policy, for example, which tenant a user will be created in, and what licenses they'll have from that particular tenant. All that's done in Active Roles for you. We'll do all the backend work, you just basically tell us where you want to put stuff and how you want it to look. And then Active Roles will figure everything out from there.
Another big one, this gets requested quite a bit. As people are moving more and more towards the hybrid cloud, what we're finding is that they need to do Azure-only users. So maybe they're guest accounts, maybe they're this, maybe that, but they're accounts that don't exist in on-prem AD, and we want to be able to support them. So now, as you can see, we support objects and users that are only in Azure, and we can manage them the same way we would manage, for the most part, an on-prem object. Same thing goes with contacts: creation, management, basically all your CRUD operations, all done through the Active Roles web interface.
And Office 365 groups, now this was added. Some of this was added in 7.43. But we've added a little bit more in 7.44. And there's some new stuff. But the bottom line is, you'll be able to go in and see those groups, and be able to manage those. Groups are hugely critical in Teams, which we know is a really big thing these days, obviously, in the work-from-home world that we all live in now. So we wanted to make sure that was well supported, and so we've really solidified that in 7.44, as well.
And then guest accounts. This is becoming a more common thing. If I asked somebody a year and a half ago about this, they would have said, whatever. But I hear a lot of customers asking, saying, hey, we need to create guest accounts. Now we're going to support that. Obviously, right now this has to be done completely in the Azure portal. But no more, we now do this in Active Roles. We can create both types of accounts: both the invitation account, where you basically give the system another email address and they kind of work through the process, if you will, through the Azure portal later, as well as a scenario where you build the accounts online.
We can apply Access templates, policies and workflows, all that stuff directly to those as they're created. Dan, you want to talk to us about a few takeaways?
So thanks, Wayne, a lot of great information coming out of Active Roles when we're addressing Azure-only objects, or Azure AD. So some of the things that Wayne covered, really quickly. The ability to manage users and groups in Azure AD only, that's brand new. And then the ability to manage guest accounts. So you have to keep in mind that what we're talking about here is going to exist specifically in the web interface.
When we roll out new pieces of Active Roles, there's always templates, policies, workflows, that will be linked back to that so that you can assign permissions, and have workflows correctly around those items. Wayne, you want to address any additional features and functions?
Sure, so there are a couple of things that I want to talk about here. The first is we are adding a bunch of pieces around Teams. We know that's really critical now, and so we're working on that. And then the other thing I just want to touch on real quick, something that Dan said, and that is that everything is happening in the web interface.
We realize that the world is moving to a web first mentality in terms of administration of everything. So we're rebuilding the web interface, as well as the backend in Active Roles, to support a lot of those changes. And that's a discussion for another day. But I think it's at least worth keeping in mind as we talk about this.
And with that, I'd really like to thank you all very much for coming today, and enjoy the rest of your night.