Mapping the Journey to Universal Directory
Over the last couple of decades, companies have become accustomed to safely managing their users, groups, devices, and resources within the corporate network. Using enterprise directories, they have been able to define singular access policies that determine how employees and customers can access the apps and resources they need. But as they modernize their systems, smart companies are shifting how they restrict and permit access to business information.
During this time, the enterprise directories of choice have been Microsoft’s Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) servers from a variety of vendors. These have been most commonly hosted in an on-premises data center within a company firewall. Users came primarily from Windows domains, devices were Windows clients or servers, and AD was employed to store properties and profiles for applications like Exchange and Sharepoint, and to control access to WiFi and networks.
As apps increasingly move to the cloud and businesses evolve, this kind of legacy architecture has hit the limit of its capability. In its place, companies are adopting cloud directories that can be deployed as masters and single sources of truth for businesses’ users, devices, groups, and access management. This new cloud-based approach enables users to be provisioned by HR systems or partners, and to access the directory integrations they need from multiple devices, regardless of their operating system. To top it off, modern cloud directories support cloud-based servers and Software-as-a-Service (SaaS) apps, and enable downstream connections to both cloud and on-premise systems and resources.
Charting a course to a cloud directory
The path to a modern cloud directory can be complex and tends to be different for almost every business. As Okta works with our customers, we see that they usually fall into four common categories:
Stage 1: Status quo. Businesses at this stage operate the majority of their apps and services on-prem. They may use some SaaS apps, but haven’t integrated them with their identity system. This is where we find most prospective Okta customers.
Stage 2: Cloud SSO and MFA. Many Okta customers have moved to this stage, where their primary directory is on-premises, but they’ve incorporated Single Sign-On (SSO) and Multi-Factor Authentication (MFA) for their cloud apps.
Stage 3: IDaaS Identity Hub. These customers have already switched to using Okta Universal Directory (UD) as their primary IDaaS hub: a high-scale cloud directory that can interface with APIs and LDAP. Through UD, user identities are created in the HR system and provisioned into Okta and, in instances where a customer still uses AD to some extent, devices are synced down to the on-prem directory.
Stage 4: Secure Identity Cloud. These businesses now have a full Zero Trust environment that enables them to retire their legacy directories and employ Okta’s UD as the primary home for users, groups, and devices. Many of the Okta customers in this stage were born in the cloud and didn't have a lot of legacy infrastructure to contend with, but we’ve also seen older organizations make this transition effectively over time.
One company that exemplifies how to initiate this process is News Corp, which has successfully embarked on its journey from AD to UD.
How News Corp modernized its directory infrastructure
News Corp employs 25,000 people under brands like FOX Sports, Sky, the New York Post, and Harper Collins Publishers—all of which were operating highly siloed infrastructures. Each brand had its own contracts, software, and processes, so News Corp undertook an infrastructure audit across all business units to identify the processes that it might want to scale out across the company as a whole.
In addition to its siloed infrastructure, News Corp had no common identity management tool in place across its business units, and applications only supported one IdP at a given time. The company wanted to find a way to help all its users collaborate, lower license costs, and standardize security policies and compliance standards.
To tackle these goals, News Corp consolidated to a single Okta cloud directory. This involved connecting and importing users and groups from AD, adjusting sign-in policies, and recreating its environment on a new instance. The company then recreated assignments, migrated users and applications, and redefined the onboarding process to transfer users from its old HRIS across to AD and then into Okta. Finally, it deleted all remote access instances, which ensured it would have “One Okta.”
The result is a simplified environment that enables faster access, collaboration across the various News Corp brands, and apps that can be assigned to anyone regardless of their business unit. Okta provides a safe and convenient place in the cloud that combines existing directories through a powerful API—to the extent that News Corp is now looking to eliminate AD entirely.
Investing in the modern cloud directory
We want to make it easier for your organization to model hierarchies, use group profiles, and delegate admin tasks. That’s why we’re making investments to help businesses advance through the four stages of the cloud directory journey and modernize their infrastructure.
We’re making changes such as enhancing AD and LDAP agent experiences and performance and expanding search capabilities. It’s now easy to create unique user profiles for different user types, de-master AD users in bulk, and manage devices. These features will enable even the most complex organizations to connect Okta to their existing data centers as their modern cloud directory.
For more information about how Okta can bring your directory up to speed, check out the following resources:
- Rethinking AD: The Four Stages of Separation, Part 1
- Rethinking AD: The Four Stages of Separation, Part 2
- Rethink Active Directory ebook
You can also use Okta Ideas to give us feedback on how we can help simplify your journey.