For any modern company, security is at the top of their agenda. Securing their network, data as well as sensitive customer information plays a crucial role in maintaining daily operations and reputation.
Proper security posture can only be maintained if every process, technology and practice is properly secured. As identity and access management (IAM) is one of the core processes of any company, a secure directory is vital. That way companies can ensure user credentials, company systems, sensitive data and applications are protected from unauthorized access.
We have praised the use of a cloud directory such as JumpCloud as a way of redefining directory services, but are they also redefining the security in the directory? How secure really is JumpCloud?
Before we get to the nitty gritty of how secure is JumpCloud, it’s important to understand how security was done previously in the identity and access management space.
Security with on-prem directory
Before the concept of cloud computing was born, identity and access management platforms, just like any other technology or process, were strictly on-prem. Companies leveraged directory services and stored all of their credentials there as well. OpenLDAP and Microsoft Active Directory were the popular solutions back then.
Because everything was hosted on-prem, directory service vendors didn’t focus too much on the security. While security of a directory was always important, companies used all kinds of solutions and techniques to build protections around the directory. Firewalls, VPNs, encryption, intrusion detection systems and similar perimeter security solutions were all set up to protect the network, and with it, the directory and credentials.
With all this technology there was no actual need to make the directory itself more secure. This further solidified the view that a directory service needs to remain on-premises because the platform on its own just wasn’t secure enough.
Having a solution that isn’t secure by design and needs additional security measures shows us clearly why security of a directory is a tricky topic.
Hosting a directory platform in the cloud simply can’t start with the same approach as with the traditional on-prem services. Any service hosted on the internet has to take security seriously. Many providers build the cloud directory with security in its design. But, whether a cloud directory is secure or not depends on the implementation.
Security of a cloud directory
There are many layers of security that go in a cloud directory service and that happen behind the scenes. While we want to talk about security of cloud directories at large, we will focus on how JumpCloud does security. This will show you how security in a cloud directory should be done and what to look for when deciding on a provider.
Storing passwords
Credentials including passwords are like the keys to your internal network. Storing them securely is crucial in preventing unauthorized access. Most providers use encryption to handle password security, it is not enough. Encryption requires a key for decryption, meaning that there is still a possibility of cyber criminals gaining access to it and compromising accounts.
With JumpCloud, any passwords stored within their cloud directory are one-way salted and hashed, and unrecoverable. You cannot recreate a one-way salted hash without the exact password. This presents the highest level of security you can have for storing passwords.
Handling private and public keys
JumpCloud’s directory services manage and store SSH keys but don’t allow you to generate or store private keys. This is because user’s private device should generate private keys and not somewhere outside of the user’s control.
For convenience, many providers do offer these services which pose a major security risk. You should look for a solution that, like JumpCloud, stores public keys and leaves the private keys stored privately.
Secure communications
Mutual TLS is a level of communication that requires certificates on both ends of the connection to make it secure. This is the type of security for all communication that JumpCloud’s cloud directory offers and the type that you should look for when looking for a right provider for you.
Protection of administration
Administration of a service is one of the most crucial areas that needs high level of security. One of the best ways to achieve it is through multi-factor authentication (MFA) to the login process for admins that access the area. Going beyond just the admin area, any login process for users in the cloud directory should have MFA.
MFA refers to using a second (or third, fourth and so on) form of authentication beyond the credentials such as security questions, SMS code, authentication tokens, biometrics, tc. In a scenario where cyber criminals have obtained a user’s credentials, MFA makes it harder to actually get access to their accounts and compromise them.
Visibility over user activity
User authentication data and user activity in a cloud directory can help tremendously for keeping its security. With it, you can be aware of who has access and who doesn’t, at what areas of your network are users logging into and if there is some suspicious login activity.
A cloud directory service should provide you insights into user activity so you can see if there are any security risks, potential malicious behaviour, numerous login attempts or similar that will need you to investigate further. JumpCloud offers you all user authentication data so you can have the needed visibility over potential security risks.
JumpCloud creates a safer identity for their customers
When you choose a cloud directory provider, you are entrusting them with some of your most confidential and sensitive data. To reciprocate, providers should be putting the security of that data first which is precisely what JumpCloud does.
If you’re still unsure whether JumpCloud is the cloud directory provider for you, ElephantHop is here to help. We are here to help companies better understand both the business and technology impact of a new directory. Furthermore, we can aid in the evaluation and testing of JumpCloud vs. other solutions in the market. Contact us and start your journey to safer identities.