An increasing number of organisations are migrating their data processing operations to the cloud, and it's not hard to understand why. Cloud service providers such as AWS are secure, flexible, scalable and relatively inexpensive to set up. They provide automatic software updates and disaster recovery. Specifications such as CloudAudit are being developed to provide a standardised method for presenting detailed statistics about a cloud system's performance and security. Yet, despite these proposed improvements, there are still a number of limitations and concerns associated with auditing critical data in the cloud. After all, you are still hosting your critical data on a shared server over which you have little or no control. Cloud solutions are less customisable and are typically more expensive than on-premises solutions in the long term. Cloud services may be subject to disruptions and outages, and there is even the possibility that the service provider will go out of business.
Amazon Web Services (AWS) provides a tool called AWS Directory Service, which enables IT administrators to run Microsoft Active Directory on AWS infrastructure. There are three different options for running Active Directory in AWS: Microsoft AD, Simple AD and AD Connector. However, each option comes with its own set of impediments.
The first option, Microsoft AD, is the enterprise version of AWS Directory Service and is able to handle up to 50,000 users or approximately 200,000 Active Directory objects. These objects can include users, groups and computers. While such limitations are unlikely to be an issue for small companies, they could be a problem for companies that process a very large number of AD users and objects. Additionally, AWS Directory Service doesn't allow users to configure the performance settings of Microsoft AD, which makes it impractical for users to remedy performance issues. For example, users may wish to change the amount of processing, storage or memory resources allocated to a given AD instance. Another drawback of using AWS is that it's currently not possible to migrate your existing on-premises AD database to the cloud.
The second option, Simple AD, would be suitable if you require an inexpensive AD-compatible service for running Active Directory in AWS. Simple AD provides a subset of the features found in Microsoft AD. It allows you to manage users, groups and computers, but does not allow you to define trust relationships between domains or add domain controllers to instances. Also, you will not have features such as the AD Administrative Center, the AD Recycle Bin and PowerShell. You will also have limited control over password policies, group managed service accounts and schema extensions. Again, this may be fine for small organisations, but for large organisations Microsoft AD will probably be required.
The third option, AD Connector, is used to connect your existing on-premises Active Directory database to AWS. AD Connector enables you to mitigate both the costs and the complexities of managing and maintaining your own infrastructure. It allows you to use the same tools to manage AD in the cloud as you use to manage your on-premises AD. Since no directory information is cached in the AWS cloud, your organisation can retain control over the way critical data is handled. However, AD Connector does not allow admins to make changes to Active Directory in AWS, which, as previously stated, will inhibit the admin's ability to address potential performance issues.
As you can see, there are pros and cons to running Active Directory on AWS. One might argue that for larger organisations that want unfettered control over their data, an on-premises setup might be more appropriate. While an on-premises setup might require an up-front investment, it will actually work out cheaper in the long run. Furthermore, prices are coming down. For example, solutions such as LepideAuditor provide an affordable yet feature-rich suite of auditing and reporting tools, which will give you complete control over your data.