IT Necessities For A Distributed World
Building a Modern IT Infrastructure for Hybrid-Remote Work
The O’Reilly logo is a registered trademark of O’Reilly Media, Inc. IT Necessities for
a Distributed World, the cover image, and related trade dress are trademarks of
O’Reilly Media, Inc.
The views expressed in this work are those of the author(s) and do not represent the
publisher’s views. While the publisher and the authors have used good faith efforts
to ensure that the information and instructions contained in this work are accurate,
the publisher and the authors disclaim all responsibility for errors or omissions,
including without limitation responsibility for damages resulting from the use of or
reliance on this work. Use of the information and instructions contained in this
work is at your own risk. If any code samples or other technology this work contains
or describes is subject to open source licenses or the intellectual property rights of
others, it is your responsibility to ensure that your use thereof complies with such
licenses and/or rights.
This work is part of a collaboration between O’Reilly and JumpCloud. See our statement of editorial independence.
978-1-098-11212-7
Table of Contents
Introduction
3. The Directory
    Directory Protocols and APIs
    Recommended Directory Functionality for Distributed Environments
    Directory Options
    Factors to Consider
5. Implementing Solutions
    Optimizing Budget and Resources
    Making the Case to Leadership
    Closing Thoughts
Introduction
However, distributed infrastructure models, which power remote and hybrid-remote work, are distinctly different from traditional business models. They require the right configurations, tools, security, and processes to succeed. IT professionals need to pivot to meet these new needs.
This report is intended for cloud-based or partially cloud-based organizations—particularly small and medium-sized enterprises (SMEs) working with lean teams and tight budgets—looking to build or mature their distributed infrastructure. For those that went remote in 2020, it’s time to reconfigure your temporary remote solutions to more mature, long-standing ones; for new businesses looking to pivot to remote work or build from the ground up, take your clean slate as an opportunity to build strategically, holistically, and purposefully.
This report will give you the building blocks, tools, best practices,
and implementation insights you’ll need to build a successful,
secure, and future-proof distributed IT infrastructure.
CHAPTER 1
The Modern Business Landscape
distributed world. SaaS and cloud technology were the key supporting forces that facilitated the shift. Now, employee and employer benefits indicate that the shift is positioned to become permanent.
Emerging Solutions
IT teams have been innovating and working quickly to find ways to accommodate their newly distributed environments. While increasing headcount is sometimes part of the solution, SMEs are often working under more restrictive budgets. As such, some of the budget-friendly solutions that help address the challenges I outlined above include:
Integration and automation
Although integration and automation are necessary to power resource access, IT teams have found that they are also the secret to success in improving efficiency and revitalizing the IT/end-user relationship.
Identity-driven policies
With individuals trying to access resources from different locations and devices, IT needed to shift from IP- and perimeter-based security to identity-driven security. Policies that govern users with role-based permissions facilitate access to distributed resources and streamline the user experience. They also automate provisioning, authentication, and authorization, relieving IT of some of the burden of onboarding, tool-based permission configuration, and password lockout issues.
Unified, proactive telemetry systems
In a distributed environment, successful security requires both insights and proactive prevention that can accommodate the distributed infrastructure. Ideally, these insights should be administered across a unified network to provide thorough reporting on the people, devices, and activity across the distributed network. Further, proactive threat detection and intelligent activity reporting help prevent threats and alert IT teams to suspicious activity.
Figure 1-1. A recent JumpCloud survey of over 500 SMEs suggests that remote work is becoming a permanent business reality.
will ensure your IT decisions move your organization closer to its goals. It will also prevent a piecemeal approach that can fracture a distributed infrastructure with unoptimized integrations, deviating data, and multiple sources of truth.
Best practice: early consultation with stakeholders
When planning, engage stakeholders across the organization in initial conversations to account for the diverse needs of all teams. This will not only save time and possibly money later, but it can also prevent team member frustration if they feel their needs weren’t considered.
Best practice: plan up front
It’s tempting to roll up your sleeves and dive straight into purchasing software and implementing processes. However, thinking about the needs of your business today and strategically selecting partners who will help your enterprise scale tomorrow will save you time later.
Directory Protocols and APIs
While some directory implementations use only one protocol, others use a combination of many protocols and APIs to broaden the directory’s scope. When weighing directory solutions, consider the protocols each one uses to determine which resources will be compatible and whether they can accomplish your goals:
SAML
SAML (Security Assertion Markup Language) is one of the most common and important protocols in a distributed environment. It uses Extensible Markup Language (XML) certificates to authenticate users to an application through an identity provider (IdP) as shown in Figure 3-1.
Figure 3-1. The SAML protocol is one of the most critical to powering a distributed environment. It authenticates users to applications through an IdP in six steps.
Device Management
Remote and distributed environments tend to take on more devices that are subject to less regulation. Mobile device management (MDM) is a baseline must for managing these devices; however, we recommend a directory solution that combines IAM and MDM. This combination, called unified endpoint management (UEM), connects information about users and devices, assigning users to specific devices and allowing administrators to manage devices as well as identities.
UEM powers capabilities like setting device rules and configurations based on user roles and permissions, tying multi-factor authentication (MFA) and conditional access policies to users’ assigned devices, and remotely onboarding users and setting up their devices. In a distributed environment, directory-driven UEM helps maintain unified management, delivers more intelligent insights, and allows for more granular identity-driven policies.
Network/VPN Management
Some directory solutions include network and VPN authentication and management protocols, like RADIUS. This allows administrators to manage network security and to include networks and VPNs in conditional access policies.
MFA
Some directory services now offer MFA on top of their access management services. MFA allows the directory to layer the authentication process with multiple factors for added security. MFA is a key element of Zero Trust, which is a highly recommended security best practice for distributed environments. MFA and Zero Trust are detailed further in Chapter 4.
Reporting
Because unified, proactive telemetry is a necessity in distributed IT
environments, it is best delivered by the directory, which should act
as your organization’s core unifying solution. Insights should be
deep yet easy to use to help administrators keep a close handle on all
activity. The right reporting in a robust directory can help IT
administrators manage everything from security to budgeting: they
can receive flags for security concerns, take deep dives into activity
trends, and find opportunities to lower licensing costs by identifying
tools that are paid for but underused, for instance.
Automation
As previously mentioned, automation is one of the pillars of supporting distributed environments. While not all directories offer robust automation, some can automate almost everything, from security alerts to account provisioning to data exports. Directories that include automation significantly reduce the burden of ongoing maintenance and management, facilitate scalability, and optimize resources:
JIT provisioning
Just-in-time (JIT) provisioning is a SAML-based process that triggers automatic account creation the first time a user accesses a site. This process reduces onboarding time on the IT side and streamlines the user experience. Directories that enable JIT provisioning often roll it into their SSO store, resulting in a process where new users never have to create accounts or remember automatically assigned account login information.
Directory Options
There are several directory providers and formats on the market.
This section will cover popular directory choices, including market
leaders and emerging competitors.
Open-Source, Self-Managed Directory
Because some directory protocols are open source, like LDAP, it’s possible to create a directory from scratch and manage it in-house, without investing in directory software or services. This solution is the cheapest up front but requires the highest degree of expertise, which can be expensive to source. Additionally, these directories also tend to have the most limited functionality of all the directory options, as creating a directory based purely on an open source protocol would accomplish only what the chosen protocol can enable. This is in stark contrast to multiprotocol directory services and software, which include additional features and functionality.
Even “prebuilt,” open source software like OpenLDAP, while easier to use than building from scratch, is still code-heavy and requires significant expertise to operate and manage. OpenLDAP, for example, is free open source software that includes highly focused functionality exclusive to the LDAP protocol. While this is a bit easier to use than starting from scratch, its reliance on code and lack of user interface makes it more challenging to use than feature-rich, GUI-supported software.
If you want to go this route, you can do so with cloud LDAP servers
to make them compatible with a distributed network.
On-Premises Directory
Directories were all originally hosted on premises, as they were
developed before the modern public cloud was. As such, many
directory services are still based on premises, although they are
beginning to expand to accommodate cloud-based sources with
extensions, protocols, and APIs.
Microsoft Active Directory is one such directory that can accommodate cloud resources, but maintains on-prem roots, and cannot exist solely in the public cloud. And while Azure Active Directory provides cloud options, it still relies largely on a local base directory infrastructure.
While it’s possible to extend on-prem directory solutions like Active Directory into the cloud to support a distributed environment, doing so requires add-ons that tend to decentralize your organization’s data and infrastructure. For organizations looking to move off of legacy systems and new, born-in-the-cloud startups alike,
Cloud Directory
While the original directory was fully on premises and connected to other on-prem resources, directories are now moving toward the cloud to help companies manage and employees connect to all company resources—not just on-premises ones. This option is ideal for most companies supporting distributed infrastructures.
In cloud-based directory models, the company subscribes to a cloud directory service or platform, which includes both the hardware and software components of the directory (all cloud-hosted). This eliminates the need to host and maintain directory infrastructure and makes the directory highly flexible and scalable. Further, as cloud directories are more modern, they tend to offer more abundant and relevant functionality. Some of these benefits include (but are not limited to) cloud-based authentication protocols; remotely accessible, browser-based access for users and administrators; and mobile device compatibility and management.
Note that it’s possible to combine more than one directory service. While one centralized directory service is often the best-case-scenario solution, companies already working with one but looking to add functionality can bind directories to one another. This is a viable option for companies tied to a legacy system or looking to make a controlled transition.
Factors to Consider
With the different providers and formats of a directory service
defined, there are three central factors to consider when adopting
one.
2. OS Support
Certain directories work better with certain operating systems. Microsoft Active Directory, for instance, is notorious for being more compatible with Microsoft Windows than with other operating systems. Consider the devices your company plans to support—not just now, but in the future as well. While Microsoft used to be the business standard and many companies started out as Microsoft-exclusive, other operating systems are becoming more common in the workplace. A vendor-neutral directory system that includes standards-based features and functionality and has few proprietary solutions can help your organization stay independent and pivot nimbly where needed.
3. Centralization
While there are merits to both, full-featured solutions tend to be more secure and better-suited to distributed environments than single-purpose ones. Without a full-featured solution, organizations with distributed networks generally need to supplement their directory with several other tools. This creates more possible points of failure and more opportunities for information to disperse, deviate, and deteriorate in integrity. This was less of an issue in on-prem environments, but in distributed ones, there’s a wider variety of resources to unify and less supervision to keep data on track. Centralized, full-featured solutions eliminate the need to supplement your directory with additional tools, generating savings in time, product, and personnel.
When companies made the quick shift to remote work, many had to prioritize speed over optimization, which led to security vulnerabilities in their infrastructure. Further, the tumultuous business landscape pulled leadership’s focus away from security, causing many businesses to overlook those vulnerabilities. Hackers, however, are adept at spotting and exploiting them. As such, security must be integrated into every element of your IT infrastructure and processes.
In this chapter, we’ll discuss the key approaches and tools to establishing reliable security in your distributed organization.
crown jewels within the network. However, perimeter-based security proves inadequate in protecting distributed environments.
With Zero Trust security, devices and identities are never intrinsically trusted and are required to authenticate their identities before they’re authorized to access any resource. This goes beyond traditional perimeter-based security, which only verifies identities before granting them access to the central network; once inside, users maintain their level of trust and only need to abide by the security that each resource prescribes independently. This relies on individual resources to uphold sufficient security, becomes time-consuming for the end-user, and complicates management significantly. Zero Trust is an absolute necessity when it comes to securing your organization’s data in a distributed environment. Breaching one perimeter is much easier for cyber attackers than having to authenticate at every point of entry on your network.
Single Sign-On
SSO should always use MFA during authentication; however, once authenticated, it allows users to access their applications without logging into each application individually. It accomplishes this without sacrificing security by using secure authentication proto‐
Segmentation
Network and infrastructure segmentation can play critical roles in attack mitigation. However, segmentation should be strategic and complementary to environments and workflows to avoid siloing and unnecessary information dispersal. While centralization is beneficial to maintaining data integrity and unification, segmentation in moderation can regulate data access and minimize damage from breaches.
VLAN segmentation, for example, is a common method for securing WiFi networks. Admins segment networks based on roles and permissions, following PoLP (the principle of least privilege). Some directories can facilitate dynamic VLAN provisioning, automatically assigning users to the appropriate network based on their permissions.
Encryption
Data should always be encrypted in transit and at rest. Ensure your directory uses secure, encrypted protocols for authentication and authorization, and check the encryption policies on other applications—especially those used to store or share information, like collaboration and file-sharing tools.
In addition, require all devices on the network to enable full-disk encryption. Some directory services with device management capabilities allow you to enable and enforce this policy remotely.
Testing
Organizations should conduct periodic security testing to ensure ongoing security. We recommend the following tests and checks. The suggested frequencies are minimums; always err on the side of testing too often rather than not often enough:
Redundancy
On principle, your IT infrastructure should never be subject to a
single point of failure. Redundant infrastructure reduces downtime,
protects data, and recovers quickly when facing a breach. This
requires systems like data backups, high-availability (HA) clusters,
and WAN failover configurations. To optimize your redundant
setup, identify all mission-critical functionality, and make sure it’s
prioritized in your backup configurations.
Redundancy configurations are sometimes described in terms of N, where N is the minimum infrastructure needed to run the service with no spare capacity, so that any component is a single point of failure. Thus, an N + 1 approach supplements the infrastructure with one independent backup point; 2N duplicates the entire infrastructure. Lean IT teams often take an N + 1 approach, but 2N is more secure and preferable. Even better, 2N + 1 duplicates the entire infrastructure and adds another independent backup point.
For any data you store on premises, the 3-2-1 backup rule is a good baseline to use to ensure the data is sufficiently backed up with
Employee Training
Regardless of office setup or IT environment, employees need to know how to use the tools they’re given. This need is amplified when employees are working from different locations, often without in-person supervision. Skipping or downplaying employee training can lead to incorrect tool usage, shadow IT, and a lack of security best practices knowledge. This, in turn, creates inefficiencies, discrepancies, and security vulnerabilities.
personnel speak with media relations; all other employees point media inquiries to a specified PR or leadership recipient).
While policies need to support the security stance and needs of an
organization, they should not be too onerous. If they are, people are
more likely to ignore them. Try to keep technical language accessible
and simple. Most employees won’t be interested in the intricacies of
how IT functions or how cybercriminals execute on threats; they
want to know what to do, what not to do, what red flags to look for,
and how to report them.
Tool Usage
Every tool should have a set of usage specifications that is communicated through both written and verbal training. Employees should understand how to use each tool. Often, vendors provide end-user training; use this where available and add in any company-specific direction around usage.
If you have to create your own training for a tool, consider including
the following:
General usage
Clarify what the tool is used for and how to use it. Demos or
hands-on training are often helpful.
Acceptable use
Outline your company’s expectations around the tool’s usage.
These guidelines can help with security, privacy, and data
integrity.
Access parameters
How can they access the tool? Some directories offer policy creation that can enforce these parameters automatically.
Security and compliance best practices
Clarify any security and compliance best practices and the
importance of following them.
Troubleshooting workflow
Where can employees go for help with the tool: the tool provider, your help desk team, or another party?
CHAPTER 5
Implementing Solutions
Automation
Automation helps supplement IT labor without incurring the costs of personnel. Look for solutions that provide automation and identify areas where you may be able to create custom automations for your unique workflows.
Self-Service Technology
Self-service solutions are critical to creating companies that can grow and scale. User self-service both delivers a positive user experience and prevents overloading IT teams. This allows organizations to keep IT department counts relatively small as they grow in a distributed environment.
Strategic Staffing
As IT professionals today need to have a wider scope of knowledge,
versatility and broad experience are essential qualities when it comes
to building out your team—especially if you’re starting out lean.
Additionally, an interest in emerging technology and the ability to
learn quickly are choice qualities in IT professionals on a growing
IT team. Slight overlaps in skills can be advantageous when the team
is stretched thin or employees take time off.
At a minimum, your IT team should be able to cover the following
areas:
C-level Priorities
Business goals
As leaders of an entire organization, c-level executives must keep company goals top of mind and put them first in every endeavor. They aren’t likely to consider investing in something that doesn’t clearly contribute toward those goals.
When drawing up a proposal, make sure you understand your business’s overarching business goals. Often, they’re drawn out in time
Business values
Along the same line, most c-level leaders cultivate their organizations to operate within a set of values. This is becoming more prominent as consumers and workers both highly favor companies with strong value systems and culture. If you’re not aware of your company’s values, they’re often listed in the “About” section of its website. Explicitly tying your proposal to one of your company’s values is another great way to get traction.
Cost
There’s no avoiding the cost discussion when bringing proposed
ideas to leadership. However, the discussion can go deeper than
face-value expenses. Sometimes, solutions deliver cost benefits and
savings that aren’t reflected in their face-value cost. Make sure you
clarify all potential for cost savings in your proposal and delineate
the savings in numbers or estimates where you can.
Common ways solutions can reduce costs include:
Risk
Risk is another factor leaders won’t overlook when considering a
solution. As such, glossing over risk in the hopes of leaving it out of
the discussion won’t cut it. Instead, be up front about risk. Not many
solutions come with zero risk, so a discussion around potential risks
is unlikely to be an immediate deal breaker but rather a necessary
part of evaluating the proposed technology.
While the following list is not exhaustive, leaders tend to consider
risk in the following areas:
One of the best ways to approach risk is by quantifying it. The first
step is to identify potential risks. Then, assign these risks a level of
severity and likelihood. Consider the risk map (see Figure 5-1) for
conveying risk visually. Finally, communicate ways you’ll be able to
prevent or mitigate these risks, either through tool modifications,
additional solutions, processes, or other methods.
Closing Thoughts
The shift to remote work was fast and widespread, and its implications on the way IT teams, end users, and businesses as a whole operate were profound. Organizations need to adapt quickly, but strategically and securely. And while big initiatives can be daunting, they only become harder to implement with time as your organization becomes more and more entrenched in outdated solutions. The time to optimize your infrastructure to support remote and hybrid-remote work is now.
As you move forward, remember that it’s okay to break large undertakings into smaller, digestible pieces; however, never lose sight of the whole in doing so. Plan strategically, implement purposefully, and stay on course with the guidelines outlined in this report and your business’s overarching goals. These principles should guide you to building a future-proof infrastructure that can support your workforce in a distributed world.