Why you will never find an Active Directory sync tool at INFIMA

A core part of our company vision is adding value to our partners by developing tools that simplify and automate the management of Security Awareness Training programs. An application that syncs users from an on-premises Active Directory (AD) to our services looks like an easy candidate, so why haven't we built one? The answer comes down to value, security and stability: if we cannot assure all three, the product isn't a fit.

Value

When we assess whether to build a product we look at the value it would provide to our Partners, specifically in comparison to existing alternatives. For AD sync, it would be incredibly difficult to improve on Microsoft's Azure AD Connect, which already handles directory synchronization from on-premises AD to Azure AD. If Microsoft were charging a steep price for that functionality there might be an opportunity to undercut it, but Azure AD Connect ships with the free tier of Azure AD, which is going to meet most Partner requirements.

Security

At INFIMA, we limit the user data we store to the minimum required to deliver our services. In addition, we limit OAuth grants to the minimum scope required to interact with identity providers, and we request only the user attributes we actually need. We can do this because the cloud identity providers expose mature, permission-scoped APIs. The same cannot be said for on-premises Active Directory: there is no equivalent of a consented, narrowly scoped grant, and a connector reading AD over LDAP typically runs under a domain account that can read most attributes on most objects. To cover the usage scenarios our partners require, a custom connector would need a degree of configurability that would too easily allow unnecessary or sensitive data to be synced to our servers, and the only thing preventing that would be the connector choosing to restrain itself.
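What "minimum scope and minimum data" looks like in practice, as an added example that is not INFIMA's code or Microsoft's: a small Python sync routine against the Microsoft Graph users endpoint that projects only the attributes it needs with `$select`, refuses any application token whose `roles` claim carries a broader permission than the one expected, and drops every attribute it did not ask for before anything is stored. The Graph URL, the `$select`/`$top` query options and the permission names (`User.Read.All`, `Directory.Read.All`) are real; which four attributes count as "required", and the sample page of users, are assumptions constructed for the example.

```python
"""Least-privilege user sync against Microsoft Graph.

Example code added for illustration; not INFIMA's or Microsoft's code.
The Graph endpoint, OData query options and permission names are real;
the choice of REQUIRED_ATTRS and the sample data below are assumptions.
"""
from urllib.parse import urlencode

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"

# Assumed minimum for an awareness-training service: a stable id, a name,
# a mailbox to deliver training to, and whether the account is enabled.
REQUIRED_ATTRS = ("id", "displayName", "mail", "accountEnabled")

# The single application permission that covers reading those attributes.
# Anything broader (Directory.Read.All, User.ReadWrite.All, ...) is rejected.
ALLOWED_ROLES = {"User.Read.All"}


def build_users_url(attrs=REQUIRED_ATTRS, page_size=100):
    """Users URL with $select so Graph only returns the needed attributes;
    data the sync never receives is data it can never store or leak."""
    query = {"$select": ",".join(attrs), "$top": page_size}
    return GRAPH_USERS + "?" + urlencode(query, safe="$,")


def check_token_roles(claims):
    """Fail closed unless the app token carries exactly the expected
    application permission(s). Entra ID places application permissions
    in the 'roles' claim of the access token."""
    granted = set(claims.get("roles", []))
    if not granted:
        raise PermissionError("token carries no application permissions")
    extra = granted - ALLOWED_ROLES
    if extra:
        raise PermissionError(f"over-privileged token, unexpected roles: {sorted(extra)}")
    return True


def minimize_user(record, attrs=REQUIRED_ATTRS):
    """Keep only allow-listed attributes. Everything else is dropped and
    reported, so an over-broad response is visible rather than silently
    persisted. OData annotations (@odata.*) are metadata, not user data."""
    kept = {k: record.get(k) for k in attrs}
    dropped = sorted(k for k in record if k not in attrs and not k.startswith("@odata"))
    return kept, dropped


def sync_page(claims, page):
    """Process one page of the users response: verify the token scope,
    minimize each record, skip disabled accounts. Returns the users to
    enroll and the set of attribute names that arrived unrequested."""
    check_token_roles(claims)
    users, unrequested = [], set()
    for rec in page.get("value", []):
        kept, dropped = minimize_user(rec)
        unrequested.update(dropped)
        if not kept["accountEnabled"]:
            continue  # disabled accounts are not enrolled in training
        users.append(kept)
    return users, sorted(unrequested)


# Constructed sample: a Graph page that returned more than was asked for.
SAMPLE_CLAIMS = {"aud": "https://graph.microsoft.com", "roles": ["User.Read.All"]}
SAMPLE_PAGE = {
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users",
    "value": [
        {"id": "u-1", "displayName": "Ada Example", "mail": "ada@example.com",
         "accountEnabled": True, "mobilePhone": "+1 555 0100", "employeeId": "E1001"},
        {"id": "u-2", "displayName": "Bob Example", "mail": "bob@example.com",
         "accountEnabled": False, "officeLocation": "HQ 4F"},
    ],
}

if __name__ == "__main__":
    print(build_users_url())
    enrolled, extra = sync_page(SAMPLE_CLAIMS, SAMPLE_PAGE)
    print(f"enrolled {len(enrolled)} user(s); unrequested attributes seen: {extra}")
```

Two design choices are worth noting. The role check is an allow-list, not a deny-list, so a newly granted permission the code was never written to expect is rejected rather than quietly accepted. And minimization happens on the response as well as in the request: `$select` is the primary control, but the receiving side still enforces the same list, so a change in the API or a misconfigured app registration cannot widen what gets stored.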

We aim to improve the security posture of our clients, so limiting the attack surface is the logical conclusion. If every third-party product offered its own AD sync tool for provisioning users into its service, each new integration would be another privileged agent inside the network, with its own domain credentials, outbound connectivity and patch cadence, and another potential vector for attackers to exploit. In our opinion the more secure arrangement is to let a single provider (Microsoft) handle AD sync and to use its mature, permission-scoped APIs to access the data we need.

Stability

The last challenge is stability, which we have heard is a major problem for other products that do offer an AD sync tool. This does not come as a surprise; AD dates from Windows 2000, and Microsoft faces the challenge of maintaining backwards compatibility while also modernizing identity and authentication for today's cloud products. As Microsoft pushes changes to AD, each change carries a chance of breaking a custom connector (notably, Microsoft only guarantees backwards compatibility for its own connector for 18 months, after which a given Azure AD Connect version is no longer supported). Since we have limited visibility into future changes (only what Microsoft publishes), providing consistently stable sync would be nearly impossible.