
VMware Fundamentals: Likewise Open

Simplifying Identity Management Across Hybrid Clouds with VMware Likewise Open

The relentless march towards hybrid and multi-cloud adoption is reshaping enterprise IT. Organizations are leveraging best-of-breed services from various providers, but this distributed approach introduces significant complexity, particularly around identity and access management (IAM). Traditional, on-premises Active Directory, while foundational, struggles to scale and secure workloads across these dynamic environments. The need for a consistent, secure, and manageable identity fabric is paramount, especially as zero-trust security models gain traction. VMware, recognizing this challenge, developed Likewise Open to bridge this gap. Enterprises in highly regulated industries like finance and healthcare, as well as SaaS providers with global footprints, are increasingly turning to solutions like Likewise Open to streamline IAM and reduce operational overhead.

What is "Likewise Open"?

Likewise Open isn’t a new product, but a significant evolution of VMware’s identity management capabilities. Originally acquired as Bitium, it’s a cloud-native identity service designed to connect and manage users across Windows, macOS, Linux, and cloud workloads. It’s fundamentally a directory-as-a-service (DaaS) solution, offering a modern alternative to traditional Active Directory domain controllers.

Technically, Likewise Open comprises several key components:

  • Cloud Directory: The central repository for user and device identities. It’s a highly available, globally distributed database.
  • Likewise Agents: Lightweight agents installed on endpoints (VMs, physical machines) that establish a secure connection to the Cloud Directory. These agents handle authentication and authorization.
  • Likewise Connectors: Enable integration with existing identity sources like Active Directory, Azure AD, and LDAP directories. This allows for synchronization or federation of identities.
  • REST APIs: Provide programmatic access to manage users, devices, and policies.

Typical use cases include:

  • Centralized Identity for Remote Workforces: Managing access for employees working from anywhere.
  • Cloud Workload Identity: Securing access to VMs and applications running in public clouds (AWS, Azure, GCP).
  • DevOps Automation: Integrating identity management into CI/CD pipelines.
  • BYOD (Bring Your Own Device) Management: Securely onboarding and managing personal devices.
  • Simplified Management of Multi-Cloud Environments: Providing a single pane of glass for identity across different cloud providers.

Why Use "Likewise Open"?

Infrastructure teams are often burdened with maintaining complex Active Directory environments, patching servers, and troubleshooting replication issues. SREs need reliable and scalable identity services to ensure application availability. DevOps teams require automated identity provisioning for rapid deployment of infrastructure. CISOs demand robust security and compliance controls. Likewise Open addresses these pain points by:

  • Reducing Operational Overhead: Eliminating the need to manage on-premises domain controllers.
  • Improving Security: Enforcing consistent security policies across all environments.
  • Enabling Scalability: Easily scaling identity management to accommodate growing workloads.
  • Simplifying Compliance: Providing audit trails and reporting capabilities to meet regulatory requirements.
  • Accelerating DevOps: Automating identity provisioning and deprovisioning.

Customer Scenario: Global Financial Institution

A large global financial institution struggled with managing identities for its hybrid cloud environment. They had a significant on-premises Active Directory footprint, but were migrating applications to AWS and Azure. Maintaining synchronization between on-premises AD and cloud IAM services was complex and prone to errors. They implemented Likewise Open, connecting it to their existing Active Directory via a connector. This allowed them to extend their existing identity policies to cloud workloads without requiring users to remember separate credentials. The result was improved security, reduced operational costs, and faster application deployment.

Key Features and Capabilities

  1. Universal Directory: A single source of truth for user and device identities, regardless of operating system or location. Use Case: Managing identities for a mixed environment of Windows, macOS, and Linux servers.
  2. Cloud-Native Architecture: Built for scalability, reliability, and security in the cloud. Use Case: Supporting a rapidly growing SaaS application with thousands of users.
  3. Directory Connectors: Seamlessly integrate with existing Active Directory, Azure AD, and LDAP directories. Use Case: Phased migration to the cloud without disrupting existing workflows.
  4. Device Management: Enroll and manage devices, enforcing security policies and ensuring compliance. Use Case: Securing corporate-owned laptops and mobile devices.
  5. Single Sign-On (SSO): Enable users to access multiple applications with a single set of credentials. Use Case: Improving user experience and reducing password fatigue.
  6. Multi-Factor Authentication (MFA): Add an extra layer of security to protect against unauthorized access. Use Case: Protecting sensitive financial data.
  7. Role-Based Access Control (RBAC): Grant users access to only the resources they need. Use Case: Limiting access to production environments for developers.
  8. Conditional Access: Enforce access policies based on device, location, and other factors. Use Case: Blocking access from untrusted networks.
  9. Audit Logging: Track all identity-related events for security and compliance purposes. Use Case: Investigating security incidents and demonstrating compliance.
  10. REST APIs & Automation: Programmatically manage identities and devices, integrating with DevOps tools. Use Case: Automating user provisioning and deprovisioning in CI/CD pipelines.
  11. Zero Trust Ready: Supports principles of least privilege and continuous verification. Use Case: Implementing a zero-trust security model across the organization.
  12. Self-Service Password Reset: Empower users to reset their passwords without IT intervention. Use Case: Reducing help desk tickets and improving user productivity.

Enterprise Use Cases

  1. Healthcare Provider (HIPAA Compliance): A large hospital system needed to secure access to patient data across its on-premises data center and AWS cloud environment. They used Likewise Open to centralize identity management, enforce MFA, and implement RBAC. The audit logging capabilities helped them demonstrate compliance with HIPAA regulations. Setup involved connecting Likewise Open to their existing Active Directory and deploying agents to all servers and workstations. The outcome was a more secure and compliant environment with reduced risk of data breaches.

  2. Financial Services Firm (PCI DSS Compliance): A global investment bank required a highly secure identity solution to protect sensitive financial data. They implemented Likewise Open with conditional access policies, restricting access to critical systems based on device and location. They also leveraged the REST APIs to integrate identity management into their DevOps pipelines. The result was a more secure and automated environment that met PCI DSS requirements.

  3. Manufacturing Company (IoT Security): A manufacturing company was deploying IoT devices on its factory floor. They used Likewise Open to manage the identities of these devices, ensuring that only authorized devices could access the network. They also used RBAC to limit the access of each device to only the resources it needed. This improved the security of their industrial control systems.

  4. SaaS Provider (Scalability & Reliability): A rapidly growing SaaS provider needed a scalable and reliable identity solution to support its expanding user base. They chose Likewise Open for its cloud-native architecture and ability to handle thousands of concurrent users. The SSO capabilities improved user experience and reduced churn.

  5. Government Agency (Security & Compliance): A federal government agency required a highly secure identity solution to protect classified information. They implemented Likewise Open with MFA and strict access controls. The audit logging capabilities helped them meet stringent security requirements.

  6. Retail Organization (BYOD Management): A large retail chain allowed employees to use their personal devices for work. They used Likewise Open to securely onboard and manage these devices, enforcing security policies and protecting corporate data. The device management features helped them prevent data leakage.

Architecture and System Integration

```mermaid
graph LR
    A[User] --> B(Likewise Agent)
    B --> C{Likewise Open Cloud Directory}
    C --> D[Active Directory Connector]
    C --> E[Azure AD Connector]
    C --> F[LDAP Connector]
    C --> G[vCenter Server]
    C --> H[VMware Aria Operations]
    C --> I[VMware NSX]
    C --> J[VMware Tanzu]
    subgraph Security & Monitoring
        H --> K[Alerting & Reporting]
        I --> L[Network Segmentation]
    end
    style C fill:#f9f,stroke:#333,stroke-width:2px
```

This diagram illustrates how Likewise Open integrates with various systems. Users authenticate through the Likewise Agent, which communicates with the Cloud Directory. Connectors synchronize identities from existing sources. Integration with vCenter allows for automated identity provisioning for VMs. VMware Aria Operations provides monitoring and alerting. NSX enables network segmentation based on identity. Tanzu leverages Likewise Open for secure application access. IAM is handled through the Cloud Directory, logging is centralized, and network flow is controlled via NSX policies.

Hands-On Tutorial

This example demonstrates connecting Likewise Open to an existing Active Directory domain. (Requires a Likewise Open subscription and access to a vCenter environment).

Prerequisites:

  • A running Likewise Open instance.
  • A vCenter Server instance.
  • An Active Directory domain.

Steps:

  1. Create a Connector: In the Likewise Open console, navigate to "Connectors" and click "Add Connector." Select "Active Directory" as the connector type.
  2. Configure Connector: Provide the Active Directory domain name, a service account with read access to the domain, and the domain controller IP address.
  3. Verify Connection: Test the connection to ensure that Likewise Open can communicate with Active Directory.
  4. Sync Users and Groups: Configure synchronization settings to import users and groups from Active Directory into Likewise Open.
  5. Deploy Likewise Agent to a VM: Download the Likewise Agent for Linux or Windows from the Likewise Open console. Install the agent on a VM managed by vCenter.
  6. Join the VM to the Cloud Directory: Configure the agent to join the VM to the Likewise Open Cloud Directory.
  7. Test Authentication: Log in to the VM using a user account synchronized from Active Directory.

CLI Example (using likewisectl - Linux agent):

```bash
sudo likewisectl join <your_likewise_open_domain> -u <domain_admin_user> -p <domain_admin_password>
```

Supplying the password as a command-line argument leaves it in the shell history and exposes it to other local users through the process list. Where the agent supports it, prefer an interactive password prompt or a credential read from a protected file, and use a dedicated join account with only the rights needed to join machines rather than a domain administrator.

Tear-Down:

  1. Remove the Likewise Agent from the VM.
  2. Delete the Active Directory connector in the Likewise Open console.

Pricing and Licensing

Likewise Open is typically licensed on a per-user or per-device basis. Pricing varies depending on the edition (Standard, Premium, Enterprise) and the number of users/devices. As of late 2023, a typical cost for the Standard edition is around $3-5 per user per month. The Premium and Enterprise editions offer additional features and support, and are priced accordingly.

Cost-Saving Tips:

  • Right-size your license: Only license the users and devices that require access to the system.
  • Leverage existing investments: Use connectors to integrate with existing Active Directory infrastructure.
  • Consider annual commitments: Annual contracts often offer discounts.

Security and Compliance

Securing Likewise Open involves several key measures:

  • MFA: Enforce MFA for all users.
  • RBAC: Grant users only the permissions they need.
  • Network Segmentation: Isolate the Likewise Open infrastructure from other networks.
  • Regular Security Audits: Conduct regular security audits to identify and address vulnerabilities.
  • Data Encryption: Encrypt data at rest and in transit.

Compliance:

Likewise Open supports compliance with various industry standards, including:

  • ISO 27001: Information Security Management System
  • SOC 2: Security, Availability, Processing Integrity, Confidentiality, and Privacy
  • PCI DSS: Payment Card Industry Data Security Standard
  • HIPAA: Health Insurance Portability and Accountability Act

Example RBAC Rule:

Grant a "Help Desk" group read-only access to user accounts and the ability to reset passwords.
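The Help Desk rule above, expressed as a deny-by-default RBAC evaluator with an audit trail. This is an added illustration, not Likewise Open's policy schema or API (the page does not show either); the `POLICY` layout, role and group names, and the `PROTECTED_GROUPS` guard (which goes beyond the stated rule by refusing help-desk password resets against privileged accounts) are all assumptions.

```python
"""Deny-by-default RBAC check for the 'Help Desk' rule, with audit events (illustrative)."""
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical policy model: role -> set of (resource, action) grants.
# Likewise Open's real policy schema is not shown on the page; these names are assumptions.
POLICY = {
    "help_desk": {("user", "read"), ("user", "reset_password")},
    "identity_admin": {("user", "read"), ("user", "create"), ("user", "delete"),
                       ("user", "reset_password"), ("group", "read"), ("group", "modify")},
}
GROUP_TO_ROLE = {"Help Desk": "help_desk", "Identity Admins": "identity_admin"}
# Members of these groups count as privileged: a help-desk reset against them is refused,
# closing the classic "reset an admin's password from a low-privilege role" path.
PROTECTED_GROUPS = {"Identity Admins", "Domain Admins"}

AUDIT_LOG = []  # constructed in-memory sink standing in for centralized audit logging


@dataclass
class Subject:
    name: str
    groups: set = field(default_factory=set)


def is_allowed(actor: Subject, resource: str, action: str,
               target: Optional[Subject] = None) -> bool:
    """True only if a role held by actor grants (resource, action); everything else is denied."""
    roles = {GROUP_TO_ROLE[g] for g in actor.groups if g in GROUP_TO_ROLE}
    if not any((resource, action) in POLICY[r] for r in roles):
        return False
    # Extra guard: only identity_admin may reset passwords of privileged accounts.
    if action == "reset_password" and target is not None and target.groups & PROTECTED_GROUPS:
        return "identity_admin" in roles
    return True


def authorize(actor: Subject, resource: str, action: str,
              target: Optional[Subject] = None) -> bool:
    """Evaluate the request and record allow/deny as an audit event before returning."""
    decision = is_allowed(actor, resource, action, target)
    AUDIT_LOG.append({"actor": actor.name, "resource": resource, "action": action,
                      "target": target.name if target else None,
                      "decision": "allow" if decision else "deny"})
    return decision


if __name__ == "__main__":
    helpdesk, alice = Subject("hd.operator", {"Help Desk"}), Subject("alice", {"Staff"})
    admin = Subject("root.admin", {"Identity Admins"})
    print(authorize(helpdesk, "user", "reset_password", alice))  # True
    print(authorize(helpdesk, "user", "delete", alice))          # False: never granted
    print(authorize(helpdesk, "user", "reset_password", admin))  # False: protected target
```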

Integrations

  1. VMware vCenter: Automates identity provisioning for VMs.
  2. VMware NSX: Enables network segmentation based on identity.
  3. VMware Aria Suite (formerly vRealize): Provides monitoring and alerting for identity-related events.
  4. VMware Tanzu: Secures access to containerized applications.
  5. VMware vSAN: Integrates with vSAN for secure storage access.
  6. Okta: Federation with Okta for broader SSO capabilities.

Alternatives and Comparisons

| Feature | VMware Likewise Open | Azure Active Directory | AWS IAM |
|---|---|---|---|
| Primary Focus | Hybrid/Multi-Cloud IAM | Cloud IAM | Cloud IAM |
| On-Premises Integration | Excellent (via Connectors) | Limited | Limited |
| Directory-as-a-Service | Yes | Yes | No (primarily IAM) |
| Device Management | Yes | Yes | Limited |
| Pricing | Per-user/device | Per-user | Pay-as-you-go |
| Complexity | Moderate | Moderate | Moderate |

When to Choose:

  • Likewise Open: Best for organizations with significant on-premises Active Directory investments and a need for hybrid/multi-cloud IAM.
  • Azure AD: Ideal for organizations heavily invested in the Microsoft ecosystem.
  • AWS IAM: Suitable for organizations primarily using AWS services.

Common Pitfalls

  1. Insufficient Connector Permissions: The service account used for the Active Directory connector must have sufficient permissions to read user and group information. Fix: Grant the service account the necessary permissions.
  2. Network Connectivity Issues: Ensure that the Likewise Agent can communicate with the Cloud Directory. Fix: Verify network connectivity and firewall rules.
  3. Synchronization Conflicts: Conflicts can occur when users or groups are modified in both Active Directory and Likewise Open. Fix: Establish a clear synchronization strategy and resolve conflicts promptly.
  4. Ignoring MFA: Failing to enable MFA significantly increases the risk of unauthorized access. Fix: Enforce MFA for all users.
  5. Lack of Monitoring: Without proper monitoring, it’s difficult to detect and respond to security incidents. Fix: Integrate Likewise Open with a monitoring solution like VMware Aria Operations.

Pros and Cons

Pros:

  • Simplified identity management across hybrid clouds.
  • Reduced operational overhead.
  • Improved security and compliance.
  • Scalable and reliable architecture.
  • Strong integration with VMware ecosystem.

Cons:

  • Requires a subscription.
  • Can be complex to set up and configure.
  • Dependency on VMware’s cloud services.

Best Practices

  • Security: Enforce MFA, implement RBAC, and regularly audit security configurations.
  • Backup: Regularly back up the Cloud Directory.
  • Disaster Recovery: Implement a disaster recovery plan to ensure business continuity.
  • Automation: Automate identity provisioning and deprovisioning using REST APIs.
  • Logging: Centralize logging and monitoring for security and troubleshooting.
  • Monitoring: Use VMware Aria Operations or Prometheus to monitor the health and performance of the service.

Conclusion

VMware Likewise Open provides a powerful and flexible solution for simplifying identity management in today’s complex hybrid and multi-cloud environments. For infrastructure leads, it offers a path to reduce operational costs and improve security. For architects, it provides a scalable and reliable foundation for building secure cloud applications. For DevOps teams, it enables automation and accelerates application delivery. To learn more, consider a Proof of Concept, explore the official documentation, or contact the VMware sales team to discuss your specific requirements.
