From the vantage point of most people, even technical folks, Active Directory (AD) seems like it’s doing pretty well. How often can you not log in when you sit down at your PC? How often do you fail to find someone in the corporate directory in Outlook? How many times have you heard of an AD outage?
Of course, those close to AD know this is an illusion.
AD has so many layers of failure resistance, it’s natural that it doesn’t show any cracks in day-to-day operations. That’s why when people want to use AD as part of a larger initiative, they’re so surprised that those closest to AD say it’s too much of a mess to easily achieve what they want.
Line-of-business folks simply assume they can use AD to sign in to cloud platforms, only to find out there is a morass of trusts and domains hidden from their view which complicates things. Data center folks move forward with huge virtualization rollouts and get tripped up by redundant and even recursive structures in AD group memberships. And nearer and dearer to my heart are all the identity and access management (IAM) projects which have come to a crashing halt when they go to integrate AD as their first platform, only to have their plans dashed by the complexities of AD's structure.
IAM wants to work with authoritative sources, and AD seems like a natural first choice since it’s the authentication and authorization source for at least 80% of organizational data. What’s becoming clear today is that in order to truly complete IAM it will be necessary to get AD optimized once and for all. But when does AD optimization ever get included as a business priority?
My firm is dealing with a classic example of an IAM mess right now. A reasonably large financial firm wants to roll out certifications for both applications and unstructured data. Like most organizations of their age, size, and type, they've had their fair share of mergers and acquisitions, reorganizations, and layers of IT infrastructure. So of course they have a big, cross-wired mess at the heart of their Active Directory.
The sad part is they are smart enough to know it. Why sad? Because they also know that the timeline the business has given them to run their certifications will not let them do the right thing. The good news for them is that they will absolutely be able to get their certifications done on the timeline they have. However, the problem will start as soon as the first certification that wants to revoke access to unstructured data hits the “submit” button.
You see, thanks to the big mess in AD, there is no clear way that access is granted to unstructured data resources. Many groups grant similar types of rights to the same resources. And since many of those groups have been formed by redundant and overlapping needs, many of the same sets of users exist as members of those groups.
What's worse is that these groups usually grant many different rights to many different resources. So let's say someone runs a review and wants to take away a user's right to access a file share. How should that be done? If you take the user out of the group granting the access, it's likely the user will also lose other rights they still need. And since many groups overlap, taking them out of one group may not do the trick: another group may still grant the same access. If instead you take the right away from the group, you've effectively removed the access of every member of that group, including the members of any groups nested inside it.
You can see where these problems lead very quickly.
There's nothing new about the idea that IAM projects often fail due to lack of planning and poor executive backing. A Google search for "identity management project failure" will turn up dozens of blog posts, white papers, presentations, and articles from vendors, analysts and end users, all confirming what we've known for years: that IAM projects are failure prone.
What is becoming more clear now is the intimate connection of these failures and the need to optimize the security model within Active Directory. What’s driving that realization home is the new push to include unstructured data in IAM projects and the fact that unstructured data is so clearly and directly connected to the inner structure of AD.
Unlike applications that may have used AD as an authentication source or perhaps used a few groups they created specially to control authorization, unstructured data links directly to AD groups for access and relies completely on AD credentials for identity. That means every deeply or circularly nested group, every redundant group, and every person with multiple accounts or overlapping group memberships becomes an immediate issue for identifying who has access and for controlling that access.
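The file-share revocation question raised above, and the nested, redundant and circular groups listed in this paragraph, are easier to reason about when the access paths are actually computed. The script below is an added example, not code from the original post or from any STEALTHbits product. It models a small, constructed AD-shaped dataset (all group, user and share names are made up) and answers three questions a reviewer needs before clicking "submit": which groups are circularly nested, which groups give a user access to which shares, and what a user keeps and loses if removed from one group, or what everyone loses if the right is pulled from the group instead.

```python
"""Modelling the revocation dilemma described above on a constructed,
AD-shaped dataset: nested, redundant and circular groups, and file-share
ACLs that grant rights to those groups. All names are made up."""
from collections import deque

# group -> direct members (users or other groups). Constructed example data.
# Finance-All and Finance-Staff nest each other: a circular membership.
GROUP_MEMBERS = {
    "Finance-All": {"Finance-Staff", "Finance-Mgmt"},
    "Finance-Staff": {"alice", "bob", "Finance-All"},
    "Finance-Mgmt": {"carol"},
    "Legacy-AcmeCorp": {"alice", "dave"},          # left over from an acquisition
    "FS-Finance-RW": {"Finance-All", "Legacy-AcmeCorp"},
}

# share -> {group granted on the ACL: right}. Constructed example data.
SHARE_ACLS = {
    r"\\files\finance": {"FS-Finance-RW": "Modify", "Legacy-AcmeCorp": "Modify"},
    r"\\files\budgets": {"Finance-All": "Read"},
    r"\\files\mergers": {"Legacy-AcmeCorp": "Read"},
}


def nesting_cycles(groups):
    """Groups that can reach themselves through nested membership."""
    cyclic = set()
    for start in groups:
        seen, stack = set(), [start]
        while stack:
            for member in groups.get(stack.pop(), ()):
                if member == start:
                    cyclic.add(start)
                elif member in groups and member not in seen:
                    seen.add(member)
                    stack.append(member)
    return cyclic


def effective_groups(principal, groups):
    """Every group the principal belongs to, directly or via nesting (cycle-safe)."""
    parents = {}
    for group, members in groups.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    found, queue = set(), deque([principal])
    while queue:
        for group in parents.get(queue.popleft(), ()):
            if group not in found:
                found.add(group)
                queue.append(group)
    return found


def expand_users(group, groups):
    """All user accounts that inherit a right granted to `group` (cycle-safe)."""
    users, seen, stack = set(), {group}, [group]
    while stack:
        for member in groups.get(stack.pop(), ()):
            if member not in groups:
                users.add(member)
            elif member not in seen:
                seen.add(member)
                stack.append(member)
    return users


def effective_access(user, groups, acls):
    """share -> {granting group: right} for every ACL entry the user reaches."""
    mine = effective_groups(user, groups)
    return {share: {g: r for g, r in aces.items() if g in mine}
            for share, aces in acls.items() if mine & set(aces)}


def simulate_removal(user, group, groups, acls):
    """For each share the user can reach today, the groups that still grant it
    after the user is taken out of `group`. An empty list means access is lost."""
    before = effective_access(user, groups, acls)
    trimmed = {g: m - {user} if g == group else m for g, m in groups.items()}
    after = effective_access(user, trimmed, acls)
    return {share: sorted(after.get(share, {})) for share in before}


if __name__ == "__main__":
    print("circular groups:", sorted(nesting_cycles(GROUP_MEMBERS)))
    print("alice today:", effective_access("alice", GROUP_MEMBERS, SHARE_ACLS))
    # A reviewer wants to revoke alice's Modify right on \\files\finance.
    for g in ("Finance-Staff", "Legacy-AcmeCorp"):
        print(f"remove alice from {g}:",
              simulate_removal("alice", g, GROUP_MEMBERS, SHARE_ACLS))
    # The alternative, pulling the right from the group, hits everyone who inherits it.
    print("would lose FS-Finance-RW rights:",
          sorted(expand_users("FS-Finance-RW", GROUP_MEMBERS)))
```

On this data, removing alice from Finance-Staff does not revoke her Modify right on \\files\finance (Legacy-AcmeCorp still grants it) but does cost her \\files\budgets; removing her from Legacy-AcmeCorp leaves the finance share reachable through the nested chain and costs her \\files\mergers. Pulling the right from FS-Finance-RW takes it away from alice, bob, carol and dave alike. The cycle-safe traversals matter: a naive recursive expansion of Finance-All would never terminate.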
In other words, all the robust methods AD has for absorbing organizational craziness, which people have taken advantage of for years while still delivering smooth service from the end user's perspective, are finally coming home to roost. Because IAM projects want to push into the last areas of the organization and truly understand and control all the access, AD will finally have to clean up its act.
Does this mean you need to halt IAM, not to mention all the other big technology programs you may have, so you can clean up your AD from top to bottom?
Luckily, just as AD has operational coping mechanisms that let it roll on while it's a mess, and structural coping mechanisms that let it contort itself to reflect your organization's craziness in its security model, IAM has ways to roll on for a bit, too.
You can get some amount of certification, self-service, and other key IAM pieces done even with AD in its current poor state. What this all means is if you ever plan to truly complete the journey of identity and access management, then you will need to also take the journey of AD optimization. Our friends at the financial firm understand this. Luckily for them and us, they are planning ahead to optimize their AD security model as a phase two for this program. Let’s hope the business agrees with the wisdom of that.
Sander is responsible for STEALTHbits’ corporate development and product management. This involves working extensively with all STEALTHbits’ clients and partners. Follow him on Twitter at @sanderiam.