I put quotation marks around “the” in “the enterprise directory” because there is almost never a single directory in the enterprise. Fifteen years after the first time I remember discussing consolidating onto a single directory (in an IT job where it was actually easy, given the scale of the organization I worked in), the drive to get to a “single source of truth” for identifying users is still in full, slow motion. In fact, the motion may be a bit retrograde right now, as the shift to software as a service (SaaS) has set back identity management efforts in some places by introducing one or more completely external sources of authentication.
Any robust security planning around directories has to include the entire web of synchronizations, imports, and uploads that drive the population and upkeep of each directory, as well as the directories themselves. It also (as we all know from endless wrangling with identity management) has to embrace the human side of directory maintenance. Security strategies have to include proper separation of duties among staff in business departments such as HR and legal, who are tasked with bringing people into and out of the organization itself. They also need to encompass separation of duties in IT, between the staff tasked with maintaining the directory software, the systems that feed information into it, and the virtual and physical servers the directories live on.
Without addressing the complex web of data feeds and overlapping directory systems in the organization as well as the risks created by business and IT access to systems, securing “the” directory will be impossible.
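One concrete way to put the "web of feeds" under control is to reconcile the sources against each other and treat every disagreement as a finding. The script below is an added example, not code from the original article; the HR feed, directory export and SaaS identity-provider export are constructed sample data, and the field layout is an assumption standing in for whatever the real exports contain.

```python
"""Added example: reconcile identities across the HR feed (intended source
of truth), the central directory, and an external SaaS identity provider.
All three record sets are constructed sample data, not real exports."""
from dataclasses import dataclass

# Constructed sample exports. In practice these would come from the HR
# system, an LDAP/AD export, and the SaaS provider's user listing.
HR_FEED = {          # employee id -> HR status
    "e100": "active", "e101": "active", "e102": "terminated", "e103": "active",
}
DIRECTORY = {        # directory account -> (employee id, enabled)
    "alice": ("e100", True),
    "bob": ("e101", True),
    "carol": ("e102", True),      # still enabled after HR termination
    "svc-backup": (None, True),   # no HR owner at all
}
SAAS_IDP = {         # SaaS account -> linked directory account, or None
    "alice@example.com": "alice",
    "dave@example.com": None,     # SaaS-local login: an external auth source
}

@dataclass(frozen=True)
class Finding:
    system: str
    account: str
    issue: str

def reconcile(hr, directory, saas):
    """Return every point where the feeds disagree with the HR feed."""
    findings = []
    for acct, (emp, enabled) in directory.items():
        if emp is None:
            findings.append(Finding("directory", acct, "no HR owner"))
        elif emp not in hr:
            findings.append(Finding("directory", acct, "unknown employee id"))
        elif hr[emp] == "terminated" and enabled:
            findings.append(Finding("directory", acct, "enabled after termination"))
    owned = {emp for emp, _ in directory.values() if emp is not None}
    for emp, status in hr.items():
        if status == "active" and emp not in owned:
            findings.append(Finding("hr", emp, "active employee without directory account"))
    for acct, linked in saas.items():
        if linked is None:
            findings.append(Finding("saas", acct, "not linked to directory"))
        elif linked not in directory:
            findings.append(Finding("saas", acct, "linked directory account missing"))
        elif not directory[linked][1]:
            findings.append(Finding("saas", acct, "linked directory account disabled"))
    return findings

if __name__ == "__main__":
    for f in reconcile(HR_FEED, DIRECTORY, SAAS_IDP):
        print(f"{f.system}: {f.account}: {f.issue}")
```

Running it against the sample data surfaces the enabled account of a terminated employee, the ownerless service account, an active employee never provisioned, and the SaaS-only login that bypasses the directory entirely.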