It’s hard to believe that it has been 23 years since Microsoft’s Active Directory (AD) was released. Since its debut as a part of Windows 2000 Server, AD has gone through many evolutions and iterations to become the complex platform that it is today. And with Microsoft attempting to gain momentum in converting users to its cloud-based service, Azure AD, organizations are learning for themselves how complicated and sprawled their on-premises AD environments are. This is especially true for federal government agencies.
The federal government has run its directory services on Active Directory for more than two decades. Over that time, repeated IT staff turnover has made keeping a solid grasp on Active Directory difficult, and as a result federal agencies are struggling to manage their Active Directory environments, both on-prem and in the cloud. With historical Active Directory knowledge disappearing with each wave of IT staff that comes and goes, agencies must begin adopting solutions and tools that can withstand turnover and keep Active Directory management in check.
To learn more about the current state of federal agencies’ Active Directory environments and to learn how automated and enhanced solutions can not only improve Active Directory management, but also bolster agencies’ cybersecurity postures, the GovCyberHub sat down with Eric Weiss, Senior Technology Executive at Quest Software Public Sector, Inc.
Here is what he had to say:
GovCyberHub (GCH): Federal agencies’ Active Directory environments have become significantly more complex over the years. In general, what does a federal agency’s Active Directory landscape look like today? Do agencies have a strong grasp on their Active Directory environments? What challenges are they currently facing as it pertains to Active Directory management?
Eric Weiss: Active Directory landscapes have become significantly more complex and convoluted throughout the years. Like most enterprises, federal agencies have had Active Directory implemented for almost as long as it’s been around – almost 25 years. Over the years, agencies have continued to build upon their existing foundation, both organically and inorganically, increasing the complexity of the environment as a whole.
This has incurred what I like to call “technical debt”, which includes legacy architectures, convoluted group policies and complex organizational unit structures. These architectures have been inherited by the people who are managing the Active Directory environment today but were not necessarily implemented by those people.
You also have old security settings through group policy that have not been reviewed or updated, organizational unit sprawl, group sprawl, token bloat, and multiple forests purpose-built for purposes that are no longer relevant (i.e., red forests, creating security boundaries, resource forests).
Active Directory in most environments is sometimes treated like an invisible, ubiquitous commodity, like air, water, or electricity. It’s always there and it just works. You don’t think about it very much until all of a sudden something goes wrong with it and it’s not available. Then you realize there’s a problem, and your IT team needs to figure out what’s going on.
In a lot of enterprises, Active Directory is passed from one team to another to own and manage, but since it “just works,” not much time is spent to fully understand how Active Directory works – or why. As turnover and attrition occur, deep knowledge and expertise in terms of the organization’s Active Directory structure and processes are lost. Because of that, understanding and knowledge of Active Directory in most agencies is usually just surface level.
The biggest challenges surrounding Active Directory management today are security, visibility, and recoverability. Native tools do not give you the ability to granularly delegate permissions so that role-based access and principles of least privilege can be implemented, clear visibility into what’s happening in Active Directory or the ability to quickly recover from malicious activities (or mistakes).
The ability to apply granular permissions to Active Directory is central to securing the environment and applying zero trust principles. Role-based access and least privilege ensure that the right people have the right access to the right resources at the right time.
Having real-time, actionable information about what is happening in Active Directory is critical to ensuring that the environment is healthy. Native tools, again, only give the ability to receive event-driven information from Active Directory, but users have to go to event logs, collect and collate that information.
Finally, the least-talked about – but possibly most important aspect of managing Active Directory – is disaster recovery. If your Active Directory goes down, how quickly can you recover? And at what point? If a mistake is made and objects are modified or deleted, what are your processes to be able to restore them to their previous state? Native tools do not necessarily give you the ability to granularly restore Active Directory, and you end up having to rely on the AD recycle bin (and its limitations), an authoritative restore, or a non-authoritative restore, which – depending upon the nature of the disaster – can take hours, days or weeks.
GCH: Many agencies are currently operating in hybrid, on-prem/cloud-based environments. How does working in hybrid environments impact Active Directory management?
Eric Weiss: It has several impacts, especially considering it’s usually the same people managing both on-prem Active Directory and Azure Active Directory. First, it creates multiple management interfaces. You have your on-prem tools for your Active Directory management, and you also have the Azure portal for managing Azure Active Directory (not to mention a separate portal for each Azure service).
Each interface is different and requires ramp-up time. Second, you have to manage Azure AD Connect, which is the mechanism for synchronizing your on-premises Active Directory to Azure Active Directory. This creates additional complexity and knowledge requirements for administrators as very few agencies use the default synchronization options, and changes to Azure AD Connect rapidly increase the complexity of the synchronization processes.
Finally, it creates time and resource constraints because the same people are now required to manage and secure multiple environments that are not completely in alignment for how they need to be managed and secured.
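As an added illustration (this is not part of the interview, and it is not Quest's software), the PowerShell below shows what "going to the event logs, collecting and collating" looks like with native tooling when the question is "who changed which security group's membership in the last day?". It uses only the built-in Get-WinEvent cmdlet and the standard Windows event IDs for security group membership changes. The domain controller names DC01 and DC02 are placeholders; the script assumes the "Security Group Management" audit subcategory is enabled on the DCs and that the caller can read their Security logs remotely.

```powershell
# Added example: collate security-group membership changes from DC Security logs.
# Assumptions: DC01/DC02 are placeholder names; Audit Security Group Management
# is enabled; the caller has remote read access to the Security log.
function Get-GroupMembershipChanges {
    param(
        [string[]]$DomainController = @('DC01', 'DC02'),  # placeholders
        [int]$Hours = 24
    )
    # 4728 / 4732 / 4756: member added to a global / local / universal security group
    # 4729 / 4733 / 4757: member removed from the corresponding group type
    $addIds = 4728, 4732, 4756
    $ids    = $addIds + 4729, 4733, 4757
    $filter = @{
        LogName   = 'Security'
        Id        = $ids
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    foreach ($dc in $DomainController) {
        try {
            # -ErrorAction Stop also turns "no events found" into a catchable error
            $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
        } catch {
            Write-Warning "No usable events from ${dc}: $_"
            continue
        }
        foreach ($e in $events) {
            # Parse the event XML so we can read named EventData fields
            $xml  = [xml]$e.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            $action = if ($e.Id -in $addIds) { 'Added' } else { 'Removed' }
            [pscustomobject]@{
                Time      = $e.TimeCreated
                DC        = $dc
                Action    = $action
                Group     = $data['TargetUserName']   # the group that changed
                Member    = $data['MemberName']       # DN of the member added/removed
                ChangedBy = $data['SubjectUserName']  # account that made the change
            }
        }
    }
}

# Summary view: which groups changed, how often, and by whom.
# Use -Hours to widen the window; privileged groups showing up here
# with an unexpected ChangedBy are the first thing to review.
Get-GroupMembershipChanges |
    Group-Object Group, ChangedBy |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Even this small script has to reach into each DC individually, parse raw event XML and merge the results by hand, which is the manual collection-and-collation work the interview refers to; a DC that is unreachable or has no matching events simply produces a warning rather than breaking the report.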
Be sure to check back for Part 2 of our conversation with Eric Weiss, as he explores how automation and enhanced Active Directory management tools bolster federal cybersecurity postures.
To learn how Quest Public Software’s unified identity platform aligns with zero trust, click HERE.