
The things that are better left unspoken

a blog by Sander Berkouwer


Why Active Directory attribute integrity is getting more important (and you should care)

For 84% of all organizations, Active Directory is the cornerstone of their networking infrastructure. Heavy investments in Active Directory technologies have enabled them to achieve authentication, authorization, auditing and centralized management goals, by leveraging Domain Controllers, PKI, Rights Management Services, Federation and Group Policy.

The change in Identity and Access Management

Now, as we enter the next phase in identity and access management, we, as Active Directory admins, need to focus. Where centralized management used to be about managing users in multiple SAM databases, writing *.pol files and joining computers to domains a few years ago, today we are asked to manage identity across multiple systems, locations, languages and technologies. No longer can we get away with assuming the endpoint is safe. No longer is information in Active Directory contained in its own bubble; it’s out there, and organizations want it to be out there.

All the while, freedom still opposes control. The freedom for organizations to move functionality to the cloud, the freedom for colleagues to work from home and their freedom to choose or even buy their own hardware make it harder for us to keep control over who has access where and when, licensing and data integrity. Organizations expect their admins to be in control, but also to enable the New World of Work, Consumerization of IT (CoIT) and Bring Your Own (BYO).

Microsoft to the rescue!

Of course, Microsoft offers some dedicated Identity and Access Management (IAM) solutions to face these challenges. Not surprisingly, these solutions integrate with or are part of the Active Directory family of products:

  • Forefront Identity Manager (FIM) couples identity stores
  • Federation Services (ADFS) lets organizations exchange claims about each other's users and systems, providing access to each other's functionality
  • Rights Management Services (ADRMS) protects information from unauthorized people through encryption.
  • Dynamic Access Control (DAC) centrally authorizes file access, based on claims consisting of combinations of user, device and resource attributes and properties.
  • Windows Azure Active Directory is the centralized identity hub on the Internet
  • Domain Controllers and ADFS Servers/Proxies on Windows Azure can eliminate the connection bottleneck in Federation scenarios.
  • DirSync extends Active Directory users into Office 365.

These products and technologies worry me. Not because I feel Microsoft doesn’t understand Identity, not because I have security concerns when it comes to the cloud, but because I see most Active Directory environments aren’t ready to use these products and technologies, yet.

Claims, attributes, policies and properties

All these products have something in common: they all leverage properties and attributes through sync engines, policies and filtering capabilities. Already, within ADFS and DAC, attributes on user accounts can be used to grant or deny access to files, folders and SharePoint libraries. FIM joins disparate identity sources based on common attributes. DirSync provides user accounts with mailboxes based on their parent container.

When these attributes are inconsistent, access to files, apps, partners and cloud functionality becomes inconsistent. If you think it won’t happen to you, think twice. During the first internal Microsoft deployment of Dynamic Access Control, attribute inconsistency was the first problem encountered; in the past a user account was incorrectly changed from a temp to an FTE, resulting in Access-denied situations. You’d think Microsoft, of all companies, knows how to manage Active Directory.

     

Call to action

Active Directory admins need to take care of attribute consistency throughout the identity lifecycle. Fields like Department, Manager (for user objects) and Primary User (for computer objects) are essential. Your current provisioning tool should force you to provide these attributes, and processes should be in place to modify the correct attributes in the right way when someone changes department, gets promoted, gets demoted, etc.

Furthermore, frequent audits should take place to trace attribute inconsistencies and proactively solve them.
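
An audit along these lines, as an added example that is not from the original post: the function below checks the Department and Manager fields on enabled user objects and reports each inconsistency. The function name, the approved-department list and the sample accounts are assumptions constructed for illustration.

```powershell
# Added example. Flags enabled users whose Department or Manager is unusable.
function Find-AttributeInconsistency {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [Parameter(Mandatory)] [string[]] $ApprovedDepartments
    )
    # Index every object by distinguished name so Manager values can be resolved.
    $byDn = @{}
    foreach ($u in $Users) { $byDn[$u.DistinguishedName] = $u }

    foreach ($u in $Users | Where-Object { $_.Enabled }) {
        $issues = @()
        if ([string]::IsNullOrWhiteSpace($u.Department)) {
            $issues += 'Department is empty'
        } elseif ($u.Department -cnotin $ApprovedDepartments) {
            # Case-sensitive, so spelling variants such as 'finance' are reported.
            $issues += "Department '$($u.Department)' is not an approved value"
        }
        if ([string]::IsNullOrWhiteSpace($u.Manager)) {
            $issues += 'Manager is empty'
        } elseif ($u.Manager -eq $u.DistinguishedName) {
            $issues += 'Manager points to the user itself'
        } elseif (-not $byDn.ContainsKey($u.Manager)) {
            $issues += 'Manager does not resolve to an audited user'
        } elseif (-not $byDn[$u.Manager].Enabled) {
            $issues += 'Manager account is disabled'
        }
        foreach ($i in $issues) {
            [pscustomobject]@{ SamAccountName = $u.SamAccountName; Issue = $i }
        }
    }
}

# Constructed sample objects with the property names Get-ADUser returns.
$ou = 'OU=Staff,DC=example,DC=test'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; DistinguishedName = "CN=Alice,$ou"; Department = 'Finance'; Manager = "CN=Carol,$ou"; Enabled = $true }
    [pscustomobject]@{ SamAccountName = 'bob';   DistinguishedName = "CN=Bob,$ou";   Department = 'finance'; Manager = "CN=Dave,$ou";  Enabled = $true }
    [pscustomobject]@{ SamAccountName = 'carol'; DistinguishedName = "CN=Carol,$ou"; Department = $null;     Manager = $null;          Enabled = $true }
    [pscustomobject]@{ SamAccountName = 'dave';  DistinguishedName = "CN=Dave,$ou";  Department = 'Sales';   Manager = "CN=Carol,$ou"; Enabled = $false }
)
Find-AttributeInconsistency -Users $sample -ApprovedDepartments 'Finance', 'Sales'

# Against a live domain (ActiveDirectory module), replace $sample with:
#   Get-ADUser -Filter * -Properties Department, Manager
```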

Posted: Monday, October 01, 2012 8:10 AM by Sander Berkouwer
