Here at Imanami, we’ve spent the last number of years talking about the need to keep Active Directory secure. While still a valid and pertinent message today, a lot of changes in the industry give us pause to consider Active Directory’s role in the larger picture, and to reflect on how the very same group lifecycle management tactics apply to a more complex definition of an organization’s directory.
What’s Influencing the “Directory”?
It used to be that Active Directory was the center of the IT universe. It was designed with an extendible schema to always allow it to maintain itself as an organization’s system of record. But with the advent of the cloud, the digital transformation of businesses, and the need for more interoperability between cloud-based services, systems, and applications, the very idea of having a truly single directory has fallen by the wayside for many organizations. Microsoft has tried to retain control with Azure AD and it’s integration with both on-prem AD and Office 365 applications, but in practical application, for many organizations, this is merely one more cog in an already complicated directory “wheel”.
Now, there’s the idea of using some kind of federated directory, or a single sign-on to create the illusion of a single directory service, but in IT reality – that reality where someone in IT needs to log on and make an administrative change to this cloud-based directory, and then another over in their on-prem AD – it’s a bunch of directories that interact with one another in one fashion or another.
So, what is the “directory” of business today?
Redefining the “Directory”
For starters, it’s no longer just AD. The directory is the culmination of all of those cloud-based environments, applications, external systems of record (like an HR database), etc.,… and on-prem AD. Think about it this way – your users shouldn’t concern themselves with where they pull a phone number, an email address, a social security number, etc., not how they’re provided access to systems and applications they need to get their work done. From a user’s perspective, it’s ALL the “Directory” (big “d” used for emphasis here to represent the entirety of all those little directories that in sum total, make up your environment). As always, it’s up to IT to address all the gears, switches, rubberbands, and chicklets in the background that make this Directory work.
What Does It Mean Tactically for IT?
With the change from just an Active Directory to a Directory made up of so many components, It’s responsibility doesn’t change – it just becomes more critical. Just like IT is responsible for the security and hygiene of groups in on-premises AD, it now becomes equally responsible to make certain each and every separate directory (note the little “d”) is correctly configured for security to ensure a Directory (big “d”) that users interact with not only provides a productive work environment, but does so securely.
Tactically, this means IT needs to ensure proper group management for all directories. Think about it: just like IT makes sure AD’s groups are updated so email can be sent to the right users, IT also needs to make sure the groups in an LDAP-based directory in the cloud for some app are equally up-to-date, to ensure proper security and user productivity.
The Future of Keeping the (D)irectory Secure
As you read this, some of you are becoming aware of all the somewhat duplicative work that needs doing (e.g. removing a user from a group in AD also potentially means removing them from several other directory’s groups as well). It can mean a lot of work, but it’s an opportunity to look to automate centralized group lifecycle management, even with the groups needing management exist all across your newly defined “Directory”.
We’ll be talking more about this in the coming months, working to provide guidance on how to properly ensure a secure Directory through centralized group lifecycle management, so be sure to keep an eye on our blog for more on how to keep your Directory secure.