Running some part of your business operations in the cloud is practically a thing in today’s world. The ability to easily extend your environment to include best-of-breed cloud applications – without the headache of having to own and maintain the application itself is not just appealing; it makes financial and operational sense.
But, as organizations shift to cloud-based applications and platforms such as Microsoft 365 (and Office 365), Google Workspace, Salesforce, and others, there remains a reliance on their on-premises identity store. It is usually Active Directory – as the foundation for this new operational ecosystem. This hybrid approach to the network comes with some specific challenges around identities and the access provided to them.
In a survey by Statista in 2019, over 51 percent IT security practitioners stated that their organization had separate identity management interfaces for both the cloud and on-premise environments. Whether your strategy is to use a hybrid environment for temporary or permanent period, organizations will still require a means to ensure proper identity and group security across the entire environment.
In this article, we will discuss some of the reasons why it is imperative to continually manage groups and identities across your hybrid environment – and provide ways to simplify this work.
Let’s start with defining “Managing”
We’ll begin by providing some context around what needs to be accomplished when discussing the management of groups and identities. There are two specific use cases of groups and identities that require recurring attention be placed on how current and accurate these data sets are:
- Security – when boiled down, all assignments of permissions and privileges are accomplished directly or indirectly using either a user or group account in a directory service. Any deviation from having a sanctioned security configuration makes the organization insecure.
- Productivity – these very same accounts have details used for email, messaging, and collaboration. So, by not maintaining information such as title, location, phone number, email address, etc. can have repercussions that may impact user productivity.
Managing groups and identities requires addressing both use cases through proper group and user attestation. User attestation is a process whereby users are assigned to be responsible for ensuring the accuracy of details and permissions of certain accounts. This can be performed in a number of ways. Self-service tools can be used in the case of a user validating their own details.
Read more: The Value of a Self-Service Portal
Ensuring the accuracy of permissions assigned to groups and identities usually involves a defined process where department heads, line of business owners, and power users are made “owners” over specific accounts and are held accountable for the accuracy of their details, permissions, and group memberships (as is appropriate).
Now, throughout the remainder of this article, we’ll look at four reasons for managing groups and identities is necessary in your hybrid environment.
Reason 1: Your “world” is expanding
For many organizations, groups and identities have only existed within on-premises Active Directory (AD). But with most organizations going through some form of digital transformation increases with each cloud resource. Given that 60% of organizations consider the security of their environment either be over-privileged or be in a completely unknown state, the default assumption should be if one directory isn’t under control, neither will be the expanded hybrid environment.
If AD’s user and group accounts, and the permissions assigned aren’t regularly validated, how can IT expect to control an ever-growing expanse of cloud applications? The reality is you can’t.
To counter this, consider the following best practices to get groups and identities under control:
- Establish an employee system of record. With so many potential “sources” of identities and their details, it’s necessary to have a single source that will eventually be replicated to all applications and directories. Mature organizations that are serious about identity use their HR platform, as it maintains the correct contact details, title, location, manager, etc. and is nearly always up to date.
- Get syncing right. Different applications and platforms have their own attributes and not everything will sync between all your on-prem and cloud-based applications, identity stores, and directories. And not all of them will sync with one another. That’s troubling, right? Having a solution in place that both serves as the initial recipient for the employee system to record data and the means to sync – both your on-prem AD and your cloud-based applications/directories will help to ensure the entirety of your hybrid environment is using the same group and identity detail.
Reason 2: There is a ripple effect
If you employ a hybrid environment of on-prem active directory group management and cloud applications and resources, any single incorrect configuration can be propagated throughout the environment. Adding a user to a group in Active Directory can give a user access to resources across multiple applications. This is one of the most important reasons why managing your central identity platform – whether that’s AD or a cloud-based identity solution – is so important.
If group memberships, department assignments, or even job titles are incorrect and are propagated throughout the environment, there can be an adverse impact on security and productivity, depending on how each cloud resource leverages account attributes within the directory.
It’s imperative that you are managing groups and identities in a way that is cognizant of the impact a configuration in your primary identity store will have enterprise-wide, as demonstrated in the best practices below:
- Start the Security Cleanup Now. Even if you’re only using on-premises active directory group management, it needs to be cleaned up now. This is even more critical if you’re already using a hybrid environment. Cleanup starts with the attestation of every user and group account, and group memberships. It’s a lot, but there are ways to simplify the work, such as identifying dormant accounts that have not logged on in a specified period of time. Several third-party solutions exist to help with running reports on accounts, as well as to manage accounts that require attention.
- Perform Group Membership Attestation. Because a single group can be granted access across every application integrated with your directory, members can (and do) access more than they should. Assign owners to groups and have those owners frequently validate the memberships of the groups they are responsible for. Anyone not belonging should be removed.
- Think Hybrid. If you’re already a hybrid environment, the same need for cleanup applies to cloud-based directories and applications, keeping in mind any synchronization occurring and the impact any changes may have.
Reason 3: Cybersecurity is a hybrid concern
According to recent research, 60% of all cyberattacks use lateral movement (the moving from machine to machine within a network). To accomplish this, attackers need to compromise internal credentials, making the bad guys look like the good guys. And, once an account is compromised, attackers today attempt to connect to not just on-premises endpoints and servers, but also cloud-based applications and resources. The same is true of phishing campaigns designed to capture cloud applications credentials – attackers will take steps to gain access to on-premises systems crossing the hybrid boundary.
Read more: 5 Reasons why Cyberattackers love AD Groups
To avoid the above, consider the following best practices:
- Restrict credential access to/from the cloud. If possible, limit the ability for on-premises credentials to be used in the cloud and vice-versa. Implementing least privileged access, paying special attention to any ability to cross the hybrid boundary is critical to minimize the threat surface. If users do not require on-premises access, create accounts in the cloud (e.g., Azure AD accounts for M365 access that don’t sync down to your on-premises AD).
- Practice group permission attestation. To truly know you have least privilege implemented, attestation of permissions assigned to groups is necessary. Initially, this may be a sizable undertaking, requiring application owners to produce permissions reports that may be reviewed. For every group that exists, it’s important to have a full understanding of what that group has access to. Group owners should periodically review any permissions assigned to their group for accuracy to ensure only necessary access is granted.
Reason 4: Compliance is gaining ground
IT has had the benefit of needing to be compliant to age-old government regulations that, truly, have no technical specificity to them, making it easier to demonstrate compliance to a somewhat subjective mandate.
But in the last few years more regulations intent on protecting consumer data have been created that not only contain specifics around what protective measures need to be in place, but also come with harsh penalties.
A great example is the California Consumer Privacy Act (CCPA), which goes into effect in January of 2020. This law seeks to protect the consumer data for California residents. The law is precise in its wording and makes it clear what constitutes a breach of compliance and the penalties.
These newer regulations such as CCPA, the European Union’s General Data Protection Regulation (GDPR), and many more that are popping up in the United States and around the globe are all serious about the real threat of data breaches and the need for protecting consumer data.
To avoid finding your organization in breach of a regulation protecting data, consider the following best practices:
- Understand your compliance mandates. CCPA and GDPR are great examples of how a government seemingly outside the jurisdiction of your business can impose specific regulations and have the authority to impose fines, etc. It’s imperative that you get a full understanding of which mandates your organization is subject to and what the specific data protection requirements are.
- Know where your protected data resides. You can’t protect what you don’t know about. So, the first step in attempting to be compliant is understanding where protected data exists. This can be on-premises or in the cloud, structured or unstructured. It’s likely you’ll need to utilize a data classification solution to help find all instances of protected data.
- Understand who has access. This is a throwback to all the attestation you’ve already done, simply placing the focus on specific data sets that fall under compliance. Ensure only the right people have access to the data through both user and group permissions attestation and group membership attestation.
Hybrid environment requires ongoing management
The shift to a modern business has organizations adopting cloud applications and resources as part of operations. This results in more application-specific directories, permissions being assigned, and users being created. Mix this with IT not addressing the security and productivity issues that will no doubt arise, and it will lead to IT entropy.
No directory, system, platform, or application has ever become more organized over time with zero effort; as IT extends the logical boundary of the network to include the cloud, it’s necessary to continually and consistently manage the state of groups and identities to ensure organizational security and user productivity.
By considering the reasons outlined in this article and following the best practices offered, your organizations set of identities and groups will remain in a relatively constant state of being secure and up-to-date. While the path there is paved with some time dedicated to getting years of mismanagement cleaned up, the work necessary to perform ongoing maintenance of a properly configured hybrid environment can be greatly reduced leveraging solutions designed to automate the work of managing groups and identities.
Need some tips on Active Directory group management from the expert themselves?
Watch this webcast on Directory Management: When you’re into the Cloud
Imanami is the leader in Group and User Lifecycle Management solutions for active directory. GroupID by Imanami offers a suite of solutions that empowers IT professionals to effectively and automatically provision and manage users and groups. With GroupID, groups and users are always up to date.