Directories, How Many Are You Really Managing?
Directories came from a simpler time – one where a single, on-premise directory was enough. But recent shifts in how businesses leverage technology – such as the digital transformation, and the move to cloud-based applications and infrastructure – have given way to use of SSO (link), concepts like a meta-directory, federated directories, and more. All of these shifts are indicative of the use of multiple directories all trying to act as a unified environment.
It seems like everything has a directory or integration with a directory today – some of the obvious examples are ones like Microsoft 365 (and Office 365), Azure AD, and AWS, but the reality is nearly every application that can run on its own, has a directory of some kind, warranting the need for integration or synchronization to create the façade of a single environment.
So, you have all these directories. The question becomes “Are they being managed?”
As the number of directories increases, the likelihood of IT ensuring each one is accurate and current decreases significantly. This impacts both the security of your environment and the productivity of your users. Think all your directories are current? Let’s put just one directory to the test. Most organizations have a process to add a new user (which includes adding them to groups to provide access to applications, data, and resources), but it’s probably safe to say, the majority of organizations don’t have a formal process to update users to remove them from groups providing access. If this is you, multiple this factor by the number of directories under your care and, suddenly, you have a major problem:
You have lots of directories and none of them are truly being managed.
To truly be considered managed, you’d need several routine hygiene processes in place that ensure consistency and accuracy. This would include keeping your group memberships and directory attribute data current; when Susan moves from Accounts Receivable to Accounts Payable, she needs to be in new groups, removed from old ones, have her title and manager updated, etc. All this helps to drive better security (the group memberships) and productivity (the accurate attribute data).
So, what can you do to ensure all of your directories are properly managed?
Here are some high-level steps you can take to begin walking down the path of ensuring every directory under your care is current and continuously managed:
- Identify your directories – You can’t manage what you don’t know about. Build out a list of directory services – whether cloud or application-based, or on-premises. Even those that “sync” with a central directory or system of record, all need to be identified – you can’t rely on syncs to do your work; those syncs are usually in the business of ensuring an ability to align two users in different directories, but aren’t necessarily concerned with ensuring all aspects of a directory entry are up-to-date.
- Understand security and productivity ramifications if data isn’t correct – Security risk stem from unforeseen ways in which the environment can be taken advantage of. For example, if you have a cloud-based user account that is provided access to your sales data – even after they are no longer part of the sales team – a compromise of their credentials could lead to a data breach. Doing an assessment of risk around what each directory can provide access to, and whether it’s being managed daily will tell you where your to place your focus.
- Look for ways to keep directories managed. This starts with a great system of record (e.g. your HR system), along with some pretty extensive syncing of directory data. After that, the focus is to establish some on-going management practices and uses of technology to make certain each and every directory involved in your business is current based on the data in your system of record. This is going to likely require a third-party solution focused on directory management; the alternative is to either manually have someone update each directory individually, or write some pretty custom scripted solution (if that’s even possible, depending on the various technologies, languages, etc. each of your directories is based on).
- Focus on security and productivity – Groups are a common methodology to establish access and privileges. Putting some kind of group lifecycle management in place helps to ensure the security of your environment remains current. Applications reliant on directory data – such as email and SSO – can leverage nearly any attribute to configure what the user’s working environment looks like. Give the user an office location of Miami and they may be automatically added to a Miami Users distribution list in email or given permissions to a common file share for all Miami users. Every last detail can be important.
Managing Directories. Not Just Making Use Of.
The use of multiple directories multiplies the good and bad management habits of IT. If you’re doing nothing to keep your on-prem directory (AD, for example) up-to-date, you’re not doing it for the tens of other directories your organization uses. By putting these high-level steps into practice, you’ll find IT actually managing the Directories in place, improving organizational security (both on-prem and in the cloud) and increasing user productivity.