In keeping with our mantra of Better Groups, Better Security, we look for great ways you can improve your security through better group management. Adding a single user to a group takes the smallest of efforts; but when you make a conscious effort to improve the security of your critical initiatives – and security overall – through continual management of groups and the access they allow, it can all become a bit overwhelming.
Since none of you actually wants to work for a living, you’ll take advantage of any automation, or simplification of the work you need to do, any chance you get, right? So let me point out a data set you have just sitting around that you could take advantage of today that, when utilized, could make your group management – and, therefore, your security – that much more current.
One of the best ways to ensure security is correct is to keep your group memberships up to date. We’ve talked about periodic certification of group memberships previously, as well as the value of managing groups dynamically. So, let’s put those two concepts together to improve both the accuracy of your security and the productivity of IT by adding a third element to the conversation – external HR databases.
HR is sitting on some really great information that definitely is up to date – more, in fact, than your groups are. For example, you added Susan to the Accounts Receivable group when she started at your company, but when she moved over to Accounts Payable, did anyone remove her from the Accounts Receivable group? Probably not. But, over in HR, the position, title, and boss were all updated.
So, rather than try to redo all the work in AD that HR’s already doing (which includes updating their personal details, etc.), why not update AD from the HR database?
Now, you’ll need either Windows Server 2016 (which has an ability to create temporary groups that require re-upping the group’s TTL value) or a third-party solution to create the groups. The other half of the equation is to have an ability to access and pull the information from the HR database, match each record to a user in AD, and then update AD (and any dynamic groups based on new HR information). That’s going to require either a bit of work on your end – including some serious database PowerShell skills – or a third-party solution to assist.
No matter the method, the outcome is, as Susan moves from job to job – and HR updates their information – you keep your dynamic group memberships up to date, which, in turn, keeps your security up to date.
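As an added example (not code from the author or from GroupID), here is a PowerShell sketch of the "do it yourself" half of that equation: pull the HR rows, match each one to an AD account on the employeeID attribute, sync title, department and manager, and reconcile the department groups so that a Susan who moves from Accounts Receivable to Accounts Payable is removed from the first group and added to the second on the next run. The server, database, table and group names and the department-to-group mapping are placeholders, and it assumes the ActiveDirectory and SqlServer modules are installed.

```powershell
# Added example, not GroupID's or the author's code. Assumes the ActiveDirectory and
# SqlServer modules, a hypothetical HR table dbo.Employees(EmployeeId, Title,
# Department, ManagerEmployeeId), and AD accounts whose employeeID attribute holds
# the same HR key. Server, database and group names below are placeholders.
Import-Module ActiveDirectory
Import-Module SqlServer                       # provides Invoke-Sqlcmd

$DryRun = $true                               # review the PLAN lines before setting $false
$DeptGroups = @{                              # HR department string -> AD group (placeholders)
    'Accounts Receivable' = 'GRP-Accounts-Receivable'
    'Accounts Payable'    = 'GRP-Accounts-Payable'
}
$GroupDn = @{}
foreach ($g in $DeptGroups.Values) { $GroupDn[$g] = (Get-ADGroup -Identity $g).DistinguishedName }

$hrRows = Invoke-Sqlcmd -ServerInstance 'HRSQL01' -Database 'HR' -Query `
    'SELECT EmployeeId, Title, Department, ManagerEmployeeId FROM dbo.Employees'

function Invoke-Change([string]$Msg, [scriptblock]$Action) {
    $tag = if ($DryRun) { 'PLAN' } else { 'APPLY' }
    Write-Output "$tag $Msg"                  # keep this output as the audit trail of the run
    if (-not $DryRun) { & $Action }
}

foreach ($row in $hrRows) {
    # Only numeric ids are interpolated into the AD filter; anything else is skipped.
    if ("$($row.EmployeeId)" -notmatch '^\d+$') { Write-Warning "bad HR id '$($row.EmployeeId)'"; continue }
    # Match on the stable employeeID attribute, never on a display name that can be reused.
    $user = Get-ADUser -Filter "employeeID -eq '$($row.EmployeeId)'" -Properties memberOf
    if (-not $user) { Write-Warning "HR id $($row.EmployeeId) has no AD account"; continue }

    # Attributes HR already keeps current: title, department, manager.
    $attrs = @{ Title = $row.Title; Department = $row.Department }
    if ("$($row.ManagerEmployeeId)" -match '^\d+$') {
        $mgr = Get-ADUser -Filter "employeeID -eq '$($row.ManagerEmployeeId)'"
        if ($mgr) { $attrs.Manager = $mgr.DistinguishedName }
    }
    Invoke-Change "sync title/department/manager for $($user.SamAccountName)" { Set-ADUser -Identity $user @attrs }

    # Department groups: the account is in exactly the mapped group HR names (none if the
    # department is unmapped), so a move from Receivable to Payable swaps the memberships.
    $wanted = $DeptGroups[$row.Department]
    foreach ($grp in $DeptGroups.Values) {
        $isMember = $user.memberOf -contains $GroupDn[$grp]
        if ($grp -eq $wanted -and -not $isMember) {
            Invoke-Change "add $($user.SamAccountName) to $grp" { Add-ADGroupMember -Identity $grp -Members $user }
        } elseif ($grp -ne $wanted -and $isMember) {
            Invoke-Change "remove $($user.SamAccountName) from $grp" { Remove-ADGroupMember -Identity $grp -Members $user -Confirm:$false }
        }
    }
}
```

Run it with `$DryRun = $true` first and keep the PLAN/APPLY output: it is the record of every membership the HR feed changed, which is exactly what a later access certification will ask for.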
With the need to find new ways to empower IT to get more done with greater degrees of accuracy, you need to find ways to leverage existing systems, and marrying them with security methods like dynamic group memberships is key. By doing the heavy lifting – or utilizing third-party solutions – to create an environment where groups are constantly in a current state, you decrease the amount of group cleanup work needed, lessen the risk of data breaches and privilege misuse, and increase your organization's security posture overall.
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.