Many directories contain groups so old that nobody remembers why they exist, who uses them, or what they grant access to. It is a more common problem than you might think. "So we should be deleting groups, right?" is the usual first reaction. The answer is "yes" in the short run, but in practice IT is too busy to keep revisiting groups by hand. So stop thinking of clean-up as a manual deletion task. A better approach is group expiration driven by some form of automation, which is what this article covers.
There are several reasons why groups need to expire:
- No group is designed to be permanent – A group should exist to serve a business purpose, and business strategy, operations and staffing change over time. Groups should reflect the current needs of the business. Some groups, such as admin-level groups, will continue to exist indefinitely; the idea is to expire the ones that are no longer useful.
- Groups experience entropy – Most organizations have no proper Group Lifecycle Management, so groups are only managed to the degree they are made a priority. In practice that usually means adding users to a group. Seldom (if ever) does it include reviewing the permissions assigned to a group or its membership. Over time a group becomes an amalgamation of everything the organization once needed, and no longer reflects what it needs now.
- Groups put the organization at risk – Groups are the cornerstone of access to applications, data and resources, so that entropy shows up directly as security drift. Users end up over-privileged, permissions are a mixture of old and new, and the belief that the organization is secure is little more than wishful thinking.
This applies to your primary directory (Active Directory for most organizations) and to every other application- or cloud-based directory you use.
So, how can you implement group expiration?
The short answer is that most directory services offer no such option. You can obviously delete a group, but on-premises Active Directory has no setting to expire one automatically. At a minimum, what is needed is a way to delete a group automatically. But if you think through the logic behind that action, there has to be a reason for deleting the group, which means someone has to review it and confirm it is no longer needed. Deletion also carries real risk: the deleted object loses attributes that may matter to your business, including its membership, and because the group's SID goes with it, any ACL entries that referenced the group are left orphaned and unreadable rather than cleaned up.
Getting Started with Group Expiration
The expiration process should look something like the following:
- Set an Expiration Policy – This will likely require either some fairly involved custom scripting or a third-party solution. Without the threat of expiration or deletion, nobody has a reason to ask whether a group is still necessary and correctly configured. There is no fixed guideline for how long the policy period should be; what matters is having something in place that forces the next step to happen regularly.
- Perform Group Attestation – Someone must review whether the group is still needed by the business. This can be IT or a user assigned as the group's owner; generally the owner is someone close to the group's use, such as a department head or line-of-business owner. This step can be performed as part of a larger group lifecycle management program.
- Delay Expiration – There needs to be a mechanism to delay expiration (note: delay, not stop) when the owner determines the group is still needed. The difference matters because you want a constant habit of evaluating the state of your groups, so that next quarter or next year the group is reviewed again. Rather than turning expiration off, the group's "timer" is reset to the duration set in the policy.
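The three steps above, as one added example in PowerShell against on-premises Active Directory. This is illustrative code written for this article, not GroupID's implementation. Everything not stated in the article is an assumption: the expiry date is stored in `extensionAttribute1` as an ISO-8601 date, the attesting owner is read from `managedBy`, the OU names and export path are placeholders, groups protected by AdminSDHolder (`adminCount = 1`) are exempted as the "admin-level groups" the article says persist, and expired groups are quarantined (membership exported, object moved to a holding OU) instead of being deleted, so the attributes the article warns about losing are preserved.

```powershell
# Added example (not GroupID's code): a minimal group-expiration loop for Active Directory.
# Assumed conventions: expiry in extensionAttribute1 (yyyy-MM-dd), owner in managedBy,
# adminCount=1 groups exempt, expired groups quarantined rather than deleted.
#Requires -Modules ActiveDirectory

param(
    [int]$PolicyDays   = 180,                                       # expiration policy duration
    [string]$SearchBase   = 'OU=Groups,DC=corp,DC=example',          # assumed OU of managed groups
    [string]$QuarantineOU = 'OU=Expired Groups,DC=corp,DC=example',  # assumed holding OU
    [string]$ExportPath   = 'C:\GroupExpiry\exports'                 # assumed export location
)

$today   = (Get-Date).Date
$attr    = 'extensionAttribute1'
$culture = [System.Globalization.CultureInfo]::InvariantCulture

$groups = Get-ADGroup -Filter * -SearchBase $SearchBase -Properties $attr, managedBy, adminCount, member

# Step 1 - Set an expiration policy: stamp every in-scope group that has no expiry yet.
foreach ($g in $groups) {
    if ($g.adminCount -eq 1) { continue }           # admin-level groups are not expired
    if (-not $g.$attr) {
        $expires = $today.AddDays($PolicyDays).ToString('yyyy-MM-dd', $culture)
        Set-ADGroup -Identity $g -Replace @{ $attr = $expires }
    }
}

# Steps 2 and 3 - Attestation and delay: the owner (or IT on the owner's behalf) runs this
# for each group that is still needed. The timer is reset, not removed, so the group
# comes up for review again when the new date arrives.
function Confirm-GroupStillNeeded {
    param(
        [Parameter(Mandatory)][string]$Name,
        [int]$Days = $PolicyDays
    )
    $g = Get-ADGroup -Identity $Name -Properties $attr, managedBy
    if (-not $g.managedBy) {
        throw "Group '$Name' has no owner (managedBy); attestation requires an accountable owner."
    }
    $newExpiry = (Get-Date).Date.AddDays($Days).ToString('yyyy-MM-dd', $culture)
    Set-ADGroup -Identity $g -Replace @{ $attr = $newExpiry }
    Write-Output "Attested '$Name' (owner: $($g.managedBy)); next review due $newExpiry"
}

# Enforcement - groups whose date has passed without attestation are quarantined.
New-Item -ItemType Directory -Path $ExportPath -Force | Out-Null
foreach ($g in $groups) {
    if ($g.adminCount -eq 1 -or -not $g.$attr) { continue }
    $expiryDate = [datetime]::ParseExact($g.$attr, 'yyyy-MM-dd', $culture)
    if ($expiryDate -gt $today) { continue }

    # Preserve what a deletion would destroy: membership, owner, DN and the group's SID.
    $record = [pscustomobject]@{
        Name    = $g.Name
        DN      = $g.DistinguishedName
        SID     = $g.SID.Value
        Owner   = $g.managedBy
        Expired = $g.$attr
        Members = @($g.member)                       # direct members, as DNs
    }
    $record | ConvertTo-Json -Depth 3 |
        Set-Content -Path (Join-Path $ExportPath "$($g.Name).json") -Encoding UTF8

    # Quarantine instead of delete: ACLs still resolve and the owner can reclaim the group.
    Move-ADObject -Identity $g.DistinguishedName -TargetPath $QuarantineOU
    Write-Warning "Group '$($g.Name)' expired on $($g.$attr) and was moved to $QuarantineOU."
}
```

Run the script on a schedule to stamp and enforce; owners call `Confirm-GroupStillNeeded -Name 'Finance-Reports'` during attestation to push the date out by the policy period. Deleting groups from the quarantine OU after a further grace period is a separate, deliberate step, and the JSON export is what lets you rebuild membership if an owner turns up late.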
These steps keep each owner focused on their assigned groups on a recurring basis, and establish a culture in which group-based security does not drift out of hand over time. This reduces the temptation to re-purpose an existing group (a common source of improper access), and limits the directory to only the groups that are currently needed.
Free Trial
We encourage you to try GroupID in a fully functional but time-limited free trial to see how quickly it can get your groups under control. Not sure which groups might be ready for a lifecycle policy? Use the GroupID Health Meter to get detailed reports on the state of your directory, and let our consultants talk with you, without any obligation, about best practices to implement.
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.