Enterprise technology infrastructure, application development and software services are moving to the Cloud. Cloud adoption involves integrating Identity and Access Management (IAM) systems with Cloud Single-Sign-On (SSO) solutions for federations and cloud-based security controls. Given such cloud movement trends from “local enterprise” to “intra enterprise” to “inter enterprise” federations, it is critically important that the Directory environment is architected to support these initiatives.
Active Directory (AD) is the de facto standard credential repository in most enterprises. Enterprise infrastructure teams often manage many domains and multiple forests as a result of M&A activities, organic growth and past segregation models. The many-domain, multiple-forest issue presents problems when the CIO promises the business single sign-on (SSO) convenience. As a result, security pushes for advanced Identity and Access Management (IAM) methodologies to provide a single unique identity that can be managed easily by the owner, and easily tracked and audited by security and governance teams. When multiple accounts are associated with a single user, it is often very hard for governance and security teams to follow the webs and links of a single-owner, multiple-account model. These difficulties are not solved by emerging IAM mechanisms and may only expose the problem to a broader audience.
As a result, it is very important to consolidate and clean up the environment before federating the intranet AND the cloud from multiple AD resources because of the many tangled webs that could be created by the federation if you don’t. So what needs to be done to prepare your AD Infrastructure for SSO or IAM futures? There are two primary areas of work. The first is planning the AD infrastructure consolidation to support these trends. The second is a cleanup of your environment to minimize the total number of objects synchronized between credential repositories.
Because of the inherent risk, planning is key to all parts of an AD consolidation project
A single forest/multiple domain model works best for large enterprises. But the realities of the enterprise mean you often find multiple forests based on sub-orgs, regions or M&A activities. I can’t say it enough that planning is key to all parts of this type of project. AD consolidations touch every object (users, computers, AD-integrated services, etc.) and, without proper planning, can cause major outages of services. Some of the concerns that must be addressed in planning include application dependency and integration, object attribute collisions, security of critical objects and the dreaded closet skeletons. The closet skeletons in this case are undocumented uses of AD objects that have been in place for so long that the tribal knowledge of the existing organization no longer recalls them. Object attribute collisions are also important here, as custom attributes are often used as identifiers for HR applications, as mapping links to identify which objects belong to a single user, or, in the case of an AD migration, to record which source and target objects are linked. The risk is compounded by the fact that we often see AD object ages of 10 to 15 years. (The original Active Directory, hosted by Windows 2000, was released in 2000.)
A key design point when preparing for IAM/SSO is to establish lifecycle identifiers that are unique to the device, application or person and that, once retired, are never used again. The lifecycle identifier provides a clear unique ID that is known by all infrastructure applications that manage, audit and report on AD. The lifecycle identifier may be hidden from federations via AD access control lists. For each external federation you may wish to use an opaque identifier that is unique and different for each federation partner. The goal of opaque identifiers is to prevent a breach at, or collusion between, partner organizations from being linked back to the internal AD.
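One way to realize lifecycle and per-partner opaque identifiers, as an added example that is not from the article: a registry that never reissues a retired lifecycle ID, and an HMAC-SHA256 derivation (an assumption, not something the article specifies) that gives each federation partner a stable identifier that cannot be correlated across partners or mapped back to the internal ID. Partner names, keys and the account name are constructed.

```python
import hashlib
import hmac
import uuid

# Added example, not the article's code. Assumptions: the lifecycle identifier is a
# random UUID stamped on an AD object once; each federation partner has its own
# secret key held only by the federation layer; the internal ID is never released.

class LifecycleRegistry:
    """Issues lifecycle identifiers and guarantees a retired ID is never reused."""

    def __init__(self):
        self.active = {}      # lifecycle_id -> object name (e.g. sAMAccountName)
        self.retired = set()  # IDs that may never be assigned again

    def issue(self, object_name):
        lifecycle_id = str(uuid.uuid4())
        # A uuid4 collision is not a practical concern; the loop states the invariant.
        while lifecycle_id in self.active or lifecycle_id in self.retired:
            lifecycle_id = str(uuid.uuid4())
        self.active[lifecycle_id] = object_name
        return lifecycle_id

    def retire(self, lifecycle_id):
        # Decommissioned object: the ID leaves the active set for good.
        del self.active[lifecycle_id]
        self.retired.add(lifecycle_id)

    def is_valid(self, lifecycle_id):
        return lifecycle_id in self.active


def opaque_id(lifecycle_id, partner, partner_keys):
    """Identifier released to one partner: HMAC-SHA256 of the lifecycle ID under
    that partner's key (assumed derivation). Stable for the partner, different per
    partner, and not reversible to the internal lifecycle identifier."""
    return hmac.new(partner_keys[partner], lifecycle_id.encode(), hashlib.sha256).hexdigest()


def demo():
    partner_keys = {"payroll-saas": b"constructed-key-1", "crm-saas": b"constructed-key-2"}
    registry = LifecycleRegistry()
    lid = registry.issue("jdoe")  # constructed account name
    released = {p: opaque_id(lid, p, partner_keys) for p in partner_keys}
    return lid, released
```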
Cleanup reduces threat vectors and minimizes the number of objects synchronized
The second major area of work is the cleanup of objects. The reasons for cleaning up are to allow consistent policy application, to remove stale objects (which reduces the object count synchronized), and to reduce the threat vectors against heavily privileged accounts.
Cleanup involves getting a full inventory of objects, identifying object types such as critical, stale or unused objects, and then planning the appropriate disposition of each object. Critical objects such as administration, service and other heavily privileged accounts should be isolated within an OU structure that is safeguarded and not included in federation syncs. Objects that will be decommissioned should be disabled and left for a period before deletion, and disabled accounts should be filtered from SSO/IAM synchronization. Doing it this way is methodical, unglamorous work, but the methodology is important, and the research and resolution do not require advanced technical skills.
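The classification and disposition step, as an added example (not the author's tooling) run over a constructed inventory: privileged accounts are flagged for the safeguarded OU, stale objects are disabled and held, disabled objects are deleted only after a hold period, and the synchronization scope is limited to active, non-privileged accounts. The OU names, thresholds and records are assumptions.

```python
from datetime import datetime, timedelta, timezone
# Added example, not the article's code. Assumptions: an inventory exported from AD
# (sAMAccountName, enabled flag, lastLogon age, groups, parent OU, date disabled), a
# Tier-0 OU as the safeguarded container, 180-day stale threshold, 90-day deletion hold.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Account Operators"}
PROTECTED_OU = "OU=Tier0,DC=corp,DC=example"  # assumed safeguarded OU, never synchronized
STALE_AFTER = timedelta(days=180)
HOLD_BEFORE_DELETE = timedelta(days=90)

def rec(sam, enabled, last_logon_days, groups, ou, disabled_days=None):
    return {"sam": sam, "enabled": enabled, "groups": groups, "ou": ou,
            "last_logon": None if last_logon_days is None else NOW - timedelta(days=last_logon_days),
            "disabled_on": None if disabled_days is None else NOW - timedelta(days=disabled_days)}

USERS_OU = "OU=Users,DC=corp,DC=example"
INVENTORY = [  # constructed sample data, not real accounts; ages are days before NOW
    rec("jdoe", True, 12, ["Staff"], USERS_OU),                    # healthy, in sync scope
    rec("mjones", True, 400, ["Staff"], USERS_OU),                 # stale: no logon in 400 days
    rec("never_used", True, None, ["Staff"], USERS_OU),            # created but never logged on
    rec("svc_backup", True, 1, ["Domain Admins"], USERS_OU),       # privileged, in the wrong OU
    rec("adm_kim", True, 3, ["Enterprise Admins"], PROTECTED_OU),  # privileged, already isolated
    rec("contractor1", False, 300, ["Staff"], USERS_OU, disabled_days=120),  # hold period over
    rec("contractor2", False, 200, ["Staff"], USERS_OU, disabled_days=10),   # still on hold
]

def classify(obj):
    """Object type, with precedence critical > disabled > stale > active."""
    if any(g in PRIVILEGED_GROUPS for g in obj["groups"]):
        return "critical"
    if not obj["enabled"]:
        return "disabled"
    if obj["last_logon"] is None or NOW - obj["last_logon"] > STALE_AFTER:
        return "stale"
    return "active"

def disposition(obj):
    kind = classify(obj)
    if kind == "critical":
        return "keep" if obj["ou"] == PROTECTED_OU else "move-to-protected-ou"
    if kind == "stale":
        return "disable-and-hold"
    if kind == "disabled":
        held = obj["disabled_on"] and NOW - obj["disabled_on"] > HOLD_BEFORE_DELETE
        return "delete" if held else "hold"
    return "keep"

def sync_scope(inventory):
    """Accounts eligible for SSO/IAM synchronization: active, non-privileged only."""
    return sorted(o["sam"] for o in inventory if classify(o) == "active")
```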
In summary, the cleanup of Active Directory is an important medicine that must be taken before emerging IAM technologies can benefit an enterprise. Active Directory consolidation and cleanup must be planned carefully. Do not just jump in and start executing without first planning every step and having a clear understanding of all dependencies. Planning is the part where an experienced partner is most valuable.