Another Question to Consider: What is the central authority that governs your Active Directory domains?
The Driver Behind This
Identity (and by extension access) is at the center of not only security but compliance as well. How your organization manages users is more critical than ever. How it protects authorized identities, ensures policy compliance, and provisions access to sensitive or regulated data all feeds directly into the organization's overall risk posture.
Additionally, privacy regulations are driving requirements for organizations to demonstrate proper handling of data and to ensure its ethical use. While privacy is often viewed as a subset of confidentiality, being able to confidently state conformance and demonstrate compliance with privacy expectations now requires additional controls to be in place, which in turn means additional monitoring and auditing.
Processes, Practices, and Activities That Address This Question
Within Microsoft Windows Active Directory, you have the native capability (Group Policy) to enforce security settings on every domain-joined server and desktop. Within Linux/Unix environments, where identities and access have traditionally been provisioned directly on each server, integration with Active Directory is possible (for example by joining the host to the domain with SSSD/realmd or Winbind, so that authentication and group membership come from the domain over Kerberos and LDAP), giving you the same centralized management. Additionally, reliance on “X-as-a-Service” provider applications (e.g., Google, AWS, O365) has increased both the footprint and our responsibilities, but those services can be integrated just as easily by federating them with the same directory (SAML/OIDC through AD FS or Azure AD), so that the domain remains the one place where an account is created, disabled, or removed.
By using a centrally managed domain, you can consistently enforce policies as well as rapidly respond to and mitigate many common attacks: disabling a compromised account or resetting its credentials in the domain cuts off its access everywhere at once, instead of server by server (with the caveat that Kerberos tickets already issued remain valid until they expire, so also terminate live sessions where you can). By leveraging centralized management, you can implement appropriate access controls and verify that they are in place. The domain serves as the authoritative answer for which accounts are authorized and approved.
You also need processes and practices in place that allow you to suspend, retire, or remove any accounts or systems that have been dormant for a defined period. As mentioned in prior posts, having an inventory of approved accounts that can be reconciled against what actually exists in the domain is important.
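The dormant-account process described above, as an added example that is not part of the original post: a PowerShell script (using the ActiveDirectory RSAT module) that finds enabled user and computer accounts with no logon inside the defined period, writes a report you can reconcile against your approved-account inventory, and disables them rather than deleting them. The domain name, the excluded group names, and the 90-day period are placeholders, not values from the post.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# is installed and the caller may disable objects under $SearchBase.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$InactiveDays = 90,                              # policy-defined dormancy period (placeholder)
    [string]$SearchBase = 'DC=example,DC=com',            # placeholder domain
    [string[]]$ExcludeGroups = @('Domain Admins', 'Break-Glass Accounts'),  # placeholder group names
    [string]$Report = ".\dormant-accounts-$(Get-Date -Format yyyyMMdd).csv"
)

Import-Module ActiveDirectory
$cutoff = (Get-Date).AddDays(-$InactiveDays)

# Exclusion set: members of groups that must never be auto-disabled (handled by a human review instead).
$excluded = foreach ($g in $ExcludeGroups) {
    try { (Get-ADGroupMember -Identity $g -Recursive).DistinguishedName } catch { Write-Warning "Group not found: $g" }
}

# LastLogonDate is the replicated lastLogonTimestamp, which is only updated every 9-14 days.
# That is fine for a 90-day policy but not for "logged on yesterday" decisions.
# Never-used accounts have no LastLogonDate at all, so fall back to whenCreated
# to catch accounts that were provisioned long ago and never touched.
function Test-Dormant($obj) {
    $last = if ($obj.LastLogonDate) { $obj.LastLogonDate } else { $obj.whenCreated }
    return ($last -lt $cutoff)
}

$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
            -Properties LastLogonDate, whenCreated |
         Where-Object { (Test-Dormant $_) -and ($_.DistinguishedName -notin $excluded) }

$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
            -Properties LastLogonDate, whenCreated |
         Where-Object { Test-Dormant $_ }

$findings = @()
foreach ($obj in (@($users) + @($computers))) {
    $findings += [pscustomobject]@{
        Type          = $obj.ObjectClass
        Name          = $obj.SamAccountName
        DN            = $obj.DistinguishedName
        LastLogonDate = $obj.LastLogonDate
        Created       = $obj.whenCreated
    }
    if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, "Disable (dormant > $InactiveDays days)")) {
        # Disable, do not delete: the SID, group memberships and audit trail are kept
        # for reconciliation, and the account can be re-enabled if the owner returns.
        Disable-ADAccount -Identity $obj.DistinguishedName
        Set-ADObject -Identity $obj.DistinguishedName `
            -Replace @{ description = "Disabled $(Get-Date -Format s): dormant > $InactiveDays days" }
    }
}

$findings | Export-Csv -Path $Report -NoTypeInformation
Write-Output "Dormant objects found: $($findings.Count); report written to $Report"
```

Run it first with `-WhatIf` so that it only produces the CSV, review that list against the approved-account inventory, then run it without `-WhatIf` to disable. Service accounts and break-glass accounts belong in the excluded groups; the script deliberately leaves deletion to a later, separate step once the object has sat disabled through a retention period.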
- “Not consolidating and centrally managing systems and service providers.”
- “Expecting individual business units to run their own.”
- “Our administrators [or outsourcers] need to be able to remotely manage servers easily.”