The whole point of identity and access management (IAM) is to ensure that the right people have the right access to the right stuff at the right time in the right way and that all the other right people say that it’s okay that they have that access. The vast majority of IAM projects aspire to “get it right” across the entire enterprise (applications, data, and systems), including all user populations (employee, administrator, partner, customer, etc.), and all access types (on-prem, remote, BYOD, etc.) but they usually get bogged down with one system or another and end up going way over budget, running extremely long, and mired in the minutiae of access control at the expense of governance objectives.
In my many years dealing with these types of IAM projects, I’ve seen that quite often the system that bogs down the project is Active Directory (AD). This may be due to the importance and ubiquity of AD in the enterprise and the fact that “cookie cutter” IAM simply doesn’t work with AD. As a result, the IAM solution requires heavy customization, or manual processes are put in place, simply to achieve minimal AD management and security functionality. There are a few common themes that are relevant with regard to AD in enterprise IAM:
- AD’s native tools are sorely lacking
- Manual processes put in place to overcome the native shortcomings are cumbersome and error-prone
- Building a custom AD connector to an IAM framework that can do everything necessary is prohibitively expensive and complex
- The AD admin account is one of the most important privileged accounts but typically the least controlled
The highway to IAM success is littered with organizations that could not get past the AD roadblock and highlighted by some who found the way to move beyond AD.
- I’m aware of one large investment bank that sought to build custom AD functionality with its IAM framework – three years, 16 full-time developers, and millions of dollars later they succeeded in achieving basic AD provisioning but still lacked de-provisioning, group management, and extension to key Microsoft assets like SharePoint, Lync, and Exchange. They are still struggling with the problem.
- A large government agency estimated that every instance of IT-assisted IAM (primarily account set-up and password resets) cost as much as $250. The agency implemented Dell’s AD management and security solution, ActiveRoles Server, together with its AD bridge, the Privileged Access Suite for Unix, and experienced $45 million in savings over the next 12 months.
- A school district that used Dell’s automated AD management and security tool, ActiveRoles Server, found that operations came to a grinding halt when it tried to manage AD on its own without the tool. When they returned to using the solution, the director of IT swore that he would never again attempt to manage AD without Dell.
- An energy company was able to complete its enterprise IAM project by removing AD and Unix/Linux from the mix and having ActiveRoles Server and the Privileged Access Suite for Unix do all of the IAM heavy lifting, freeing the framework to focus on the applications it could actually provide value for.
- A document management company, one of the world’s major food brands, and one of the largest technology companies all experienced similar benefits by removing AD from the mix and optimizing management and security of AD in conjunction with their chosen IAM platform.
The challenges of managing AD with native tools or custom integration with an IAM framework should be obvious to anyone who has tried either. It all comes down to the potential power of managing AD correctly, and the difficulty of actually doing it. At Dell, as illustrated above, we’ve cracked that nut and have out-of-the-box automation and security for AD that is second to none. We’ve written a white paper called Active Directory Security Challenges … Solved! that details where the opportunities lie to get AD running smoothly so you can move on to the next challenge.
And if you want to learn more about the power of good AD management in an enterprise IAM program, read: Access Control is Easy, Use Active Directory Groups and Manage them Well.