Protecting Critical Data by Managing the Active Directory Identity Lifecycle

by Darren Mar-Elia


Active Directory has increasingly become THE critical identity store for more organizations. From controlling access to applications, infrastructure and a broad array of systems, to delivering access to common Windows resources, organizations rely on Active Directory to securely manage their data. Given this critical role, it's important to design an Active Directory infrastructure that manages the complete lifecycle of user identity. In Protecting Critical Data by Managing the Active Directory Identity Lifecycle, author and Microsoft MVP Darren Mar-Elia shows you how to design such a well-managed, secure Active Directory infrastructure, offering insight on developing good processes around user provisioning and especially de-provisioning, delegation of Active Directory objects, and auditing of AD-related activities.


Chapter 1: Active Directory – An Important Part of Identity and Access Control

This chapter lays the groundwork for building a well-managed identity system that has Active Directory as a key component. Whether AD is your only directory or one of several within your organization, it often has a key role to play as a main source of identity and access control. To that end, managing the identity life cycle will ensure that the right people have access to the right data. Along the way, provisioning users and resources using the principle of least privilege will help ensure that access to systems and data is truly protected. In addition, the right auditing process will ensure that any regulatory requirements you face are met without gaps in key information.

Chapter 2: Managing the Identity Lifecycle

Chapter 1 discussed how Active Directory (AD) has become a key player in many organizations' identity landscape, controlling access to not only Windows desktops but also an increasing number of systems, applications, and sensitive corporate data. The chapter also talked about the importance of managing the identity lifecycle, as defined by creating, updating, auditing, and removing identities within both AD and related identity systems. This chapter digs into that identity lifecycle, identifying the downsides of not getting a handle on your AD and drilling into each of the four phases of the identity lifecycle.

The Challenges and Importance of Managing the Identity Lifecycle

Managing identity is ultimately about managing access to your corporate resources. Users authenticate to resources with their identity, then use the properties of that identity (for example, group membership) to get authorized to resources. In a typical midsize-to-large organization, you might find the following sources of identity:

  • AD
  • Other directory services
  • HR systems
  • Databases
  • Custom line-of-business (LOB) applications
  • Third-party software-as-a-service (SaaS) Web applications
  • Local system accounts on Windows, Linux, and/or Unix

All of these identity stores present challenges. Each one requires its own provisioning event (and de-provisioning as well) into what are usually disparate data stores: directories, databases, flat files, or in some cases, proprietary formats. Each one has its own set of authorization mechanisms and unique ways of granting access. AD and Windows use security groups, databases like Oracle use custom roles built into the database, and other LOB applications use yet different mechanisms. More recently, SaaS applications are becoming more prevalent, which means you're now required to provision access to both internal and external applications.

It's also important not to blur the lines between authentication and authorization. Some products (I'll use my previous example of Oracle databases) are able to integrate with AD for authentication (for example, through Kerberos) but still keep their own authorization mechanisms that don't directly leverage AD ones such as security groups. This kind of mixed integration may or may not help your provisioning processes.

This mix of identity stores increases the complexity of ensuring that the right users are provisioned into your environment, and de-provisioned when the time comes. But it also increases the importance of having lifecycle management in place, because it becomes a lot easier to "lose track" of identities if they are not all knitted together using a common framework. I've seen many an organization that had far more identities stored in a system than it had users. When asked why that was, the response was usually something like, "Oh, those are old users who are no longer here." I can remember personally being at a job for a number of years, then going back to do some work for them 5 years later, only to find the 10-year-old Unix accounts from my first stint still floating around their systems. That kind of poor identity management is a recipe for unauthorized access, failed audits, or both.
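The situation described above, accounts that outlive the people they belong to because each store is provisioned and de-provisioned separately, is something you can detect mechanically by reconciling every identity store against the HR system as the authoritative list of current people. The following script is an added example, not code from the book or from the author; it works over constructed sample data (an HR roster, an AD export in the shape a `Get-ADUser ... | Export-Csv` run would produce, and a few `/etc/passwd` lines), and it assumes the `employeeID` attribute, the 90-day inactivity threshold, the UID-1000 boundary for human Unix accounts, and the `svc_backup` service-account exception, none of which come from the page.

```python
"""Reconcile identities across disparate stores to surface orphaned and stale accounts.

All data below is constructed for illustration; nothing here is from a real environment.
"""
import csv
import io
from datetime import date

# Constructed HR roster: the authoritative source of who currently works here.
HR_CSV = """employee_id,username,status,termination_date
1001,asmith,active,
1002,bjones,terminated,2015-03-31
1003,cwong,active,
"""

# Constructed AD export (columns as Export-Csv would emit them; dates as ISO strings).
AD_CSV = """sAMAccountName,enabled,lastLogonDate,employeeID
asmith,True,2024-05-01,1001
bjones,True,2015-04-02,1002
cwong,True,2024-04-28,1003
svc_backup,True,2024-05-02,
olduser,True,2013-11-15,
"""

# Constructed /etc/passwd lines from one Unix host.
PASSWD = """root:x:0:0:root:/root:/bin/bash
asmith:x:1001:1001::/home/asmith:/bin/bash
dme:x:1002:1002::/home/dme:/bin/bash
bjones:x:1003:1003::/home/bjones:/bin/bash
"""


def load_hr(text: str) -> dict[str, dict]:
    """Map username -> HR row."""
    return {row["username"]: row for row in csv.DictReader(io.StringIO(text))}


def load_ad(text: str) -> dict[str, dict]:
    """Map sAMAccountName -> {enabled, last_logon} from the AD export."""
    out = {}
    for row in csv.DictReader(io.StringIO(text)):
        out[row["sAMAccountName"]] = {
            "enabled": row["enabled"] == "True",
            "last_logon": date.fromisoformat(row["lastLogonDate"]),
        }
    return out


def load_passwd(text: str, min_uid: int = 1000) -> set[str]:
    """Usernames of local human accounts; UID >= 1000 is assumed to be the human range."""
    users = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, uid, *_rest = line.split(":")
        if int(uid) >= min_uid:
            users.add(name)
    return users


def find_orphans(hr: dict, store_accounts, exceptions=frozenset()) -> list[str]:
    """Accounts in a store with no active HR record (minus documented service accounts)."""
    active = {u for u, r in hr.items() if r["status"] == "active"}
    return sorted(a for a in store_accounts if a not in active and a not in exceptions)


def find_stale(ad: dict, as_of: date, max_age_days: int = 90) -> list[str]:
    """Enabled AD accounts that have not logged on within max_age_days of as_of."""
    return sorted(
        name for name, r in ad.items()
        if r["enabled"] and (as_of - r["last_logon"]).days > max_age_days
    )


def reconcile(as_of: date, service_accounts=frozenset({"svc_backup"})) -> dict[str, list[str]]:
    """Run all three checks over the constructed stores and return the findings."""
    hr, ad, unix = load_hr(HR_CSV), load_ad(AD_CSV), load_passwd(PASSWD)
    return {
        "ad_orphans": find_orphans(hr, ad.keys(), service_accounts),
        "unix_orphans": find_orphans(hr, unix),
        "ad_stale": find_stale(ad, as_of),
    }


if __name__ == "__main__":
    for finding, accounts in reconcile(date(2024, 5, 15)).items():
        print(f"{finding}: {accounts}")
```

Each finding is a de-provisioning candidate rather than a verdict: the service-account exception list is there precisely because not every account without an HR record is a leftover, and the stale check catches the case the HR feed misses entirely (an account nobody owns, like `olduser`, which has no `employeeID` at all).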

Chapter 3: Securing Active Directory

So far, we've discussed the increasing importance of Active Directory (AD) within the identity management life cycle (Chapter 1) for most organizations, and we've talked about some of the finer points of that life cycle (Chapter 2). This chapter is dedicated to the point that, if AD is going to be a key part of your identity strategy, you have to protect it. You have to ensure that the data within AD is sacrosanct and that only those with a business reason to access AD information are granted that access.

This chapter provides a practical guide to protecting your AD-based identity data. It is not part of the life cycle I spoke about in earlier chapters, but it is an important part of ensuring that any identity system you implement that leverages AD is protected such that it is able to do its job of authenticating and authorizing the right people to the right resources. All the great identity provisioning processes in the world won't help you if your AD is a free-for-all that anyone can fiddle with to their heart's content. This chapter will dive into the AD security model and provide techniques and best practices for securing the data that resides in AD.

Chapter 4: Auditing & Compliance and Active Directory

Through the previous three chapters, we’ve talked about the importance of managing your identities in an Active Directory (AD) world. Much of our discussion has been centered on the business and security requirements that drive identity management best practices—providing authentication and authorization to critical business applications and protecting access to vital corporate resources. But there is another benefit to having good AD identity life cycle practices: When it comes time to prove to auditors or regulators that you are doing all that you can to protect your systems and thus your customers’ data, you have all of your t’s crossed and i’s dotted.

That is what this chapter is about—auditing and compliance. Many organizations, whether publicly traded or not, are subject to both internal audits and external regulatory compliance requirements. Over the years, these audits and regulations have been refined and adjusted to deal with technology advances such as AD. To that end, we now have a lot of data with which to create systems and processes that not only meet our own security and data protection requirements but also, at the same time, satisfy the auditors and regulators that we are doing what is required to protect customer and company data.