
Common Cause of Identity and Access Management Failure: Active Directory

Over at Network World, Johnathan Sander, Strategy and Research Officer at the data collection, analysis and protection company STEALTHbits, has some advice for companies that think they can easily integrate their Active Directory with an Identity and Access Management solution. Failure of IAM initiatives has been a common problem over the last several years, but Sander writes that only recently has it become clear that many of those failures stem from contorted Active Directories. While most business people and even many IT folks think their company's Active Directory is in great shape, Sander says the reality is different:

AD has so many layers of failure resistance, it’s natural that it doesn’t show any cracks in day-to-day operations. That’s why when people want to use AD as part of a larger initiative, they’re so surprised that those closest to AD say it’s too much of a mess to easily achieve what they want.

When line-of-business folks try to implement Active Directory logins for accessing cloud platforms without talking to the IT folks who handle AD, they often:

find out there is a morass of trusts and domains hidden from their view which complicates things. Data center folks move forward with huge virtualization roll outs and get tripped up by redundant and even recursive structures in AD group memberships. And more near and dear to my heart are all the identity & access management (IAM) projects which have come to a crashing halt when they run to integrate AD as their first platform, only to have their plans dashed by the complexities of AD structure.

How is this happening? Sander gives us an example of the troubles that can arise from an unkempt AD. He talks about one client, an unnamed large financial services company that is trying to “roll out certifications for both applications and unstructured data:”

Like most organizations of their age, size, and type, they’ve had their fair share of mergers and acquisitions, reorganization, and layers of IT infrastructures. So of course they have a big, cross wired mess at the heart of their Active Directory.

That "cross wired mess" prevents your AD from integrating with those cloud platforms you want to include, because "there is no clear way that access is granted to unstructured data resources." Other problems also crop up, like overlapping group memberships and group authorizations, which can leave an employee with access to data even after being removed from one group, since another, overlapping group still grants it, among many other bad outcomes.
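The two AD symptoms Sander describes, recursive group nesting and overlapping memberships that survive a removal, are easy to miss by looking at one group at a time and easy to find once you treat memberOf as a graph. The example below, added here and not part of Sander's article or STEALTHbits' tooling, resolves effective group membership, lists every membership path from a user to a resource group, flags groups that transitively contain themselves, and shows why dropping a user from one group does not revoke access when a second path exists. The directory data is a constructed toy graph (users, groups and the share group "FileShare-Finance-RW" are all invented); against a real domain you would populate the same dictionary from memberOf attributes rather than by hand.

```python
"""Toy model of AD group nesting: effective membership, recursive groups,
and access that survives removal from a group. Constructed sample data."""

from collections import deque

# principal -> set of groups it is a DIRECT member of (memberOf, simplified).
# Constructed example: "alice" reaches the share group by two independent
# paths, and two legacy groups from an acquisition nest each other.
MEMBER_OF = {
    "alice": {"Finance-Analysts", "Legacy-AcqCo-Staff"},
    "Finance-Analysts": {"Finance-All"},
    "Finance-All": {"FileShare-Finance-RW"},
    "Legacy-AcqCo-Staff": {"AcqCo-Finance", "Legacy-AcqCo-Admins"},
    "AcqCo-Finance": {"FileShare-Finance-RW"},
    "Legacy-AcqCo-Admins": {"Legacy-AcqCo-Staff"},  # recursive nesting
    "FileShare-Finance-RW": set(),
}


def effective_groups(principal, member_of=MEMBER_OF):
    """Transitive closure of memberOf. The visited set is what stops a
    recursive group structure from looping forever."""
    seen = set()
    queue = deque(member_of.get(principal, ()))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(member_of.get(group, ()))
    return seen


def membership_paths(principal, target, member_of=MEMBER_OF):
    """Every acyclic chain principal -> ... -> target. More than one path
    means removing the user from any single group will not revoke access."""
    paths = []

    def walk(node, path):
        for group in member_of.get(node, ()):
            if group in path:  # skip the recursive edge instead of looping
                continue
            if group == target:
                paths.append(path + [group])
            else:
                walk(group, path + [group])

    walk(principal, [principal])
    return sorted(paths)


def find_recursive_groups(member_of=MEMBER_OF):
    """Groups that transitively contain themselves (a membership cycle)."""
    return sorted(g for g in member_of if g in effective_groups(g, member_of))


def without_membership(principal, group, member_of=MEMBER_OF):
    """Copy of the graph with one direct membership removed: the usual
    'take them out of the group' offboarding step."""
    new = {k: set(v) for k, v in member_of.items()}
    new.get(principal, set()).discard(group)
    return new


def still_has_access(principal, target, removed_group, member_of=MEMBER_OF):
    """Does the principal still reach target after removal from removed_group?"""
    after = without_membership(principal, removed_group, member_of)
    return target in effective_groups(principal, after)


if __name__ == "__main__":
    share = "FileShare-Finance-RW"
    print("alice effective groups:", sorted(effective_groups("alice")))
    for p in membership_paths("alice", share):
        print("path:", " -> ".join(p))
    print("recursive groups:", find_recursive_groups())
    print("still RW after removal from Finance-Analysts:",
          still_has_access("alice", share, "Finance-Analysts"))
```

Run as a script it prints both paths from alice to the share group, names the two legacy groups that nest each other, and reports that alice still has read/write access after the obvious removal. The same three checks, recursion, multiple paths to a resource group, and access that survives a removal, are what an AD clean-up phase needs to drive to zero before an IAM platform can reason about "who has access to what" from AD alone.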

So how do you keep Active Directory from sinking your IAM initiative? One answer, according to Sander, is to optimize your Active Directory first, by cleaning up the unplanned, unorganized growth that accumulates over the years. Before you complete that potentially herculean task, however, there are a few pieces of IAM you can still put in place so you get something while AD is being untangled: "You can get some amount of certification, self-service, and other key IAM pieces done even with AD in its current poor state," according to Sander. On the other hand, you will never finish a full IAM implementation until you get AD untangled:

What this all means is if you ever plan to truly complete the journey of identity and access management, then you will need to also take the journey of AD optimization. Our friends at the financial firm understand this. Luckily for them and us, they are planning ahead to optimize their AD security model as a phase two for this program. Let’s hope the business agrees with the wisdom of that.

May more businesses agree with the wisdom of that, so that we can have fewer Identity and Access Management implementation failures.

Sander's full piece is on Network World.
