AD Management Survey: Reveals Security as Key Challenge

Transcription

1 Contents How This Paper Is Organized... 1 Survey Respondent Demographics... 2 AD Management Survey: Reveals Security as Key Challenge White Paper August 2009 Survey Results and Observations... 3 Active Directory Challenges. 6 Active Directory Ownership and Influence... 9 The Need for Effective Active Directory Management and Security Conclusion and Recommendations This paper presents the results of a NetIQ-sponsored Active Directory Management and Security survey, conducted in July The study itself provides insight into the security challenges associated with managing and administering Active Directory, examines the ownership of Active Directory within enterprise IT organizations, and addresses the growing influence of the security organization on the Active Directory. About NetIQ About Attachmate... 13

2 Survey Overview The 2009 NetIQ Active Directory Management and Security Survey consisted of one general demographic question and nine multiple choice questions: six questions allowing a single answer and three questions allowing multiple answers. These questions were developed by NetIQ with the assistance and guidance of leading Microsoft Active Directory (Active Directory) experts. Survey respondents consisted of 277 unique participants, representing a variety of enterprise organizations in industries including but not limited to education, healthcare, finance and banking, government, and manufacturing. How This Paper Is Organized This paper is broken into two main sections: a presentation and analysis of the survey results, and a discussion of why organizations must be able to manage, and administer Active Directory environments securely and successfully. The Survey Results and Observations, section examines the responses to the survey questions. The results are broken into the following subsections: Management and Administration of Active Directory examining the resources allocated to the administration of Active Directory; the ability of these teams to meet the demands of the business; and the tools used to administer, manage, and secure Active Directory. Active Directory Challenges focusing on the issues and pains organizations are experiencing with respect to the administration, management, and security of Active Directory. Active Directory Ownership and Influence identifying and examining the delegation of Active Directory administration, management, and security responsibilities within IT organizations. The paper concludes with recommendations for how organizations can more effectively manage the administration and security of their Active Directory environments. Additionally, this section explains how NetIQ can help enterprise IT organizations improve the secure delivery of services anchored by Active Directory to the business. 1

3 Survey Respondent Demographics Active Directory has increasingly become the de-facto standard directory service for organizations of all sizes. To help ensure our survey responses were relevant to the enterprise, only respondents from enterprise organizations were polled. This resulted in 277 unique survey responses - Figure 1 presents the cross-section of respondents by organization size. Figure 1 Organization size of survey respondents Figure 1: Breakout of respondents who participated in the survey according to the number of employees within their respective organizations. 2 White Paper

4 Survey Results and Observations Management and Administration of Active Directory Active Directory has evolved from a supporting technology within the IT organization to a missioncritical service that houses key information about an entity s people and its assets. This section focuses on the resources that organizations allocate to help ensure the successful management, administration, and security of Active Directory. To ascertain a baseline for the resources available to manage Active Directory within the organization, survey respondents were asked about the headcount their organization allocates to the administration, management, and security of Active Directory. As indicated in Figure 2, 70 percent of respondents report that they have ten or fewer people dedicated to maintaining and securing their Active Directory deployment. This is generally in-line with industry norms; and, given current economic pressures faced by most enterprises, it is unlikely to change in the near future: less funding inevitably results in fewer available resources across the IT organization. Active Directory shows no sign of being an exception to this trend. Figure 2 Resources allocation for Active Directory administration, management, and security Figure 2: Breakout of resource allocation for Active Directory management, according to the survey respondents. 3

5 When asked what tools these limited resources leverage to administer, manage, and secure their production Active Directory environments (Figure 3), nearly all respondents (96 percent) indicate that they rely on native Microsoft tools. Given the well-documented challenges of managing Active Directory with native tools, specifically the requirement to extend full domain administrator privileges when using native tools, it is of little surprise that nearly half of the respondents also rely on commercial third-party tools to improve the administration and security of Active Directory. Approximately one-quarter of respondents also rely on homegrown or open source/freeware tools. Figure 3 Tools used for Active Directory administration, management, and security Figure 3: Breakout of the kinds of tools used by the respondents organizations in Active Directory environments. As will be seen later in this survey, the changing pressures on the Active Directory team, especially as Active Directory becomes part of larger Identity and Access Management (IAM) programs, will mandate tighter security controls and better capability to reduce risk from insider attacks. This will therefore inevitably mean an increased reliance on commercial third-party tools that are able to provide more comprehensive security and management capabilities than native or homegrown solutions. 4 White Paper

6 Due to the limited resources organizations are allocating to Active Directory administration, management, and security, coupled with the inherent challenges of native administration, it is no surprise that 40 percent of survey respondents indicate that they are struggling to keep pace with the demands of the business (Figure 4). Figure 4 Ability of Active Directory resources to keep pace with the business needs Figure 4: Breakout of how well respondents Active Directory resources are keeping pace with their organizations business needs. Resource Constraints and Business Needs Pose Challenges In an environment where economic challenges demand that technology support dynamic business environments, the inability to meet the needs of the business is of particular concern. Enterprise organizations simply cannot tolerate the additional risk associated with reliance on Microsoft native tools when it comes to protecting the health and wellbeing of one of the most valuable repositories of business information: Active Directory. It is clear from the above responses that the Active Directory teams remain small in comparison to broader IT infrastructure management organization typical in enterprise organizations. These small teams are struggling to maintain pace with the rate of change within the business, and are therefore likely to be forced into increasingly reactive roles. This ultimately will come at the cost of more strategic programs that would result in better overall security for Active Directory, and that could better position this vital technology to meet the changing needs of the business as we will see in the next section. 5

7 Active Directory Challenges The next group of survey questions sought to uncover the ways in which the resource constraints and limitations associated with native tools affect the secure management and administration of Active Directory. Survey respondents were asked about the tactical and business challenges of managing and administering a secure Active Directory environment. As enterprise IT organizations and their associated Active Directory resources are struggling to keep pace with the needs of the business, it stands to reason that IT organizations are also struggling to maintain a secure storage environment for business-critical information, including user identities and business assets. As indicated in Figure 5, more than half of respondents cite their greatest challenges in managing and securing Active Directory are managing Group Policies in a controlled manner and maintaining appropriate user permissions. In short, survey respondents are concerned with the threat of unauthorized changes by users who should not have access to business-critical or sensitive information. Figure 5 Greatest Active Directory management and security challenges igure 5: Ranking of importance for key IT challenges related to Active Directory management and security F 6 White Paper

8 Restricting user access and controlling change are concerns echoed by the business. When asked about their top concerns regarding business-related security issues of Active Directory, 52 percent of respondents cite enforcing policies and 42 percent of respondents cite falling out of compliance (Figure 6). Figure 6 Business related Active Directory security issues igure 6: Ranking of importance for key business issues related to Active Directory security F Enterprise organizations have become keenly aware of risk and are driving IT to follow policy and maintain compliance; this is how they will ultimately keep their critical assets secure in a volatile business environment. 7

9 Change and the management of change in Active Directory are primary concerns for enterprise organizations; however, an alarming number of respondents indicate that they are not highly confident they can rapidly detect unauthorized changes. As indicated in Figure 7, less than onequarter of respondents indicate they can rapidly detect unauthorized privilege escalation, Group Policy modification, or group membership change. Unauthorized change the very thing that causes the respondents concern is the thing they are least confident that they can detect. If unauthorized change cannot be detected, then those changes malicious or accidental have the potential to result in significant risk and business exposure that the enterprise simply cannot tolerate. Figure 7 Confidence in ability to rapidly detect unauthorized change Figure 7: Breakout of confidence level in the respondents ability to detect change in Active Directory environments. Policy and Change Management Are Critical In this section we have seen that the primary concerns for Active Directory management teams are associated with the maintenance of policy and compliance. Controlling user permissions and access are of particular concern because a user with elevated access can execute changes that expose the business to significant risk. As the primary defense against an insider attack is the effective management of permissions implemented through Group Policies, ensuring that these controls remain in place and are in line with organizations risk management and security policies is essential. However, there is little confidence that any changes to these security measures can be detected rapidly. If the business cannot detect changes to Group Policy and user permissions swiftly, the risk of a serious breach, especially a breach by a motivated and skilled insider, will be significantly magnified. Ideally any Group Policy management solution would both enable a simplified, streamlined management, and also integrate change detection into other security event management solutions, such as Security Information and Event Management (SIEM) technologies. Without these capabilities, changes to Group Policy can go undetected and will remain a critical potential weakness in user activity and access security. 8 White Paper

10 In short, there is a dangerous potential disconnect between the security objectives of the Active Directory team and their ability to enforce those objectives. Active Directory Ownership and Influence The next set of questions examines the evolution of Active Directory ownership, influence, and responsibility over the last three years. Figure 8 Primary ownership of Active Directory administration Figure 8: Breakout of primary ownership of Active Directory administration.. The day-to-day ownership of the administration of Active Directory has historically fallen to the Information Technology organization; and respondents validate this point (see Figure 8). However a shift has occurred over the last three years as enterprise IT organizations have dramatically matured and regulations have grown in both scope and quantity. 9

11 Nearly half of IT organizations are increasingly influenced by the Information Security organization (Figure 9). It is no wonder that the greatest concerns are fundamentally security issues enforcing policies and reducing risk by minimizing user privilege and access. As more enterprise organizations find themselves in the news due to security breaches, the traditional Active Directory administration owners are being tasked, via security teams and the security policies they develop, with improving the protection of the business-critical information stored in Active Directory. Figure 9 Three year change in Information Security influence on Active Directory policy and/or architecture Figure 9: Breakout of the change in Information Security influence on Active Directory over the last three years. 10 White Paper

12 Given tightening budgets and increasing business demands, enterprise IT organizations are interested in maximizing the functionality of their existing investments. Extending the capabilities of Active Directory, standardizing on Active Directory, and becoming Active Directory-centric are all avenues the enterprise IT organization can take to make Active Directory the commanding repository of business-critical information. It is no wonder that 76 percent of respondents indicate that Active Directory, guided by the increasing influence of Information Security organizations, plays an important or critical role in the formation and ongoing execution of their organizations evolving IAM strategy (see Figure 10). Figure 10 Role of Active Directory in Identity and Access Management (IAM) Figure 10: Breakout of the role Active Directory plays in the respondents IAM strategy. Security Has Critical Influence on Active Directory While Active Directory is still primarily owned by IT organizations, the influence of Security on the management and administration of Active Directory has drastically changed. This change impacts the role Active Directory plays in one of the most critical elements of any security policy and the enterprise s IAM strategy. Tasked with protecting the most valuable business resources, Security organizations recognize the powerful capabilities of Active Directory. They also see the inherent risk and lack of control natively available in Active Directory. With the majority of enterprise organizations citing Active Directory as a key component of their IAM strategy, the policies that guide the Active Directory administration will continue to be further defined and influenced by Security organizations. Industry best practices dictate that Active Directory become a central element of a broader security strategy, especially as it pertains to the management of privileged users to reduce the risk of insider attack and data breach. Security organizations should, therefore, continue to work to minimize if not remove the gap between Active Directory as a vulnerable, standalone application and Active Directory as a secure, critical component of the greater approach to securing the business, IAM. 11

13 The Need for Effective Active Directory Management and Security Secure, effective, and efficient administration of Active Directory is critical to any enterprise IT organization tasked with supporting the evolving needs of a dynamic business. It remains one of the most critical elements in the enterprise IT infrastructure, but given the limited nature of native controls also one of the most vulnerable. While cost reduction and efficiency are imperative for business operations, they are no longer the only drivers of the enterprise IT organization responsible for day-to-day Active Directory administration. The results of this survey clearly show that while Active Directory teams still firmly operate as part of the overarching IT Operations teams, they are now increasingly seen as the front-line for enforcement of security and compliance policies. At the same time, these small, heavily-tasked teams are working with a broad mix of tools and are struggling to maintain pace with the growing demands placed upon them by both the business and Security teams. This represents a dangerous trend. With teams showing little confidence that they can detect potentially significant changes to the foundational elements of security and compliance, the risk of breaches, especially caused by insiders, will continue to grow. Worse, this lack of foundational security will actually grow in significance as organizations begin to deploy broader IAM solutions built upon the current Active Directory infrastructure. Protecting data, maximizing system availability, and maintaining and demonstrating compliance are critical drivers for any IT organization. Securing the most valuable business assets must take a new level of precedence, and enterprise IT organizations are now driven to recognize, minimize, and address vulnerability and threats. Meeting these challenges begins with the secure management and administration of the heart of the IT infrastructure: Active Directory. Conclusion and Recommendations Enterprise IT organizations tasked with securely and efficiently supporting the evolving demands of the business should take a proactive approach to administering Active Directory. This is the only way to help ensure critical and sensitive business information is stored in a manner that supports the business while maintaining organizational and industry compliance thus mitigating risk in an uncertain business environment. To proactively and securely administer Active Directory, NetIQ recommends that enterprise IT organizations use third-party solutions that enhance the security of Active Directory. This proactive approach to managing Active Directory helps enterprise IT organizations meet growing security and industry demands by enforcing policies, minimizing user privilege, and controlling unauthorized change either malicious or unintentional. To help organizations more efficiently secure Active Directory while controlling the costs of maintaining compliance and ultimately aligning with the greater business goals, NetIQ provides the following key capabilities and benefits: Detect and audit Active Directory changes NetIQ s Active Directory Management solutions provide real-time detection and classification of changes made to Active Directory, allowing organizations to determine if changes are authorized or unauthorized. Through customized settings, alerts can be raised and activity can be logged and reported on, to proactively address unintended changes. 12 White Paper

14 Securely delegate privileges NetIQ solutions provide both rule-based and view-based delegation of privileges, making it easier for administrators to manage access. This allows users to perform a limited set of tasks, based on their permissions, to enable user self-service, thus decreasing demands on help desk and other administrative personnel. Report on entitlement and security configuration Utilizing NetIQ Active Directory Management solutions, organizations can produce detailed reports to illustrate which employees can make business-impacting changes, effectively reducing the number of administrators with unnecessary super-user privileges. Automate IT Processes for Active Directory Leveraging the powerful automation capabilities of NetIQ Aegis coupled with NetIQ Directory and Resource Administrator, organizations can automate routine Active Directory administration tasks. This allows organizations to minimize the possibility of administrator error and significantly improve data integrity, while minimizing data pollution. Enterprise IT organizations that take this proactive approach to securely administering Active Directory will be able to consistently and cost effectively meet the evolving needs of the business. These parameters will also allow the enterprise IT organization to maintain a secure Active Directory environment that is industry- and business-compliant. For more information on how NetIQ can help organizations securely administer and manage Active Directory, visit About NetIQ NetIQ, an Attachmate business, is a leading provider of comprehensive systems and security management solutions that help enterprises maximize IT service delivery and efficiency. With more than 12,000 customers worldwide, NetIQ solutions yield measurable business value and results that dynamic organizations demand. NetIQ's best-of-breed solutions help IT organizations deliver critical business services, mitigate operational risk, and document policy compliance. The company's portfolio of award-winning management solutions includes IT Process Automation, Systems Management, Security Management, Configuration Control, and Enterprise Administration. About Attachmate Attachmate enables IT organizations to extend mission-critical services and assure they are managed, secure, and compliant. Our goal is to empower IT organizations to deliver trusted applications, manage services levels, and ensure compliance by leveraging knowledge, automation, and secured connectivity. To fulfill that goal, we offer solutions that include host connectivity, systems and security management, and PC lifecycle management. NetIQ and the NetIQ logo are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the United States and other jurisdictions. All other company and product names may be trademarks or registered trademarks of their respective companies NetIQ Corporation. All rights reserved. 13