SBN

Hot Take: Active Directory Isn’t an Authoritative Source

Hot Take: Active Directory Isn't an Authoritative Source

Let’s break this down…

Active Directory is a directory.

Active Directory is potentially authoritative for access.

But Active Directory IS NOT an authoritative source.So why does this qualify as a hot take?

Because when we at SecZetta ask organizations, “What’s your best source for all of your contractor information?”, the response 9 out of 10 times is…

“Active Directory.”

It’s usually a result of contractors’ identities being managed at the account level, as opposed to every identity being managed as individual and unique. Organizations add contractors and other third-party identities into their environment by going directly to Active Directory and granting access.

So yes, for these organizations, it could be the case that Active Directory is a viable option to view who has access to their networks and platforms. But the problem is little is actually maintained in an Active Directory. It doesn’t track identity lifecycles or validate data to ensure it is up-to-date and accurate…it just grants access.

Instead, Active Directory should rely on an Identity Governance & Administration (IGA) solution to provision and deprovision access to Active Directory, and the IGA solution should rely on a trusted authoritative source to inform it about the identities that need access.

An authoritative source (also called a system of record) is a repository where data is maintained and stored for consumption by reliant systems. No matter who’s involved and what the workflow is in collecting this data, this important information must be accurate and reliable, and the following must take place to ensure this is the case:

  1. Proactive collection and maintenance of complete data by responsible parties
  2. Constant validation of data to ensure it remains up-to-date and accurate
  3. Storage of data in an accessible and searchable repository
  4. Simple integration with identity solutions

It may not sound like too much of a difference but having an authoritative source will prevent your organization from dealing with outdated and inaccurate information that misinforms identity and access decisions, especially for third parties. More serious consequences of relying on Active Directory as an authoritative source include audit findings, breaches, unnecessary costs associated with accounts that should no longer exist, and more.

If you’re one of the millions of organizations that have embraced growing populations of third-parties to get business done but don’t have a way to centrally track third-party users, click here to read the comprehensive “The Identity Gap in Third-Party Risk Management” white paper.

*** This is a Security Bloggers Network syndicated blog from Industry Blog - SecZetta authored by SecZetta. Read the original post at: https://www.seczetta.com/active-directory-isnt-an-authoritative-source-hot-take/