In recent years, most enterprises have evolved away from the traditional client/server model of Windows networking – a computing era many of us deeply miss. Now there are custom Web applications, remote access systems, the need to support Unix/Linux and other legacy systems via LDAP integration, and so on that have introduced a vast set of complexities we never dreamed of just 10 years ago.
These changes can be managed effectively if you have some semblance of control in and around identity and access management (IAM). Unfortunately, this is an area of IT that we've yet to master, and it's one of the things I see Windows administrators struggle with the most. From the "I've gotta have it now!" demands of users to the more critical security and compliance requirements expected of businesses today, if you don't have good control of identity management, it's undoubtedly controlling you.
If you've considered establishing some controls around IAM or are in need of improving your current Windows identity management situation, it's high time to step back and look at the soft side of the equation. As we've learned over the years, simply throwing technology at a problem such as this – be it Windows Server 2008 R2's IAM features or some third-party product – will usually only buy you short-term benefits. Like most things in IT, if you don't plan things out and back them up with solid and well-documented processes, they'll likely serve to take on a life of their own and often hinder more than they help.
There are six things you can do right now to improve your current Windows identity and access management situation that will also help ensure you do IAM right from the beginning:
- Get feedback from others who are affected at the administration level. This may include developers, DBAs, and security managers (both physical and information).
- Consider your business data classification and retention policies and processes (assuming they even exist). Identity and access management ties directly into this and your organization's legal counsel, CFO, CIO, HR, and internal audit team will likely have some direction.
- Work with your information security and internal audit people to see if they have any ideas on streamlining the provisioning/de-provisioning of users and other Active Directory objects that may require access approvals and audit trails.
- Consider business partners, customers, and recent/forthcoming acquisitions that may fall under the policies and processes you establish.
- Document, document, document. Create a set of standards and a formal policy for IAM that includes the scope, roles and responsibilities, and specific procedures involved. Here's a security policy template you can build on. Don't forget that IAM ties in with incident response and disaster recovery/business continuity as well.
- Your identity and access management system (documentation, processes, and technical controls) need to be reassessed on a consistent and periodic basis. The larger the business and more complex the environment, the more important this becomes. Annual information risk assessments or internal audits would be opportune times to do this.
When working through these areas, remember to focus on how you can improve visibility, control, and timeliness – the three "other" cornerstones of Windows security we simply can't afford to overlook.
ABOUT THE AUTHOR
Kevin Beaver (CISSP), is an information security consultant, expert witness, as well as a seminar leader and keynote speaker with Atlanta-based Principle Logic, LLC. Kevin can be reached at www.principlelogic.com.
This was first published in June 2010