Analyst Chat

Analyst Chat #77: Don't Manage Access in Active Directory Groups


Maintaining finer grained access by administering AD groups through dedicated and delegated application administrators is the reality in many organizations. Martin Kuppinger and Matthias discuss these types of indirect authorization management and why they are no good choice, even more when AD becomes legacy.

Welcome to the KuppingerCole analysts chat. I'm your host. My name is Matthias. I'm a senior analyst and lead advisor at KuppingerCole analysts, I guess today is Martin Kuppinger. He is one of the founders of KuppingerCole and our principal analyst. Hi Martin. How much? Yes. Great to have you again. And we want again, to pick up a topic that we see in real life and advisory situations, but also when it comes to designing overarching, I am architectures. We want to talk about how access is maintained, how authorizations are maintained in real life in many systems. And to describe a bit the, the, the context we usually say, see that, um, authorizations are done within IAM in terms of roles, of course, great roles that for example, assigned access to a system that is then connected via AD to an overall, um, architecture within an organization. So a system, um, has an account in AD, so it authorizes against AD and I am make sure that this account exists and that the user has access to that account. But when it comes to, um, find a grant access to the actual business roles that are assigned, that is then done within AD itself. So there is an administrator somewhere delegated somewhere in the field and they do change authorizations within AD. This is something that it's very common and I think you March and have quite some, some perspective on that,
Right? I have. Yes. Um, so, so let's start looking at some of the challenges here. And, um, I, I think one of the challenges clearly is when we talk about AD here, we talk about Microsoft active directory on premises as part of the windows server platform. That is where does approaches commonly fall the pointers, um, at best will. And believe me, I'm a, I have a friend of a windows server. I'm a friend of active directory. I wrote things like windows, 2003 handbook, and the drum language, uh, back many years, I've wrote a ton of books on windows server, but active directory on premises is legacy. So the first thing is we must not build future strategies on legacy technology. The second thing is ed frequently is owned by the infrastructure teams, not by the identity teams, not by the governance teams. So we frequently have ownership issues when people say, oh, yes, but we need to do that because you, as a creative, whatever exchange mailboxes and stuff like that, and that, then you have some, some clash here that the search thing is, um, if you have, um, sort of a multi tier concept of granting entitlements, then keeping control from an ex governance perspective becomes more complex.
And, um, number four is, um, a lot of people, that's also a part frequency and the infrastructure thing are doing their work and work tumbling around doing their work in the active directory. So the risk of that, some things go wrong that you need to reconsolidate very loose control. That risk is considerable. And these are, I would say four 50, at least four essential points to keep in mind for this approach. And so I think these speed carefully revisited, and yes, there are applications which mandate that because they're fully integrated to eight E but even there, the question is what kind of you provision directly into these applications or the Kennedy to that can be managed directly and whatnot.
I think one aspect that is hidden inside that way of managing authorizations is something that is actually quite modern. It's really involving the business in authorization processes. So it's not the admin somewhere in it who usually does not know the, the semantics of the actual authorizations anyway. So it's really transferred to somebody who's closer to the business, maybe a line of business manager who then does this authorization, which is a modern concept, but then the, the way of how it is done and the way how it is governed should really be changed to make sure that all of what you've mentioned is taken care of properly. So really having the governance aspect, knowing what has been assigned.
Yeah. And I think the segregation becomes complex if you try to do it in the active directory, because, um, you don't have so to speak two options either, and that is more or less impossible to do. Well, you have two parties which are working with the same groups, uh, in active directory where we have this coop concept. So, um, you might integrate a group as a role. You can do a multi-tiered things there, uh, with the different types of groups. Um, but at the end it would mean you have business. And, um, it elements working on the same, uh, types of objects. Um, so that, that is problematic. So you could try to segregate by saying, okay, I have a sort of a multi tier model. It's an active directory, at least as local and global groups. So that's the responsibility of the ones, that's the responsibility of the address.
But again, it's, it's hard to segregate it well, and it is the risk of ending up with some extra directory structure, which is from a group perspective, it's just, uh, too complex. And so that also makes it difficult and maybe a start point to add the realities, trust that most croup models, um, and most, or many domain and many forest concepts in active directory. But if you look at active directory, most of that has frankly phrasing a legacy. So to have that, that, that doesn't use for 10 or 15 years, and when it has been administrators for 10 or 15 years, it's really in a very good shape. So we have seen from identi American perspective, so many projects, I a requiring first ed cleanup in the past and, uh, restructuring, um, uh, a reorganization of that is not the best foundation for doing good access management and access governance, because at the end that the good old sentence of garbage in garbage out concierge as well.
Right. So, um, the message is clear, don't manage access via age groups or within a D um, you've mentioned that ADA is something that is more or less to be considered as a legacy infrastructure. So to play devil's advocate here right now, um, does anything solve the problem by moving to Azure AD and to migrate away from a D when it comes to this authorization management aspect from your point of view?
Yeah. I think ID has some integration with some of the environments like Microsoft 365. Um, but also when you look at many of today's, I am solutions, they have decreased into Microsoft 365 wasn't directly. So they take a perspective of both those areas of both ends. And so it is that, um, it's a little different thing. And the other point is, um, the, your on-prem active directory is from its legacy. It's an infrastructure directory, it's a directory Mount to also manage your why's as to it has this concept of science, a lot of other elements, which are really infrastructure driven that start a case for ADH, or it is. Um, so I think the biggest similarity is both have a directory capability in both Exeter directory to name and maybe to serve on, I suppose, off from Microsoft, but technically seen it's a very different thing, and it has a different, different aspect or a different perspective here.
And so, so I would say, um, you must not say it, so these will be CAD fixed sinks entirely because we then need something which manages x-ray D and other things it's used at radio. That's another element for, for the access maybe for fettering or eating out, but when it comes to the, the entitlement management, we usually that light another type of technology, uh, which might be part of what Microsoft delivers and some of the plans for 80, or I'd be something different, um, some of the ha solutions to market, and there are tons of them. Um, and then it's different, different plates that this neatly in the room. So, um, it's a diff it's really done differently and not as mangled everything into another essence system, the on-prem 80 world frequent, right?
So we take as a summary for today that moving away from the traditional on-premise AD might be a good idea also from an access management perspective. So we'll get to a new, a more modern approach to managing authorizations, but when it comes to using Azure, AD, you need to do this well. And it's not just a migration from a to B, from on-prem 80 to Azure, 80, there really needs to be some more brain where to be involved as well, right?
It are two different solutions. The ADT x-ray easing, as I was saying, you should look at it. If you have Microsoft 365, you have . So you need to make your strategy around that and say, what is the place of overall strategy for identity and access management for on-prem ID? It's relatively simple. It is target system, and it should be treated as a target system that is, that serves so use cases, but that as a central element of your future identity management, you have rich access strategy. And it's that easy to replace it in many cases, because there are a lot of legacy applications requiring it. So you might have it for, for quite awhile, but even then you should think about how can you, uh, recuse the role and not further invest into making it a central element of that. And clearly the less going back to our starting point, the less dependencies you have where active directory, so to speak the, the mediary between, uh, identity management at the targets, the less you have that, the easier it is to, to move forward to the modern few Triam and to use on-prem, AD only where you still needed for technical reasons.
What's your legacy application infrastructure.
Absolutely. And not to always have such a large commercial break at the end, just get in touch with us. If you have any questions we can support you in getting, moving away from Azure, from AD and maybe moving to Azure 80, and to have a good transition in between. So that would be something that we can support you in and where there's tons of material available on our website. Thank you again, Martin Ford for joining me today for giving this clear perspective on how to deal with on-prem ad with authorization in on-prem AD and moving towards more and more than I am infrastructures that are future-proof and capable of solving tomorrow's problems. Thank you again. Thank you.