David Miles: How to Handle Massive Forced Change in Active Directory Accounts

Okay. So, you know, what we're gonna do over the next few minutes is we're gonna consider the effects of massive change on our directory management practices. And these changes might be sudden, and they might be dramatic as with our present global predicament or perhaps they may be more planned, but either way they will impact the dynamics of our management process quite considerably. Now, one thing that we can, we can say is that change is hard. We, we know that change is hard. It's part of what we used to call daily normal life. And we've been experiencing recently some significant changes to that, but in the normal time folks join, they leave, we conduct business and everything just ticks over. But interestingly, there are something like 15% of people within our organization, within our organizations globally, as IAM practitioners who can boast that a time to, to deprovision a user is measured in just minutes rather than hours or, or longer.
So that leaves, you know, a whopping 85% of businesses who are taking substantially longer than that. And that situation doesn't actually get any better. When we talk about people joining the organization, you know, it, it's actually 72% of organizations are taking longer than a, a small amount of time, minutes measured in minutes. So, you know, frankly, if, if any of those processes to onboard, to provision a user or to deprovision a user are taking substantially longer than about a minute, then we potentially are storing up a significant problem for ourselves. Now, you know, the main reason for these statistics is that very few organizations have got the correct tooling in place to manage these processes properly. It's approximately a third that do that within just management ad alone. It's about 37% managing on premise applications. Besides active directory is about 33%. And for cloud it's surprisingly hired about 30%.
So, you know, we've got a scenario where many, many people are managing on a, a manual or a series of manual processes that, that leaves it quite difficult for them to cope. So, you know, what changes have been forced on you there's times that we're living in at the moment are very strange, you know, recent events of crystallized, significant changes for businesses globally, remote working levels have gone off the charts, furloughed employees, they're off the charts, layoffs and terminations off the charts. This is a series of massive unprecedented changes, and they have taken place in the space of potentially just days or at most weeks. And this is kind of not the normal operational process that we are used to. We are used to managing. So as these changes occurred, how, how did you do? I think probably the answer for most of us is we did the best we could given the situation and the circumstances that we found ourselves in.
It's not really, as though many of us have geared up for handling such a massive rapid change as we've recently experienced. So overall how we performed will largely be a function of how much automation we have in place around our directory management processes. So, you know, there are some challenges that we see when we start to think about how we manage these things. Making such rapid transitions comes with its own unique set of problems. You know, we consider the repetitive changes that have to be made multiple times over many hours. And we all know what that really means when it's a human being, sitting at a keyboard, right? It's tedium, it's boredom, accuracy begins to become an issue. Errors creep in inconsistencies and mistakes. Human error becomes significantly larger as a problem when we consider these drastic force changes. And as we consider the human error, we need to consider the, the threat that comes along with it.
The risk, the increased risk risk goes up exponentially as mistakes occur. So that can take the form of accounts that are left active, that should have been suspended. It can take the form of accounts that have been suspended in a very poor fashion, not following best practices. It can take the form of permissions being left assigned. So if we wanna consider a, a, a scenario for the moment and how this might look in a, in a fictitious organization, imagine a company that has around 10,000 employees distributed across four locations, globally active directory is their primary authentication mechanism. They're federated with Microsoft for authentication to office 365, all office 365 applications and mail systems are being used. So they're using outlook and OneDrive and teams and so on. And they have approximately 10% of their employees. That's approximately a thousand employees that work remotely or travel on a regular basis.
And they are there for designated as remote employees in the HR system, they've got authorized VPN access, which is only for remote workers and administrators and access to that. VPN is based upon membership of an ad group, VPN users. Now, now this scenario is not really that uncommon and it, it could describe many organizations. So then the unthinkable happens. There is some kind of trigger that causes a massive and abrupt change to our business process. And suddenly we move from requiring 10% of a remote workforce to 90% of a remote workforce virtually overnight. Now in that scenario, what do you do? It it's extremely difficult and we need to, we need to manage that change. So what does that look like? Our CEO calls us in and explains in a meeting that it's absolutely critical that our workers now have to be located at home and they can gain access to our network and all the required applications and resources.
So there are many physical processes that are required to make this new status work. We need to be able to enable VPN access to internal resources. We need to be able to find out who is remote, and we need to do that by looking at our HR source data, we need to locate those accounts in active directory, and we need to add those users that need to be working remotely to the VPN users security group. And we need to repeat that for each remote user and keep a track of what we've done as we do it so that we, you know, we can record what changes we've made. And we need to ensure that the accesses that those remote employees have are correct. There may be role changes. They may have access via group memberships in active directory that need to be made. There may be changes to the authentication, and it's quite likely that we will need to touch every single account and maybe sometimes multiply.
So it's a fairly substantial effort. And this brings with it consequences. It takes a lot of time and it's being done under the pressure of time. We might be hasty and we make rushed changes, and those changes can work to lead towards inaccuracies and mistakes. And duplicate efforts can cost money, but more significantly and more worrying is that those inconsistencies and those inaccuracies can lead to errors, which then lead to risk and vulnerability. Now people with nefarious intent are not slowed by the same factors that are businesses are slowed by the global pandemic signals signals to them a, a perfect opportunity and you know, where they're concerned, it's money. So, you know, we need to give consideration to the risk. And then when we think about it, one would hope that all of these changes, at least in theory, we'll be temporary. And that means that at some stage, a little way down the road, we have another abrupt change and that's going to be involving us, pulling all those furloughed employees back into the workplace.
We need to pull them back in so that their, their work practices have changed. They need to be able, able to come in, log in and pick up where they left off. And we don't want there to be an interruption to our business. Continuity. At least if there is one it's gotta be as small as possible. And that's a big ask under unwinding, all the changes that we made now, it of course assumes that security was upmost in the mind when we put these things back, because it will be harder than just Reen, enabling a bunch of user accounts. And if security wasn't up almost then, well, we may well have bigger problems to worry about. So what about as we, as we try to contract out this remote workforce, which users are affected, who's going to change. Can the HR system provide us a list?
Did we keep all records that we, that we implemented? All the changes that we implemented, we will need to adjust the accounts we'll need to remove the VPN access. We'll need to change. Group memberships will need to be able to adjust the authentication. And we can imagine that there will be a lot of group adjustments for access control as they were made. We'll probably need to make changes to organizational units for laptops, accounts, hardware, and so on. And that's a rinse and repeat process over and over again for every employee that changed. And meanwhile, somebody's gotta answer the phone at the help desk to deal with the queries and spend hours chasing down access issues and fixing errors. So, you know, there are consequences again, to all of this. We've said it takes time. There are inconsistencies, it can be hasty. And as we've said, people with nefarious intent, aren't sleeping during this change, we need to give consideration to them.
So what if we had some kind of automation let's think about that remote access change. Imagine if we could create a virtual attribute in the directory for every user, and we could set this to true for a remote employee. And now imagine that instead of our static group of VPN users, instead we have a group whose membership is dependent upon the value of an attribute. Let's say the remote employee attribute and suddenly our group is automatically populated with all those remote workers. And imagine we can batch update users based upon data from our HR system, so that we can modify attributes like the remote attribute remote employee attribute suddenly we've managed the enablement of VPN access to the users that require it with virtually no intervention. So what does this mean in terms of results for us? Well, really, as we begin to build out some automation, the biggest value, the biggest benefit is that our results are virtually instantaneous and they can happen without intervention from it in most situations.
And because we've removed a significant part of that human element, things can happen in a consistent and accurate manner, saving time, saving money and significantly reducing the risk. So the business is protected. The users get what they need and everyone is happy. So if we now consider a different category, the furloughed employees, you know, these changes that we've considered so far for remote workers are relatively simple. Let's think about something that's involving a little bit more complexity, such as the furloughing of employees and what steps might we want to take for these users. First of all, we're gonna figure out which individuals we're talking about with a list from HR. Again, having done that, we identified the account. We locate the account. We perhaps wanna remove the user from any security groups, which grant access and privilege. We may want to change the user's password to a random value.
We perhaps wanna disable the user's account. We might want to grant the user's manager, access to their mailbox and grant the user's manager, access to their home drive. We might want to U move the user object to a separate OU to designate all ed employees. Perhaps we wanna re return office 365 licenses, adjust some licenses, and we rinse and repeat again. And it's a very manual, a very laborious process. If we're going to do it properly, rather than just simply disabling the user at can, which is not best practice. So again, the consequences of this they're the same, right? You know, that it's long hours. It takes a lot of time. We're rushing because we're under time pressure. It's a lot of wasted money. And the human element is in consistency, error, and risk. We wind up getting back into that same cycle of risk and, and error because it's being done by a human being.
And then again, then the road, we're gonna be bringing those guys back. And we can't assume that all of them will return. So we need to work with HR. We need to identify who's returning. We need to grant access permissions back to them where they were removed, putting them back in security groups. We need to establish a password that they can go in and, and log in with. And then reset. We enable their account. We reinstate access to their mailbox. We move them back into their correct organizational unit for management. We assign them their licenses for office 365 and any other applications. And again, Werin some repeats now that's, that's a lot of work. It's an awful lot of work and it comes within a lot of consequences. Again, you know, you're beginning to see the pattern here. It's the same issues, but we are adding one here.
We're adding disgruntled users this time. We've got a bunch of people who perhaps can't log in after they've changed their password, because they've now reset it. And they can't remember what it is. They no longer have access to the CRM system or to Salesforce and frustration begins to, to kick in. And that affects productivity costs. The business time costs the business money. Our help desk is overrun. So a again, what if we could automate this automation will provide provisioning activities that allow you to decide exactly what will happen according to strict policies. And then it will implement those changes without any human intervention. Automation provides a technical implementation of written and agreed upon policies that can be implemented automatically and without errors. So the results that you get from that are that we are building further on our model of automation. And again, we benefit from virtually instantaneous results without any human intervention, again, consistent, accurate results, save us time and they save us money and they significantly reduce risks.
And once we've established these automation rules and they're in place as changes happen on a day to day basis, they simply execute as required permissions rights and access can be modeled upon roles, departments and job titles. And this ensures that access is our correct, and that we're always following at least privileged security model. So all of our furloughed employees returning to work will be able to hit the ground running. Okay. So the third area is, you know, that we, we might wanna consider here is the reduction in workforce. And these are they're closely related. You know, we obtain the list of users that this applies to. We identify and locate the accounts again, you know, these are, these are the same processes, removing users from security groups, scrambling passwords, disabling the accounts, granting the manager, access to the mailbox, access to the home drive unassign licenses for office 365 and other applications moving the user to that deprovisioned organizational unit repeating for the next account, but now being clean in our deprovisioning processes, we want to come back in maybe 60 days and we want to delete those accounts so that they've been purged we've then followed a really strict and thorough regime for deprovisioning users.
And these are the, these are the processes that can be fully in place, manually hard time consuming. They take a lot of work, it takes effort and we can rush it and we can have the inconsistency. Again, there's another layer here, which is that if you're not doing it properly, you're left behind with a bunch of orphaned accounts, which introduces risks. So good data hygiene around deprovisioning is actually critical for management of risk. Often accounts represent an excellent attack vector for anybody who's got mal intent. So again, if we have automation, we've got the ability to be rep repetitive with these tasks and get the actioned event every time an employee leaves, and that can happen promptly and consistently and dramatically reduce risk. Furthermore, it does facilitate good management of expensive resources, such as office 365 licenses and any other application licenses. So the business makes careful decisions about which process and what will happen.
And these are then implemented once in our automation so that they will happen automatically thereafter without that manual intervention or any human involvement. So what we find when we look at all of this is that from a conclusion perspective, it actually doesn't matter where on the path you are. You may very well have already furloughed, a lot of workers, and that may have been done manually. You may be about to undertake those changes. It may be that you are absorbing a business through some kind of merger and acquisition, but automation will and can save you time, money, and stress. So it doesn't matter where you are on that process. You can implement that automation starting with even the simplest of tasks and it will begin to yield results. And then it's a many layered thing where you start simply you build on those automatic processes and gradually you can put in other systems like Unix, the next provisioning in the on premise environment, provisioning in the cloud applications environment, and you can wind up yielding results, incremental results for very small changes, that yield enormous value. So I think that's pretty close to our time. I hope this has given you some pause for consideration in how you might automate some of your automatic account life cycle management processes. And I, I don't know if we have any time for questions, but I'd be happy to, to, to take any, if we do.