Active Directory Management: Who Owns This Responsibility?
The key question often debated is whether Active Directory is owned by multiple teams, or by a stand-alone IT, security or directory team. And depending on who you ask within the organizations, you may get several different views. So how do you split the responsibility around Active Directory management?
Let’s breakdown a few executive points of views from around the enterprise organization:
CIO Point of View
Active Directory was traditionally owned by the server and infrastructure teams that report up to the CIO. Since the CIO is the business owner, then the IT and applications owners are responsible from capability, process and functionality perspectives – such as for GALsync when integrating multiple Active Directory forests. But with the arrival of public-key infrastructure (PKI), single sign-on (SSO), identity and access management (IAM), and federated authentication, it became apparent for them to build a team to focus on identity. Although the server team still owns the core Active Directory in their organization, two new teams have been created — an IAM team to concentrate on tools that enable authentication, including account provisioning, and a networking team to own the DNS and Dynamic Host Configuration Protocol (DHCP).
CISO Point of View
A chief information security officer (CISO) believes Active Directory is a core IAM service, which should be owned by the IT security team. Especially in large organizations, CISOs may say Active Directory should be owned by the security group given it is the nucleus of access control accounts and groups. Although, IT security teams run Active Directory together with IT admins. The security team develops an organizational structure and some rules surrounding the structure for IT admins to follow. Although IT security teams run Active Directory together with IT admins, it is the security team that develops an organizational structure and some rules surrounding the structure for IT admins to follow. In this arrangement, IT manages domain controllers and hierarchy and Active Directory monitoring, while the security team plans security requirements, and accounts and groups are created by identity management.
COO Point of View
Active Directory is managed by the operations team; which includes creation, deactivation, permission assignment to folders, printer management, etc. However, the security team will also have some responsibilities that mainly focus on policies and compliance to ensure that the operations team is configuring according to the set policies.
CEO Point of View
A CEO believes if Active Directory is used as an application, its ownership should have the following structure:
CIO’s infrastructure team is responsible for all hardware and software, and owns tasks such as updates, replication, backup, Active Directory reporting and so on.
CISO’s security teams operate the application on behalf of the application owner, setting rules for documentation and approvals when changes are needed, and managing all the aspects around maintaining the security of Active Directory.
The application owner is responsible for Active Directory migrations and authorizing changes such as adding users and groups, changing permissions and so on.
At ENow, we’ve supported the largest and most complex Active Directory environments on the planet. The most successful Active Directory team we frequently see with our clients is a team that divides the responsibility among the following three important areas:
Directory services infrastructure and operations – Responsible for the design, deployment and management of the ‘physical’ Active Directory bits: domain controller placement, site design, replication design, etc.
Directory services architecture and integrations – Responsible for the organizational layout, what data is allowed to go into Active Directory, what attributes are used to store that information, and applying delegations
IT security - Establishes the guardrails within which the service is operated: password length, complexity and age standards. They determine the business processes to be followed for approval of privilege delegation/escalation and minimum requirements, such as MFA, for access to logon to a domain controller.
IT admins and IT Security – Establishes improved security awareness in removing users that have inappropriate access to privileged groups (Schema Admins, Domain Admins). They have visibility into what users are doing across their environment.
Even though Active Directory is almost 20 years old, with plenty of industry tips around the ins and outs of how to manage, it’s no less complex today than when it first came out. Whichever team is designated to own the responsibility of Active Directory management, we encourage you to include a shared responsibility in your strategy, especially in Active Directory monitoring and reporting.
Find out more about how ENow can position you for Active Directory management success.
Active Directory Monitoring and Reporting
Active Directory is the foundation of your network, and the structure that controls access to the most critical resources in your organization. The ENow Active Directory Monitoring and Reporting tool uncovers cracks in your Active Directory that can cause a security breach or poor end-user experience and enables you to quickly identify and remove users that have inappropriate access to privileged groups (Schema Admins, Domain Administrators). While ENow is not an auditing software, our reports reduce the amount of work required to cover HIPAA, SOX, and other compliance audits.
AmyKelly Petruzzella is a marketing executive who focuses on Microsoft Exchange, Office 365, and Active Directory trends, challenges, and business outcomes for enterprises. Over the years, AmyKelly regularly engages with Gartner industry analysts, and she has been recognized several times for Top 50 Microsoft Marketing Excellence. She is a frequent speaker and blogger and an industry veteran who advocates for women in technology.
Passwordless Security & The Evolution of Authentication