The Case for Modernizing Your Active Directory

What is one of the sticking points every time you want to deploy a new business application, upgrade your server or desktop environment, or move another application to the Cloud?  Someone on your team asks, “But what about Active Directory?”

Active Directory is deeply intertwined with nearly everything on your network.  So how did this happen?

A Brief History

Microsoft previewed Active Directory in 1999 and released it the following year in Windows 2000, but back then most people didn’t consider it a mission-critical tool.  We upgraded from Windows NT to Windows 2000 and got a “similar” directory service with some useful new functions, such as Group Policy Objects to manage servers, PCs and security settings.  We organized users and computers into OUs and managed each OU on its own terms.  We took domains and organized them into Trees and Forests, and then built Trusts between Forests to run special applications and to meet our growing organizations’ needs.  We didn’t worry too much about granting system administrators privileged permissions, because Active Directory was considered a tool for managing a Windows environment.

But companies quickly learned that business processes worked better when applications authenticated against Active Directory.  Users already had an account with a password, and since users were already grouped in Active Directory by department and work team, it was simple to grant access to corporate applications.  Vendor applications were the first to be configured for LDAP, or even specifically for Active Directory.  In-house developers soon started integrating their apps into Active Directory as well.

And Microsoft designed Active Directory smartly:  Because the directory was replicated across multiple Domain Controllers, the failure of a single Domain Controller meant that users could keep working.  It wasn’t until companies experienced a rare outage of the entire Active Directory infrastructure that they realized Active Directory had become one of their most mission-critical applications.  Only then did CISOs wake up to the fact that Active Directory was the directory service controlling access to critical corporate data and needed controls of its own.  With time, Active Directory became one of the primary identity databases in the enterprise.

Active Directory Has Its Own Identity Crisis

Because of the way it evolved, Active Directory developed an identity crisis of its own.  Not only had it grown into an unwieldy, complex, mission-critical corporate asset, but many different stakeholders laid claim to it.  Did it belong to the Infrastructure Services group or to the Security group?  Did the department in Philadelphia own its Active Directory domain, or did the Shared Services group in Boston?

Because of Active Directory’s complexity, the competing ownership claims, and its deep ties to so many business processes, many organizations found it nearly impossible to restructure or optimize Active Directory.  And with CIOs focused on line-of-business applications, ERP projects, BI and financial dashboards, who wanted to mess with a system that always had another workaround?  Active Directory was left to evolve with Windows Server upgrades but never got any restructuring, optimization or cleanup, so many enterprises ended up with enabled user accounts for employees who had been gone for years.

The Case for Optimizing Active Directory

If Active Directory today is so robust and stable and always has a workaround, what is the business case for optimizing?

Well, if there’s a problem in Active Directory, we’ve likely already seen it.  Itergy has been delivering Active Directory projects and Active Directory managed services for national and global enterprises for more than 15 years.

We have seen Global 2000 companies brought to a halt—not because SAP wasn’t working or because the process controls weren’t working, but because no one could log in!  We’ve seen thousands of workers sent home when Active Directory has gone down.  We’ve seen transportation networks come to a standstill while a system administrator has done an authoritative restore of Active Directory.  We’ve seen global networks grind to a halt because a system administrator inadvertently activated the antivirus on one small part of Active Directory, setting off a hurricane of GPO replications that had to run its course disrupting production for thousands of users for days, if not weeks.

These examples show why enterprises that take the time to plan, reorganize, clean up and apply proven business processes to Active Directory can avoid much of the risk associated with it.  Some companies have realized it is difficult to retain IT staff skilled enough to maintain and manage Active Directory, so they outsource its care to a qualified managed services provider.

On the security side, we’ve heard the stories of hackers stealing millions of credit card numbers simply by accessing a user’s Active Directory account.  Companies have spent years securing the perimeter of their networks but the inside has become all soft and mushy.  Because hackers often sit on known user credentials for many months before using them to breach a network, it can be difficult to anticipate an attack and then shut it down when it happens. Active Directory accounts are among hackers’ primary targets, and privileged accounts are constantly compromised.  Itergy knows how to monitor, alert on and secure Active Directory against exactly these kinds of breaches.
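As an added example (not part of the original article, and not Itergy’s tooling), the following read-only PowerShell audit surfaces two of the conditions described above: enabled accounts belonging to people who have long since left, and the membership of the built-in privileged groups that attackers target first.  It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the directory; the 180-day threshold, the list of groups and the output file names are assumptions you would adjust for your own environment.

```powershell
# Added example, not code from the article. Read-only audit of stale enabled accounts
# and privileged-group membership. Assumes the RSAT ActiveDirectory module on a
# domain-joined host; $StaleDays, $Privileged and the CSV paths are assumptions.
Import-Module ActiveDirectory

$StaleDays  = 180
$Cutoff     = (Get-Date).AddDays(-$StaleDays)
$Privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'

# 1. Enabled user accounts that have not logged on since the cutoff, or never.
#    LastLogonDate is derived from lastLogonTimestamp, which replicates between DCs but
#    is only refreshed every 9-14 days, so it is an upper bound on staleness, not exact.
$Stale = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff } |
    Where-Object { $_.whenCreated -lt $Cutoff } |   # skip accounts too new to have logged on yet
    Select-Object SamAccountName, LastLogonDate, whenCreated, DistinguishedName

# 2. Who is in the privileged groups, resolved recursively so nested groups cannot hide members.
$PrivMembers = foreach ($g in $Privileged) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            [pscustomobject]@{ Group = $g; Member = $_.SamAccountName; DN = $_.distinguishedName }
        }
}

# 3. The intersection: enabled, idle, and privileged. These are the first accounts to disable.
$StaleNames = @($Stale.SamAccountName)
$StalePriv  = $PrivMembers | Where-Object { $StaleNames -contains $_.Member }

"Enabled accounts idle > $StaleDays days : $(@($Stale).Count)"
"Privileged group memberships (users)   : $(@($PrivMembers).Count)"
"Stale AND privileged                   : $(@($StalePriv).Count)"
$StalePriv | Format-Table -AutoSize

# Export for the cleanup ticket. Nothing in this script modifies the directory.
$Stale       | Export-Csv -NoTypeInformation -Path .\stale-enabled-users.csv
$PrivMembers | Export-Csv -NoTypeInformation -Path .\privileged-members.csv
```

Run it from an account that can read the directory; it writes nothing back, so it is safe to run before any cleanup decisions are made.  Treat the output as a starting list rather than a verdict: a service account that authenticates only with a certificate or Kerberos keytab can show an old LastLogonDate while still being in daily use, so confirm each candidate with its owner before disabling it.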

The Cloud

The Cloud is the newest driver to optimize and modernize Active Directory.  We want to benefit from Single Sign-On when users use corporate applications—whether Microsoft Azure or Office 365, or any other vendors’ services—in the Cloud.  In many enterprises, Active Directory simply isn’t Cloud-ready.  It has been awkward and clumsy and, in many cases it’s simply impossible to use as-is for Cloud projects.  Plus, the workarounds aren’t working anymore, and those long-avoided cleanups must finally be performed.  Corporate governance and controls are catching up to Active Directory and insisting that it be fixed if this mission-critical tool that contains private identity information will be exposed to the Cloud.

Investing in the modernization and optimization of your corporate Active Directory infrastructure and in cleaning up the data is now not simply a good idea—it’s a necessity.  Unfortunately, few IT departments are equipped to undertake such a project.

Thankfully, many tools exist to help, but it takes time and effort to evaluate all the tools and find the best ones for your business’s unique situation.  Some enterprises have decided that the fastest way to bring their Active Directory to maturity will be to outsource its management to a qualified managed services provider that has the monitoring, alerting, support, business processes and overall expertise necessary to manage such a mission-critical application.  Itergy is exactly that type of managed services provider.  Itergy monitors and manages Active Directory in 65 countries, 24/7 on behalf of its customers.  We make Active Directory the agile, secure, mature business application it was intended to be—the one your enterprise needs in order to succeed in the coming era of business and Cloud computing.
