In the stampede to use (or at least talk about) cloud services, on-premises infrastructure gets little mention nowadays. But even though the cloud has hogged our attention for the past few years, the reality is that most of the data center that existed before the services revolution is still there today. And it’s more important than ever to protect it — in particular, your Active Directory forests that contain all your usernames and passwords.
Why has Active Directory become even more important to protect today? Most companies have chosen to adopt a hybrid identity model that extends their on-premises Active Directory to an Identity as a Service (IDaaS) provider such as Azure Active Directory. If you use Office 365, whether you know it or not, you have an Azure Active Directory instance in Microsoft’s cloud. With this hybrid model, users can authenticate to Office 365 and other SaaS apps with their corporate Active Directory credentials.
IT professionals tend to focus on the security around Office 365. This is good, but partly misses the point: if your on-premises Active Directory isn’t secure, it doesn’t matter how much you’ve locked down Office 365. Attackers will gain administrative access to a compromised Active Directory — and thus Office 365 — regardless of the controls you’ve put on it. They will go after the weakest link.
Therefore, even if your organization is pushing hard for Office 365 adoption, it’s important that your management team understands it also needs to secure its Active Directory foundation. In Active Directory’s early days, and even in its “tween years” (Active Directory is seventeen years old after all), organizations could get away with using only the Microsoft out-of-box tools to maintain the directory. Although Active Directory’s design has aged very well, the cybersecurity landscape has changed dramatically since the product was conceived.
As a result, a range of third-party security and operational tools are required — not optional — to keep Active Directory healthy and secure. Roughly ordered by importance, these tools include:
- Backup and recovery (going beyond restoring individual deleted objects)
- Threat detection
- Governance (identity lifecycle and access reviews to remove unneeded access)
Few companies have all these capabilities in place because the costs can be prohibitive. But what is the cost of not protecting your Active Directory foundation? Microsoft estimates that the average cost of a breach is 15 million dollars. Based on this estimate, detecting and avoiding a breach would pay back these tools’ costs in days.