High-profile, wide-ranging cybersecurity breaches—the SolarWinds supply chain attack, the Colonial Pipeline ransomware incident, and the Russian hacking of Microsoft—have brutally exposed the consequences of inadequate identity security controls.
Stolen or mishandled credentials, lateral movement by hackers looking for sensitive data across a compromised network, and privilege escalation (in which a hacker gains unauthorized access) remain the go-to tactics for today’s cybercriminals. Despite massive investments to combat these threats with new security tools and technologies, a fundamental weakness in identity and access management (IAM) continues to vex enterprises of all sizes.
Though IAM ostensibly ensures that access to networks and apps is limited to authorized users, weak IAM approaches mean organizations are breached too quickly and often. A weak IAM approach can include:
A lack of multi-factor authentication (MFA) makes phishing or brute attacks more likely, Granting excessive access privileges around sensitive company data, Ignoring poor password management by employees, and risking credential theft.
A failure to fully monitor access activities or having inadequate controls around access,
Security gaps are created by cobbling together point solutions and making it easier for compromised accounts to move laterally within a system. As the threat landscape intensifies, businesses can no longer afford to treat identity management as an afterthought.
Across industries, security and IT leaders are grappling with the harsh reality that their organization’s Achilles’ heel—the weakness that threatens organizational failure—may lie in the systems they rely on to authenticate and authorize access: Microsoft Active Directory (AD).
The history of AD
If you’re an IT admin, you’ve run into Active Directory at some point. AD has been the backbone of identity management for over two decades, for good or ill. Developed by Microsoft for Microsoft-dominated IT infrastructures, AD has become the de facto standard for authentication and access control for many organizations. Its widespread adoption is due to the deep integration of AD with the Windows operating system and the robust set of management tools and features it provides.
Despite its prevalence, keeping AD secure is a challenging feat. As security requirements become more stringent, cloud computing accelerates, and organizations adopt more heterogeneous device environments (i.e., a mix of managed and BYOD devices running on macOS, Windows, Linux, Android, etc.), the AD approach to IAM carries too many risks. Because it’s designed for on-premise use, AD has no native method for connecting agents to the cloud. This makes it incredibly difficult to secure access for remote workers and cloud resources, not to mention those outside of the Windows environment.
Because AD only supports on-premise environments, many users hoped that Microsoft’s Entra ID (formerly Azure ID) would be a cloud-based alternative with the same functionality. But Entra ID isn’t a lift-and-shift replacement for Microsoft AD; it’s a separate platform that locks customers into a new Microsoft ecosystem.
It doesn’t manage on-premise systems or non-Windows endpoints and requires integrations with domain controllers or add-on services to access network resources. Older, locally-operated, and -managed applications can’t support the multi-factor authentication methods Entra ID requires to confirm identity, namely FIDO2 security keys, OAuth tokens, or the Microsoft Authenticator app. Entra ID may be a cloud directory, but you can’t replace Microsoft AD—or rid yourself of its associated challenges— just by adopting it.
The problems with securing Microsoft AD
Despite its widespread use, AD presents several significant security challenges:
Outdated and vulnerable service accounts: Many organizations have legacy accounts with excessive privileges and lax security policies, leaving them vulnerable to potential compromise. As AD environments grow, legacy service accounts accumulate and can remain enabled with excessive permissions, even if they are no longer actively used.
Lack of consistent security policy enforcement: AD implementations are often left to follow a “live and let live” approach to enforcing security policies. Without enforcement, this can lead to weak password requirements, lack of password expiration, and insufficient auditing of service account activities within AD.
Complexity and cost: Frequently, AD configurations require multiple and complex forest configurations to establish logical separation of administrators, which can be daunting for organizations to manage and secure effectively. When you add a budget for licensing, hardware, implementation and migration, training and staffing, and infrastructure and operational needs, many organizations using AD find themselves tethered to an aging legacy system that lacks the flexibility, scalability, and cost-saving potential of more modern solutions.
Modernising AD
Despite these issues, many organizations will continue to use AD. When we polled admins during a recent webinar, while 50% of IT teams said they plan to migrate away from AD completely, 34% said they’d minimize their AD footprint and maintain it for critical applications. 16% said they’ll keep AD as-is and extend it to the cloud.
Some business-critical or legacy applications only work with AD as the backend, and some teams may not be able to access resources like Windows file servers or print servers. These are optimally designed for AD, or they may work in a highly regulated environment that requires authentication stores to remain on-premises.
Others may be in an in-between state as they transition to the cloud. Modernising AD is critical for many organizations who want to bridge some of AD’s functionality without introducing security vulnerabilities. Modernizing a few tips to get started, no matter where you are on your AD modernization journey.
Extend AD to the cloud:
Integrate AD with a cloud-based identity and access management (IAM) solution to extend user access to cloud resources like SaaS applications, VPNs, Wi-Fi, and non-Windows devices.
Synchronise AD users, groups, and credentials to the cloud IAM solution, enabling centralized management and authentication.
Minimize the AD footprint:
Maintain AD only for mission-critical Windows servers or applications that cannot be migrated or decommissioned.
Reduce the number of domain controllers and their locations, as fewer users and devices rely on AD authentication.
Migrate end-user Windows computers from AD to the cloud IAM solution, eliminating the need for direct AD connectivity for these devices.
Manage AD from the cloud:
Utilize the cloud IAM solution to create, suspend, and manage user accounts and security group memberships, with real-time changes propagated to AD.
Minimize logging into AD servers directly for user and group management.
Migrate away from AD:
Provision access to cloud resources (SaaS apps, LDAP, RADIUS) for users managed in the cloud IAM solution and migrated Windows devices.
Replace Windows file servers with cloud storage solutions or network-attached storage (NAS) systems that support LDAP authentication.
Migrate legacy applications to cloud-based alternatives or solutions that support modern authentication protocols.
Migrate networking hardware and services to support LDAP and RADIUS authentication from the cloud IAM solution.
Decommission and retire the remaining AD infrastructure once all dependencies have been migrated or replaced.
Whether you’re looking to leave AD behind entirely or find a way to co-exist, simply keeping antiquated AD implementations as-is creates an unacceptable risk posture in today’s hostile cybersecurity landscape. Even temporarily, organizations that choose to keep AD must prioritize securing and modernizing their AD environments through robust access controls, consistent security policy enforcement, and integration with cloud IAM solutions.
AD modernization is an essential bridge to a more secure future. It reduces risk while positioning the business for a complete transition to modern, cloud-native identity management.
Robust identity management has never been more critical. The delta between the flexibility and agility of a cloud-forward approach and the complicated, expensive, and antiquated on-premises approach is only growing.
Embracing an AD modernization strategy developed around evolving identity needs enables organizations of all sizes to protect identities, safeguard critical assets, and strengthen points of organizational weakness.
Stolen or mishandled credentials, lateral movement by hackers looking for sensitive data across a compromised network, and privilege escalation (in which a hacker gains unauthorized access) remain the go-to tactics for today’s cybercriminals. Despite massive investments to combat these threats with new security tools and technologies, a fundamental weakness in identity and access management (IAM) continues to vex enterprises of all sizes.
Though IAM ostensibly ensures that access to networks and apps is limited to authorized users, weak IAM approaches mean organizations are breached too quickly and often. A weak IAM approach can include:
A lack of multi-factor authentication (MFA) makes phishing or brute attacks more likely, Granting excessive access privileges around sensitive company data, Ignoring poor password management by employees, and risking credential theft.
A failure to fully monitor access activities or having inadequate controls around access,
Security gaps are created by cobbling together point solutions and making it easier for compromised accounts to move laterally within a system. As the threat landscape intensifies, businesses can no longer afford to treat identity management as an afterthought.
Across industries, security and IT leaders are grappling with the harsh reality that their organization’s Achilles’ heel—the weakness that threatens organizational failure—may lie in the systems they rely on to authenticate and authorize access: Microsoft Active Directory (AD).
The history of AD
If you’re an IT admin, you’ve run into Active Directory at some point. AD has been the backbone of identity management for over two decades, for good or ill. Developed by Microsoft for Microsoft-dominated IT infrastructures, AD has become the de facto standard for authentication and access control for many organizations. Its widespread adoption is due to the deep integration of AD with the Windows operating system and the robust set of management tools and features it provides.
Despite its prevalence, keeping AD secure is a challenging feat. As security requirements become more stringent, cloud computing accelerates, and organizations adopt more heterogeneous device environments (i.e., a mix of managed and BYOD devices running on macOS, Windows, Linux, Android, etc.), the AD approach to IAM carries too many risks. Because it’s designed for on-premise use, AD has no native method for connecting agents to the cloud. This makes it incredibly difficult to secure access for remote workers and cloud resources, not to mention those outside of the Windows environment.
Because AD only supports on-premise environments, many users hoped that Microsoft’s Entra ID (formerly Azure ID) would be a cloud-based alternative with the same functionality. But Entra ID isn’t a lift-and-shift replacement for Microsoft AD; it’s a separate platform that locks customers into a new Microsoft ecosystem.
It doesn’t manage on-premise systems or non-Windows endpoints and requires integrations with domain controllers or add-on services to access network resources. Older, locally-operated, and -managed applications can’t support the multi-factor authentication methods Entra ID requires to confirm identity, namely FIDO2 security keys, OAuth tokens, or the Microsoft Authenticator app. Entra ID may be a cloud directory, but you can’t replace Microsoft AD—or rid yourself of its associated challenges— just by adopting it.
The problems with securing Microsoft AD
Despite its widespread use, AD presents several significant security challenges:
Outdated and vulnerable service accounts: Many organizations have legacy accounts with excessive privileges and lax security policies, leaving them vulnerable to potential compromise. As AD environments grow, legacy service accounts accumulate and can remain enabled with excessive permissions, even if they are no longer actively used.
Lack of consistent security policy enforcement: AD implementations are often left to follow a “live and let live” approach to enforcing security policies. Without enforcement, this can lead to weak password requirements, lack of password expiration, and insufficient auditing of service account activities within AD.
Complexity and cost: Frequently, AD configurations require multiple and complex forest configurations to establish logical separation of administrators, which can be daunting for organizations to manage and secure effectively. When you add a budget for licensing, hardware, implementation and migration, training and staffing, and infrastructure and operational needs, many organizations using AD find themselves tethered to an aging legacy system that lacks the flexibility, scalability, and cost-saving potential of more modern solutions.
Modernising AD
Despite these issues, many organizations will continue to use AD. When we polled admins during a recent webinar, while 50% of IT teams said they plan to migrate away from AD completely, 34% said they’d minimize their AD footprint and maintain it for critical applications. 16% said they’ll keep AD as-is and extend it to the cloud.
Some business-critical or legacy applications only work with AD as the backend, and some teams may not be able to access resources like Windows file servers or print servers. These are optimally designed for AD, or they may work in a highly regulated environment that requires authentication stores to remain on-premises.
Others may be in an in-between state as they transition to the cloud. Modernising AD is critical for many organizations who want to bridge some of AD’s functionality without introducing security vulnerabilities. Modernizing a few tips to get started, no matter where you are on your AD modernization journey.
Extend AD to the cloud:
Integrate AD with a cloud-based identity and access management (IAM) solution to extend user access to cloud resources like SaaS applications, VPNs, Wi-Fi, and non-Windows devices.
Synchronise AD users, groups, and credentials to the cloud IAM solution, enabling centralized management and authentication.
Minimize the AD footprint:
Maintain AD only for mission-critical Windows servers or applications that cannot be migrated or decommissioned.
Reduce the number of domain controllers and their locations, as fewer users and devices rely on AD authentication.
Migrate end-user Windows computers from AD to the cloud IAM solution, eliminating the need for direct AD connectivity for these devices.
Manage AD from the cloud:
Utilize the cloud IAM solution to create, suspend, and manage user accounts and security group memberships, with real-time changes propagated to AD.
Minimize logging into AD servers directly for user and group management.
Migrate away from AD:
Provision access to cloud resources (SaaS apps, LDAP, RADIUS) for users managed in the cloud IAM solution and migrated Windows devices.
Replace Windows file servers with cloud storage solutions or network-attached storage (NAS) systems that support LDAP authentication.
Migrate legacy applications to cloud-based alternatives or solutions that support modern authentication protocols.
Migrate networking hardware and services to support LDAP and RADIUS authentication from the cloud IAM solution.
Decommission and retire the remaining AD infrastructure once all dependencies have been migrated or replaced.
Whether you’re looking to leave AD behind entirely or find a way to co-exist, simply keeping antiquated AD implementations as-is creates an unacceptable risk posture in today’s hostile cybersecurity landscape. Even temporarily, organizations that choose to keep AD must prioritize securing and modernizing their AD environments through robust access controls, consistent security policy enforcement, and integration with cloud IAM solutions.
AD modernization is an essential bridge to a more secure future. It reduces risk while positioning the business for a complete transition to modern, cloud-native identity management.
Robust identity management has never been more critical. The delta between the flexibility and agility of a cloud-forward approach and the complicated, expensive, and antiquated on-premises approach is only growing.
Embracing an AD modernization strategy developed around evolving identity needs enables organizations of all sizes to protect identities, safeguard critical assets, and strengthen points of organizational weakness.