Active Directory in Information Security


#1

Morning, everyone!

I just started working about six months ago for a large corporate company that, for the first time in my experience, actually has an Information Security department. We have a sub-department called Identity & Access Management just to orchestrate Active Directory. My question coming from this configuration is this:

Is this typical in large organizations today?

In the past, when I worked in general IT for large companies, we only had one small IT team and we did everything, including AD. Needless to say, this is all new to me.


#2

I’ve never worked in an environment like that; however, I have applied for positions at companies like that. I think it’s becoming more and more common for companies to start segregating their IT teams like that.

Also, congratulations on your new job! Going pretty well so far?


#3

Hey djmoore

Great question. Yeah, this is a fairly typical setup. There is a ton to IAM, especially if your org is in a regulated industry (Finserv, healthcare, etc.).

My preference is to have IAM fall under the CISO vs. the CIO, but that is a different topic altogether.

The nice thing about having a dedicated IAM team is they typically know the environment and tools really well, which is critical when things crash or you’re dealing with something cyber-bad.

The downside is that implementing new rules and changes can take a lot of time and multiple CAB/CRB meetings for approvals.

I suspect we will see stand-alone IAM/AD teams become a staple (typical) team for the foreseeable future.


#4

Thanks for the insight! Do you work in the corporate IT world?

Also, welcome to the forum. Thanks for joining up :slight_smile:


#5

That’s a new one for me as well. What kind of company is it? Identity and access management sounds like they control physical access and security as well (keypads, keycards, biometric security, etc.). Is that possible?


#6

Well there you go. You learn something new every day. Thanks for the fantastic answer and insight!:+1::ok_hand:


#7

Ooh, the follow-up question! lol

I currently work for a software coding training company. I am on the implementation side, so I often work with client AD/IAM teams (anyone who wants to use SSO to access our training platform).

Prior to this I was in consulting, working with orgs on security hygiene, posture, risk, etc., and before that building infosec programs in corporate America.

In the regulated industries, esp. Financial Services and Healthcare, they are req’d to show user access to apps and data when audited. Using IAM (especially if it is integrated with an HR app such as Workforce) allows the client to quickly/easily provide the “evidence” required. (NOTE: this is RARELY a quick & easy task lol.)

So, if you think about how many apps a large org could use, it could be in the hundreds or thousands (and maybe in the low 10,000s of apps). The trick is to prioritize the apps in terms of risk, and connect them (SAML/SSO) to a user in a way that makes it easy to ID user access ability and frequency.

Having a dedicated IAM team allows IT Ops to focus on uptime and ops while offloading the AD mgt (groups, users, etc.). In a complex environment that takes ppl, which creates a team. Even more, it is ideal to maintain a core group of ppl (team) doing this work b/c they understand the intricacies of how apps connect to data AND the restrictions on who can/can’t access specific data.

Using our own SCW platform as an example, there are 3 roles in descending order: Company Admins, Team Managers, End Users (developers). A user can only be assigned 1 role. A Company Admin can assign Assessments to Team Managers and Developers, but is not able/allowed to take an Assessment. This is because the Assessments are used for compliance and there are no checks and balances on whether the CA actually took and passed the Assessment! lol
Right? “hey CA did you take your Assessment?” “Of course I did! and passed with 100%!” hahaha, right. /s

In regulated industries, it is the same situation. Orgs (and their regulators and auditors) may not want an exec to have the same or greater privileged access to an application OR may not want an entire dept to have access to an app or dataset if only a handful of ppl really need it.

BTW, seasoned execs learn/know: the higher up you go, the less access you want. This is b/c the liability and risk are that much greater.

Hope this helps. Good luck in your new gig.
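The two IAM ideas in the post above (reconciling application access against the HR system of record to produce audit evidence, and a one-role-per-user model where a Company Admin can assign assessments but never take one) can be sketched in a few dozen lines. The following is an added example and is not code from the original thread or from the SCW platform; every employee, application and grant in it is constructed sample data, and the role names and rules are assumptions modelled on the post's description.

```python
"""Added example: HR-to-app access reconciliation and a one-role-per-user
separation-of-duties check. All data below is constructed for illustration;
the role names mirror the post's description and are assumptions."""
from dataclasses import dataclass

# Assumed role model, in descending order of privilege.
ROLES = ("company_admin", "team_manager", "developer")


@dataclass(frozen=True)
class Employee:
    """One row from the HR system of record (constructed)."""
    user_id: str
    status: str        # "active" or "terminated"
    department: str


@dataclass(frozen=True)
class AppAccess:
    """One role assignment for one user in one application."""
    app: str
    user_id: str
    role: str

    def __post_init__(self):
        if self.role not in ROLES:
            raise ValueError(f"unknown role {self.role!r}")


def reconcile_access(hr_roster, grants):
    """Compare application grants against HR and return auditor findings:
    ("orphaned", app, user)       grant for a user not active in HR
    ("duplicate_role", app, user) user holds more than one role in an app
    """
    roster = {e.user_id: e for e in hr_roster}
    first_role_seen = {}          # (app, user_id) -> role
    findings = []
    for g in grants:
        emp = roster.get(g.user_id)
        if emp is None or emp.status != "active":
            findings.append(("orphaned", g.app, g.user_id))
        key = (g.app, g.user_id)
        if key in first_role_seen and first_role_seen[key] != g.role:
            findings.append(("duplicate_role", g.app, g.user_id))
        first_role_seen.setdefault(key, g.role)
    return findings


def can_assign_assessment(grant):
    """Only the Company Admin role hands out assessments."""
    return grant.role == "company_admin"


def can_take_assessment(grant):
    """Separation of duties: the role that assigns assessments cannot also
    take them, so an admin can never self-certify."""
    return grant.role in ("team_manager", "developer")


def evidence_report(hr_roster, grants):
    """Per-app list of (user, role, hr_status): the 'who has access to what'
    evidence an auditor asks for, with the HR status beside each grant."""
    roster = {e.user_id: e for e in hr_roster}
    report = {}
    for g in grants:
        status = roster[g.user_id].status if g.user_id in roster else "not_in_hr"
        report.setdefault(g.app, []).append((g.user_id, g.role, status))
    for rows in report.values():
        rows.sort()
    return report


# Constructed sample data: one HR roster and one app's grants.
HR = [
    Employee("alice", "active", "engineering"),
    Employee("bob", "active", "engineering"),
    Employee("carol", "terminated", "finance"),
]
GRANTS = [
    AppAccess("training", "alice", "company_admin"),
    AppAccess("training", "bob", "developer"),
    AppAccess("training", "carol", "developer"),    # terminated, still has access
    AppAccess("training", "dave", "team_manager"),  # no HR record at all
    AppAccess("training", "bob", "team_manager"),   # second role for bob
]

if __name__ == "__main__":
    for finding in reconcile_access(HR, GRANTS):
        print(finding)
    for app, rows in evidence_report(HR, GRANTS).items():
        print(app, rows)
```

Run as a script it prints three findings (carol's grant after termination, dave's grant with no HR record, and bob's second role) followed by the per-app evidence rows. In a real environment the roster would come from the HR feed and the grants from AD group membership or the SSO provider's assignment list; the reconciliation logic is the same.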


#8

Wow! Quite a bit of experience in all kinds of different specialties there.

Sounds like that was kind of an exciting job, just because every client organization would have such wildly different needs.

Sounds pretty interesting, and sounds like a fun gig. How long have you been with them?


#9

Thanks! I am absolutely loving it. I am surrounded by super smart people and they are constantly elevating me and pushing me to learn new things.


#10

We are the largest healthcare insurance provider in Louisiana with over 2,500 employees, excluding contractors.

Our IAM team actually only controls logical access to IT resources, internal and external, which means there are actually two IAM teams: internal and external. My team will eventually be orchestrating the technologies around physical access (badge scanning, cameras, servers, etc…)


#11

It’s not. From what I know, we had a lot of stumbling blocks along the way, but we have a lot of processes in place to show that chain now.

But, there will always be the ones that want an exemption.


#12

That’s great. When you find an awesome job like that it makes everything worth it!