Key goals in Active Directory migrations (4 of 4)
September 26, 2017
This is the last in our series about the four key goals in Active Directory migrations: accuracy, visibility, efficiency, and security. In this post, we share the criteria you can use to choose migration software that will keep your data secure as you migrate.
Complexity breeds potential security issues
It’s a rule of thumb: the more complex your environment is, the harder it is to secure. On the surface, a migration of Active Directory might not seem quite as complex as something like Exchange, where you have a lot of servers involved, routing information all over the world. But the thing about Active Directory is that it’s been in use for more than 17 years. Over that time, your organization has probably had several different administrators, and they likely each did things their own way. You also might not have kept Active Directory as up-to-date as you have other line-of-business applications. And you might have experimented with different architectures for your forests, which can get real complicated real fast.
What we find with many of our clients is that they have what amounts to a snarl of yarn, with permissions pointing every which way. So a big part of the migration process is to untangle that snarl. You don’t want to merely migrate over any “garbage” as we like to call it. Not only does this waste time, but it also poses a security threat. For example, it’s all too easy for hackers to take advantage of formerly inactive accounts that have elevated permissions. Or it doesn’t even have to be a malicious example. Maybe an internal user mistakenly activates an old account and gets access to things they shouldn’t. Neither of these scenarios is ideal.
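One way to find such accounts before anything is migrated is the audit below. It is an added example, not code from the original post or from any migration product, and it assumes the RSAT ActiveDirectory module, a 90-day inactivity threshold, the listed built-in groups, and a hypothetical output file name.

```powershell
# Added example: pre-migration audit of privileged accounts that are disabled,
# never used, or stale. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Assumptions: the 90-day threshold and this group list; adjust both.
$StaleAfterDays   = 90
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators'
$cutoff = (Get-Date).AddDays(-$StaleAfterDays)

$findings = foreach ($groupName in $PrivilegedGroups) {
    try {
        # -Recursive expands nested groups, where tangled permissions tend to hide.
        $members = Get-ADGroupMember -Identity $groupName -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' }
    } catch {
        # Some groups exist only in the forest root domain; report and move on.
        Write-Warning "Skipping '$groupName': $($_.Exception.Message)"
        continue
    }
    foreach ($member in $members) {
        # LastLogonDate is derived from lastLogonTimestamp, which replicates
        # with a lag of up to about two weeks, so treat it as approximate.
        $user = Get-ADUser -Identity $member.distinguishedName -Properties LastLogonDate
        $reason = if (-not $user.Enabled) { 'Disabled' }
                  elseif (-not $user.LastLogonDate) { 'NeverLoggedOn' }
                  elseif ($user.LastLogonDate -lt $cutoff) { 'Stale' }
        if ($reason) {
            [pscustomobject]@{
                SamAccountName    = $user.SamAccountName
                PrivilegedGroup   = $groupName
                Reason            = $reason
                LastLogonDate     = $user.LastLogonDate
                DistinguishedName = $user.DistinguishedName
            }
        }
    }
}

# Hypothetical output path: review this list and clean up before migrating.
$findings | Sort-Object SamAccountName, PrivilegedGroup |
    Export-Csv -Path .\premigration-privileged-inactive.csv -NoTypeInformation
```

Each row is an account that should be removed from the privileged group, or justified, in the source directory so that it is not carried into the target.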
Simplify and centralize
Migrations are a great opportunity to simplify and centralize your permissions, which will help keep your organization more secure in the long run, too. And as you simplify things, you also need to make sure you don’t cause any new issues. For example, you need to make sure that:
- You don’t unnecessarily open holes in your firewall
- Users retain access to the resources they need
- Users don’t get elevated access to things they shouldn’t see
- Inactive accounts don’t reactivate and create security vulnerabilities
Depending on the migration solution you choose, some of these things are easier than others. Let’s talk through what you need to look for as you’re evaluating your options.
Avoid opening holes in your firewall
Your migration software should be designed in such a way that it keeps your data secure as it migrates. Unfortunately, many competing tools have requirements that pose security risks. For example, Microsoft Active Directory Migration Tool (ADMT) and many third-party tools use common remote procedure calls (RPCs). These initiate the communication from the server to the workstation, which means you need to open 60,000 high ports from your service subnet to the end-user subnet. It's a server-client design.
Contrast this with the Binary Tree solution. Our Active Directory Pro doesn’t have any technical requirements that add risk. It’s a client-server design, which is more secure and also more efficient. The client calls home to the migration server periodically to get its tasks, which takes the burden off the migration console. Active Directory Pro also uses standard internet protocols for communication, which are firewall-friendly and secure. It speaks only over ports 80 or 443, and that communication is always one way: from the client to the migration console. This design is much more secure because it opens only a single port in your firewall, rather than thousands.
Use consistent profiles for users and groups
The next thing to look at is how well your migration solution helps you make sure that everyone gets the permissions they need. Our Active Directory Pro lets you do this with profiles. You can create different profiles for different users with different settings. If you’re migrating someone in Singapore, you’d have a Singapore network profile. This helps you keep permissions more consistent across users and groups.
Find and fix issues before you migrate
Active Directory Pro also lets you do a dry run of your migration to make sure that everything will work as you expect. It generates “what if” reports that show you simulated results of what would happen if you ran the migration with these settings. This helps you double-check that users will have the expected permissions after migration.
Don’t gamble on the security of your next migration. See more about how Active Directory Pro keeps everything secure as you migrate. Or contact us to chat more about how we can help with your next migration.