Managing Active Directory: Who Owns This Responsibility?
February 18, 2020
The key question often debated is whether Active Directory is owned by multiple teams or by a stand-alone IT, security or directory team. Depending on who you ask within the organization, you may get several different views. So how do you split the management responsibility around Active Directory?
Let's break down a few executive points of view from around the enterprise organization:
CIO Point of View
Active Directory was traditionally owned by the server and infrastructure teams that report up to the CIO. Since the CIO is the business owner, the IT and application owners are responsible from capability, process and functionality perspectives. But with the arrival of public-key infrastructure (PKI), single sign-on (SSO), identity and access management (IAM), and federated authentication, it became apparent that a team focused on identity was needed. Although the server team still owns the core Active Directory in their organization, two new teams have been created: an IAM team that concentrates on the tools that enable authentication, including account provisioning, and a networking team that owns DNS and Dynamic Host Configuration Protocol (DHCP).
CISO Point of View
A chief information security officer (CISO) believes Active Directory is a core IAM service that should be owned by the IT security team. Especially in large organizations, CISOs may say Active Directory should be owned by the security group, given that it is the nucleus of access control: accounts and groups. Although IT security teams run Active Directory together with IT admins, it is the security team that develops the organizational structure and the rules surrounding that structure for IT admins to follow. In this arrangement, IT manages the domain controllers and hierarchy, the security team plans the security requirements, and accounts and groups are created by identity management.
COO Point of View
Active Directory is managed by the operations team, which handles account creation and deactivation, permission assignment to folders, printer management, etc. However, the security team also has responsibilities, mainly focused on policies and compliance, to ensure that the operations team is configuring Active Directory according to the established policies.
CEO Point of View
A CEO believes if Active Directory is used as an application, its ownership should have the following structure:
- CIO’s infrastructure team is responsible for all hardware and software, and owns tasks such as updates, replication, backup and so on
- CISO’s security teams operate the application on behalf of the application owner, setting rules for documentation and approvals when changes are needed, and managing all the aspects around maintaining the security of Active Directory
- The application owner is responsible for Active Directory migrations and authorizing changes such as adding users and groups, changing permissions and so on
At Binary Tree, we’ve worked on the largest and most complex Active Directory environments on the planet. The most successful Active Directory team we frequently see with our clients is a team that divides the responsibility among the following three important areas:
- Directory services infrastructure and operations – Responsible for the design, deployment and management of the ‘physical’ Active Directory bits: domain controller placement, site design, replication design, etc.
- Directory services architecture and integrations – Responsible for the organizational layout, what data is allowed to go into Active Directory, what attributes are used to store that information, and applying delegations
- IT security – Establishes the guardrails within which the service is operated: password length, complexity and age standards. They determine the business processes to be followed for approval of privilege delegation/escalation and the minimum requirements, such as MFA, for logon access to a domain controller.
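The password guardrails named above (length, complexity and age) are the part of this split that the security team can verify mechanically against what the operations team actually configured. The following is an added example, not code from the original post or from Binary Tree: it reads the default domain password policy and any fine-grained password policies with the ActiveDirectory RSAT module and reports every setting weaker than a baseline. The baseline values in `$Baseline` are constructed placeholders standing in for whatever IT security publishes, not recommendations from the post.

```powershell
# Added example (not from the original post): audit configured password
# guardrails against a baseline published by IT security.
# Assumes a domain-joined host with the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# Hypothetical baseline (constructed values; substitute your own standard).
$Baseline = @{
    MinPasswordLength  = 14
    ComplexityEnabled  = $true
    MaxPasswordAgeDays = 365   # upper bound on password age
    MinPasswordAgeDays = 1     # prevents immediate re-use cycling
    LockoutThreshold   = 10    # 0 means lockout is disabled
}

function Test-PasswordPolicyAgainstBaseline {
    # Compares one policy object (default domain policy or a fine-grained
    # policy) with the baseline and returns a list of finding strings.
    param(
        [Parameter(Mandatory)] $Policy,
        [Parameter(Mandatory)] [hashtable] $Baseline,
        [string] $Label = 'Default domain policy'
    )
    $findings = @()

    if ($Policy.MinPasswordLength -lt $Baseline.MinPasswordLength) {
        $findings += "$Label`: MinPasswordLength is $($Policy.MinPasswordLength), baseline requires $($Baseline.MinPasswordLength)"
    }
    if ($Baseline.ComplexityEnabled -and -not $Policy.ComplexityEnabled) {
        $findings += "$Label`: password complexity is disabled"
    }
    # A zero MaxPasswordAge is treated here as 'passwords never expire'
    # (assumption about how the cmdlet reports that setting).
    $maxAge = $Policy.MaxPasswordAge.TotalDays
    if ($maxAge -eq 0 -or $maxAge -gt $Baseline.MaxPasswordAgeDays) {
        $findings += "$Label`: MaxPasswordAge is $maxAge days, baseline allows at most $($Baseline.MaxPasswordAgeDays)"
    }
    if ($Policy.MinPasswordAge.TotalDays -lt $Baseline.MinPasswordAgeDays) {
        $findings += "$Label`: MinPasswordAge is $($Policy.MinPasswordAge.TotalDays) days, baseline requires at least $($Baseline.MinPasswordAgeDays)"
    }
    if ($Policy.LockoutThreshold -eq 0 -or $Policy.LockoutThreshold -gt $Baseline.LockoutThreshold) {
        $findings += "$Label`: LockoutThreshold is $($Policy.LockoutThreshold), baseline requires 1..$($Baseline.LockoutThreshold)"
    }
    return $findings
}

function Invoke-DomainPasswordGuardrailAudit {
    param([Parameter(Mandatory)] [hashtable] $Baseline)

    $all = @()
    $default = Get-ADDefaultDomainPasswordPolicy
    $all += Test-PasswordPolicyAgainstBaseline -Policy $default -Baseline $Baseline

    # Fine-grained password policies override the default for the
    # principals they apply to, so each one must meet the baseline too.
    foreach ($fgpp in (Get-ADFineGrainedPasswordPolicy -Filter *)) {
        $label = "FGPP '$($fgpp.Name)' (precedence $($fgpp.Precedence))"
        $all += Test-PasswordPolicyAgainstBaseline -Policy $fgpp -Baseline $Baseline -Label $label
    }
    return $all
}

$findings = Invoke-DomainPasswordGuardrailAudit -Baseline $Baseline
if ($findings.Count -eq 0) {
    Write-Output 'All password policies meet the baseline.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Running this from a workstation with RSAT installed needs only read access to the domain, which keeps it usable by the security team without granting them the operational rights the post reserves for the infrastructure and architecture teams. Fine-grained policies are included because a permissive FGPP applied to a privileged group silently undoes a strict default domain policy.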
Even though Active Directory is almost 20 years old, with plenty of industry guidance on the ins and outs of managing it, it is no less complex today than when it first came out. Whichever team is designated to own the responsibility of managing your Active Directory, we encourage you to build shared responsibility into your strategy.
To find out more about how Binary Tree can position you for success on your next Active Directory project, get in touch with us.