The NCSAM series week 1 - If you can connect something, protect it.

October is Cybersecurity Awareness Month, observed in the US since the National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security (DHS) launched it in 2004 and adopted in many other countries since. It is aimed at educating people about practices for keeping their environments secure. The theme for 2020 is 'Do your part. Be cyber smart'.

To keep with this year's theme, this series will focus on easy-to-implement measures for each week's topic that keep Active Directory (AD) secure without getting in the way of day-to-day administration. This week's post covers the idea "If you can connect something, then protect it". In an AD context, this means: whenever you open up access to your AD, put the controls in place at the same time, so that the access does not itself become a vulnerability.


Chances are your organization has delegated IAM or AD operations to help desk technicians to reduce the burden on admins and balance the workload. But if the delegated rights are not granular, you end up delegating more than the task needs. For example, a technician who only needs to reset passwords could end up with permission to change group memberships or other attributes, that is, to elevate the rights of user accounts. This puts your entire AD, and the organizational data it protects, at risk. So, as you delegate access to your AD, here are a few pointers to keep that access secure. ADManager Plus lets you delegate granular, task-based access to as many technicians as needed while keeping to the principle of least privilege.

1. Take stock of the tasks to be delegated and their required permissions

Determine the AD management tasks to be delegated to staff outside the admin team, such as help desk technicians, HR staff and business managers, and the minimum permissions each task needs. A password reset, for instance, needs only the "Reset Password" right on user objects in the relevant OUs, not write access to every attribute of those objects.

2. Create a delegation policy with clearly defined roles

Once the tasks are established, create delegation roles and group the technicians accordingly. Make sure each group carries only the permissions its role requires.

3. Set up role-based access to IAM operations

Now that the roles are created and the tasks to be delegated are established, assign these roles to the appropriate users so they can perform only the delegated operations.

4. Ensure adherence to organizational and IT security policies

To ensure that delegated technicians do not misuse their rights or perform unauthorized operations, supervise the delegated actions and keep track of all their activities with audit reports.
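As an added, concrete illustration of steps 1 to 4 using native Windows tooling (this is not ADManager Plus code and is not from the original post), the following PowerShell script delegates exactly the rights a password-reset role needs on one OU, then audits that OU for explicit permissions that grant far more than that. The domain, OU and group names are assumptions; the schema and extended-right GUIDs are looked up from the forest rather than hard-coded. Run it from a host with RSAT installed, as an account allowed to modify the OU's security descriptor.

```powershell
# Added example, not ADManager Plus code. Delegate only "reset password" (plus the two
# attributes needed to force a change at next logon and to unlock) on one OU to a help
# desk group, then audit the OU for anyone holding broader rights than that.
# Assumptions: OU "OU=Staff,DC=contoso,DC=local" and group "HelpDesk-PwdReset" (hypothetical).
Import-Module ActiveDirectory

$ou        = 'OU=Staff,DC=contoso,DC=local'   # assumed target OU
$groupName = 'HelpDesk-PwdReset'                # assumed delegation group
$rootDse   = Get-ADRootDSE

# Resolve GUIDs from the schema / Extended-Rights container instead of hard-coding them.
function Get-SchemaGuid([string]$ldapName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
         -LDAPFilter "(lDAPDisplayName=$ldapName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-RightGuid([string]$displayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
         -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}

$userClass   = Get-SchemaGuid 'user'
$pwdLastSet  = Get-SchemaGuid 'pwdLastSet'
$lockoutTime = Get-SchemaGuid 'lockoutTime'
$resetPwd    = Get-RightGuid  'Reset Password'

# Steps 1-3: one task, one role, one group, least privilege.
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope DomainLocal -Path $ou -PassThru
}
$sid     = [System.Security.Principal.SecurityIdentifier]$group.SID
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$acl = Get-Acl -Path "AD:\$ou"
$rules = @(
    # Extended right "Reset Password", scoped to user objects only: no GenericAll, no group writes.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'ExtendedRight',  $allow, $resetPwd,    $inherit, $userClass),
    # Write pwdLastSet so the technician can tick "user must change password at next logon".
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'WriteProperty',  $allow, $pwdLastSet,  $inherit, $userClass),
    # Write lockoutTime so the technician can unlock a locked-out account.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'WriteProperty',  $allow, $lockoutTime, $inherit, $userClass)
)
$rules | ForEach-Object { $acl.AddAccessRule($_) }
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Step 4: audit. Any explicit Allow ACE on the OU that grants full control, DACL/owner writes,
# write to all properties, or write to "member" (the way a technician makes themselves an admin)
# is the over-delegation the post warns about. Extend the exclusion list with your own admin groups.
function Find-BroadDelegation([string]$dn) {
    $broad      = 'GenericAll|GenericWrite|WriteDacl|WriteOwner'
    $memberAttr = Get-SchemaGuid 'member'
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited } |
        Where-Object {
            ($_.ActiveDirectoryRights -match $broad) -or
            ($_.ActiveDirectoryRights -match 'WriteProperty' -and $_.ObjectType -eq [guid]::Empty) -or
            ($_.ActiveDirectoryRights -match 'WriteProperty' -and $_.ObjectType -eq $memberAttr)
        } |
        Where-Object { $_.IdentityReference -notmatch 'Domain Admins|Enterprise Admins|^NT AUTHORITY\\SYSTEM$|^BUILTIN\\Administrators$' } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType
}

Find-BroadDelegation $ou | Format-Table -AutoSize
```

Note the two things the script deliberately does not grant: it does not give the group write access to the `member` attribute of groups, and it does not use `GenericAll`, which is what a hastily configured "Delegate Control" often ends up with. Re-run `Find-BroadDelegation` against each delegated OU periodically; an empty result is the state you want, and anything it lists is a right to inventory, justify or remove.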

 

If you have been delegating IAM rights to employees without a clear delegation model or tracking mechanism, it's time to inventory the delegated actions and the users who hold them, reassess them, and reassign the rights to restore least privilege and adherence to security policy. With ADManager Plus you can:

  • Assign permissions for delegated tasks at the product level while the technicians' actual privileges in Active Directory remain unchanged.

  • Get pre-built delegation audit reports and technician-specific reports to keep track of delegated activities.

  • Manage AD groups and access permissions in bulk.

  • Generate reports on permissions assigned to AD users and groups without scripting.


Cheers,
Team ADManager Plus
