IAM program continues to make strides with AD review
By Emily Rushton
The Identity and Access Management (IAM) team has been hard at work identifying University departments that manage their own Active Directory (AD) systems, a complex but necessary task.
“We started reaching out to all of the IT managers and Active Directory administrators who manage that system on a day-to-day basis,” said Subhasish Mitra, IAM senior program manager for the Information Security Office (ISO).
What they found were 18 AD domains that exist beyond the central AD system, meaning each of those departments manages and maintains its own AD, separate from the central AD. Twelve of those are trusted domains, like Huntsman Cancer Institute and College of Business, and six are “child” domains, belonging to departments like the Center for High Performance Computing and Continuing Education. Those six participated in a two-day risk assessment workshop with the IAM team and Microsoft to assess whether or not the systems were in good health.
Following the workshop, the IAM team met individually with each of the 18 departments to determine what the AD domains were being used for, how they were managed, and what application dependencies (if any) existed.
Based on the results, along with leadership directives, Mitra and his team decided to do a full architecture review – roughly five weeks of on-site engagement with Microsoft – to determine if any improvements can be made to the current AD system and processes.
“The intention is to have Microsoft come in and try to understand the whole landscape from a systems, security, network, and services standpoint,” said Mitra.
Over the course of those five weeks, Microsoft plans to meet individually with the IAM team, the pre-identified IT administrators, ISO, the UMail group, and the network team.
“Overall, we want to know how we stand from an architecture landscape point of view,” said Mitra. “Do we need to continue to operate as we have been, or do we need to make adjustments in order to provide better services?”
Adjustments could include allowing departments who run independent systems to be part of the central AD system, while still retaining complete independence and control in managing their own groups and resources.
“This would be for people who really don’t want to be in the business of administrating an Active Directory system,” said Mitra. “The benefit for them would be zero administration. It’s completely backed up, and it’s completely redundant.”
When the review is completed, Microsoft will collect all the data and make a best-practices-based recommendation. The end goal is to comply with Microsoft and industry-standard best practices, while providing quality services that are based on the AD system.
“It will be really exciting to see what Microsoft suggests,” said Mitra.
Once Microsoft provides its final recommendation and report, the IAM team will be able to establish a plan for the future. Whatever the outcome, one thing is certain: it’s a big step forward to a stronger, healthier, and more secure AD system overall.