Security Manager's Journal: Security left out of the loop again

A reorganization of the Active Directory architecture goes forward without the security manager even being informed

How did I get overlooked? I just found out my company's IT department has been working on a plan to reorganize our Windows Active Directory architecture and settings. Naturally, when I heard about this, I figured I needed to get involved. After all, Active Directory is all about security. It is at its core a tool to manage user access and permissions. Therefore, I need to be a part of the design team, if not running the whole show. I have some important considerations I'd like included in the new design. This is a perfect opportunity to optimize our security techniques and make improvements to our Active Directory infrastructure.

So imagine my surprise when I found out that our IT department's Windows gurus have already completed the new design. Not only that, but they also spent a lot of hours with Microsoft professional services in design sessions. This was paid for as part of our premier support plan, and it's already used up. When I asked for an opportunity to sit down with the Microsoft engineers to review the design and add my feedback and input, I was told the engagement has already ended. Somehow, I completely missed the boat, and I never even knew there was a boat until it was too late.

How did this come to pass? We are all working a lot harder these days, due to the economy and its associated cuts, staffing reductions and budget limitations. Everybody's wearing multiple hats and working on many things, so there's not always time to step back and look at the big picture. Also, in this case, I think they were in a rush to get the design done and then move on to other things, and involving me might have been perceived as adding additional complexity that would slow things down. I admit that's probably true, but sometimes it's good to slow down a little bit in order to do things right.

In any case, now that I've been left behind, I'm trying to run to catch up. The design is already done, but I'm hoping I will have a chance to make a few tweaks. In designing an Active Directory architecture, there are a lot of choices that fit different business and security needs. We can go with a single domain, or multiple domains, or hybrid approach with child domains, all of which have their own merits and drawbacks. The way our business is structured, I think a multiple domain approach within a single Active Directory forest makes sense, but the design calls for a single domain. We can also distribute domain controllers regionally, and even break up the Active Directory server roles. Our current design relies on centralized domain controllers, which I think will cause problems with some of our remote sites.

Our design team also decided on structuring Organizational Units (OUs) based on geographic locations rather than business groups, a decision I think will not be ideal for our situation. We have a need for different policies in different business units, rather than in different locations, and that's really the point of OUs. Finally, to save costs, the decision was made to use our main Active Directory domain controller as a corporate file server, which is not considered a best practice. Domain controllers should ideally be dedicated to the Active Directory function and not used for other purposes.

The best I can hope for at this point is a compromise on some of these issues, because it's too late to start over and change everything. I'll pick the ones I think are most important or least intrusive on the design and try to change what I can. As for the larger issue of why the security manager was not involved in the design of what is essentially a platform for security policy enforcement, I'm taking that up with my CIO to see what can be learned from this experience to avoid being left out in the future.

This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at jf.rice@engineer.com.

Join in

To join in the discussions about security, go to blogs.computerworld.com/security.

Related:

Copyright © 2010 IDG Communications, Inc.

  
Shop Tech Products at Amazon