We all remember how it started, don’t we?
Microsoft Active Directory was implemented, and practically everyone at the organization had an account. It was only practical to redirect other applications to authenticate to AD. You made groups for each redirected application and added the people who should have access to that application to the group. Over time you directed authorization to AD groups as well, which meant you made AD groups for the different authZ combinations. The organization started using Distribution Lists, which meant that either business users were given rights in AD Users and Computers to create DL group objects, or, if they weren’t granted that access, the burden fell on AD admins. As AD became more business critical, your AD admins couldn’t field all of the activity and requests.
The next thing you knew, you had more groups than users, and no good descriptions of or understanding of what was out there! It was hard to audit, hard to figure out how many duplicate or near-duplicate groups there were, and hard to know when someone got or lost access.
Were you part of this process?
It’s possible that you embraced Microsoft Identity Manager (MIM), which provides automated identity lifecycle management for the enterprise and some more advanced capabilities. This ties into Microsoft’s Enterprise and Mobility Suite (EMS+) to help ensure security. It helped with efficiency, but you still needed to provide governance around identities and access.
There are variants on the story; some organizations have non-MS automation in place to move people in and out of groups, for example. Others have bought or built a tool so non-admins don’t have to go into AD Users and Computers to create groups. However, almost every org struggles with group duplication, membership staleness, and challenges with auditing and compliance.
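The duplicate and near-duplicate groups described above are easy to measure once group membership is exported. The following script is an added example, not code from the original post or from Saviynt: it takes a flattened group-to-member export (the constructed sample below is in the shape a `Get-ADGroup | Get-ADGroupMember` dump saved as CSV would have, with the column names `Group` and `Member` assumed) and reports groups with identical membership, groups whose membership overlaps above a Jaccard threshold, and groups with no members at all. Those three lists are a reasonable first pass at sizing a clean-up before a directory is extended to the cloud.

```python
"""Size AD group sprawl from a membership export (added example, not the post's code)."""
import csv
import io
from itertools import combinations

# Constructed sample export, not real directory data. One row per (group, member);
# a row with an empty Member cell records a group that has no members.
SAMPLE_EXPORT = """\
Group,Member
APP-CRM-Users,alice
APP-CRM-Users,bob
APP-CRM-Users,carol
CRM Users (old),alice
CRM Users (old),bob
CRM Users (old),carol
DL-Sales,alice
DL-Sales,bob
DL-Sales,dave
DL-Sales-Team,alice
DL-Sales-Team,bob
DL-Sales-Team,dave
DL-Sales-Team,erin
APP-Legacy-Report,
"""


def load_memberships(csv_text):
    """Return {group name: frozenset of member names} from a Group,Member CSV export."""
    members = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        group = row["Group"].strip()
        member = (row.get("Member") or "").strip()
        bucket = members.setdefault(group, set())
        if member:  # an empty Member cell only registers the group
            bucket.add(member)
    return {g: frozenset(m) for g, m in members.items()}


def find_exact_duplicates(groups):
    """Groups whose (non-empty) member sets are identical, as sorted lists of names."""
    by_members = {}
    for name, member_set in groups.items():
        if member_set:
            by_members.setdefault(member_set, []).append(name)
    return sorted(sorted(names) for names in by_members.values() if len(names) > 1)


def jaccard(a, b):
    """Overlap of two member sets: |a & b| / |a | b| (0.0 when both are empty)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def find_near_duplicates(groups, threshold=0.75):
    """Pairs of groups with threshold <= Jaccard < 1.0; exact matches are reported separately."""
    pairs = []
    for (name_a, set_a), (name_b, set_b) in combinations(sorted(groups.items()), 2):
        score = jaccard(set_a, set_b)
        if threshold <= score < 1.0:
            pairs.append((name_a, name_b, round(score, 3)))
    return sorted(pairs, key=lambda p: (-p[2], p[0], p[1]))


def find_empty_groups(groups):
    """Groups with no members: candidates for deletion after confirming nothing references them."""
    return sorted(name for name, member_set in groups.items() if not member_set)


def audit_report(csv_text, threshold=0.75):
    """Run all three checks over one export and return the findings in a dict."""
    groups = load_memberships(csv_text)
    return {
        "group_count": len(groups),
        "exact_duplicates": find_exact_duplicates(groups),
        "near_duplicates": find_near_duplicates(groups, threshold),
        "empty_groups": find_empty_groups(groups),
    }


if __name__ == "__main__":
    for key, value in audit_report(SAMPLE_EXPORT).items():
        print(f"{key}: {value}")
```

The threshold is deliberately a parameter: at 0.75 the sample only flags the two sales lists, while lowering it to 0.5 also pairs the CRM groups with `DL-Sales`, which is usually noise. The script does not resolve nested groups; if the export contains group objects as members, expand them before loading, or the near-duplicate scores will understate real overlap.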
And now, it’s time to go to the cloud.
It’s likely you want to move to Azure AD, and you are looking at DirSync or Azure AD Connect to extend your on-premises AD into the cloud. However, conventional wisdom (CW) says that before you do so, you really need to iron out your current group data and get a governance process in place. The clean-up project will take months at best, and the goal is to be in Azure by then, not still starting the plan.
The pain of growth is real!
Over and over I hear from companies how they want to make the jump to cloud, but they have to either scrap their present security and start anew, or go through an exhaustive and predominantly manual rearrangement of nested and duplicate groups. And over and over I hear people say, there has to be some easier way to do this.
The good news is yes, there is an easier way.
A more comprehensive, secure, and flexible way.
Saviynt Express leverages your existing investment in Microsoft AD and MIM by using these as the foundation to extend identity into the cloud and other applications such as your HR, ERP or ITSM solutions. The AD group complexity is streamlined, bringing true agility to your environment while injecting governance, approval, and auditing into the process. Business users no longer have to have excessive administrative access to make Distribution Lists for business purposes, but instead have an easy, form-based way to create lists.
Digital transformation, previously so elusive, is now attainable without having to rip out and replace existing implementations and processes. Best of all, it doesn’t require a monolithic, multi-year services engagement. Rather, there’s swift deployment and value with Saviynt Express.
Come see more about how Saviynt is helping our customers through these growing pains and smoothing the way for them during our webinar with our partner, Oxford Computer Group on February 19th. Register here!