After working with Active Directory for longer than I care to confess, the term ‘Zero Trust’ has bubbled up just about everywhere I look. For years, I ignored it, mostly because it sounds too good to be true. I assumed – as with some industry buzzwords – there couldn’t be much substance behind it. Well, now that the term has evolved and been defined, I understand the purpose of Zero Trust and how it applies to the systems I’m responsible for securing – Active Directory (AD).
I had the great opportunity to do a webcast with Nick Cavalancia on this exact topic. In discussing AD with Nick, many things came to light. As we prepared for the webcast, I began to realize exactly how Zero Trust applies to AD. Basically – it doesn’t. At its core, AD is a single sign-on solution designed to provide a user experience with access to objects. Of course, there are many security-type things you can do in AD that will enhance the security of the directory. Concepts such as ‘least privilege’ have been around forever, and we always work hard to apply this principle to AD, as well as anything to which it provides access. Other best practices are to review the permissions and Group memberships periodically (a.k.a. ‘attestation’ in IAM terms) to make sure the right people have the right access.
In securing AD, I tend to focus on breach prevention which, in most cases, involves privilege elevation. So I focus on the privileged roles/groups such as Domain Admins, Enterprise Admins, as well as groups nested in privileged groups. Any of these can exploit the SSO capabilities of AD to own the system. Here’s a link to show how that exploit works.
As I discussed the topic of Zero Trust with Nick, we compared some ideas. Native AD is full of ‘least privilege’ which is persistent. In our conversation, we talked about making sure the right person has the right access, a new concept of ‘at the right time’ which is starting to show up more frequently. How do I grant someone elevated credentials occasionally? In the world of IAM, we call this ‘just in time’ provisioning. I am certain that this term will be added to the IAM vocabulary going forward. After working with AD and PAM solutions for years, I think the value of PAM technology’s ability to counteract the SSO vulnerabilities of AD-managed privileged accounts should be obvious. Even if I have my own personally assigned Domain Admin account, this account should be vaulted so that:
- No human knows the password when the account is not in use
- The password is changed every time the account is used, which will spoil the residual hashes
- The account is disabled when not in use to prevent authentication
These capabilities adds incredible value in protecting privileged credentials. As Nick mentioned, AD trusts but does verify – once. As part of this webinar, I got to talk about one of the coolest solutions to manage privileged AD accounts: Just-in-Time provisioning. This is the capability using a combination of our solutions – One Identity Safeguard and Active Roles – to vault an account and provision it to the right groups upon checkout. This combined functionality makes AD very dynamic, which adds to the Zero Trust goal and makes the account completely useless when checked in. Take a look at this four-minute video to learn more about it:
In my opinion, Just-in-Time provisioning of privilege accounts in AD can significantly improve the capabilities of AD to conform to Zero Trust concepts. Listen to the full conversation here and learn more.