Welcome. This is Quest Unscripted.
A VLOG series on trending topics--
And Quest solutions related to Active Directory.
Office 365--
Oh, and don't forget Azure AD.
You are here because you have questions.
We're here because we have answers.
I think.
We will address questions we've received from customers who experience the same challenges as you.
All with the goal of helping you confidently move--
Manage--
And secure--
Your Microsoft environment.
We call the show Quest Unscripted because--
Except for this intro--
Nothing we say is scripted or rehearsed.
And we're pretty sure you'll notice that right away.
Hello. Today I'm joined by Dan Conrad from One Identity. And I figure it'll be a good time to discuss how some of our different products can really complement each other. So, Dan, I know you're familiar with Change Auditor. How does Active Roles complement Change Auditor?
Yeah, I was a Change Auditor customer years ago, and I used it extensively along with some other Quest products like Recovery Manager. But then Active Roles-- adding that to your Active Directory, your mix of tools that you use. There's a little bit of overlap, but at the same time, it gives you the ability to--
What kind of overlap?
Well, for one thing, you've got an auditing overlap. Anytime you go through Active Roles to make a change to something, Active Roles audits that. So it's interesting it's stored in the database. Change Auditor is more of a native auditor. And then with Change Auditor and Active Roles integration, you get the best of both worlds.
So in Change Auditor, there's a little button, I'm sure a lot of you've seen, that says Active Roles integration. And all that really does is it tells Active Roles any time somebody makes a change in Active Roles to send that event data to Change Auditor, as well. It gives you a double look at that.
What are the best things you could do to help protect your Active Directory with Active Roles?
I do it from a privilege perspective. I've done things with group memberships, for instance. So there's a function in Active Roles called dynamic groups. It came out in 5 dot something a long time ago. And it lets you build groups dynamically based on either real attributes or virtual attributes.
So virtual attributes are great because not everybody can even see those. So I can build group memberships dynamically. So if you take something like maybe the Domain Admins group-- I wouldn't say you'll make the Domain Admins group dynamic, but you could nest a group in the Domain Admins group that is dynamic. Then I can build that dynamically. Then I can actually take Change Auditor and the protection functionality, and I can lock that group membership-- lock the members attribute of that group membership.
How often do you see your customers deploy Change Auditor to identify and help create policies that can be used by Active Roles?
Well, that's kind of an interesting thing, because Change Auditor gives you the capability to see, before you build a permissions model, what are people trying to do? So instead of just assigning mass permissions or over-permissioning, in a lot of cases you can use Change Auditor to go out and look at that. I've seen it used that way in a few different instances-- both from a privilege perspective and even from what users are attempting to do, to keep an eye on that.
And how does One Identity go above and beyond just what you can do with Active Roles around least privileged access?
Well, if you think about least privilege or even words like zero trust, Active Roles-- I've seen implementations where customers were using privileged access management solution, a PAM solution. And one of their use cases was to manage Active Directory. So their proposal was to use a PAM solution.
And within PAM solutions, you have something called session management. And an admin-- a field admin, an OU admin, what have you-- would launch a session to, say, a jump box. And from that jump box, they would be able to run ADUC and manage Active Directory. Well, that's kind of a roundabout way to do it.
And we would propose something like Active Roles in that PAM solution, as part of that PAM solution, so that they don't need that jump box to do that, and it's fully proxied and permissioned into AD. And then you still get all the auditing that Change Auditor does, as well, natively. So it audits all those native permissions, all those native changes, and you don't have to deploy this elaborate proxy architecture.
And PAM plays a very significant part of that, as well. Because I actually use my PAM solution to provision into Active Roles anytime somebody needs a group membership change. So I don't have to do things like populate the Domain Admins group or populate the Schema Admins group.
I can have accounts that are pooled and managed by my Safeguard appliance. So when somebody goes and checks one of those out, it won't have any permissions at the time at checkout. But when the checkout is actually approved, then it'll provision again to the right groups for them to use at the time. And then, when it's done, it'll reverse the whole process. And then all of that is audited by Change Auditor along the way.
So I've heard you talk a lot about PAM. Are both Active Roles and Safeguard part of that privileged account management portfolio?
Active Roles is a part of an AD security portfolio. So in an AD security portfolio, you would have Active Roles doing your delegations and your administration. And then, as part of that, you would have PAM managing things like service accounts and controlling permissions on anything with elevated credentials-- things like you and I as day-to-day sysadmins would need to do our job. We would simply check those out and use them as we needed to. It's part of the overall AD security perspective, because those accounts are very critical. Especially in a Windows environment, where things like residual hashes can be left in the environment, we want a PAM solution to nullify that.
Great. Thanks, Dan. I appreciate the time today.