An AD-centered approach to enterprise IAM

[MUSIC PLAYING] Hi, I'm Todd Petersen with One Identity, and today we're going to talk about Active Directory centered identity and access management. So let's turn to the whiteboard. First off, let's talk about AD and Azure AD. They're everywhere. So according to Microsoft, 95% of the Fortune 1000 has Active Directory in their environment. And 85% has Azure Active Directory, and that's growing very quickly. So bottom line is you have Active Directory and/or Azure Active Directory environment. And if you don't, you don't have to watch this video, but you probably do. So Active Directory and Azure Active Directory everywhere. They're also pretty much necessary for most people's operations. If you want to use Exchange, if you want to use Office 365, if you want to use Excel, you want to use SharePoint, you can't do any of that without an account in Active Directory or Azure Active Directory, depending on which one you've got. Also for many, many organizations, it's the authoritative identity for people. When you ask, which directory or which account is the most important within your organization, a lot of people will say it's the Active Directory account. That's how we decide who somebody is and what they're allowed to do. And it's really key in people's digital transformations. Most of the digital transformation is going on or moving to Azure or moving to Office 365, and you can't do that without the Azure Active Directory being involved, migrating from your on prem to Azure or adding Azure to everything. So this hybrid AD environment is super important to pretty much everybody out there, and identity and access management is super important to operating within any environment, particularly in Active Directory and Azure active directory. So the things that have to happen for you to access what you need within this environment are three things. First, is request. Somebody has to ask for you to be given access to what you need to do your job or for someone else to be given the access, and then fulfillment. Often called provisioning. Somebody has to go in and setup your account in Active Directory in Exchange, and Azure Active Directory, et cetera and then certification. Somebody, usually the boss, has to go in on a periodic basis and say, yes, I certify or I test that the access this employee has Active Directory or Azure Active Directory or whatever is what I say it is and that it's appropriate. So let's walk through a typical workflow of how this happens, usually within an Active Directory environment. We've got a new employee here, this employee needs access to Active Directory so they can get into a change. So somebody is going to make a request and say let's put this person in Active Directory. And then somebody, in IT usually, is going to fulfill that request or provision that request, but that's only going to put them in Active Directory and in the correct groups. To put them in Exchange, you're going to have to do another request you have to make a another action. Maybe another person in IT goes in and does that. So you've got this stuff going on across everything that needs to be touched. Also, periodically, somebody is going to have to go in and certify that access. So the boss is going to go in and say, yeah, I approve that this person's access is actually what it says it is, and that's all fine and good. So that's pretty convoluted for the Active Directory environment, but then you have to repeat it for Azure Active Directory. Request, fulfillment, certification, that extends to Office 365, request fulfillment certification, then you have a whole bunch of non-Windows systems with the same thing going on. Request fulfillment certification for say, Salesforce. Request fulfillment certification for Box or for [INAUDIBLE], or for Workday, or whatever. And then if you have legacy systems like Unix or Linux, again, request fulfillment certification. So you've got this stuff happening over and over again, it's happening inconsistently, it's happened with a lot of different people. So the consequences of this is things take a lot of time. If you can't tell, this is a clock. So things take a lot of time. Things are expensive. You're repeating effort, and the bottom line is, you're going to end up with a lot of risk, because these things are not necessarily done correctly. They're done inconsistently. There's room for human error, there's just all kinds of things that can go wrong in this environment. So basing your Identity and Access Management on Active Directory can overcome a lot of these things if you do it in the right way. So let's clean the board off and talk about what those ways are. So the first would be to automate that provisioning process, that thing that you have to do where an IT guy goes in and does this in AD and then another guy goes and does it in Exchange. Another guy goes in and does this in Azure Active Directory in Office 365. What if you could automate all of that, put it in a single Workflow, so the new employees added to the HR database, and then that tells something to go out and provision all that stuff accurately. So that can be done through a One Identity solution called active roles. Bottom line is when the person is added to the HR database, the provisioning action happens across the AD, Exchange, Azure AD, Office 365, that entire environment happens automatically. You can then extend that provisioning that AD based stuff to other systems. For example, Unix and Linux through a solution called authentication services. So now, when you provision somebody in AD, you're also provisioning them in Unix and Linux. So you've automated the provisioning and you've extended the scope across more things, but there's even more ways you can expand that. Through some newer technologies,