subject: Delegating Grants in IT – A Paramount Concern [print this page] Delegating Grants in IT A Paramount Concern
Security breach in IT administration is one of the most dangerous and the most dreaded problem faced by IT administrators. If you are an IT administrator, then it would be your prime concern to make sure that all your organizational user accounts, groups, computers and assets are completely secured and hard to be compromised by an internal or external system. This is one of the toughest tasks performed by an IT admin in a Microsoft Windows Server based IT infrastructure because even while working in a small organization there are many security risks faced by an IT admin.
But, the problem multiplies many a times when the number of heads in the company increases and so with the number of departments. In such a situation, the IT responsibilities for different departments are delegated to different people. This call for a highly specialized IT system to be in place as many domain admins (and Enterprise admins) enjoy complete administrative control of your IT infrastructure.
The nature of such administrative powers is very delicate. This is because if the administrative powers are rested with many individuals in the organization, then we are running a huge risk of a security breach as such a division of administrative responsibilities makes it very hard to keep in touch with all the administrators at once. Therefore such broad administrative powers should only be held by a few highly trusted and proficient individuals.
This would actually avoid security breaches and the chances of even a Single security incident jeopardizing the valuable information stored in the database of the company as well as the command centers. The accidental, inadvertent, intentional, coerced or acquired misuse of administrative authority can instantly bring a lot of concern to the entire IT infrastructure of the company; something one cannot afford at any cost.
In such circumstances it would be highly advisable to these organizations to immediately review their IT strategies and minimize the number of Domain Admins in their IT infrastructure. While performing such a task, one should avoid a mistake which most companies end up doing and have to re-strategize afterwards, which in-turn adds to the overall cost and time. This mistake would be to over-complicate the whole security system along with the delegation of grants to certain members of the organization.
The system to be put into place should be simple yet effective and revolve around an administrative delegation strategy wherein responsibilities for most of the common administrative tasks are delegated out. And, responsibilities for only the most vital of directory service management functions are assigned to the Domain Admins. In this manner, organizations can effectively yet significantly reduce the number of Domain Admins.
After the delegation of grants, the next step would be to assess these grants on a regular basis. One might argue this point by saying that such an assessment is a waste of time because delegation of grants is a one-time thing that does not require frequent checks. For such administrative grants in Active Directory, a daily assessment is a strong requirement while running a secure IT infrastructure. Active Directory remains the focal point of administrative delegation in a Microsoft Windows Server based IT infrastructure. And therefore, it is highly recommended to keep a constant tab on all activities undertaken in it as vastly powerful security grants for identity and access management are delegated to large numbers of IT personnel, at all varying levels, in different parts of Active Directory and by different individuals.
Administrative delegations too keep on changing with the changing business needs and one can't expect to have the same IT setup for a very long time. Therefore, in case of administrative delegation frequent changes in the setup, the lack of a single point of control, inadequate assessment capabilities and the sheer size of Active Directory deployments renders organizations clueless about who really has what access in their Active Directory.
Assessment of delegated grants on a daily basis gives the organizations the insight they need (into the various administrative entitlements delegated to their IT personnel) to adequately secure and protect their Active Directory deployments. It is for the above mentioned reason that assessments of delegated grants remain a top priority for the security of the IT infrastructure of an organization.
The last step in this process would be to verify whatever delegation has been done in terms of grant of administrative power to personnel. Every time delegations are made in Active Directory, there is no assurance as such, of the fact that these delegations were made in a secure manner to the intended personnel and in the most befitting environment. Thus security becomes a major issue which needs to be validated through verification by a higher and highly competent IT authority.
