
Achieving Security in a Cloud-Based World: The Path to Universal Policy Administration

Category: Cybersecurity

Back in the days when IT was an on-premises affair, managing your security policy was relatively simple.

Your network administrator used—and undoubtedly still uses—Microsoft’s Group Policy, which works with Active Directory (AD) to secure and configure both users and devices.

When all your devices were Windows PCs and all of your users were Windows users, this worked well. Your admin still had plenty of decisions to make: Group Policy exposes roughly 4,500 settings, and secure defaults are not a given. But as long as they took the standard precautions, such as renaming the built-in Administrator account (a marginal gain, since its well-known SID still identifies it), disabling the Guest account and anonymous access, and enabling security event logging so that a breach can be detected, you were usually reasonably well covered.

But the single-domain, all-Windows assumption doesn't hold in today's IT environment. Not only are most enterprises managing multiple domains and forests, they are moving workloads to the cloud in record numbers. They are also running non-Windows resources such as Linux servers (which are quicker to provision and decommission than Windows servers and carry no per-server licensing fees) as virtual machines, sometimes hundreds at a time across many departments. They use SaaS apps such as Office 365, Salesforce, Box, and dozens of others. And workers are no longer confined to Windows PCs: they work remotely on Chromebooks, Macs, and a variety of smartphones and tablets.

None of these machines or services is natively covered by Microsoft's AD and Group Policy. Each has its own security settings, configuration format, and tooling. Your IT department may be able to manage them with a collection of scripts, but it is far from easy, and misconfigurations and gaps are common.

The Trouble with Scripts

Although it is time-consuming, IT can write automated scripts to configure logins and other security settings for machines and applications outside the Microsoft environment. Each app or server must be configured separately, and each platform typically has its own configuration language, so little of that work carries over from one resource to the next.

Enterprises often have up to 1,000 apps. That adds up to a lot of time and effort configuring them. And then, you still need to set up all of those outside servers and mobile devices.

Hackers Love Fragmented Policies

A disorganized array of security policies is just what the hacker ordered. An administrator might make a simple mistake in a security setting that no one else ever sees. The error is never detected, let alone fixed, and it becomes a breach waiting to happen. The 2021 Colonial Pipeline ransomware attack, which shut down the largest fuel pipeline in the U.S. and led to shortages across the East Coast, began with a single compromised password for a VPN account.

It happens more often than you might think, and for an attacker it is a golden opportunity. Admin accounts often carry access to sensitive information by default: customer and employee Social Security numbers, corporate deals in the making, or intellectual property. Attackers seek out weakly protected admin accounts and pounce when they find one they can break into.

If you have a bevy of administrators (of all sorts) configuring thousands of apps, servers, and virtual machines and answering to no one, you’re creating an interstate highway with entrances and exits clearly marked for hackers.

Compliance Nightmares

Fragmented security policies can also compromise compliance.

You might need to enforce several policies at once: your company-wide corporate policy; separate policies for financial, medical, or other sensitive data; plus very specific policies for complex systems, such as the manufacture of an airplane fuselage.

These policies have to be applied in a well-defined order. In Group Policy that order is local, site, domain, then organizational unit, with the last-applied setting winning any conflict. If an admin in the fuselage plant changes a setting in the policy linked to his servers' OU, it silently overrides the corporate value unless the corporate link is enforced. That is a security policy collision: two policies define the same setting differently, and only one of them is actually in effect. Suddenly you are technically out of compliance, and possibly exposed, until the conflict is found and resolved.
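To make the collision concrete, here is a small model of Group Policy precedence (local, site, domain, OU chain; link order within a container; Enforced links; Block Inheritance) that resolves the effective value of each setting and reports every setting that more than one applicable GPO defines differently. This is an added illustration, not code from the original article or from any Micro Focus or NetIQ product, and the GPO names, setting names, and values are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Any

@dataclass
class GpoLink:
    gpo: str
    settings: dict[str, Any]
    enforced: bool = False

@dataclass
class Container:
    """A policy scope (Local, Site, Domain or OU). links[0] is link order 1,
    i.e. the highest-precedence link within this container."""
    name: str
    links: list[GpoLink] = field(default_factory=list)
    block_inheritance: bool = False

def application_order(path: list[Container]) -> list[tuple[Container, GpoLink]]:
    """Return (container, link) pairs in the order Group Policy applies them.
    path runs from the root (Local first) down to the target OU.
    Later entries win conflicts."""
    # The deepest Block Inheritance cuts off non-enforced links from all ancestors.
    block_idx = max((i for i, c in enumerate(path) if c.block_inheritance), default=None)
    seq: list[tuple[Container, GpoLink]] = []
    # Pass 1: non-enforced links, root to leaf. Within a container the lowest
    # link order is applied last, so iterate the links in reverse.
    for i, c in enumerate(path):
        blocked = block_idx is not None and i < block_idx and c.name != "Local"
        for link in reversed(c.links):
            if not link.enforced and not blocked:
                seq.append((c, link))
    # Pass 2: enforced links, leaf to root, so the enforced link closest to the
    # root is applied last and wins. Block Inheritance never stops these.
    for c in reversed(path):
        for link in reversed(c.links):
            if link.enforced:
                seq.append((c, link))
    return seq

def resolve(path: list[Container]):
    """Return (effective_settings, collisions). collisions maps a setting name to
    the ordered list of (container, gpo, value) that defined it, last one winning."""
    effective: dict[str, Any] = {}
    history: dict[str, list[tuple[str, str, Any]]] = {}
    for c, link in application_order(path):
        for key, value in link.settings.items():
            effective[key] = value
            history.setdefault(key, []).append((c.name, link.gpo, value))
    collisions = {k: h for k, h in history.items() if len({v for _, _, v in h}) > 1}
    return effective, collisions

def build_plant_path(corporate_enforced: bool, block: bool = False) -> list[Container]:
    """Constructed scenario: a corporate baseline at the domain, a plant-wide
    policy at OU=Plants, and a local admin's policy at OU=Fuselage."""
    corporate = GpoLink("Corporate Baseline", {
        "PasswordComplexity": "Enabled",
        "MinPasswordLength": 14,
        "AuditLogon": "Success,Failure",
    }, enforced=corporate_enforced)
    plant = GpoLink("Plant Standard", {"MinPasswordLength": 12})
    fuselage = GpoLink("Fuselage Servers", {"MinPasswordLength": 8, "AuditLogon": "None"})
    return [
        Container("Local"),
        Container("Site=Seattle"),
        Container("DC=corp", [corporate]),
        Container("OU=Plants", [plant]),
        Container("OU=Fuselage", [fuselage], block_inheritance=block),
    ]

if __name__ == "__main__":
    for enforced in (False, True):
        eff, col = resolve(build_plant_path(enforced))
        print(f"Corporate Baseline enforced={enforced}: effective={eff}")
        for key, hist in col.items():
            chain = " -> ".join(f"{g}@{c}={v}" for c, g, v in hist)
            print(f"  COLLISION {key}: {chain}  (winner: {hist[-1][1]})")
```

Run as written, the script shows the article's scenario twice: with the domain link not enforced, the plant admin's "Fuselage Servers" GPO wins and quietly sets an 8-character minimum password length and disables logon auditing; with the corporate link enforced, the baseline wins even though it was linked higher up. Passing block=True to build_plant_path shows Block Inheritance removing the baseline entirely unless it is enforced. In a real environment the equivalent data comes from Resultant Set of Policy (gpresult or the GroupPolicy module), not from hand-built objects.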

The more policies and policy silos you have within your organization, the more complex and complicated the reporting mechanisms for your compliance team. And the more people you have managing separate security policies, the greater the chances that something will go wrong. If just one administrator slips up, you can face a heavy fine, as well as a very public black eye if anyone outside the organization finds out.

As concerns about data privacy mount, new laws with stricter provisions are being passed, such as the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Keeping track of the variety and context of all your security policies becomes less feasible, and the gaps more dangerous, every day.

A Better Way: Universal Policy Administration

Most enterprises have made large investments in AD and agree that it is foundational for managing users and policies, but they haven't found a way to leverage those investments across their whole infrastructure. Micro Focus AD Bridge extends the structure, control, and enforcement you get with AD so that your Group Policy no longer applies to the Microsoft infrastructure alone.

Centrally managing both Windows and non-Windows resources, on-prem and in the cloud, from a single console and with a single identity improves efficiency. It lets you drop the manual, fragmented management processes and scripts by unifying how you manage authentication and authorization across your entire environment. Using the same identity to access every system simplifies your whole identity and access management strategy.

You can reduce the risk of a breach or failed audit by implementing consistent security controls and auditing. Being able to access audit logs and reports that automatically include all your resources can improve overall visibility and streamline the process of meeting governance and compliance mandates.

With today’s technology, there’s no reason to let a mishmash of security policies lead you to a security breach or compliance violation. With NetIQ Universal Policy Administrator (UPA), you can control all your policies from a single console using a very familiar tool: Microsoft Active Directory.

We have extended AD capabilities so that they no longer apply to Microsoft alone. Whether you’re using Linux devices, SaaS apps, mobile devices, virtual machines, or containers, you can pull all of them into the UPA system and place them under centralized policy management.

You will still have multiple security policies, but managing them will be far easier. Conflicting policies can be found and resolved quickly because you are managing them from a central location, and you avoid the hours of writing scripts that are incomprehensible to anyone but the person who created them. Instead, you use UPA to manage the rules across your entire system.

That is a real benefit for IT. Learning the ins and outs of each platform's native policy mechanism gets complicated fast. People in IT silos develop their own niches of expertise, which often leave with them when the enterprise experiences turnover. Group Policy through AD, on the other hand, requires little to no specialized training: most IT professionals already know how to use it, so everyone speaks the same language. UPA translates the various native policy mechanisms into one simplified policy language, which is then applied to the endpoints in each silo.

UPA also saves the time and hassle associated with compliance. You can update all of your policies in one place and document what was done, when, and by whom, which makes audits much easier to prepare for. Additionally, UPA identifies policy conflicts and collisions before a policy is deployed, helping you prevent the kind of silent override described above.

You will also improve security by avoiding the mistakes and loopholes created by fragmentation. With UPA, you can create company-wide management standards. For example, you could institute a workflow that requires a second manager to approve and validate changes to a security policy before they are deployed. That type of policy can stop policy administrators from skirting the rules and keep your organization safe and compliant.

If someone does try to bend the rules or makes a configuration error, you’ll see it on a central dashboard. Then you can quickly contact the admin and fix the problem before it causes any serious damage.

The NetIQ Advantage

In a world of escalating security breaches and expanding compliance regulations, it makes no sense to expose your organization to heightened risk with decentralized and disorganized security policy management.

With NetIQ Universal Policy Administrator you can be certain that your security rules are enforced throughout the enterprise at all times. And you can easily make compliance changes or correct any misconfigurations from a single, central console.

Instead of having IT technicians who write complex scripts for a multitude of outside applications and having no oversight of their work, you can simply use AD in conjunction with NetIQ UPA to control your policies—just as you have always done within Microsoft. Every server, app, or device that you move to the cloud is scrutinized in advance to ensure security, compliance, and compatibility.

As your company moves more workloads to the cloud, you need a security policy solution that moves with you, not against you. Micro Focus makes the transition easy and gives you the visibility and control that a 21st-century workplace demands.

Learn more:

Have technical questions about NetIQ Group Policy Administrator, Policy Compliance Assessor, Universal Policy Administrator, or AD Bridge? Visit the User Discussion Forum, keep up with the latest Tips & Info, or submit a product enhancement idea in the Idea Exchange.
