Due to the complexity and hybrid nature of today’s environments, managing security policies across both on-premises and cloud resources was a popular topic of discussion at the recent 2019 Micro Focus Cybersecurity Summit. Many organizations find themselves challenged with enforcing security policies and access controls consistently across their entire infrastructure.
Back in the days when IT was an on-premises affair, managing your security policy was relatively simple. Most network administrators started using Microsoft’s Active Directory (AD) Group Policy capabilities back when it was introduced in Windows 2000. More than likely, you are still using Group Policy to secure and configure both users and devices to this day.
But everything is more complicated today.
The single domain, collective Windows resource assumption doesn’t cut it in today’s hybrid-IT environment. Not only are most enterprises managing multiple domains and forests, they are moving workloads to the cloud in record numbers. They’re also using non-Windows resources such as Linux servers (which can be set up and taken down more easily than Windows servers and don’t have costly licensing fees) to run virtual machines—sometimes hundreds at a time, across many departments. They’re using SaaS apps such as Office 365, Salesforce, Box, and dozens of others. Workers are no longer confined to Windows PCs—they’re working remotely on Chromebooks, Macs, and a variety of smartphones and tablets. None of these machines or systems are natively covered by Microsoft’s AD and Group Policy. They all have their own unique security policies and configurations. Your IT department might be able to manage them with some clever scripts, but it’s far from easy and mistakes and loopholes abound.
Hackers love fragmented policies.
Hackers don’t want to waste their energy on a tight, well-fortified network. They’re looking for a weak link in the chain—a place where they can lurk undetected for weeks or months while they poke around to find valuable data to steal. They’re looking for a vulnerable account like that of the HVAC contractor for Target, whose credentials were used to steal the data of 41 million customers.
Nothing makes a hacker happier than an environment where one hand doesn’t know what the other is doing. A disorganized array of security policies is just what the hacker ordered. For example, an administrator might make a simple mistake in configuring security settings and no one else would know. The error is never detected, let alone fixed, so it becomes a security breach waiting to happen.
In addition, many policies allow administrators to override corporate rules, which they sometimes do for convenience. Do they really need to use a new 15-character password every single time they go to work on a particular server? Probably not. So they’ll nix that rule for now—just temporarily, of course. Then they’ll forget to change it back.
It happens more often than you might think, and for the hacker it’s a golden opportunity. By default, Admin accounts often come with access to sensitive information, such as customer and employee Social Security numbers, corporate deals-in-the-making, or intellectual property secrets. Hackers seek out weak Admin accounts and then pounce when they find one that they can easily break into.
If you have a bevy of administrators (of all sorts) configuring thousands of apps, servers, and virtual machines and answering to no one, you’re creating an interstate highway with entrances and exits clearly marked for hackers.
The good news is that there is a way to take control of your security policies – ensuring consistency and normalization of policy. Micro Focus has a number of solutions that help customers better manage their security policies across their complex, hybrid enterprise:
- Micro Focus AD Bridge for extending AD controls to Linux, UNIX, and cloud resources
- Policy Compliance Assessor to assess cloud readiness and migrate GPOs to Intune
- Universal Policy Administrator to centralize enterprise and cloud policy management
I invite you to learn more about our new, innovative policy management solutions and how they can completely transform your IT organization.
So, in case you missed our Cybersecurity Summit in Dallas this past June, you can hear from experts Tim Sedlack and Danny Kim in their session, The Path to Universal Policy Management, on-demand, even if you didn’t attend the conference. You can also download the white paper, Achieving Security in a Cloud-Based World.
Identity & Access Mgmt