Drifting is a driving technique where the driver intentionally oversteers, losing traction while maintaining control and carrying the car through the entirety of a corner. Drifting is a respected technique in auto racing and is cool to watch. In IT, not so much.
The concept of configuration drift is often discussed in relation to software development, or desktop operating system configurations in Windows, Linux, or Mac. Configuration drift for user policies happens when user entitlements and access to resources change gradually over time. Policy management is critical when it comes to maintaining consistent security policy enforcement. It gets even more important within deeper levels of an organization’s applications and infrastructure. This is why IT administrators in charge of systems such as Microsoft Active Directory (AD) could use a solution that helps them more easily manage Group Policy Objects (GPOs) in both on-prem and cloud-based environments.
In spite of an organization’s best efforts, configuration drift occurs often. An administrator may apply a new security setting to a domain and forget to apply the setting to other domains in the organization. The result creates inconsistencies from one domain to the other. With the push to hybrid IT and adoption of cloud, this problem can be exacerbated.
A new analysis of security risks in cloud deployments found that companies are facing an increased risk of more advanced attacks and struggling to control and manage their IT infrastructure. The Cloud Cyber Resilience Report from Accurics describes how default policy configurations related to identity management are causing security issues.
Infrastructure-as-Code (IaC) is a method to provision and manage IT infrastructure through source code, rather than through standard operating procedures and manual processes. IaC is increasingly being used in cloud deployments. Accurics said this latest report marked the first time they had seen identity and access management (IAM) defined through IaC in production environments; previously, IAM had been configured at runtime. The report found that 35% of the IAM drifts it identified originated in IaC. This is an odd finding, since IaC should help maintain consistency in the infrastructure deployment process.
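To make concrete what "drift" means in the two scenarios above (a security setting applied to one AD domain but not another, and IAM settings whose effective state no longer matches what was declared), here is an added example that is not part of the original post or of any product it mentions. It compares a baseline policy against the effective settings collected from several targets and reports every deviation as missing, extra, or changed. The setting names, target names, and values are constructed for illustration; in practice the observed dictionaries would be filled from exported GPO reports or from the IaC declared state and the live cloud configuration.

```python
"""Configuration drift detection across policy targets.

Added example, not the original post's or any vendor's code. A baseline
policy (what should be enforced everywhere) is compared with the effective
settings observed on each target, and every deviation is reported.
"""

# Constructed sample data. Setting and target names are illustrative only.
BASELINE = {
    "password": {"min_length": 14, "complexity": True, "max_age_days": 90},
    "lockout": {"threshold": 5, "duration_minutes": 30},
    "audit": {"logon_events": "success,failure"},
}

OBSERVED = {
    # Fully compliant domain
    "corp.example (AD domain)": {
        "password": {"min_length": 14, "complexity": True, "max_age_days": 90},
        "lockout": {"threshold": 5, "duration_minutes": 30},
        "audit": {"logon_events": "success,failure"},
    },
    # The second domain the admin forgot: weaker password length, audit
    # setting never applied
    "emea.corp.example (AD domain)": {
        "password": {"min_length": 8, "complexity": True, "max_age_days": 90},
        "lockout": {"threshold": 5, "duration_minutes": 30},
    },
    # IaC-declared tenant: an extra setting nobody baselined, and a reduced
    # audit scope
    "cloud tenant (IaC declared)": {
        "password": {"min_length": 14, "complexity": True, "max_age_days": 90},
        "lockout": {"threshold": 5, "duration_minutes": 30, "reset_minutes": 15},
        "audit": {"logon_events": "failure"},
    },
}


def flatten(settings, prefix=""):
    """Flatten nested dicts to dotted keys so any nesting depth compares uniformly."""
    out = {}
    for key, value in settings.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out


def diff_against_baseline(baseline, observed):
    """Return (setting, kind, expected, actual) records; kind is missing/extra/changed."""
    base = flatten(baseline)
    obs = flatten(observed)
    drift = []
    for key in sorted(set(base) | set(obs)):
        if key not in obs:
            drift.append((key, "missing", base[key], None))
        elif key not in base:
            drift.append((key, "extra", None, obs[key]))
        elif base[key] != obs[key]:
            drift.append((key, "changed", base[key], obs[key]))
    return drift


def drift_report(baseline, targets):
    """Map each target name to its drift records; an empty list means compliant."""
    return {name: diff_against_baseline(baseline, settings)
            for name, settings in targets.items()}


if __name__ == "__main__":
    for target, records in drift_report(BASELINE, OBSERVED).items():
        status = "OK" if not records else f"{len(records)} deviation(s)"
        print(f"{target}: {status}")
        for setting, kind, expected, actual in records:
            print(f"  {kind:8} {setting}: expected={expected!r} actual={actual!r}")
```

The "extra" category matters as much as "missing": a setting that appears on one target only is exactly the kind of variance an auditor flags, even when it is stricter than the baseline, because it was never reviewed or approved as policy.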
The consequences of configuration drift vary significantly, ranging from a minor nuisance to a policy variance that can be exploited, or a compliance violation. But it’s fair to say that InfoSec Governance and Internal Audit departments are looking for these inconsistencies to minimize risk exposure.
With Universal Policy Administrator (UPA), you can control user policies from a single cloud-based console using a browser. If you have multiple platforms in your ecosystem (e.g., Linux, Unix, Mac, AD, O365, Azure, SaaS apps, mobile devices) you can pull all of them into the UPA and place them under centralized policy management. Comprehensive Conflict Analysis reporting and audit coverage/reporting can help identify and control configuration drift of your user policies. This helps you reduce risk by ensuring consistent security controls and auditing capabilities across your environments.
If you are in an organization that has a Microsoft-first philosophy (Active Directory, Azure AD), you can leverage your existing investment in AD and GPOs to centralize policy management with UPA. However, UPA’s target scope isn’t limited to the Microsoft ecosystem; future releases can cover the entire enterprise for a complete policy orchestration solution.
To learn more about UPA and mitigate policy drift, take advantage of these resources:
- Path to Universal Policy Customer Facing Presentation
- Five Steps to Implement a Universal Policy Strategy Customer Webinar Recording
- White Paper: Achieving Security in a Cloud-Based World: the Path to Universal Policy Management
- UPA Datasheet
- White Paper: Managing Policies in the age of Multicloud
- Webinar: Explore the Path to Universal Policy Management
Have technical questions about NetIQ Group Policy Administrator, Policy Compliance Assessor, Universal Policy Administrator, or AD Bridge? Visit our User Discussion Forum. Keep up with the latest Tips & Info. Do you have an Idea or Product Enhancement? Submit it in the Idea Exchange. We’d love to hear your thoughts on this blog.