
Active Directory Consolidation: Phase 3 Update

Page 1: Active Directory Consolidation: Phase 3 Update

Active Directory Consolidation: Phase 3 Update

Colin Bell (cpbell)
April 4, 2013

Page 2: Active Directory Consolidation: Phase 3 Update

Working High-Level WBS

Clarity, Governance, Change Management, and Documentation

1. Clarify transfer process and goals.
2. Transfer knowledge from Engineering w.r.t. current monitoring and management techniques.
3. Establish Change Management controls inside IST w.r.t. NEXUS.
4. Establish Service Management controls inside IST w.r.t. NEXUS.
5. Establish IST based monitoring and audit capabilities to augment current capabilities.
6. Document future (ADS retirement plans).
7. Transfer "ownership" and ultimate operational responsibility to IST.

Page 3: Active Directory Consolidation: Phase 3 Update

Goal: Establish Service Management (NEXUS/APEX)

• Incident Management (in progress)
• Change Management (draft in use)
• Release Management
  – NEXUSTEST/APEXTEST (in progress)
  – All DC’s => IST + decommission (in progress)

Page 4: Active Directory Consolidation: Phase 3 Update

Goal: Document the Future (reschedule – now end April 2013)

• Develop roadmap for migration of services from ADS to NEXUS.
  – Actual ‘moves’ are out-of-scope.

• Document shared monitoring, auditing, and software management requirements.

• Document current and future roles and responsibilities for all stakeholders + established campus bodies.

Page 5: Active Directory Consolidation: Phase 3 Update

Goal: Ultimate Operational Responsibility on IST

• Move to minimize the number of Domain Administrators in NEXUS.

• Consolidate top-level responsibilities in IST (as an infrastructure service).
  – “Handover the Keys” (ADAud2012 – MP5.0)

• Goal => MS2 – April 30, 2013

Page 6: Active Directory Consolidation: Phase 3 Update

Goal: Meet Audit Requirements (1)

• Overall Strategy and Plan
  – Develop project plan and RAID log. Socialized with project stakeholders. [ADAud2012-1.0-HP] (WNAG is in loop. Exploring new platform for WNAG. Need tools. QUESTION: how would CTSC like to be included? Email, SharePoint, Other?)
  – Establish a management committee and leverage it as a forum to discuss and resolve critical project related decisions. [ADAud2012-2.0-HP] (Terms of Reference + Procedures drafted, seen by Management Group and WNAG. QUESTION: how should it now go to CTSC + UCIST?)

Page 7: Active Directory Consolidation: Phase 3 Update

Goal: Meet Audit Requirements (2)

• Test Plans and Test Cases
  – Ensure test plan, scenarios, cases and results are documented. [ADAud2012-3.0-MP] (Latest change request is forcing analysis of this: AD-CHANGE-REQUEST-2013.7 -> Privileged accounts on DCs for NetWrix.)

Page 8: Active Directory Consolidation: Phase 3 Update

Goal: Meet Audit Requirements (3)

• Documentation of Rollback Plans
  – Ensure that each migration procedure defines and tests a rollback plan. In cases where a roll-back is not required due to risk level, the decision is documented. [ADAud2012-4.0-MP] (many migrations completed in Phase 2 – continuing to use Change Management Procedure + documentation standards)

Page 9: Active Directory Consolidation: Phase 3 Update

Goal: Meet Audit Requirements (4)

• Active Directory Governance and Operations
  – Determine roles and responsibilities and communicate accordingly across IST, Engineering, and Security teams. [ADAud2012-5.0-MP] (Change Management Procedure normalizes work, RASCI Chart can now be built to formalize roles / responsibilities)
    RASCI = {Responsible, Accountable, Support, Consulted, Informed} [Goal => April 26, 2013]

Page 10: Active Directory Consolidation: Phase 3 Update

Goal: Meet Audit Requirements (5)

• Migration Strategy Planning
  – Perform an analysis of application and servers that leverage ADS. Develop a server / application migration plan. [ADAud2012-6.0-MP] (Already planned as part of the ‘Document the Future’ effort. See previous slide – rescheduled end April 2013.)
  – Workstations complete. [March 2013]
  – Servers + Services [rescheduled end April 2013]

Page 11: Active Directory Consolidation: Phase 3 Update

Goal: Meet Audit Requirements (6)

• Object Migration Approach [ADAud2012-7.0-MP]

  – Perform analysis on accounts that have not been migrated.
  – Review and clean up orphan accounts.
  – Review privileged accounts and analyze if access is still valid after migration.
  – Perform analysis on accounts.
  – Inventory service accounts and use
  – … started => more questions than answers!

Page 12: Active Directory Consolidation: Phase 3 Update

Goal: Meet Audit Requirements (7)

• Interoperability Requirements [ADAud2012-8.0-LP]

– Identify, document, and socialize WatIAM integration requirements with key stakeholders to ensure that all issues are identified and addressed.

– Security Architecture + Identity Management Roadmap will serve as the foundation for this. Is this an ongoing consideration?

Page 13: Active Directory Consolidation: Phase 3 Update

Directory Object Audit / Review + Future Capabilities

• Analysis (w/ help from pmatlock’s NetID work)
  – NEXUS counts:
      pure students (not on UW work term): 29821
      alumni: 77527
      expired: 128641
      faculty: 2871
      staff: 32547
      retirees: 1413
      applicants: 108484
  – Staff #’s? Alumni #’s? Applicants? Students who are on co-op? Far more analysis is required to understand!

Page 14: Active Directory Consolidation: Phase 3 Update

Goals and Insights: Object Analysis

• Verify: People who should not have access do not.

• Verify: People have the minimum privileges required to do their jobs.

• Implicit calculations of “Roles” from various Security Groups make this a nightmare. Explicit is better than Implicit!

Page 15: Active Directory Consolidation: Phase 3 Update

Questions: Object Analysis

• How much analysis should we do now?
• How much would a redesigned IDM help?
• How much process re-engineering is required?
• What should a formal privileged account creation process look like? Just ask for ! and !! -- is this really good enough?

Page 16: Active Directory Consolidation: Phase 3 Update

Next Steps: Object Analysis

• Complete accounting for ALL OU, Domain-level, Forest-level admins.
  – Integrate findings with RASCI analysis

• Enterprise Architecture (up next) is crucial to understanding this. Document processes + systems, redesign for improvements. Lots more work required!

Page 17: Active Directory Consolidation: Phase 3 Update

Next Steps: Object Analysis

• Big piece of technology (NetWrix) undergoing analysis via MAS Subgroup, used in ADS, and preliminary steps initiated for deployment on NEXUS through Management Group.

• NetWrix has potential to give us on-going audit + change reporting at AD Object level. Will help -- work smarter, not harder.

Page 18: Active Directory Consolidation: Phase 3 Update

AD Governance: Next Steps

• AD Steering Group meeting (2013-04-08)
  – Will discuss progress / challenges there.
  – Will seek Steering Approval for “Waterloo Active Directory Governance Body (WAD-GB)”

• Once through WNAG, Management Group, Steering … Then to CTSC + UCIST.

Page 19: Active Directory Consolidation: Phase 3 Update

Waterloo Active Directory Governance Body (WAD-GB)

• A campus-wide ‘upper house’ to guide the future of AD on campus.

• Goal: “to provide a second tier of control at which campus entities can validate the work of technical staff and express their desires on matters of AD Governance”

• Essentially: let’s stay together… keep everyone empowered and at the table.

Page 20: Active Directory Consolidation: Phase 3 Update

Waterloo Active Directory Governance Body (WAD-GB)

• 1 x Voting Position to the Faculty of Arts
• 1 x Voting Position to the Faculty of Applied Health Sciences
• 1 x Voting Position to the Faculty of Engineering
• 1 x Voting Position to the Faculty of Environment
• 1 x Voting Position to the Faculty of Mathematics
• 1 x Voting Position to the Faculty of Science
• 1 x Voting Position to the David R. Cheriton School of Computer Science
• 3 x Voting Positions to IST with suggested representation from:
  – Infrastructure
  – Networks
  – Security

• Others? Library? Colleges? Thoughts?

Page 21: Active Directory Consolidation: Phase 3 Update

Dates

• Start: Nov 2nd, 2012
• MS1: Dec 19, 2012 (completed)
  – “Transfer Keys” > IST in APEX + NEXUS at highest level.
• MS2: April 30, 2013 (at risk for slippage)
  – “Work Complete” > By this point IST is only party working at top-level of APEX + NEXUS. Everything is documented.

Page 22: Active Directory Consolidation: Phase 3 Update

Dates

• MS3: June 14, 2013
  – “Project Complete”
• MS4: June 28, 2013
  – “Project Closing Complete”

