Securing the Microsoft Active Directory (AD) identity store is a major step in protecting an organization from modern attacks, including ransomware, supply chain threats and account takeover. A common thread connecting most recently publicized breaches is the compromise of credentials whose authentication is governed by AD. AD is one of the crown jewels of an organization: it stores critical information such as users, groups, computers, applications, policies and contacts and, of course, the login credentials for the resources and applications being accessed. First released in 1999, AD is undoubtedly legacy technology; nonetheless, it remains the de facto identity infrastructure within most modern companies. With over 90% of Fortune 1000 companies using AD,[1] it isn’t surprising to see this directory service targeted by adversaries — making it a renewed priority for security teams to protect this crown jewel asset.
Today, the large majority of endpoints are authenticated by Microsoft AD or Microsoft Azure AD. Microsoft has recently recommended that organizations shift to Azure AD to negate on-premises AD vulnerabilities, such as Golden SAML attacks. However, even if organizations move to Azure AD, which might take years, they still have to protect both their on-premises AD and Azure AD, with limited visibility into who the users are, what they are doing, what the attack path looks like and how the AD/Azure AD security posture is changing. And for organizations undergoing a merger or divestiture, how can they merge or separate the identities and the identity stores during and after the M&A or divestiture exercise?