The next time auditors come to examine your network infrastructure, expect them to take a closer look at how you manage and secure Active Directory.
"With Sarbanes-Oxley, Gramm-Leach-Blilely and other regulations taking effect, companies must take a more formal approach to internal controls," said Sean Peasley, principal in the Audit and Enterprise Risk Service at Deloitte and Touche LLP.
Admins also use Active Directory to manage network configuration changes and assign access rights to individual users.
With so much network management taking place within a single service, said Peasley, "It is imperative to make sure Active Directory is secured and controlled. If you lose that information, there is now the potential for fines and consent orders."
SOX, HIPAA and GLBA, which regulates how organizations can use and store personal information, are compelling security officers to step-up their IT controls.
Active Directory has long been neglected by IT and business auditors, said Larry Brandolph, infrastructure technology management team lead at Cigna Corp., an employee benefits company based in Philadelphia, Pa.
"Most IT and business auditors don't understand what Active Directory provides," said Brandolph. Auditors "are focusing their time on tracking/auditing at the application levels, but are forgetting that Active Directory is used as an authorization/authentication product. Given all the regulator requirements today, at some point AD needs to get on the auditor's scopes."
Cigna has been running Windows 2000 Active Directory since December 2000. The company plans to upgrade to Windows 2003 Active Directory in 2006.
Throughout the health care industry there's a need for a built-in mechanism for managing Active Directory log files, Brandolph said, adding that Cigna is reviewing software options to help it track more closely the addition and removal of objects on its network, including NetPro's ChangeAuditor.
ChangeAuditor belongs to a class of software that monitors, tracks and reports changes to file and printer services, hubs, routers and switches--anything that can be added to and taken off the network through Active Directory. (The suite also includes software for managing policies in Active Directory and a product, DirectoryLockdown, which is designed to fend off denial-of-service attacks and security breaches.)
Products like those from NetPro and other security management software firms automate the tracking of problems and performance, said Deloitte and Touche Audit and Enterprise Risk Service senior consultant Manny Fernandes. "Other companies don't necessarily have the tools to provide that level of functionality," said Fernandes.
NetPro CTO Gil Kirkpatrick said his company's products are designed in part to help security officers comply with the best practices prescribed by the IT Infrastructure Library. ITIL was created for the British government and is said to be the global standard for service management. ITIL calls for the preservation of confidentiality wherever appropriate, the maintenance of data integrity and the availability of network assets. ITIL also stipulates that transactions are not denied erroneously and that the network complies with government regulations, contracts with partners and clients and with internal controls.
"Compliance and security are now tied at the hip," said Kirkpatrick. "Most of the regulatory compliance problems are concerned [with IT security]."
To comply with new regulations and maintain high performance security officers need to have multiple layers of defense and security, and the segregation of duties on the network.
"Rather than one big bucket of privileges, you have to have appropriate level of access," Fernandes said. "You want to have very few people logging in to an application--only those with the appropriate skills and competencies."