The roadmap to successful mergers and acquisitions: What you need to know about AD consolidation


As competition hots up, companies are aiming for more transformational change in a crowded market, with many turning to mergers and acquisitions of other players in a bid to achieve that. This shows no signs of slowing down in 2022 and beyond, with 92 percent of corporate respondents anticipating the same or an increase in the deal volume over the next 12 months according to Deloitte.

Whilst the overarching focus is on the financial side, the work going on under the surface to make these mergers a success is monumental, and fraught with difficulties due to the business demands for rapid change. While sometimes overlooked, the role of IT teams during M&As is pivotal in ensuring there is no disruption when it comes to accessing or sharing resources.

To achieve this, we must look at the consolidation or migration of Microsoft Active Directory -- a database and set of services that connect users with the network resources they need to get their work done. It is paramount for companies to integrate the two existing systems as fast as possible during the M&A process, so that business processes can continue without disruption.

Many IT teams face major challenges in achieving the rapid technology integration demanded by a merger or acquisition. Preventing user disruption, protecting customer and business data from security incidents and tracking all the moving parts of people coming and going are all high on the agenda. This in itself creates a major security hole for all the parties involved, one that hackers can easily take advantage of if it is not mitigated.

These challenges can seem overwhelming, but with the right planning and tools, they don’t have to be. Having a roadmap planned out before a migration is key, and the following five levels should be on every company’s mind when looking to achieve a successful and secure AD migration.

Identity

Identity is at the heart of authentication, and then authorization. Identity is associated with NTFS permissions, with SharePoint, with SQL Server and with access to all resources in the Active Directory domain -- that is why identifying where organizational identities are being used is crucial.

The clean source principle requires that all security dependencies, such as identities, should be as trustworthy as whichever object -- a server, a domain, a device -- an organization is trying to secure. In an Active Directory migration, IT teams need to think about who has access to the object to begin with. That is because, if those permission sets move over to the target during an Active Directory migration, then the access migrates with them. At the same time, companies should consider migrating Active Directory to a clean slate to avoid carrying old or unknown dependencies to the new AD if they are looking to improve their security posture during a migration.

Another aspect to consider is passwords. They are a big part of identity, and it is important to know who has access to them in the source environment before migrating. An Active Directory migration is an opportune time to evaluate the passwords that are migrating to the new environment and when they were last changed.
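One way to run the password review described above before the move, as an added example that is not part of the original article. The function name `Get-StalePasswordAccount`, the 365-day threshold and the sample accounts are assumptions made for illustration; the property names match what `Get-ADUser` returns.

```powershell
# Added example, not from the original article. Input objects use the property
# names Get-ADUser returns with -Properties PasswordLastSet, PasswordNeverExpires.
function Get-StalePasswordAccount {
    param(
        [Parameter(Mandatory)] [object[]] $Account,
        [int] $MaxAgeDays = 365,            # assumed threshold; set to your policy
        [datetime] $AsOf = (Get-Date)
    )
    foreach ($a in $Account) {
        $reasons = @()
        $age = $null
        if ($null -eq $a.PasswordLastSet) {
            # pwdLastSet = 0: never set, or flagged "must change at next logon"
            $reasons += 'no password-set date'
        } else {
            $age = [int][math]::Floor(($AsOf - $a.PasswordLastSet).TotalDays)
            if ($age -gt $MaxAgeDays) { $reasons += "older than $MaxAgeDays days" }
        }
        if ($a.PasswordNeverExpires) { $reasons += 'never expires' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName  = $a.SamAccountName
                Enabled         = $a.Enabled
                PasswordAgeDays = $age
                Reasons         = $reasons -join '; '
            }
        }
    }
}

# Constructed sample accounts (not real data), evaluated as of a fixed date.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-backup'; Enabled = $true;  PasswordLastSet = [datetime]'2015-03-10'; PasswordNeverExpires = $true  }
    [pscustomobject]@{ SamAccountName = 'jdoe';       Enabled = $true;  PasswordLastSet = [datetime]'2022-04-02'; PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'old-admin';  Enabled = $false; PasswordLastSet = [datetime]'2018-11-20'; PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'newhire';    Enabled = $true;  PasswordLastSet = $null;                  PasswordNeverExpires = $false }
)
Get-StalePasswordAccount -Account $sample -AsOf ([datetime]'2022-06-01') | Format-Table -AutoSize

# Against the live source domain (requires the ActiveDirectory module):
# Get-StalePasswordAccount -Account (Get-ADUser -Filter * -Properties PasswordLastSet, PasswordNeverExpires)
```

With the sample data, `svc-backup`, `old-admin` and `newhire` are reported and `jdoe` is not; accounts on the list are candidates for a forced reset or for being left behind rather than migrated as they are.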

Groups

Groups are good for security, until they are not. Groups are a convenient way to manage permissions in one place. But how about tracking their lifecycle? Getting a handle on the governance and consolidation of groups early on during a migration will prove a great advantage later on.

Active Directory migration is also the ideal opportunity to focus on examining and deleting obsolete groups -- depending on the time and tools available. In addition, merging duplicate groups can raise serious security concerns, as it can result in more people having access to certain data than before. Addressing these duplicates and rectifying them before migration is key to avoiding permission challenges in the future.
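The access expansion that a merge of same-named groups causes can be measured before the merge happens. The following is an added example, not part of the original article; the function name `Get-GroupMergeExposure`, the group names and the members are constructed for illustration.

```powershell
# Added example, not from the original article. For every group name that exists
# in both domains, list the members who would inherit the OTHER side's access
# if the two groups were merged into one.
function Get-GroupMergeExposure {
    param(
        [Parameter(Mandatory)] [hashtable] $SourceGroups,   # group name -> member names
        [Parameter(Mandatory)] [hashtable] $TargetGroups
    )
    foreach ($name in $SourceGroups.Keys) {
        if (-not $TargetGroups.ContainsKey($name)) { continue }   # no name collision
        $src = @($SourceGroups[$name])
        $tgt = @($TargetGroups[$name])
        # Members present on one side only gain whatever the other side's group unlocks.
        $srcOnly = @($src | Where-Object { $_ -notin $tgt })
        $tgtOnly = @($tgt | Where-Object { $_ -notin $src })
        [pscustomobject]@{
            Group             = $name
            GainsTargetAccess = $srcOnly -join ', '
            GainsSourceAccess = $tgtOnly -join ', '
            SizeBefore        = "$($src.Count) / $($tgt.Count)"
            SizeAfterMerge    = @($src + $tgt | Sort-Object -Unique).Count
        }
    }
}

# Constructed sample memberships (not real data).
$source = @{
    'Finance-RW' = @('alice', 'bob', 'contractor1')
    'HR-Readers' = @('carol')
    'Legacy-App' = @('dave')
}
$target = @{
    'Finance-RW' = @('erin', 'bob')
    'HR-Readers' = @('carol')
    'Sales'      = @('frank')
}
Get-GroupMergeExposure -SourceGroups $source -TargetGroups $target | Format-Table -AutoSize

# Live input can be built per domain with the ActiveDirectory module, for example:
# $source = @{}
# Get-ADGroup -Filter * -Server <source-dc> | ForEach-Object {
#     $source[$_.Name] = @(Get-ADGroupMember $_ -Server <source-dc> | ForEach-Object SamAccountName)
# }
```

In the sample, merging `Finance-RW` gives `alice` and `contractor1` the target group's access and gives `erin` the source group's access, while `HR-Readers` merges without adding anyone.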

Applications

Working out which applications will be affected by your Active Directory migration is not an easy task. Mostly, the answer has to do with the authentication a company’s applications require.

One of the biggest challenges during a migration is identifying which applications are using AD to begin with. It is a matter of looking at these different applications and identifying the authentication within these applications.

At the same time, Group Policy Objects (GPOs) should not be overlooked. If an organization has been relying on GPOs for a long time, there is no telling what state they are in. Migrating them blindly to a new AD is another way to introduce the risk of obsolescence and potential vulnerability to an otherwise pristine environment. Trimming out the dead wood now is better than migrating it unexamined.

Data

Active Directories are filled with data, and whenever we have data, we should be thinking about permissions. In most cases, if we are thinking of data exfiltration, the attacker obtains access to the object through an account that already has it.

As a result, it is important to audit which users have access to data and how frequently they use it. By examining usage over time, access can then be regulated through groups. Additionally, the business owner can periodically attest to the need for each user to have continuing access and ensure the right people have access to the right data anywhere and anytime.

Devices

Which tools are being used during an Active Directory migration? Do they require temporarily disabling the firewall? Knowing the answer to these questions can highlight potential risks that we might be unwittingly exposing ourselves to during a migration. For example, older tools had prerequisites for remote connectivity which can weaken the security posture, and if we are migrating for security reasons, we should avoid any such risk, even temporarily.

Choosing Active Directory migration tools that do not require disabling security properties on either the source or destination server during the migration project will save you many headaches. It is not necessary to weaken a server and its configuration when migrating to a more secure environment.

The point is that Active Directory migration in a hurry is a bad idea. A lot of doors swing open during an Active Directory migration or consolidation project, and the faster your migration, the greater the risk that a vulnerability will slip in undetected, such as issues surrounding SID History. Planning in advance and mitigating any risks that can arise before a migration will help you achieve the expected benefits from M&As and ensure a smooth transition of AD environments.

Photo Credit: bleakstar/Shutterstock

Bryan Patton is a CISSP and a Quest Strategic Systems Consultant.

© 1998-2024 BetaNews, Inc. All Rights Reserved.