Active Directory Consolidation Aids Security

Case Study: Biggest Challenge Is Getting Administrators' Buy-In
Active Directory Consolidation Aids Security

Consolidating Microsoft Active Directory isn't just a technical challenge, but a personnel one as well. Just ask Steve Way, a divisional IT director at Johnson Matthey, the British specialty chemical maker that employs 10,000 people at 120 locations in 30 nations.

See Also: Achieving Advanced Threat Resilience: Best Practices for Protection, Detection and Correction

Way had to deal with dozens of network administrators - "masters of their own universe," as he puts it - who felt their jobs were being downgraded when Johnson Matthey decided to reduce from 34 to one the number of Microsoft Active Directories the company would maintain.

Johnson Matthey, which last fiscal year had £10.7 billion ($16.8 billion) in revenue, began the eight-month migration to a single Active Directory two years ago to gain better control over identity and access management as the company moved to a cloud-based e-mail system.

"The biggest challenge was persuading local administrators that their lives hadn't ended because they no longer were the main administrator," Way says. "They said, 'We're not going to be able to do our jobs.' Actually, what they meant was, 'You're taking away my power.'"

Worldwide Road Show

To dispel those jitters, Johnson Matthey held a worldwide road show - with stops in Asia, Europe and the United States - to explain why the company was moving to a single Active Directory and inform the administrators that, for the most part, their jobs would hardly change. As they did before the migration, the administrators continued to set up new computers, add new employees and devices to networks and grant users access to data on their sites. "We got them onboard, and the migration went smoothly," Way says.

Johnson Matthey's IT leaders say employing a single Active Directory allows for better integration of existing systems, heightens security and more effectively facilitates communication and collaboration among locations. Active Directory authenticates and authorizes users and computers in a Windows network, assigning and enforcing security policies for all computers and installing and updating software.

The company used three products from Dell: Migration Manager for Active Directory to consolidate to a single directory; ActiveRoles Server to manage identities; and ChangeAuditor for Active Directory to track and provide alerts on configuration changes.

Way estimates the project would have taken four years to complete if Johnson Matthey had migrated to a single directory manually, rather than the eight months using commercial products.

Five Enterprise Administrators

With a single directory, five managers have been designated as enterprise administrators, with overall administration rights. But that doesn't mean they have unlimited access to data.

"We set it up so that they cannot help themselves to the subdomains where the users are," Way says. "They can do everything they need to do, including granting rights to the people down below. But because we removed them from certain Active Directory groups, and barred them from access, they cannot actually get to the data below them." In fact, no employee - including the CEO and CIO - can access all of the data stored on Johnson Matthey systems.

But the single directory facilitates secure collaboration, making it easier to grant the right people access to and the ability to share the right data. "We're a company that relies on its intellectual property," Ways says. "We do a lot of research and development. We need to share knowledge. [Before the directory migration], we were very bad of being able to find people to be able to collaborate to solve problems. And we were very good at reinventing things. We had a number of scientists applying for patents to find out that we already had the patents for the thing we just invented.

"To get that knowledge sharing going, we needed to have a system whereby we could control identity and access in a role-based way rather than individual way. And, to do that is by accessing a single Active Directory."


About the Author

Eric Chabrow

Eric Chabrow

Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow, who oversees ISMG's GovInfoSecurity and InfoRiskToday, is a veteran multimedia journalist who has covered information technology, government and business. He's the former top editor at the award-winning business journal CIO Insight and a long-time editor and writer at InformationWeek.




Around the Network