When compliance auditors turn their attention to Active Directory, they need to see that an organization has implemented an architecture that supports the level of access controls specific regulations require.
Courtesy of BigStock.com — Copyright: Ivelin Radkov
At their core, compliance regulations are intended to help organizations protect their most critical data and users. In every regulated business sector—healthcare, financial services, public infrastructure, transportation—controlling access to data and systems is one of the most important responsibilities of the organization. The penalties for failing to do so are high and can take the form of fines, lawsuits, reputational damage, and customer churn.
In this reality, protecting and monitoring Active Directory is a vital part of an organization’s strategy for managing security, ensuring continuous business operations, and meeting regulatory compliance requirements. Active Directory is a rich source of information for compliance auditors: It represents an accurate record of the access levels of users, providing insight into how secure an organization’s sensitive data is.Courtesy of BigStock.com — Copyright: Ivelin Radkov
While compliance regulations vary around the world, it’s useful to look at a few core compliance regulations in the U.S. to get a sense of the fundamental information and processes you need to maintain to satisfy auditors:
- SOX: The Sarbanes-Oxley Act (SOX) mandates that any publicly held company establish procedures to shield financial records from destruction, loss, and misuse in order to protect the company’s shareholders and decrease the possibility of corporate fraud. SOX also mandates that the company audits and reports on these controls.
- PCI: The Payment Card Industry Data Security Standard (PCI DSS) regulation states that any company that accepts card payments—through storing, processing, and transmitting cardholder data—must host this data securely using a PCI-compliant hosting provider. In order to be PCI-compliant, you must monitor all access to network resources, regularly test security systems, and maintain an information security policy.
- GLBA: The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, controls how financial institutions handle private customer information. GLBA’s Safeguards Rule mandates that all financial institutions create, execute, and maintain safeguards to protect customer information. Under the Safeguards Rule, financial institutions must identify operational risks to customer data, implement an information security program, and regularly audit the safeguards program.
- HIPAA: HIPAA, the Health Insurance Portability and Accountability Act, was initially created to protect healthcare coverage for people who lose or change their jobs and has now evolved into a set of standards for securing patient data. HIPAA dictates that any company that deals with protected health information (PHI) implements and adheres to physical, network, and process security measures. Electronically transmitted PHI, or e-PHI is protected under HIPAA’s Security Rule, and organizations must secure this information by identifying and protecting against threats.
- FISMA: The Department of Homeland Security established the Federal Information Security Management Act (FISMA) to protect government information, operations, and assets from all threats, natural or man-made. It also states that government agencies must implement tools to audit their information security programs, test security procedures, and perform periodic risk assessments.
- NERC: The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standard provides a cyber-security framework for the identification and protection of Critical Cyber Assets that control or affect the reliability of North America’s bulk power systems. All bulk power system owners, operators, and users must comply with NERC-approved Reliability Standards. These entities are required to register with NERC through the appropriate Regional Entity. If your organization is a NERC-registered entity as a user, owner, and operator of the bulk power system in the United States, you are required to be NERC CIP Compliant.
- GDPR – The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It requires appropriate technical and organizational mechanisms to ensure the security and privacy of any personal data held by the organization.
Giving auditors what they want
When compliance auditors turn their attention to Active Directory, they need to see that an organization has implemented an architecture that supports the level of access controls specific regulations require. For regulated organizations, Active Directory’s role in demonstrating compliance fundamentally rests on one word—visibility.
Managing Active Directory effectively requires a mix of continuous monitoring, regular auditing, vulnerability and security posture management, and the implementation of best practices such as least-privilege access controls. These are the pillars of a secure AD deployment. They are also the pillars of a successful compliance program. Regulations such as HIPAA set a standard that requires companies to implement effective controls regarding access. AD is a rich source of information that is relevant for a compliance audit, and proper monitoring can provide insights into the status of user roles and privileges and any critical changes to the environment.
Specifically, organizations need to demonstrate visibility into the following—all of which can be gleaned from Active Directory:
- Modifications to group memberships: Changes to group memberships can happen for legitimate reasons. Employees are hired and fired, promoted and demoted—events that require changes to their access rights. But unexpected changes can also be a sign of malicious activity. The ability to monitor and audit Active Directory for any alterations to groups is vital for proving compliance.
- Changes to Group Policy: AD admins need to monitor any modifications to Group Policy to ensure that no account is granted inappropriate access to systems and that the security configuration of domain-joined computers is properly maintained.
- Account creation and deletion: The unauthorized creation or deletion of accounts—or the sudden use of an account that appears to have been previously orphaned—are sure signs of malicious activity. Creating accounts and using accounts of recently departed employees are tactics commonly used by threat actors to maintain persistence in a network after compromising an environment.
- Password changes: If the password for a user is changed at a time that is out of synch with a normal corporate-mandated update, the change might be a sign that an attack is underway. The ability to track this information helps uncover who has appropriate access to sensitive data.
Having visibility into these events is crucial for producing the type of audit trail necessary to investigate security incidents and demonstrate who has access to what information. Compliance officers need to know there is a process in place for managing and tracking changes in AD—especially changes that grant access to critical assets.
Ensuring compliance with regulations
To meet compliance requirements, organizations must fill gaps in their AD monitoring and auditing capabilities. With the right tool, organizations should be able to:
- Audit Active Directory changes: Compliance audits require organizations to know what changes are being made and who is making them. Imagine a user is added to a critical application group by something other than your organization’s provisioning account. Organizations should be able to define notification rules to automatically reverse unexpected changes to users, groups, computers, containers, and organizational units (OUs).
- Identify misconfigured Group Policy Objects: The right tool enables organizations to track and compare changes to GPOs and immediately roll back any modifications.
- Detect password changes: This capability enables organizations to undo any accidental resets and detect malicious behavior.
- Conduct vulnerability assessments: From the Payment Card Industry Data Security Standard (PCI DSS) to the HIPAA Security Rule, compliance regulations frequently call for organizations to identify and assess risks to critical data. Part of that assessment should include AD, particularly those used to elevate privileges and deepen a compromise.
Regulations often change in response to the dynamics of the governments that create them and the industries they are designed to protect. What will not change anytime soon, however, is the importance of protecting Active Directory as part of meeting regulatory demands. Without proper auditing and monitoring of AD, compliance efforts will always be at risk of failure.
About the author: Gil Kirkpatrick is the Chief Architect at Semperis. He is a long-time veteran of the commercial software industry and has focused on identity and access management products since the early 1990s. He has held technology leadership roles at HTS, NetPro, Quest Software, and ViewDS Identity Solutions, and is known as the founder of the Directory Experts Conference (later renamed The Experts Conference). Kirkpatrick is the author of Active Directory Programming, the original reference book for developers working with Microsoft’s Active Directory. He has been nominated as a Microsoft MVP for Active Directory and Enterprise Mobility for each of the last 15 years.