Overcoming Active Directory Administrator Challenges

23rd February 2018

The central role of Active Directory in business environments

Deployment of and reliance upon Active Directory in the enterprise continues to grow at a rapid pace, and is more often becoming the central data storage point for sensitive user data as well as the gateway to critical business information. This provides businesses with a consolidated, integrated and distributed directory service, and enables the business to better manage user and administrative access to business applications and services.

Over the past 10+ years, Wanstor has seen Active Directory’s role in the enterprise drastically expand, as has the need to secure the data it both stores and enables access to. Unfortunately, native Active Directory administration tools provide little control over user and administrative permissions and access. The lack of control makes the secure administration of Active Directory a challenging task for IT administrators. In addition to limited control over what users and administrators can do within Active Directory, the database has limited ability in reporting on activities performed therein. This makes it very difficult to meet audit requirements, and to secure Active Directory. As a result, many businesses need assistance in creating repeatable, enforceable processes that will reduce their administrative overhead, whilst helping increase the availability and security of their systems.

Because Active Directory is an essential part of the IT infrastructure, IT teams must manage it both thoughtfully and diligently – controlling it, securing it and auditing it. Not surprisingly, with an application of this importance there are challenges to confront and resolve in reducing risk, whilst deriving maximum value for the business. This blog will examine some of the most challenging administrative tasks related to Active Directory.

Compliance Auditing and Reporting

To satisfy audit requirements, businesses must demonstrate control over the security of sensitive and business-critical data. However, without additional tools, demonstrating regulatory compliance with Active Directory is time-consuming, tedious and complex.

Auditors and stakeholders require detailed information about privileged-user activity. This level of granular information allows interested parties to troubleshoot problems and also provides information necessary to improve the performance and availability of Active Directory.

Auditing and reporting on Active Directory has always been a challenge. To more easily achieve, demonstrate and maintain compliance, businesses should employ a solution that provides robust, custom reporting and auditing capabilities. Reporting should provide information on what, when and where changes happen, and who made the changes.

Reporting capabilities should be flexible enough to provide graphical trend information for business stakeholders, while also providing granular detail necessary for administrators to improve their Active Directory deployment. Solutions should also securely store audit events for as long as necessary to meet data retention requirements and enable the easy search of these events.

Group Policy Management

Microsoft recommends that Group Policy be a cornerstone of Active Directory security. Leveraging the powerful capabilities of Group Policy, IT teams can manage and configure user and asset settings, applications and operating systems from a central console. It is an indispensable resource for managing user access, permissions and security settings in the Windows environment.

However, maintaining a large number of Group Policy Objects (GPOs), which store policy settings, can be a challenging task. For example, administrators should take special care in large IT environments with many system administrators, because making changes to GPOs can affect every computer or user in a domain in real time. Group Policy also lacks true change-management and version-control capabilities. Due to the limited native controls available, accomplishing something as simple as deploying a shortcut requires writing a script. Custom scripts are often complex to create and difficult to debug and test. If the script fails or causes disruption in the live environment, there is no way to roll back to the last known setting or configuration. Malicious or unintended changes to Group Policy can have devastating and permanent effects on an IT environment and a business.

To prevent Group Policy changes that can negatively impact the business, IT teams often restrict administrative privilege to a few highly-skilled administrators. As a result, these staff members are overburdened with administering Group Policy rather than supporting the greater goals of the business. To leverage the powerful capabilities of Group Policy, it is necessary to have a solution in place that provides a secure offline repository to model and predict the impact of Group Policy changes before they go live. The ability to plan, control and troubleshoot Group Policy changes, with an approved change and release-management process, enables IT teams to improve the security and compliance of their Windows environment without making business-crippling administrative errors.

Businesses should also employ a solution for managing Group Policy that enables easy and flexible reporting to demonstrate that they’ve met audit requirements.

User Provisioning, Re-provisioning and De-provisioning

Most employees require access to several systems and applications, and each programme has its own account and login information. Even with today’s more advanced processes and systems, employees often find themselves waiting for days for access to the systems they need. This can cost businesses thousands of pounds in lost productivity and employee downtime.

To minimize workloads and expedite the provisioning process, many businesses view Active Directory as the commanding data store for managing user account information and access rights to IT resources and assets. Provisioning, re-provisioning and de-provisioning access via Active Directory is often a manual process. In a large business, maintaining appropriate user permissions and access can be a time-consuming activity, especially when the business has significant personnel turnover. Systems administrators often spend hours creating, modifying and removing credentials. In a large, complex business, manual provisioning can take days. There are no automation or policy enforcement capabilities native to Active Directory. With little control in place, there is no way to make sure that users will receive the access they need when they need it.

Additionally, there is no system of checks and balances. Administrative errors can easily result in elevated user privileges that can lead to security breaches, malicious activity or unintended errors that can expose the business to significant risk. Businesses should look for an automated solution to execute provisioning activities. Implementing an automated solution with approval capabilities greatly reduces the burden on administrators, improves adherence to security policies, improves standards and decreases the time a user must wait for access. It also speeds up the removal of user access, which minimizes the ability of a user with malicious intent to access sensitive data.

Secure Delegation of User Privilege

Reducing the number of users with elevated administrative privileges is a constant challenge for the owners of Active Directory. Many user and helpdesk requests require interaction with Active Directory, but these common interactions often result in elevated access for users who do not need it to perform their jobs. Because there are only two levels of administrative access in Active Directory (Domain Administrator or Enterprise Administrator), it is very difficult to control what users can see and do once they gain administrative privileges.

Once a user has access to powerful administrative capabilities, they can easily access sensitive business and user information, elevate their privileges and even make changes within Active Directory. Elevated administrative privileges, especially when in the hands of someone with malicious intent, dramatically increase the risk exposure of Active Directory and the applications, users and systems that rely upon it. At Wanstor we have found through our years of experience of dealing with Active Directory that it is not uncommon for a business to discover that thousands of users have elevated administrative privileges. Each user with unauthorized administrative privileges presents a unique threat to the security of the IT infrastructure and business. Coupled with Active Directory’s latent vulnerabilities, it is easy for someone to make business-crippling administrative changes. When this occurs, troubleshooting becomes difficult, as auditing and reporting limitations make it nearly impossible to quickly gather a clear picture of the problem.

To reduce the risk associated with elevated user privilege and make sure that users only have access to the information they require, businesses should seek a solution that can securely delegate entitlements. This is a requirement to meet separation-of-duties mandates, as well as a way to share the administrative load by securely delegating privileges to subordinates.

Change Auditing and Monitoring

To achieve and maintain a secure and compliant IT environment, IT administrators must control change and monitor for unauthorized changes that may negatively impact their business. Active Directory change auditing is an important procedure for identifying and limiting errors and unauthorized changes to Active Directory configuration. One single change can put a business at risk, introducing security breaches and compliance issues.

Native Active Directory tools fail to proactively track, audit, report and alert administrators about vital configuration changes. Additionally, native real-time auditing and reporting on configuration changes, day-to-day operational changes and critical group changes do not exist. This exposes the business to risk, as the IT team’s ability to correct and limit damage is dependent on their ability to detect and troubleshoot a change once it has occurred.

A change that goes undetected can have a drastic impact on a business. For example, someone who elevated their privileges and changed their identity to that of a senior member of the finance department could potentially access company funds, resulting in theft, wire transfers and so forth. To reduce risk and help prevent security breaches, businesses should employ a solution that provides comprehensive change monitoring. This solution should include real-time change detection, intelligent notification, human-readable events, central auditing and detailed reporting. Employing a solution that encompasses all of these elements will enable IT teams to quickly and easily identify unauthorized changes, pinpoint their source, and resolve issues before they negatively impact the business.

Maintaining Data Integrity

It is important for businesses of all sizes to make sure that the data housed within Active Directory supports the needs of the business, especially as other applications rely on Active Directory for content and information.

Data integrity involves both the consistency of data and the completeness of information. For example, there are multiple ways to enter a phone number. Entering data in inconsistent formats creates data pollution. Data pollution inhibits the business from efficiently organizing and accessing important information. Another example of data inconsistency is the ability to abbreviate a department name. Think of the various ways to abbreviate “Accounting.” If there are inconsistencies in Active Directory’s data, there is no way to make sure that an administrator can group all the members of accounting together, which is necessary for payroll, communications, systems access and so on. Another vital aspect of data integrity when working with Active Directory is the completeness of information. Active Directory provides no control over content that is entered natively. If no controls are in place, administrators can enter information in any format they wish and leave fields that the business relies upon blank. To support and provide trustworthy information to all aspects of the business that rely on Active Directory, businesses should employ a solution that controls both the format and completeness of data entered in Active Directory. By putting these controls in place, IT teams can drastically reduce data pollution and significantly improve the uniformity and completeness of the content in Active Directory.
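The format and completeness controls described above can be checked with a short audit script. This is an added example, not Wanstor's code; the required-field list, the department alias table, the default country code and the sample records are all assumptions constructed for illustration.

```powershell
# Added example: audit directory user records for format and completeness.
# The sample records are constructed. In a live domain, records with the same
# property names could come from the ActiveDirectory module, for example:
#   Get-ADUser -Filter * -Properties telephoneNumber, department, title

# Assumed policy: attributes the business relies upon and that must not be blank.
$RequiredFields = 'telephoneNumber', 'department', 'title'

# Assumed approved department names, keyed by the variants people tend to type.
$DepartmentAliases = @{
    'accounting' = 'Accounting'
    'acct'       = 'Accounting'
    'accts'      = 'Accounting'
    'acctg'      = 'Accounting'
    'finance'    = 'Finance'
    'fin'        = 'Finance'
}

function ConvertTo-E164 {
    # Normalises a phone number to E.164 (+<country><number>); returns $null if it cannot.
    param([string]$Number, [string]$DefaultCountryCode = '44')  # '44' is an assumption

    if ([string]::IsNullOrWhiteSpace($Number)) { return $null }
    $trimmed = $Number.Trim()
    # Drop the optional trunk prefix "(0)", then everything that is not a digit.
    $digits = ($trimmed -replace '\(0\)', '') -replace '\D', ''

    if ($trimmed.StartsWith('+'))     { $candidate = "+$digits" }
    elseif ($digits.StartsWith('00')) { $candidate = '+' + $digits.Substring(2) }
    elseif ($digits.StartsWith('0'))  { $candidate = "+$DefaultCountryCode" + $digits.Substring(1) }
    else                              { return $null }   # ambiguous: no prefix to anchor on

    if ($candidate -match '^\+[1-9]\d{7,14}$') { return $candidate }
    return $null
}

function Get-UserDataFinding {
    # Returns one string per problem found on a single user record.
    param([Parameter(Mandatory)][psobject]$User)

    $findings = [System.Collections.Generic.List[string]]::new()

    # Completeness: every required attribute must carry a value.
    foreach ($field in $RequiredFields) {
        if ([string]::IsNullOrWhiteSpace($User.$field)) {
            $findings.Add("missing $field")
        }
    }

    # Format: the phone number must already be stored in canonical E.164 form.
    if (-not [string]::IsNullOrWhiteSpace($User.telephoneNumber)) {
        $e164 = ConvertTo-E164 -Number $User.telephoneNumber
        if ($null -eq $e164) {
            $findings.Add("telephoneNumber '$($User.telephoneNumber)' is not parseable")
        }
        elseif ($e164 -cne $User.telephoneNumber) {
            $findings.Add("telephoneNumber '$($User.telephoneNumber)' should be $e164")
        }
    }

    # Consistency: the department must be an approved name, spelled canonically.
    if (-not [string]::IsNullOrWhiteSpace($User.department)) {
        $key = $User.department.Trim().TrimEnd('.').ToLowerInvariant()
        if (-not $DepartmentAliases.ContainsKey($key)) {
            $findings.Add("department '$($User.department)' is not in the approved list")
        }
        elseif ($DepartmentAliases[$key] -cne $User.department) {
            $findings.Add("department '$($User.department)' should be $($DepartmentAliases[$key])")
        }
    }

    return $findings
}

# Constructed sample records (not real accounts; the numbers use a reserved test range).
$SampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'asmith'; telephoneNumber = '+442079460123';       department = 'Accounting';  title = 'Accountant' }
    [pscustomobject]@{ SamAccountName = 'bjones'; telephoneNumber = '020 7946 0123';       department = 'Acct.';       title = 'Clerk' }
    [pscustomobject]@{ SamAccountName = 'cpatel'; telephoneNumber = '+44 (0)20 7946 0123'; department = 'ACCTG';       title = '' }
    [pscustomobject]@{ SamAccountName = 'dlee';   telephoneNumber = '';                    department = 'Bookkeeping'; title = 'Analyst' }
)

# Report only the records that need attention.
$report = foreach ($u in $SampleUsers) {
    $f = @(Get-UserDataFinding -User $u)
    if ($f.Count -gt 0) {
        [pscustomobject]@{ SamAccountName = $u.SamAccountName; Findings = $f -join '; ' }
    }
}
$report | Format-Table -AutoSize -Wrap
```

Run on a schedule, a report like this shows where the three spellings of "Accounting" would otherwise split one department into several groups.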

Self-Service Administration

Most requests made by the business or by users require access to and administration of Active Directory. This is often manual work and there are few controls in place to prevent administrative errors. Active Directory’s inherent complexity makes these errors common, and just one mistake could do damage to the entire security infrastructure. With the lack of controls, the business cannot have just anyone administering Active Directory.

While it may be practical to employ engineers and consultants to install and maintain Active Directory, businesses cannot afford to have their highly-skilled and valuable employees spending the majority of their time responding to relatively trivial user requests. Self-service administration and automation are logical solutions for businesses looking to streamline operations, become more efficient and improve compliance. This is achieved by placing controls around common administrative tasks and enabling the system to perform user requests without tasking highly skilled administrators.

Businesses should identify processes that are routine yet hands-on, and consider solutions that provide user self-service and automation of the process. Automation of these processes reduces the workload on highly-skilled administrators; it also improves compliance with policies, since automation does not allow users to skip steps in the process. Businesses should also look for self-service and automation solutions that allow for approval and provide a comprehensive audit trail of events to help demonstrate policy compliance.

Final thoughts

Active Directory has found its home as a mission-critical component of the IT infrastructure. As businesses continue to leverage it for its powerful capabilities as a commanding repository, Active Directory is a vital part of enterprise security. Therefore, administrators must be able to control, monitor, administer and protect it with the same degree of discipline currently applied to other high-profile information such as credit card data, customer data and so forth. Because native tools do not enable or support the secure and disciplined administration of Active Directory, businesses must look for solutions that enable its controlled and efficient administration. These solutions help make sure the business information housed in Active Directory is both secure and appropriately serving the needs of the business.


Reasons why business leaders need to consider outsourcing their IT service desk to a specialist provider

14th December 2017

At Wanstor we have recently been talking to a number of existing and potential customers about their IT service desk support. Our discussions have highlighted a number of major trends which IT departments and business leaders were not aware were putting pressure on IT service desk resources. For example:

  • Employees are more mobile than ever before, meaning things break at different locations
  • Employees’ attitudes to work are changing from a place where you go, to something you do as and when required
  • Different business departments wanting access to cloud services
  • More and more applications are being developed and used in day to day business
  • Data management becoming a serious headache as employees and customers demand access to it 24/7
  • More and more devices being used – leading to security and patch management issues in terms of the right levels of resourcing and making sure users are safe at all times from potential attacks
  • New technology and new devices are being launched all the time – What is the best way to offer support?
  • Growing operational costs of supporting a sprawling mixed vendor IT infrastructure
  • End users complaining about the time it takes to solve issues through the IT service desk

Traditional IT help desks used to service the business during opening hours and at fixed locations, however this is no longer good enough. IT support staff are now required to be multi skilled across a range of technologies and provide support to staff at different locations 24/7.

As business technology has become increasingly complex, the need for dedicated IT support services has grown. Typically the IT help desk has provided end users with little more than basic troubleshooting and issue management services. In the past, when technology was made by only a few manufacturers, staff could easily be trained and appear knowledgeable about computers and IT infrastructure. However, as business has become more reliant on technology, a standardised and documented helpdesk approach is needed, one which offers a consistent set of services and protocols for help desk staff. Over the past decade, IT help desk staff have started to become hindered by the sheer speed at which enterprise technology has evolved. There are a number of trends that have made it increasingly difficult for traditional IT help desks to provide the kinds of support that end users need:

  • Improvements in users’ personal IT have changed perceptions and expectations of what IT can help them with in their working lives. The user experience of smartphones and laptops is significantly better than even 5 years ago. What’s more, many of the leading technology providers provide consumers with a high standard of customer service (just think of the Apple Store). So, when they call up their company’s IT service desk, they quickly become frustrated by untrained staff, staff who do not keep lines of communication open, or inefficient processes which they have to go through to get a simple problem fixed.
  • Most of the modern workforce have been using advanced technology for the majority of their lives. Many employees are now capable of resolving minor troubleshooting problems and are also used to looking for answers online through search engines. Quite often, the IT help desk is a last resort for more complex problems, meaning IT help desk staff must be prepared to resolve more difficult issues.
  • As technology has evolved, users are using a variety of software and applications in their business lives. Today, the typical business will be using hundreds of applications, with staff constantly connecting to the network with different kinds of personal and mobile devices. Expecting the service desk to monitor and support this complexity alone is problematic, as every user has a different IT need in terms of software and applications.
  • Employees want to work when they want to, not when they are told to. This change in mindset with regard to work, alongside the widespread acceptance of cloud technology and mobile devices, means business users are now able to access company content from their smartphones or laptops at any hour of the day. Most of the time this is hugely beneficial to the user and the company, allowing workers to be productive whilst out of the office. However, when they have problems logging onto the system, or syncing a document to their device, they need support instantly. When an IT help desk is closed at weekends or after 5pm, the service simply does not match up to user and business requirements.
  • More pressure is being placed on IT helpdesks. Staff turnover is constant as many internal IT helpdesk staff simply cannot cope with the demands being made of them. The HDI regularly states that the staff turnover rate on IT service desks is as high as 40%, with many staff who do not leave complaining of stress and stress-related illnesses. Such a high staff turnover means internal IT service desks often have extremely large training bills as they constantly struggle to train and retain skilled staff members, alongside many positions remaining unfilled.

The issues identified above have led many businesses to explore alternatives to the traditional in-house IT support approach. At Wanstor we believe the aim is not to replace the talent firms already have. Rather, the goal should be to extend and enhance in-house IT staff, by letting them focus their attention on high value strategic activities, whilst using a mix of outsourced staff and technology to support wider business and IT goals for highly intensive administration tasks.

At Wanstor we believe by enhancing internal IT services teams with improved help desk technology and outsourced IT service desk teams for high volume/admin heavy tasks, businesses can fill the skills, cost and user satisfaction gaps which exist and achieve the best possible ROI from their technology. The main reasons many business leaders are talking to Wanstor about outsourcing their IT helpdesks are:

Improved communication – Focussed on the specific needs of the business and end users

Training – Outsourced IT service desk staff specialise in providing customer support for a wide range of technologies. This means that they are trained with the latest versions of software solutions. They can also be trained to help with a business’s specific technology set up.

Cost savings – Many IT outsourcing companies provide contracts that give businesses the option to only pay for the services they need and use. An internal IT service desk is a fixed cost in terms of people and technology which needs to be provided even when the business does not require large volumes of IT support. By moving to a pay as you go IT service model, it has been proven through many extensive studies that operational costs of IT service desks can be cut by over 20% in many cases.

Outsourcing part of your IT support service will only be successful if the solution and partner you choose aligns with the specific needs of your business. It is essential that business and IT decision makers develop a plan of requirements and expectations before they engage with an IT partner. By taking the time at the outset to decide what the business actually needs from an IT support partner you can decide on whether you are looking for a partner to resolve repetitive problems like resetting passwords, or are looking for a close partnership where your IT help desk is fully supported by an external team and best in class technology.

At Wanstor we recommend all businesses do 5 things before they engage with and decide on an outsourced IT service desk partnership. They are:

  • Discuss what is going wrong with your existing IT helpdesk team and see if there are any process or people improvements which could be made to alleviate pressure and improve the service required back to the business
  • Interview a selection of end users and find out what they want/expect from an IT service desk and then evaluate if you already have the skills/capabilities to satisfy those user demands or if you definitely need some help
  • Have a vision of what you want the IT service desk to look like. Can you provide that vision with internal staff or do you need expert outside help to reach your IT and business goals. If you do want external IT support what does your ideal IT partner look like and what services should they provide?
  • Engage with a partner who can support your vision and has the expertise and experience to turn it into reality. Your partner should be able to advise you on what is realistic, and you should expect them to be able to guide you to a degree.
  • Set KPIs to judge whether your partnership is successful; it is highly valuable to measure progress. Conduct regular customer satisfaction surveys to find out whether your business users are now happier with the service they are receiving.

In summary, the traditional IT help desk model is redundant. Business technology has moved on and is still moving through its various lifecycles at a real pace. As a result, traditional IT help desks are simply unable to cope with the increased demands being placed on them. At Wanstor we believe the future IT service desk model is a hybrid one. One which uses internal IT teams for strategic high value IT programmes of work and an external provider who can look after all of the operational IT demands from users such as patching, password re-sets, application updates and making sure the right security is in place. Get the internal/external IT service provider mix right and your business could benefit from access to highly trained staff as and when it needs them, lower operational costs and improved end user satisfaction levels.

To find out more about Wanstor’s vision of the IT service desk of the future download our whitepaper here.


Is your digital transformation working? Putting the basics in place

3rd November 2017

In the current business environment, it’s not enough to automate processes and increase efficiency. To succeed, companies need to be unique and truly differentiate themselves from the competition. Your customers are demanding a more personalised service, and their expectations about the service they receive from your business continue to rise every day. To meet rising customer expectations around their business, and stay competitive, companies need to move to a relationship/value based interactive model with their customers. This increasingly means starting with the customer impact first on any business project, initiative or budgetary spend. This is where digital strategies start and digital transformation can happen. Many businesses have started ‘digital’ programmes of work, but have not yet seen the rewards of their efforts.

At Wanstor we believe there are 4 things businesses should do before embarking on a digital transformation strategy. Under no circumstances is it good enough to dip a toe into digital transformation. Instead business leaders should either commit to a digital transformation programme of work fully or decide when they are going to commit to it. In summary – undertaking a digital transformation programme to execute a digital strategy is not an easy task and half-hearted approaches simply won’t work.

So what are the 4 things all business leaders should do if they want to successfully execute ‘digital’?

Take the time to develop a strategy

The strategy phase of the digital transformation process should help a business define and understand the problems it wants to solve and how it is going to solve them. The old way of working in business is to start with existing problems and requirements then develop a solution. This approach still has value, but only deals with problems that exist today, rather than looking at potential problems/pitfalls in the future. At Wanstor we recommend when building a digital transformation strategy, businesses should instead focus on outcomes and end goals if they are going to be successful. Ask questions such as – What does success look like? What customer experience do we want to create? What story do we want to tell to the business and customers?

Think about the key themes of your transformation and the experience you want to deliver. For example, a restaurant owner may want to personalise the dining experience further. Once the restaurateur has captured a vision of what they want to do, they require a programme of work to help achieve that vision. This is where digital comes into play. The restaurateur wants to create an actionable strategic vision that wraps around business objectives. To do this, they first of all need to identify gaps across people, processes, technology and offerings, and then create a roadmap to success. As well as having a clear plan, it is important that any digital initiative is completed at speed so as to stay ahead of the competition and improve the time to benefit ratio of projects which will affect the business and provide a customer with an improved experience.

Design with the customer experience in mind

Designing any solution to a problem in a digital world should always start with the customer in mind. This means thinking about how customers and staff will interact with technology, for example to improve the dining experience. First of all, think about focusing on the experiences you want to create for your end-users, not the requirements of the solution. Also consider how you can change the way employees engage and collaborate and the way customers interact with your business. Your goal here should be to build the right experience, one that allows your staff and ultimately your customers to reach their end goals, e.g. a more efficient front of house operation resulting in a better customer dining experience.

Put the right pieces in place

Having a strategy and a design is a great start to your digital transformation. But if you can’t assemble the right pieces (people, propositions, processes and technology), you actually haven’t got anything apart from random parts. At this stage it’s time to start unifying the team and the processes, and ultimately to start shaping the experience. For example, a restaurant wants to make online bookings easier on its website. To accomplish this, they need to connect the different points of the customer journey with the booking system. What does the customer do when they land on the restaurant’s website? How easy is it to find the booking application? How is the booking data relayed to the restaurant they want to book a table in? Do staff at the restaurant understand the booking system and the customer’s requirements when they book?

It doesn’t matter how many systems need to be involved, it should all be seamless and easy for the customer who should feel like they are accessing one single system. At Wanstor we usually find for processes like ‘restaurant booking’ most restaurant businesses already have the right pieces of technology and parts of the process, but it’s joining them together that is quite often the problem. The key to success is leveraging all disparate systems, services and existing technologies to power elements of the digital ecosystem. Quite often a simple gap analysis of where you are now vs where you want to get to, highlights areas which need to be joined up or require work for integration. By putting the disparate pieces together ‘digital’ can actually start to become a reality.

Get ready for success

The final piece of the digital transformation puzzle is getting and keeping everything running smoothly. Regardless of your deployment method, you will want to implement a plan for continuous management and support. This starts with a dedicated digital transformation team who can help implement governance and a plan to keep your ‘digital’ roadmap and architecture up-to-date at all times. For IT they should consider adding a shared support structure, along the lines of a shared services centre, with skills across a variety of disciplines, such as change management, process optimisation, and agile management, so they can build repeatable processes that are supported by a dedicated group of experts. If you don’t have these skills in-house, you should find a managed service partner who can supplement the team with these skills.

In summary, at Wanstor we usually see digital transformation programmes failing or not delivering the benefits they promise because teams, people, processes and technologies are disconnected. By following the 4 steps above you should by now have grasped that digital transformation is not just about technology but about business change. Those businesses which put the right strategy, design and processes in place will ultimately achieve their digital transformation goals.

At Wanstor we believe ‘digital’ can bridge many business and technology gaps. By bringing together a top-down business approach with bottom-up operational experience ‘digital transformation’ adds customer, employee, and operational value by leveraging disparate products, services, and existing technologies, to create, build, and manage digital ecosystems.

By using digital transformation programmes to innovate and improve, businesses can create a long-term competitive advantage. One that creates improved customer loyalty, more customer spend and reduced business operating costs.


WannaCry Ransomware Attack

16th May 2017

On the 12th of May 2017, a massive ransomware attack called WannaCry was unleashed and it has ended up disrupting business operations for both public and private organisations on multiple continents, with the NHS in the UK probably being one of the highest profile victims to date. If you are infected, you will find this flavour of ransomware to be highly virulent, spreading rapidly across your corporate network.


Lindt turn to Wanstor for their outsourced IT Services

21st March 2017

Lindt & Sprüngli have turned to Wanstor, a recognised provider of IT Services for retail, in order to provide them with a range of outsourced IT Services to help them manage their technology and provide them with a reliable platform as they look to grow their business within the UK. Those services include complete IT Support, 24×7 monitoring and helpdesk services, point of sale support, onsite IT Support, full asset management and lifecycle services, as well as assistance with their new shop openings.

Wanstor
124-126 Borough High Street London, SE1 1LB
Phone: 0333 123 0360, 020 7592 7860