5 challenges in a hybrid AD environment and how to tackle them
August 01 · 8 min read

"It was the intern."
A few years ago, a popular streaming service sent a test email with the subject "Integration test email #1" to all of its subscribers. The message body, "This template is used by integration tests only", had been sent out by mistake by an intern. As damage control, the streaming service posted a tweet admitting the intern's mistake and stated that they were helping them through it. An avalanche of responses and jokes followed online that lightened things up. Regardless of whether it was an actual error or a clever marketing gimmick, this does occur in organizations, and it exposes a serious underlying problem of access control. IT teams are responsible for enforcing role-based access within their organization. Had those roles been reviewed, the intern would not have had access to sensitive customer information that was not required for their duties, and an error of this magnitude could have been avoided.
Access control and privilege problems like the one above are common when organizations manage user identities across multiple platforms. A hybrid AD environment combines traditional on-premises AD with a cloud-based identity service like Microsoft Entra ID (formerly known as Azure AD). Organizations may opt for a hybrid AD setup for a number of reasons, such as:
- Legacy system support during cloud migration
- Compliance requirements for control over sensitive data
- Disaster recovery and availability improvement to ensure business continuity
A hybrid AD environment allows organizations to reap the benefits of both types of identity management solutions. They can maintain control over their critical resources and use cloud services for the scalability their business requires. However, it also comes with a set of challenges. Let's take a look at a few hurdles organizations may face should they choose this route, and how they can overcome them.
1. Identity synchronization
Keeping user identities synchronized between AD and Microsoft Entra ID allows users to use a single set of credentials to access all IT resources, from web applications to local systems, regardless of where they are hosted. Changes made in one environment must be reflected in the other to maintain consistency and keep access privileges up to date. This is a challenge when organizations rely on error-prone manual processes or when change management isn't streamlined, and the result is duplicate identities, password synchronization failures, and data inconsistency.
Take the example of a financial analyst, John Doe, working in a bank that operates with a hybrid AD environment. The bank may host applications like financial modeling tools on its on-premises environment (for security reasons) and use cloud-based communication channels. If there's a synchronization issue, Doe may not be able to extract data from the modeling reports or share them with his colleagues through a collaboration tool. Despite having the correct access privileges, Doe is unable to fulfill his responsibilities. Inconsistency in access rights also affects customer-facing services like online banking or transactions. When these incidents occur, the IT team takes a big hit with an influx of support tickets, impacting their productivity as well.
What's the fix?
Tools like Microsoft Entra Connect can ensure that changes made in one environment are accurately reflected in the other. ManageEngine offers an in-house AD management tool that is equipped to bridge the gap between the two environments through automation. The IT team at Doe's workplace can use orchestration templates and define a sequence of tasks to be executed under specific conditions. Doe's user account is granted access permissions in on-premises AD. Through orchestration, the same permission level can automatically be extended to his Microsoft Entra ID account, allowing him to share the details of the report with his clients or colleagues.
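Before automating anything across the two directories, an IT team needs to know where synchronization has already drifted. The following PowerShell script is an added example, not code from the article or from ManageEngine: it compares every enabled on-premises user in a scope OU against the tenant's Entra ID users and reports accounts that are missing in the cloud, cloud-only accounts that duplicate an on-prem UPN, and cloud objects whose source anchor does not match the AD account. It assumes the RSAT ActiveDirectory module, the Microsoft.Graph.Users module, an existing Graph session opened with Connect-MgGraph -Scopes "User.Read.All", and the default Entra Connect anchor (the base64-encoded ObjectGUID); the OU path is a placeholder.

```powershell
# Added example: report synchronization gaps between on-premises AD and
# Microsoft Entra ID. Assumes RSAT ActiveDirectory + Microsoft.Graph.Users
# and an authenticated Graph session (Connect-MgGraph -Scopes "User.Read.All").

Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users

# On-prem users that Entra Connect is expected to synchronize.
# The OU path is a placeholder for this example.
$onPremUsers = Get-ADUser -Filter 'Enabled -eq $true' `
    -SearchBase 'OU=Staff,DC=example,DC=com' `
    -Properties UserPrincipalName, ObjectGUID

# All Entra ID users, with the attributes that describe their sync state.
$cloudUsers = Get-MgUser -All -Property UserPrincipalName, OnPremisesSyncEnabled, OnPremisesImmutableId

# Index cloud users by lower-cased UPN for quick lookup.
$cloudByUpn = @{}
foreach ($u in $cloudUsers) {
    if ($u.UserPrincipalName) { $cloudByUpn[$u.UserPrincipalName.ToLower()] = $u }
}

$report = foreach ($adUser in $onPremUsers) {
    $upn = $adUser.UserPrincipalName
    if (-not $upn) { continue }          # accounts without a UPN cannot match anything in the cloud
    $cloud = $cloudByUpn[$upn.ToLower()]

    # With the default anchor configuration, Entra Connect stores the base64
    # ObjectGUID as OnPremisesImmutableId; a mismatch means the cloud object
    # is not anchored to this AD account (for example, a re-created account).
    $expectedAnchor = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())

    $status = if (-not $cloud) { 'MissingInCloud' }
              elseif (-not $cloud.OnPremisesSyncEnabled) { 'CloudOnlyDuplicate' }
              elseif ($cloud.OnPremisesImmutableId -ne $expectedAnchor) { 'AnchorMismatch' }
              else { 'InSync' }

    [pscustomobject]@{ UserPrincipalName = $upn; Status = $status }
}

# Only the problem cases are worth a ticket; InSync rows are dropped.
$report | Where-Object Status -ne 'InSync' | Sort-Object Status, UserPrincipalName | Format-Table -AutoSize
```

Running this on a schedule and diffing the output against the previous run turns "Doe cannot open the collaboration tool" from a help-desk surprise into a report line the team sees before the user does. A CloudOnlyDuplicate row is the typical cause of the duplicate-identity problem mentioned above: someone created the user directly in Entra ID before the on-prem object was synchronized.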
2. Security
One of the primary challenges in a hybrid AD environment is addressing security risks and maintaining consistent policies across both environments. Weak authentication practices, insufficient monitoring, and a failure to review and update access controls are some reasons an organization may face security threats.
Zylker is an e-commerce website that sells household appliances and gadgets. It operates in a hybrid AD environment as part of its business continuity and disaster recovery (BCDR) plan, maintaining cloud-based applications to ensure uninterrupted operations in the event of on-premises infrastructure failures. Due to an access control misconfiguration, a terminated employee's account was still active with access to sensitive customer data. Through this account, a cybercriminal was able to enter the cloud-based platform and obtain payment details like credit card numbers, as well as PII like names, addresses, and contact information of hundreds of customers.
Credential-based attacks can happen to any organization, and this crisis could have been averted if Zylker had taken the necessary proactive security measures. To course-correct, Zylker must now:
- Follow the principle of least privilege and impose granular role-based access controls.
- Implement authentication methods like MFA.
- Encrypt sensitive data for data confidentiality, integrity, and availability.
- Enhance monitoring and logging capabilities to detect and respond to suspicious activities and unauthorized access attempts promptly.
- Conduct IT housekeeping to remove inactive accounts.

ManageEngine's AD management tool uses a Disable/Delete policy that identifies dormant accounts, removes their privileges, moves them to a location configured by the IT admin, and deletes them. It also monitors risks and assigns a risk score based on NIST guidelines to identify potential identity risk indicators. The solution calculates the severity of each risk and provides remediation measures that help organizations gain visibility into their AD health and risk posture.
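The dormant-account sweep described above can also be expressed as a small script, which makes the policy's decisions explicit and reviewable. The PowerShell below is an added example written for this article and is not ManageEngine's code: it selects enabled accounts with no logon in 90 days (or never logged on and created more than 90 days ago), disables them, stamps the reason in the description, moves them to a quarantine OU, and in a second stage deletes accounts that have been quarantined for 30 days. It assumes the RSAT ActiveDirectory module; the OU paths and the 90/30-day windows are placeholders, and $WhatIfPreference is left on so the script only reports what it would do until an administrator turns it off.

```powershell
# Added example: Disable/Delete-style dormant-account sweep.
# Assumes the RSAT ActiveDirectory module. OU paths and windows are placeholders.

Import-Module ActiveDirectory

$WhatIfPreference = $true      # dry run; set to $false to apply the changes
$InactiveDays     = 90
$RetentionDays    = 30
$ScopeOU          = 'OU=Staff,DC=example,DC=com'                    # placeholder
$QuarantineOU     = 'OU=Quarantine,OU=Disabled,DC=example,DC=com'   # placeholder
$cutoff           = (Get-Date).AddDays(-$InactiveDays)

# Stage 1: find dormant, still-enabled accounts.
# LastLogonDate is derived from lastLogonTimestamp, which replicates with a
# delay of up to 14 days, so it is fine for "dormant for months" checks but
# not for precise last-logon forensics.
$candidates = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $ScopeOU `
    -Properties LastLogonDate, WhenCreated |
    Where-Object {
        # Dormant: last logon before the cutoff, or never logged on and created
        # before the cutoff (freshly provisioned accounts are left alone).
        ($_.LastLogonDate -and $_.LastLogonDate -lt $cutoff) -or
        (-not $_.LastLogonDate -and $_.WhenCreated -lt $cutoff)
    }

foreach ($user in $candidates) {
    # Record why the account was selected before changing it, so the action
    # can be reviewed or reversed.
    $lastSeen = if ($user.LastLogonDate) { $user.LastLogonDate.ToString('yyyy-MM-dd') } else { 'never' }
    Write-Output ("Disabling {0} (last logon: {1})" -f $user.SamAccountName, $lastSeen)

    Disable-ADAccount -Identity $user
    Set-ADUser -Identity $user -Description ("Disabled by dormancy sweep on {0:yyyy-MM-dd}" -f (Get-Date))
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $QuarantineOU
}

# Stage 2: delete accounts that have sat in quarantine longer than the
# retention window, identified by the description stamp written in stage 1.
$retentionCutoff = (Get-Date).AddDays(-$RetentionDays)
Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $QuarantineOU -Properties Description |
    Where-Object {
        $_.Description -match 'Disabled by dormancy sweep on (\d{4}-\d{2}-\d{2})' -and
        [datetime]$Matches[1] -lt $retentionCutoff
    } |
    ForEach-Object {
        Write-Output ("Deleting {0} (quarantined since {1})" -f $_.SamAccountName, $Matches[1])
        Remove-ADUser -Identity $_ -Confirm:$false
    }
```

The two-stage design is what makes the policy safe to automate: disabling is reversible and the description stamp records when and why it happened, so a service account or a returning leave-of-absence user can be restored within the retention window, while deletion only ever touches accounts the sweep itself quarantined. In Zylker's case the terminated employee's account would have been disabled by the first stage on the first run after 90 idle days, well before a credential for it could be reused.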
3. Hybrid identity management
Providing a seamless user experience often poses a challenge when organizations use on-premises and cloud-based IAM solutions. A common issue faced by users is inconsistent access. For example, some applications may require separate authentication upon login while others support SSO, causing confusion amongst users. They may also face authentication failures and access denials, disrupting productivity.
Hybrid identity management involves monitoring user authentication, access control, and security policies. For a unified authentication experience, organizations must implement processes like SSO or passwordless authentication across all applications. They must also review and optimize access control policies. Self-service solutions are a great way to streamline user account management: users can manage their own account settings and preferences while the organization retains visibility and control over identities.
4. Data residency and compliance
In a hybrid AD environment, meeting regulatory compliance requirements like GDPR, HIPAA, and other industry-specific standards becomes more challenging, since organizations must comply with regulations for both on-premises and cloud-based data. Failure to do so may result in heavy financial losses and affect the organization's credibility.
For instance, an IT firm that manages operations for a hospital in California would have to abide by multiple regulations including HIPAA, California Consumer Privacy Act (CCPA), and the Confidentiality of Medical Information Act (CMIA). One of the core principles for HIPAA is policy and process implementation. Let's say they are transitioning from legacy systems to cloud-based applications to improve patient care and streamline services. An undocumented change in access control policies in the AD or the addition of a new device in a BYOD setup without prior verification can threaten the hospital's cybersecurity posture and lead to a compliance violation.
To prevent this, the IT firm can utilize a UBA-driven change audit tool that provides a unified view of all activities occurring across on-premises AD and Microsoft Entra ID environments. Each time an action is carried out, say, a new user is added to a group or a high-privileged user account makes a password reset attempt, the tool records the change and notifies the responsible administrators. These tools also provide extensive reports on regulatory standards like HIPAA, allowing the IT team to spot and remediate weaknesses in advance. Additionally, the team must work with hospital staff to establish identity governance practices for activities like provisioning, de-provisioning, and access reviews.
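The two events the paragraph singles out, a user added to a group and a password reset by a privileged account, are both recorded in a domain controller's Security log, and a first-pass audit of them takes little code. The PowerShell below is an added example, not the audit tool the article describes: it pulls the last 24 hours of group-membership additions (event IDs 4728, 4732 and 4756 for global, local and universal security groups) and password resets (event ID 4724), and marks as high severity any addition to a privileged group and any reset that targets or is performed by a member of one. It assumes it runs with remote access to a domain controller and with the RSAT ActiveDirectory module available; the DC name and the list of privileged groups are placeholders.

```powershell
# Added example: triage group-membership and password-reset events from a
# domain controller's Security log. Illustrative only; DC name and privileged
# group list are placeholders. Assumes RSAT ActiveDirectory for the group lookup.

Import-Module ActiveDirectory

$ComputerName = 'DC01'                       # placeholder domain controller
$Since        = (Get-Date).AddHours(-24)

# 4728/4732/4756 = member added to a security-enabled global/local/universal group;
# 4724 = an attempt was made to reset an account's password.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4728, 4732, 4756, 4724
    StartTime = $Since
}

# Groups whose membership changes, and whose members' password resets,
# always deserve an alert. Placeholder list; extend for the environment.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$privilegedUsers  = $privilegedGroups |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive -ErrorAction SilentlyContinue } |
    Select-Object -ExpandProperty SamAccountName -Unique

function Get-EventField {
    # Pull a named <Data> element out of the event's XML payload.
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

$findings = foreach ($e in $events) {
    $actor  = Get-EventField $e 'SubjectUserName'    # who performed the action
    $target = Get-EventField $e 'TargetUserName'     # account (4724) or group (472x/4756)
    switch ($e.Id) {
        4724 {
            $action   = 'PasswordReset'
            $severity = if ($target -in $privilegedUsers -or $actor -in $privilegedUsers) { 'High' } else { 'Info' }
        }
        default {
            $group    = $target                          # TargetUserName holds the group name here
            $member   = Get-EventField $e 'MemberName'   # DN of the account that was added
            $action   = "AddedToGroup:$group"
            $target   = $member
            $severity = if ($group -in $privilegedGroups) { 'High' } else { 'Info' }
        }
    }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Action   = $action
        Actor    = $actor
        Target   = $target
        Severity = $severity
    }
}

$findings | Sort-Object Severity, Time | Format-Table -AutoSize
```

For the hospital scenario, the High rows are exactly the undocumented access-control changes a HIPAA auditor would ask about, and each one carries the actor, the target and the timestamp needed to match it against a change ticket. The script reads from a single DC; in practice the same query is pointed at every DC or at a central log collector, since a group change is logged only on the DC that processed it.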
5. Skill gap
Setting up and managing a hybrid AD environment requires a fairly deep understanding of on-premises AD, cloud-based AD, and the tools required to connect them. Further, the IT team must be equipped with the knowledge to troubleshoot issues with synchronization, access controls, and any other technical challenges that may arise. A lack of troubleshooting expertise can result in prolonged downtime, security and compliance risks, increased support requests, and a negative impact on operations.
Naturally, providing the IT staff with adequate training comes at a cost. Organizations must factor in expenses related to development initiatives and ongoing support when transitioning to a new environment. While tools like ADManager Plus help the IT team unify their administrative tasks into a single console, they still require a foundational understanding of best practices in security, IAM, and change management. IT leaders can encourage certification programs and conduct training sessions with domain experts to help staff upskill and enhance their understanding of new technologies.