Active Directory Consolidation: Phase 3 Update Colin Bell (cpbell) April 4, 2013
Working High-Level WBS
Clarity, Governance, Change Management, and Documentation
• Clarify transfer process and goals.
• Transfer knowledge from Engineering w.r.t. current monitoring and management techniques.
• Establish Change Management controls inside IST w.r.t. NEXUS.
• Establish Service Management controls inside IST w.r.t. NEXUS.
• Establish IST-based monitoring and audit capabilities to augment current capabilities.
• Document the future (ADS retirement plans).
• Transfer "ownership" and ultimate operational responsibility to IST.
Goal: Establish Service Management (NEXUS/APEX)
• Incident Management (in progress)
• Change Management (draft in use)
• Release Management
• NEXUSTEST/APEXTEST (in progress)
• All DCs => IST + decommission (in progress)
Goal: Document the Future (rescheduled – now end April 2013)
• Develop roadmap for migration of services from ADS to NEXUS.
• Actual ‘moves’ are out of scope.
• Document shared monitoring, auditing, and software management requirements.
• Document current and future roles and responsibilities for all stakeholders + established campus bodies.
Goal: Ultimate Operational Responsibility on IST
• Move to minimize the number of Domain Administrators in NEXUS.
• Consolidate top-level responsibilities in IST (as an infrastructure service).
• “Handover the Keys” (ADAud2012 – MP5.0)
• Goal => MS2 – April 30, 2013
Goal: Meet Audit Requirements (1)
• Overall Strategy and Plan
  • Develop project plan and RAID log. Socialized with project stakeholders. [ADAud2012-1.0-HP] (WNAG is in the loop. Exploring new platform for WNAG. Need tools. QUESTION: how would CTSC like to be included? Email, SharePoint, other?)
  • Establish a management committee and leverage it as a forum to discuss and resolve critical project-related decisions. [ADAud2012-2.0-HP] (Terms of Reference + Procedures drafted, seen by Management Group and WNAG. QUESTION: how should it now go to CTSC + UCIST?)
Goal: Meet Audit Requirements (2)
• Test Plans and Test Cases
  • Ensure test plan, scenarios, cases and results are documented. [ADAud2012-3.0-MP] (Latest change request is forcing analysis of this: AD-CHANGE-REQUEST-2013.7 -> privileged accounts on DCs for NetWrix.)
Goal: Meet Audit Requirements (3)
• Documentation of Rollback Plans
  • Ensure that each migration procedure defines and tests a rollback plan. In cases where a rollback is not required due to risk level, the decision is documented. [ADAud2012-4.0-MP] (Many migrations completed in Phase 2 – continuing to use Change Management Procedure + documentation standards.)
Goal: Meet Audit Requirements (4)
• Active Directory Governance and Operations
  • Determine roles and responsibilities and communicate accordingly across IST, Engineering, and Security teams. [ADAud2012-5.0-MP] (Change Management Procedure normalizes work; a RASCI chart can now be built to formalize roles / responsibilities.)
  • RASCI = {Responsible, Accountable, Support, Consulted, Informed}
  • Goal => April 26, 2013
Goal: Meet Audit Requirements (5)
• Migration Strategy Planning
  • Perform an analysis of applications and servers that leverage ADS. Develop a server / application migration plan. [ADAud2012-6.0-MP] (Already planned as part of the ‘Document the Future’ effort. See previous slide – rescheduled end April 2013.)
  • Workstations complete. [March 2013]
  • Servers + Services [rescheduled end April 2013]
Goal: Meet Audit Requirements (6)
• Object Migration Approach [ADAud2012-7.0-MP]
  • Perform analysis on accounts that have not been migrated.
  • Review and clean up orphan accounts.
  • Review privileged accounts and analyze if access is still valid after migration.
  • Perform analysis on accounts.
  • Inventory service accounts and their use.
  • … started => more questions than answers!
Goal: Meet Audit Requirements (7)
• Interoperability Requirements [ADAud2012-8.0-LP]
  • Identify, document, and socialize WatIAM integration requirements with key stakeholders to ensure that all issues are identified and addressed.
  • Security Architecture + Identity Management Roadmap will serve as the foundation for this. Is this an ongoing consideration?
Directory Object Audit / Review + Future Capabilities
• Analysis (w/ help from pmatlock’s NetID work)
• NEXUS counts:
  pure students (not on UW work term): 29821
  alumni: 77527
  expired: 128641
  faculty: 2871
  staff: 32547
  retirees: 1413
  applicants: 108484
• Staff numbers? Alumni numbers? Applicants? Students who are on co-op? Far more analysis is required to understand!
Goals and Insights: Object Analysis
• Verify: people who should not have access do not.
• Verify: people have the minimum privileges required to do their jobs.
• Implicit calculation of “roles” from various Security Groups makes this a nightmare. Explicit is better than implicit!
Questions: Object Analysis
• How much analysis should we do now?
• How much would a redesigned IDM help?
• How much process re-engineering is required?
• What should a formal privileged account creation process look like? Just ask for ! and !! – is this really good enough?
Next Steps: Object Analysis
• Complete accounting for ALL OU-level, Domain-level, and Forest-level admins.
• Integrate findings with RASCI analysis.
• Enterprise Architecture (up next) is crucial to understanding this. Document processes + systems, redesign for improvements. Lots more work required!
Next Steps: Object Analysis
• Big piece of technology (NetWrix) undergoing analysis via MAS Subgroup, used in ADS, and preliminary steps initiated for deployment on NEXUS through Management Group.
• NetWrix has potential to give us ongoing audit + change reporting at AD object level. Will help: work smarter, not harder.
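The privileged-account review the Object Analysis slides call for (account for every domain- and forest-level admin, flag orphaned or unexplained privileged access, inventory service accounts, and make "implicit" group-nesting grants explicit) can be started with a read-only sweep of the built-in privileged groups. This is an added example, not the project's script; it assumes the ActiveDirectory RSAT module, read access to the domain, and a 90-day staleness threshold, and it leaves the OU-level delegation review from the slides out of scope.

```powershell
# Added example (not from the presentation): account for every user holding
# membership in the built-in forest/domain privileged groups, resolving nested
# groups so that "implicit" grants via nesting become explicit in the report.
# Assumes the ActiveDirectory RSAT module and read access to the target domain.
Import-Module ActiveDirectory

# Built-in privileged groups; site-specific admin groups can be appended.
$privilegedGroups = @('Enterprise Admins', 'Schema Admins', 'Domain Admins',
                      'Administrators', 'Account Operators', 'Server Operators',
                      'Backup Operators')
$staleDays = 90                              # assumed review threshold
$cutoff    = (Get-Date).AddDays(-$staleDays)

$report = foreach ($groupName in $privilegedGroups) {
    $group = Get-ADGroup -Identity $groupName -ErrorAction SilentlyContinue
    if (-not $group) { continue }            # group absent in this domain

    # Direct members (non-group) let us tell explicit grants from nested ones.
    $directSet = @{}
    Get-ADGroupMember -Identity $group |
        Where-Object { $_.objectClass -ne 'group' } |
        ForEach-Object { $directSet[$_.distinguishedName] = $true }

    # -Recursive flattens nested groups down to leaf principals.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName `
                    -Properties Enabled, LastLogonDate, PasswordNeverExpires, ServicePrincipalName
            [pscustomobject]@{
                Group          = $group.Name
                SamAccountName = $u.SamAccountName
                # 'nested' rows are the implicit role grants the slides warn about.
                Membership     = if ($directSet[$u.DistinguishedName]) { 'direct' } else { 'nested' }
                Enabled        = $u.Enabled
                LastLogonDate  = $u.LastLogonDate
                # Candidates for the orphan / still-valid review.
                Stale          = (-not $u.LastLogonDate) -or ($u.LastLogonDate -lt $cutoff)
                # Heuristic service-account indicators for the inventory step.
                LikelyService  = $u.PasswordNeverExpires -or ($u.ServicePrincipalName.Count -gt 0)
            }
        }
}

# One row per (group, user); questionable entries sort to the top of the CSV.
$report | Sort-Object Stale, LikelyService, Membership -Descending |
    Export-Csv -Path .\privileged-accounts.csv -NoTypeInformation
$report | Group-Object Group | Select-Object Name, Count
```

Get-ADGroupMember -Recursive can error on groups containing foreign security principals from trusted domains; those entries need a separate pass and should be listed explicitly rather than dropped.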
AD Governance: Next Steps
• AD Steering Group meeting (2013-04-08)
  • Will discuss progress / challenges there.
  • Will seek Steering approval for the “Waterloo Active Directory Governance Body (WAD-GB)”.
• Once through WNAG, Management Group, Steering … then to CTSC + UCIST.
Waterloo Active Directory Governance Body (WAD-GB)
• A campus-wide ‘upper house’ to guide the future of AD on campus.
• Goal: “to provide a second tier of control at which campus entities can validate the work of technical staff and express their desires on matters of AD Governance”
• Essentially: let’s stay together… keep everyone empowered and at the table.
Waterloo Active Directory Governance Body (WAD-GB)
• 1 x Voting Position to the Faculty of Arts
• 1 x Voting Position to the Faculty of Applied Health Sciences
• 1 x Voting Position to the Faculty of Engineering
• 1 x Voting Position to the Faculty of Environment
• 1 x Voting Position to the Faculty of Mathematics
• 1 x Voting Position to the Faculty of Science
• 1 x Voting Position to the David R. Cheriton School of Computer Science
• 3 x Voting Positions to IST with suggested representation from:
  • Infrastructure
  • Networks
  • Security
• Others? Library? Colleges? Thoughts?
Dates
• Start: Nov 2nd, 2012
• MS1: Dec 19, 2012 (completed)
  • “Transfer Keys” > IST in APEX + NEXUS at highest level.
• MS2: April 30, 2013 (at risk for slippage)
  • “Work Complete” > By this point IST is the only party working at the top level of APEX + NEXUS. Everything is documented.
Dates
• MS3: June 14, 2013
  • “Project Complete”
• MS4: June 28, 2013
  • “Project Closing Complete”