These days, everyone is working on limiting the risk of a threat to their IT security becoming a reality. Preparedness and various systems help us along the way, but once the enemy is at the gates, the damage spreads like wildfire. However, adding one more element which separates the IT infrastructure into isolated layers can drastically limit both attacks and damage.
This concept is referred to as AD Tiering, and it is a new standard feature of the security tenders we submit to our customers. It is a well-known scenario: a so-called high-risk user’s PC falls victim to an attack, and then it all goes downhill from there. The traditional attack typically starts on an internal PC. A user clicks something he should not have, and after that, the bad guys take over the PC. The classic example is that the CEO’s secretary or an IT support user is hit. When the bad guys install their hash value (their key) into the machine, they can use it to provide approval from the domain. Before long, the company’s AD is under attack, because the damage occurs as lateral movement through which their presence spreads throughout the company’s entire environment. However, when you apply tiering, you can ensure that they cannot jump from layer to layer. The sensitive IT resources are separated into specific layers, away from the server layer, which is also isolated; then comes the AD layer itself, which is also isolated in its own layer.
The Students Have the Power
Jesper A. Frederiksen, Head of Security at Danoffice IT, emphasizes the value of AD tiering, especially when it comes to large and more complex organizations: “Who has the highest number of permissions within the organization? Management, the board of directors, the IT manager? It is in fact not the case, although one would think so. For instance, if you have a lot of employees who rotate job functions in the organization, these employees will obtain more and more access permissions as time goes on and they move about. Practically speaking, we often see the student help in the organization being the ones with the most access permissions in the organization because they shift positions within the organization quite often. If they have been compromised and there is no AD tiering or another form of limitation, it is nearly impossible to limit the spread. Being able to stop any lateral and horizontal movement is the be-all and end-all,” he says.
How Do We Move On?
We would never put them all in one box even if we could. When it comes to IT security, that is simply not even an option. The processes are comparable; however, the differences in the IT environment from company to company are significant. Bjørn Mikkelsen explains the process: “Whether it is a small or a large organization, the technical piece is pretty simple. Obviously, it requires specialists, but we have the best of those and we manage the division. The next step in the process is adoption and implementation, and that is where the heavy lifting comes in,” he says and adds: “If the company has two administrators, we will handle it right away. It becomes more complex when you are dealing with a large organization with a Help Desk and similar units because this will mean that the permissions are distributed differently. That said, we can roll this out in all kinds of businesses.”