At least once a year, every large organization needs to revisit and test its disaster recovery plan, to see if the organization has an issue with infrastructure. As part of this plan, the bank has several applications that are mapped as critical; one of them is Active Directory. Active Directory is the identity repository used in 90% of organizations worldwide to manage user groups, access permissions and other settings. When you come to work in the morning and type your username and password to get authenticated, 90% of the time that's Active Directory. Gartner refers to it as a tier 0 application, meaning it has no option for downtime, and recovery needs to be extremely fast.
Whenever a disastrous scenario occurs in Active Directory, Microsoft tackles it by publishing a white paper describing the steps to take in order to recover the environment. Since a white paper is not something to look at while disaster is crippling your organization, you can have a Microsoft engineer work with you prior to the disaster and prepare recovery procedures in case of a disaster. When I was CTO at a service company, one of the customers did a test with Microsoft to see what the recovery procedures should look like. The conclusion was that it would take several days to recover the environment. Imagine what happens if a bank has to shut down for such a long time. That's not something that a bank, or any large organization, can allow.
The bank approached Gartner and asked their analysts to provide potential solutions in the market to orchestrate the recovery, but nothing was satisfying, and it got us thinking. The recovery process is very complex and time-consuming, and requires manual effort. But what if we could fully automate the recovery process to solve the problem? IT knew they would encounter huge damages if they could not recover their networks.
We realized it was a huge opportunity that could impact any organization in the world, so we decided to go for it.
What’s unique about Semperis?
Today we provide a solution to two main problems. We divide the Active Directory disaster into two main categories: The reason we separate the two is because in the first scenario, you can reuse Windows, and in the second scenario, you cannot reuse the operating system as you will need a new server. We have a solution for both problems. We can install the environment without relying on the operating system: three clicks and you're done. The second problem we solved is day-to-day disasters, or "mini hiccups", as we call them: changes done to Active Directory that cause certain applications to become non-operational. For that, we have a solution that tracks changes in real time, provides a simple comparison of states in Active Directory and reverts to a previous state in a single click.
What is the potential damage for a compromised organization?
This depends on the organization. In most known recent cases that went public (most try not to go public), in Merck's case, when they got hit by a wiper, they lost about 300 million dollars because they were down for at least 2 weeks. They estimated the damage as one of the biggest disasters in the global pharmaceutical industry.
How do you see the future of active directories?
I see several things already today. The world is becoming hybrid, which means that you will have your directory services in the data center and also at least one service in the cloud, and multiple directory services in the cloud. It's interesting that, according to a Microsoft publication on the trends of usage of Azure AD, 80% of the entities that exist in the Microsoft cloud come from the data centers. The first thing to protect in the data center is Active Directory because that's the source of the data. Semperis provides recovery, auditing, notifications and reporting for Active Directory. What that means to our customers is that no matter what hits them, they can see what happened and quickly bounce back. The next step is extending recovery and notifications of the cloud entity service providers, with the extension of entitlement management, helping to answer the questions, not just who did what, but also who can do what. Another very important trend you can expect is permission mapping, so you'll be able to look at a user account and know exactly what they can or cannot do in the data center (AD) and in the cloud through its many services and applications.
Final Note
I would like to invite identity experts to the upcoming Hybrid Identity Protection Conference we are hosting in NY on November 5-6th, 2018. It’s a vendor-agnostic conference where the brightest people from the industry from a variety of companies, including Microsoft, IBM and HP, are coming to share thoughts about what is happening in the enterprise identity space.