Outsourcing Active Directory

I came across a discussion recently dealing with outsourcing Active Directory, and it got me thinking: why not?

In very large organizations the IT department is divided into specialist areas: Infrastructure, Desktop Support, Server, Application and Active Directory Services. Regional and local sites make requests to HQ for a new user to be added to Active Directory, which can take a few days to complete because HQ needs to follow all of the controls for a safe AD. Why not simply have a third party administer AD, while the strategy and design of AD remain within the company?

There seem to be two parts to the puzzle here, plus a follow-up question:

  1. Firstly, the math: does it make economic sense to outsource Active Directory?
  2. Secondly, risk: how much risk is the company willing to accept?
  3. The follow-up question organizations should ask if they are entertaining this idea is: what is the ROI versus the risk?

The report to executives should include sections about the following:

  1. How much money would be saved.
  2. What the contractual obligations and SLAs would be for the third party administering Active Directory (and the consequences for not meeting or breaking them).
  3. The contract should include permission to audit their IT; allow an annual penetration test, including social engineering, on their infrastructure; and state their notification policy for attempted breaches.
  4. Besides the economic value of outsourcing Active Directory, what are the psychological repercussions to staff and clients on a daily basis (staff cuts, morale, etc.) and in the event of a breach (marketplace reputation, liability)?
Part of the key to undertaking this project would be to classify the importance of AD contents beyond the name and the security and distribution groups the users belong to. Will the other fields be used as well? Department, telephone numbers, address, manager (reports to).

Side note: I don't know why, and I've never seen any documentation on it beyond this, but there is a carLicense attribute in AD that doesn't appear in the GUI but does when looking at the user properties.
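
The classification exercise above starts with knowing which of those extra fields are actually populated, because every populated field is data the outsourced administrator would be able to read. The following PowerShell script is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module is installed and that it runs as a domain user with read access. The sensitivity labels in the hashtable are illustrative assumptions and should be replaced with your own classification scheme.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module and a session with read access to the domain.
Import-Module ActiveDirectory

# The attributes the post names as "beyond name and group membership".
# The class labels are an assumed, illustrative scheme; adjust to your own.
$attributeClasses = @{
    'department'      = 'Organizational'
    'telephoneNumber' = 'Personal contact'
    'streetAddress'   = 'Personal contact'
    'manager'         = 'Organizational'
    'carLicense'      = 'Personal identifier'
}

function Get-AdAttributeExposure {
    # One row per user: group count plus the extra fields that hold a value.
    param(
        [string]$SearchBase,            # OU distinguished name; empty = whole domain
        [hashtable]$Classes = $attributeClasses
    )
    $props  = @('memberOf') + @($Classes.Keys)
    $params = @{ Filter = '*'; Properties = $props }
    if ($SearchBase) { $params['SearchBase'] = $SearchBase }

    foreach ($u in Get-ADUser @params) {
        $populated = @($Classes.Keys | Where-Object { -not [string]::IsNullOrEmpty($u.$_) })
        $classes   = @($populated | ForEach-Object { $Classes[$_] } | Sort-Object -Unique)
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            GroupCount     = @($u.memberOf).Count
            ExtraFields    = ($populated -join ',')
            Classes        = ($classes -join ',')
        }
    }
}

function Get-AdAttributeSummary {
    # Per-attribute view: how many users would expose each field to the third party.
    param([string]$SearchBase)
    $rows = @(Get-AdAttributeExposure -SearchBase $SearchBase)
    foreach ($attr in $attributeClasses.Keys) {
        $n = @($rows | Where-Object { ($_.ExtraFields -split ',') -contains $attr }).Count
        [pscustomobject]@{
            Attribute      = $attr
            Class          = $attributeClasses[$attr]
            UsersPopulated = $n
            TotalUsers     = $rows.Count
        }
    }
}

# Usage: summary for the whole domain, most-populated attributes first.
Get-AdAttributeSummary | Sort-Object UsersPopulated -Descending | Format-Table -AutoSize
```

Run the summary first to see which fields matter at all (an attribute populated for zero users, such as carLicense in many domains, can simply be excluded from the contract's data scope), then use Get-AdAttributeExposure with a SearchBase to find the OUs whose users carry the most personal data and decide whether those objects should stay under internal administration.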

Keep in mind that some breach scenarios would be the same if the administration of AD were internal, but some are exclusive to external parties. Some examples include a rogue employee giving access to unauthorized users (intentionally or not), sending confidential information to another unauthorized party, and hacking.
