I came across a discussion recently dealing with outsourcing Active Directory, and it got me thinking: why not?
In very large organizations, the IT department is divided into specialist areas: Infrastructure, Desktop Support, Server, Application and Active Directory Services. Regional and local sites make requests to HQ for a new user to be added to Active Directory, which can take a few days to complete because they need to follow the controls for a safe AD. Why not simply have a third party administer AD, while the strategy and design of AD remain within the company?
There seem to be two parts to the puzzle here:
- Firstly, the math: does it make economic sense to outsource Active Directory?
- Secondly, risk: how much risk is the company willing to accept?
- The follow-up question organizations should ask if they are entertaining this idea is: what is the ROI vs. the risk?
The Report to Executives should include sections about the following:
- How much money would be saved
- What the contractual obligations and SLAs would be for the third party administering the Active Directory (and their consequences for not meeting or breaking them)
- The contract should include permission to audit their IT, allow an annual penetration test, including social engineering, on their infrastructure, and state their notification policy for attempted breaches.
- Besides the economic value of outsourcing Active Directory, what are the psychological repercussions to staff and clients on a daily basis (staff cuts, morale, etc.) and if a breach occurred (marketplace reputation, liability)?