Originally published by Oasis Security.
Written by Roey Rozi, Director of Solution Architecture, Oasis Security.
Active Directory (AD) has been around forever—and for good reason. If you’ve got a big on-prem setup, it’s the go-to for managing users, permissions, and access. But here’s the catch: AD wasn’t built for today’s hybrid and machine-driven environments, where on-prem meets cloud, and machine identities outnumber human ones by 20 to 1. That’s where things can get messy.
AD’s design revolves around human users, with a focus on single passwords and simple group structures. But machines have different needs:
- Multiple Credentials: A single workload often needs several credentials (service accounts, API keys, certificates, keytabs), while an AD account has exactly one password. The extra secrets end up in other stores that AD cannot see or govern.
- Lifecycle Complexity: Unlike human users, machine identities don’t follow predictable lifecycles. Old service accounts stick around, permissions pile up, and security risks increase.
Why You Can't Ignore AD Hygiene When Securing NHIs
Picture this: Your team has been syncing AD with Microsoft Entra ID to keep cloud apps running smoothly. Everything's fine until… an important cloud app suddenly goes offline. After hours of panic and troubleshooting, the problem turns out to be an old service account no one even remembered existed.
Sound familiar? You’re not alone. Whether you’re balancing on-prem and cloud or moving to the cloud, neglecting AD hygiene can lead to security risks, wasted time, and plenty of frustration.
We get it—AD hygiene doesn’t exactly scream “top priority.” But here’s the thing: bad hygiene in a hybrid world can spiral into bigger problems:
- Security Risks: Stale accounts and over-permissioned users are basically an open invitation for attackers.
- Sync Issues: Forgotten dependencies can break your Entra sync or the apps behind it: disable an account that still backs an app and the outage shows up in the cloud, far from the on-prem change that caused it.
- Wasted Time: Tracking all this manually? It's exhausting, error-prone, and way too slow to keep up. As Gartner stated in IAM Hygiene: Laying the Groundwork Through Continuous Discovery (published August 20, 2024): "Manual discovery involves assessing account repositories and tracking identity data using nonautomated methods. This is an obvious candidate for automation, which requires scripting skills every IAM program should have."
- Nested Groups and Hidden Permissions: AD’s nested group structure makes it incredibly difficult to untangle permissions and track who (or what) has access to what.
- Scattered Logs and Fragmented Visibility: To see the entire picture, you have to ingest hundreds of gigabytes of logs from both Entra ID and every AD domain controller (Kerberos ticket events are written only on the DC that issued the ticket), which requires expertise and complex engineering.
- Ownership Ambiguity: Service accounts often lack clear ownership, making them harder to track, secure, and manage.
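The discovery step in the list above (stale service accounts, unchanged passwords, and privileges inherited through nested groups) is the part that is easiest to script. The following PowerShell is an added example, not code from the original post or from Oasis Security: it classifies SPN-bearing accounts against staleness thresholds and resolves their effective group membership through nested groups with a cycle-safe walk. The thresholds, account names, group names and the sample data are assumptions; the commented lines at the end show how to feed it real data from the ActiveDirectory RSAT module instead.

```powershell
# Added example (not from the original post). Classifies candidate stale
# service accounts and resolves nested group membership. Thresholds and the
# sample data below are assumptions; tune them for your environment.
Set-StrictMode -Version Latest

$StaleDays       = 90    # no logon in this many days
$OldPasswordDays = 365   # password unchanged for this long

function Get-EffectiveGroups {
    # Breadth-first walk over nested membership. $Groups maps group name ->
    # array of direct member names (users or groups). Cycle-safe via the
    # visited set; returns every group the principal is transitively in.
    param(
        [Parameter(Mandatory)] [string]    $Principal,
        [Parameter(Mandatory)] [hashtable] $Groups
    )
    $seen  = [System.Collections.Generic.HashSet[string]]::new()
    $queue = [System.Collections.Generic.Queue[string]]::new()
    $queue.Enqueue($Principal)
    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        foreach ($g in $Groups.Keys) {
            # HashSet.Add returns $false if already visited, so cycles stop here
            if (($Groups[$g] -contains $current) -and $seen.Add($g)) {
                $queue.Enqueue($g)
            }
        }
    }
    return @($seen)
}

function Get-ServiceAccountReport {
    # Emits one finding object per SPN-bearing account.
    param(
        [Parameter(Mandatory)] [object[]]  $Accounts,
        [Parameter(Mandatory)] [hashtable] $Groups,
        [datetime] $Now = (Get-Date)
    )
    foreach ($a in $Accounts) {
        if (-not $a.ServicePrincipalName) { continue }   # only service accounts
        $reasons = @()
        if ($null -eq $a.LastLogonDate -or ($Now - $a.LastLogonDate).TotalDays -gt $StaleDays) {
            $reasons += "no logon in ${StaleDays}d"
        }
        if ($null -eq $a.PasswordLastSet -or ($Now - $a.PasswordLastSet).TotalDays -gt $OldPasswordDays) {
            $reasons += "password older than ${OldPasswordDays}d"
        }
        $effective = Get-EffectiveGroups -Principal $a.SamAccountName -Groups $Groups
        if ($effective -contains 'Domain Admins') { $reasons += 'Domain Admin via nesting' }
        [pscustomobject]@{
            SamAccountName  = $a.SamAccountName
            Enabled         = $a.Enabled
            SPNs            = ($a.ServicePrincipalName -join ';')
            EffectiveGroups = ($effective -join ';')
            Findings        = ($reasons -join '; ')
        }
    }
}

# --- Constructed sample data (stands in for Get-ADUser / Get-ADGroup output) ---
$sampleAccounts = @(
    [pscustomobject]@{ SamAccountName = 'svc-legacy-etl'; Enabled = $true
        ServicePrincipalName = @('MSSQLSvc/etl01.corp.example:1433')
        LastLogonDate = (Get-Date).AddDays(-400); PasswordLastSet = (Get-Date).AddYears(-4) }
    [pscustomobject]@{ SamAccountName = 'svc-web-api'; Enabled = $true
        ServicePrincipalName = @('HTTP/api.corp.example')
        LastLogonDate = (Get-Date).AddDays(-2); PasswordLastSet = (Get-Date).AddDays(-30) }
    [pscustomobject]@{ SamAccountName = 'jdoe'; Enabled = $true; ServicePrincipalName = @()
        LastLogonDate = (Get-Date).AddDays(-1); PasswordLastSet = (Get-Date).AddDays(-10) }
)
# Nesting chain: svc-legacy-etl -> App-ETL-Operators -> Server-Operators-Legacy -> Domain Admins
$sampleGroups = @{
    'App-ETL-Operators'       = @('svc-legacy-etl')
    'Server-Operators-Legacy' = @('App-ETL-Operators')
    'Domain Admins'           = @('Server-Operators-Legacy')
    'Web-Tier'                = @('svc-web-api')
}

Get-ServiceAccountReport -Accounts $sampleAccounts -Groups $sampleGroups | Format-Table -AutoSize

# Against a real domain (requires the ActiveDirectory RSAT module), replace the sample data with:
# $accounts = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
#     -Properties ServicePrincipalName, LastLogonDate, PasswordLastSet, Enabled
# $groups = @{}
# Get-ADGroup -Filter * | ForEach-Object {
#     $groups[$_.Name] = @(Get-ADGroupMember -Identity $_ | Select-Object -ExpandProperty SamAccountName)
# }
```

Two caveats worth keeping in mind when you run this for real: LastLogonDate is derived from lastLogonTimestamp, which replicates with up to a 14-day lag, so treat it as "not seen in at least N days" rather than an exact timestamp; and an account flagged as a Domain Admin through three levels of nesting is exactly the hidden permission the list above warns about, so the report is a starting point for review, not an automatic cleanup list.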
The Hidden Problem with Hybrid Setups
Hybrid environments are tricky. They come with built-in challenges:
- Lingering Permissions: Old accounts don’t disappear—they stick around, quietly creating risks.
- Invisible Connections: A “retired” account might still be keeping a critical app alive.
- Governance Nightmares: Scaling manual processes across hybrid environments? Not happening.
One of our retail customers learned this the hard way. Over 30% of their "inactive" accounts were actually powering important apps: the accounts themselves never logged on, but clients were still being issued Kerberos service tickets for them every day. Without realizing it, they almost shut down vital operations during cleanup.
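The check that would have caught the retail case above is to look at what the domain controllers see, not at the account's own logon timestamp. Security event 4769 on a DC records every Kerberos service ticket request, including the service account (ServiceName) the ticket was issued for; an account whose SPN is still in use appears there even when its LastLogonDate looks ancient. The PowerShell below is an added example, not code from the original post or from Oasis Security: it parses 4769 events, summarises who still requests tickets for each service account, and answers "safe to disable?" for a candidate. The account names, requesters, IP addresses and the sample events are constructed assumptions; the commented lines show the real Get-WinEvent call.

```powershell
# Added example (not from the original post). Verifies an "inactive" service
# account against DC Kerberos service-ticket events (4769) before disabling it.
# All names, addresses and sample events below are constructed assumptions.
Set-StrictMode -Version Latest

function ConvertFrom-Event4769 {
    # Pull the fields we need out of one 4769 event's XML.
    param([Parameter(Mandatory)] [xml] $EventXml)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
        ServiceName = $data['ServiceName']      # account the ticket was issued for
        Requester   = $data['TargetUserName']   # who asked for the ticket
        ClientIp    = $data['IpAddress']
        Status      = $data['Status']           # 0x0 = ticket issued
    }
}

function Get-ServiceTicketActivity {
    # Successful tickets grouped by service account; computer accounts ($) and
    # krbtgt are skipped because the question is about user service accounts.
    param([Parameter(Mandatory)] [object[]] $Events)
    $Events |
        Where-Object { $_.Status -eq '0x0' -and $_.ServiceName -notlike '*$' -and $_.ServiceName -ne 'krbtgt' } |
        Group-Object ServiceName | ForEach-Object {
            [pscustomobject]@{
                ServiceAccount = $_.Name
                Tickets        = $_.Count
                LastSeen       = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
                Requesters     = (($_.Group.Requester | Sort-Object -Unique) -join ',')
                ClientIps      = (($_.Group.ClientIp  | Sort-Object -Unique) -join ',')
            }
        }
}

function Test-SafeToDisable {
    # $true only if no successful service ticket was issued for the account in the window.
    param(
        [Parameter(Mandatory)] [string]   $Account,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Activity
    )
    return (-not ($Activity | Where-Object ServiceAccount -eq $Account))
}

function New-Sample4769 {
    # Builds a minimal 4769 event body in the shape Get-WinEvent's ToXml() returns (constructed sample).
    param([string]$Time, [string]$Service, [string]$Requester, [string]$Ip, [string]$Status = '0x0')
    [xml]@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4769</EventID><TimeCreated SystemTime="$Time"/></System>
  <EventData>
    <Data Name="TargetUserName">$Requester</Data>
    <Data Name="ServiceName">$Service</Data>
    <Data Name="IpAddress">$Ip</Data>
    <Data Name="Status">$Status</Data>
  </EventData>
</Event>
"@
}

# --- Constructed sample: svc-legacy-etl "never logs on" but etl01$ still gets tickets for it ---
$sampleEvents = @(
    New-Sample4769 -Time '2024-11-02T08:15:00Z' -Service 'svc-legacy-etl' -Requester 'etl01$@CORP.EXAMPLE' -Ip '::ffff:10.1.5.20'
    New-Sample4769 -Time '2024-11-02T08:45:00Z' -Service 'svc-legacy-etl' -Requester 'etl01$@CORP.EXAMPLE' -Ip '::ffff:10.1.5.20'
    New-Sample4769 -Time '2024-11-02T09:00:00Z' -Service 'svc-web-api'    -Requester 'jdoe@CORP.EXAMPLE'   -Ip '::ffff:10.2.0.7'
    New-Sample4769 -Time '2024-11-02T09:05:00Z' -Service 'svc-old-backup' -Requester 'bk01$@CORP.EXAMPLE'  -Ip '::ffff:10.1.9.3' -Status '0x6'
) | ForEach-Object { ConvertFrom-Event4769 -EventXml $_ }

$activity = @(Get-ServiceTicketActivity -Events $sampleEvents)
$activity | Format-Table -AutoSize
foreach ($candidate in 'svc-legacy-etl', 'svc-old-backup') {
    '{0}: safe to disable = {1}' -f $candidate, (Test-SafeToDisable -Account $candidate -Activity $activity)
}

# Against real DCs: run on (or with -ComputerName against) EVERY domain controller,
# because each DC logs only the tickets it issued, and make sure the
# "Audit Kerberos Service Ticket Operations" subcategory is enabled.
# $raw    = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddDays(-30) }
# $events = $raw | ForEach-Object { ConvertFrom-Event4769 -EventXml ([xml]$_.ToXml()) }
```

The design choice that matters is where the evidence comes from: the account's own attributes say "unused", the DC ticket log says "used by etl01$ this morning", and only the second source can tell you that disabling the account takes the ETL server down with it. Even with a clean result, disable first and delete later, so a dependency that only runs monthly or quarterly can still be recovered by re-enabling the account.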
It’s Time to Rethink AD Hygiene
Active Directory doesn’t have to be a burden. You can clean it up, keep it secure, and actually make it work for you—whether you’re on-prem, in the cloud, or somewhere in between.
About the Author
Roey Rozi, Director of Solution Architecture at Oasis Security, brings over a decade of experience in cyber operations across various environments, from on-prem to hybrid. Specializing in the research, protection, and exploitation of complex systems, Roey's expertise spans network security, IAM, and endpoint protection. Known for his deep technical knowledge and passion for sharing insights, Roey actively engages in technical discussions and thought leadership within the cybersecurity community. In his spare time, he is a dedicated competitor in cryptography CTFs, continuously honing his skills and staying at the forefront of cyber defense challenges.