Microsoft’s Active Directory (AD) has been a mainstay of information systems for over 20 years, but it was designed for a different era of computing and business requirements. Its persistence limits IT’s agility, weakens security posture, and restricts IT’s capacity to provide the best-of-breed tools that employees expect. The cost of modernizing AD to Microsoft’s specifications can be startling; however, inaction raises operating costs at the expense of IT’s agility and efficiency.
Admittedly, it can be difficult to convince managers that a problem exists or that change is warranted. This article explains how to align IT’s desire to move beyond AD with the interests of decision makers. It outlines the impact AD can have on your organization and equips you with the negotiation skills necessary to “get to a yes.” Let’s start by outlining the trouble with AD.
The Full Cost of AD’s Legacy
There are hard and soft costs associated with continued reliance on AD.
Hard costs can include hardware, networking, licensing (including broad adoption of Microsoft security services), and facilities expenditures. You’ll also continue to encounter end-user requests that are difficult to implement because of AD’s limitations, which can lead to further hard costs in the form of hardware, networking, and licensing for other products.
The indirect costs vary and may be harder to quantify; they can reduce your flexibility, cause cultural resistance, and even make it more difficult for your organization to obtain cyber insurance coverage.
AD Isn’t a Business Enabler
AD wasn’t designed to manage anything other than Windows devices within a main office or a set of satellite locations. This is not how modern organizations operate.
Today’s workplaces consist of cross-OS endpoints, and work happens everywhere. Without additional components, AD doesn’t provide single sign-on (SSO) for cloud apps and network resources, lacks modern, phishing-resistant authentication, and has no built-in conditional access (CA). AD is built around the network perimeter rather than treating every asset, resource, and access request as something that must be verified on its own.
Its technical limitations also make onboarding and offboarding users more cumbersome and prone to human error. Group memberships aren’t automated, and entitlements are all assigned manually. It’s very easy to overprovision users, and even waste licenses, because of the way group permissions are inherited. IT efficiency is limited by AD’s lack of automation and its difficulty handling modern workflows.
The end result is that IT isn’t responsive to business requirements; or worse, it actually impedes them.
Learn about how cloud directories automate group access to resources.
High IT Infrastructure Costs
Maintaining the status quo can become expensive, and costs will rise as your organization outgrows your current datacenter’s capacity to serve business needs. You should account for:
- Network overhead, including hardware upgrades and support agreements for firewalls and switches
- Patching VPN solutions, which have become a favored entry point for attackers
- Paying for business-grade high-speed internet, which can be excessively expensive in rural areas
- Installing backup power and failover solutions
- Planning for and executing disaster recovery
- Addressing special-hazard fire protection and costly HVAC equipment
- Implementing physical security controls
- Paying additional costs for Microsoft’s core-based server licensing when you upgrade server hardware
- Deploying point solutions and the increased management overhead they bring
See a detailed breakdown of the hidden costs of AD-based infrastructures.
Paying the Price for Lock-in
Microsoft has designated AD as a legacy technology that must be secured and protected. Only the most premium SKU of its Entra ID cloud directory service provides the security controls that it recommends to protect identities and provide strong access control. Additional products like Defender for Identity are suggested to detect lateral movement by attackers from Microsoft’s cloud services to your AD instances.
In short: keeping AD means adopting a large reference architecture.
Industry experts have also raised concerns about Microsoft abusing the term “legacy” at the expense of its customers instead of fixing AD’s . These systems can be complex to license and administer, potentially increasing IT headcount and salaries at market rates. Soft costs restrict choice and limit flexibility.
Technologies like Entra ID are mostly purchased as bundles with productivity software, creating a vertically integrated stack of Microsoft’s services. Consider how people work, how they’re willing to work, and the frustration they might feel when flexibility is lost. There’s a “culture” around tools and platforms, and that can stall migrations despite pressure from the top.
(HBR) found that 59% of employees indicate that “their collaboration tools are not aligned with how their teams prefer to work.” HBR recommends that IT empower users to have a say in choosing the applications that will affect how they work.
Read a detailed examination of how downstream lock-in of services with Microsoft can impact your organization.
探花大神’s AD modernization can be easier to implement and learn. Image credit: 探花大神. Data is based upon what 探花大神 customers have experienced.
Compliance and Cybersecurity Issues
California has instituted privacy laws, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), under which violators are subject to civil penalties. This may be just the beginning, because U.S. national standards are often derived from the states. California’s laws mirror the European Union’s General Data Protection Regulation (GDPR), which is enforced when breaches occur. Courts may have to step in to determine when and how future penalties are imposed and what level of due diligence will be expected from data custodians.
It’s also important to consider and communicate how any disruption to business operations would have adverse effects on revenue and, ultimately, on the reputation of your organization.
No Security Controls, No Insurance
The insurance industry knows these costs and is expecting greater diligence, with a baseline of security controls. Identity is becoming the new perimeter for preventing data breaches, and insurers, along with many others, are emphasizing it heavily. Underwriting is beginning to consider how prospective customers handle evolving adversarial tactics and techniques. Underwriters will also examine whether an applicant has been breached before, treating it as a preexisting condition. Failure to manage cyber risks can affect insurability, and AD isn’t up to the job in today’s IT environment.
These trends are converging to dramatically upend the economics of cyber incidents. Fortunately, there are steps you can take to start the process of achieving better security with your manager’s buy-in, trust, and clear alignment with corporate goals.
Understanding Objections
Unfortunately, many managers possess a solid grasp of the threats posed by cyber criminals but don’t feel the urgency. It can seem as if there’s never a “good time” to get started.
You may encounter objections, including:
- A misunderstanding of fiscal costs
- A perceived lack of urgency
- Undervaluing anything that’s not directly associated with “the business”
- The notion that “we don’t click on emails” is sufficient security
- Executives (or owners) who micromanage but don’t understand technology very well
These scenarios all come down to some managers failing to view IT as a function of the principal business: it appears ancillary. IT needs to learn to market to the people setting the budget that it is not an ancillary function. Your challenge is “getting to yes.”
Learn about how to optimize your IT department’s budget strategy.
Getting to Yes
“Those who defer doing something about cybersecurity have elevated other interests or concerns above it. Using a ‘getting to yes’ approach means understanding their interests,” said Dr. Art Hochner, professor emeritus of management at the Fox School of Business at Temple University. Dr. Hochner specializes in teaching negotiation skills and has taught thousands of students.
He continued, “Maybe they are sold on the idea, but don’t have time to implement, don’t have a good grasp on what exact steps to take, or would benefit from some hand-holding along the way. The key is to find out what they see as their key interests, e.g., meeting deadlines, managing their time, knowing how to avoid pitfalls and large expenses, etc.”
That can’t be done by trying to sell them on technology alone. For a more effective negotiating strategy, Dr. Hochner recommends following these steps instead:
- The Jedi mind trick: Make it their idea. Your end goal should be for the decision makers themselves to believe that migrating is vital to their interests, versus a “good to have.” For instance, Hochner noted that the best car salespeople were the ones that allowed him to take vehicles out for a test drive to sell himself. “[I] didn’t need them to tell me anything much. But, of course, I wanted to buy a car, so I took the time to seek them out,” he said.
- Listen: Your initial task is to actively listen and learn why they’re deferring action. Hochner recommends asking them why directly and then, “just shut up and listen; you can learn a lot by staying silent.” The , where only your organization’s risks are emphasized, isn’t going to be successful.
- Guidance: Transform excuses into guidance by helping them define their interests. For example, respond to excuses such as, “I don’t have the time,” with a collegial mindset that respects their interests but moves the ball down the field:
  - What would help you find the time?
  - Is there something I could do to help you clear your schedule?
  - Can we agree on a specific time for us to reconnect?
- Social proof: Show them what your peers or competitors are doing and ask questions such as, “Do you want to know more about how they were able to do it?”
- Empathy: Utilize emotional intelligence by emphasizing that your organization isn’t alone in its constraints and experiences, but that there’s a “well-worn path” to achieving better security and IT efficiency. Consider sharing endorsements from people that they may know.
- Reciprocity: Think of something meaningful that you have to offer, such as a free consultation, that could trigger a “reciprocation response” that evokes an obligation to give something of value back to you.
- Liking: According to Hochner, “Show them how much you are like them. People don’t care how much you know until they know how much you care.”
- Authority: Establish yourself as a trustworthy messenger. For example, consider the tactic of admitting any known flaws and weaknesses before the other party seizes on them. IT teams should emphasize and establish risk-based programs that are defensible and can demonstrate success.
- Consistency: Leverage their past statements to move them to actions consistent with their prior commitments. “Small steps enable you to get a series of yeses, leading to a real commitment,” Hochner said.
Additional Resources
University of Pennsylvania professor of organizational behavior Dr. Karren Knowlton recommends reading:
- “Switch,” by the Heath Brothers
- “Drive,” by Dan Pink
- “Leading Change,” by John Kotter
Migrate Away from AD with 探花大神
探花大神’s Open Directory Platform provides a smooth path to migrate off of or modernize AD once you’ve succeeded in aligning IT’s and management’s interests. Active Directory Integration (ADI) has configuration options that let you determine where and how you want to manage users, groups, and passwords. It also provides a migration tool to transfer identities.
Cross-OS device management is a critical component of controlling and protecting modern IT infrastructures. 探花大神 pairs the ability to manage every endpoint with an open directory platform to secure every identity and resource. This unified approach delivers strong access control while consolidating your tools for increased IT operational efficiency. and find out if it’s the right option for your organization’s journey away from AD.
Our customers tell us that asset management is also important for security and IT operations. 探花大神 is enhancing its platform to unify SaaS, IT security, and asset management.
Learn more about how admins will be able to consolidate security, asset, device, access, and identity management with 探花大神 and how those features go hand in hand.