Active Directory Security Improvements (ITCRB)
CIO Council Update
September 5, Tuesday, 2:00 – 2:15 p.m.
Smith 561

Purpose and Intended Outcome
9/14/2018

Purpose
- Update CIO Council on the Active Directory (AD) Security Improvements Project
- Obtain feedback on the Vision and Plan

Intended Outcome
- CIO Council understands the Vision, Scope and Status of the AD Security Improvements Project
- Project Team understands any concerns and advice that the CIO Council members have about the project

Agenda
- Vision
- Plan and resources
- Current status
- Active Directory shared service
- Questions and feedback

Vision: Active Directory Security Improvements

The Vision for Active Directory Security Improvements
To significantly increase the security and resiliency of the University’s Active Directory environment by reducing complexity, cost, and the number of successful attacks.

Objectives
- Design a reference architecture for University Active Directory
- Build a University Active Directory offered as a shared service
- Establish and deploy the Active Directory using standards from Microsoft and standards bodies (e.g. NIST)

Guiding Principles
- Focus on the data and the risks, not just Active Directory itself
- Active Directory is a service that must meet the needs of users, including application owners
- Collaborate closely with Schools to understand the effort required to move into the shared service and provide assistance wherever possible
- Allow local control and decision-making where we can
- Incorporate principles of automation to ensure scalability and cloud readiness
- Utilize published security standards and recommendations as baseline
- Design audit, monitoring, and alerting in accordance with ITIL and ITSM

Key Performance Indicators
- Schools know and understand the design and value of a shared architecture
- Existence of shared architecture and documented plan for onboarding of Schools
- Number of Schools whose AD instances can be demonstrated to meet the Microsoft/NIST standards

Plan and resources

Our plan involves four key actions:
- Perform a gap analysis of each Active Directory and remediate critical issues
- Build a reference architecture for Active Directory
- Design and implement a shared University-wide Active Directory
- Investigate and implement, as appropriate for the University, Microsoft’s “Red Forest” architecture

Resources:
- Virtual team of seven people from HUIT including members of IAM, Messaging and Collaboration Technologies (MCT), Information Security
- Representatives from each school
- Vendors (Microsoft and other Active Directory experts)

Current Status

| Event | Status | Notes |
|---|---|---|
| Finalize MS SOW | Complete | ADH SOW signed; RedForest in review |
| Hire Architect/Engineer positions | On Target | One position hired (start 9/11/2017); second position in interview state |
| RMAS AD Audit | | RMAS/HUIT/Schools efforts are coordinated |
| Identify initial schools for Gap Analysis | | HKS/HLS have agreed to be participants |
| Begin Gap Analysis | | Expected date in early October |
| Build reference architecture | | Initial Architecture defined. Planned internal, Steering Committee, external reviews |
| Investigate/implement Red Forest | Pending | Determine value of Red Forest – if we move forward, Schools will need to dedicate resources for work to join Red Forest |
| Define financial/operational model for FY20+ | Ongoing | Initial talks underway for running AD service |

Active Directory shared service

University Active Directory Shared Service
- Delivered as: Platform as a Service (PaaS)
- Needs: University-wide adoption
- Requires: support from CIOs and buy-in from IT departments

Questions and feedback