[MUSIC PLAYING] Obviously, Active Directory Security is central to any organization's security model. Without securing the Active Directory environment, all the other things kind of become secondary.
We've seen integration of Active Directory from network to VMware to pretty much every major application in any environment, any organization that has been Active Directory integrated. And what this means is it's very easy for users to authenticate Active Directory and then get into their application or have access to external applications through federation because of that Active Directory authentication in the first place.
The single sign-in makes it really easy because they hit that internal website. They automatically get authenticated into it. Through federation, they hit that external size application or that cloud application, they're automatically authenticated into it.
And so what that ends up meaning is that if you own the Active Directory environment on-prem, then you have that control of everything else. Without the security of the Active Directory environment being tight or at least something that is a focus in organizations, they're more prone to having security issues because the attackers know that if they get control of Active Directory, or least an account with privileges in Active Directory, then they can gain access to data. They can also gain access to persistence.
So I'd say a lot of customers aren't doing enough to actually tighten up their environment. The challenge has been first of all, a lot of organizations just don't know what they don't know. They have this fear or understanding that the security element is this massive thing that isn't well understood.
A lot of organizations have people that worked on Active Directory since Active Directory has been installed in that environment or have been working AD for several years, and they're focused on keeping the environment up and running. And that's a big challenge because in addition to that now, they have the security element that they've got to figure out. Which may be new or may take them in a different direction. And the security component can be an entire job in and of itself, and it often is.
So we have seen organizations do a better job going through and looking at the privilege groups, which is the Domain admins, administrators, enterprise admins, and removing the accounts and potentially groups that don't belong there. And looking at service accounts and reducing the rights of those, making sure that their admin account passwords actually do get changed. Going through and looking through the policies and setting those to have better security settings.
But ultimately, there's a lot of other things that should be done as well by looking at curbless delegation and making sure that that's configured not to be set to unconstrained delegation which is much more open and more broadly available to the attacker if they're able to compromise an account that has that to something like constrained delegation which really has a more restricted profile. So the answer is unfortunately, not enough. But I will say that it's getting better than it has been.
03:01