Mitch Denny posts today about how he believes that network security sucks. In particular, centrally managed network security sucks: it's too difficult and time consuming for users to get access to the things they need. The reason, he says, is poor support for delegation and federation in Active Directory, and a poor understanding of the tools available to manage Active Directory.

I can't say that I'm particularly convinced by the argument (what little there is). I see two main issues that need to be addressed: firstly, who is actually responsible for the availability and security of the network; and secondly, what technological and process limitations are holding back effective security management. Let's look at these two issues.

The first issue: who's responsible for the network. In a centrally managed network, it's those "systems administrators" at the centre. In today's larger networks there is an almost limitless number of settings, configurations, users and security requirements. To manage this complexity we implement a baseline (for example, a Standard Operating Environment or SOE for a desktop), and we then manage and track changes to that baseline. When things inevitably go wrong, the situation can be remedied much faster because a large number of factors have known values, and anything that has drifted from the baseline stands out. Contrast this with desktops or servers where the user can do anything and you need to troubleshoot a problem: you simply have no idea what the current configuration of the system is without spending an inordinate amount of time finding out.

Whilst it's certainly possible to delegate permissions to users, what is delegated must be manageable. Delegation is, in fact, required to some extent. Users must be able to access documents on shared folders. They must be able to change some settings on their PCs. You can allow them to reset passwords, view or send mail on another user's behalf, and recover previous versions of documents they may have accidentally deleted. Beyond that, you can allow them to add new users or machines to the domain, provision new websites and even change security group membership. The rights you can delegate to your users are almost limitless. What is required is that this delegation is manageable. You want the user to have some understanding of what they are doing, and you want the user to be able to follow standards and procedures. You don't want the user performing adverse actions, because ultimately it's you, as the systems administrator, who bears responsibility for their actions.

In most large organisations, this manageability aspect is a problem. Administrators simply can't keep track of every user, every security group, every delegated permission, and who has access to every system. Sometimes they can't even keep track of who's left the company! Because of this, they are risk-averse. Once they've given away a right, they can't keep track of it and they can't take it back. And so they only wish to delegate a permission if they are entirely comfortable that it's not going to impact adversely on them. That makes it difficult for Joe User to get the access that they feel they should have.

And this leads to the second issue: the technological and process issues holding organisations back from effective security management. Managing complexity would be easier if organisations had better provisioning and deprovisioning tools, and if organisations had better tools to get an overview of the state of permissions within the network. A provisioning tool could give a user permission to perform certain actions. It could keep track of what permissions had been delegated, giving systems admins a one-step overview of the configuration of security, and it could remove granted permissions and system access in one step as well.
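As an added example (not from the original post, and not any particular product's code), here is what the grant / track / revoke cycle described above looks like at the Active Directory level in PowerShell. It delegates a single narrowly scoped right (Reset Password, on user objects beneath one OU) to a group, reports every explicit ACE set on that OU so an administrator can see what has been handed out, and then revokes everything that principal holds on the OU in one step. It assumes the ActiveDirectory module and the AD: drive it registers are available; the OU `OU=Sales,DC=example,DC=com` and the group `Sales-HelpDesk` are placeholders.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory
# module (RSAT) and the AD: PSDrive it registers. The OU and group names used
# at the bottom are placeholders chosen for illustration.
Import-Module ActiveDirectory

# Well-known GUIDs used to scope the ACE to exactly one right on one object class.
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" control access right
$UserObjectClass    = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the "user" class

# Partial GUID-to-name table for the report; anything not listed is shown raw.
$KnownGuids = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user'
    '00000000-0000-0000-0000-000000000000' = 'All'
}

function Resolve-GuidName {
    param([Guid] $Guid)
    $key = $Guid.ToString()
    if ($KnownGuids.ContainsKey($key)) { return $KnownGuids[$key] }
    return $key
}

function Grant-ResetPasswordDelegation {
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,
        [Parameter(Mandatory)] [string] $GroupName
    )
    $sid = (Get-ADGroup -Identity $GroupName).SID
    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"

    # Allow the "Reset Password" extended right, applied only to descendant
    # objects of class "user": nothing on the OU itself, groups or computers.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserObjectClass)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OuDistinguishedName" -AclObject $acl
}

function Get-DelegatedAces {
    param([Parameter(Mandatory)] [string] $OuDistinguishedName)
    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"
    # Explicit (non-inherited) ACEs are the ones someone deliberately set on
    # this OU; inherited ones were granted higher up the tree and are reported there.
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }
        [pscustomobject]@{
            Identity    = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType
            Rights      = $ace.ActiveDirectoryRights
            Right       = (Resolve-GuidName $ace.ObjectType)
            AppliesTo   = (Resolve-GuidName $ace.InheritedObjectType)
            Inheritance = $ace.InheritanceType
        }
    }
}

function Revoke-Delegation {
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,
        [Parameter(Mandatory)] [string] $GroupName
    )
    $sid = (Get-ADGroup -Identity $GroupName).SID
    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"
    # Drop every explicit ACE this principal holds on the OU in one step.
    $acl.PurgeAccessRules($sid)
    Set-Acl -Path "AD:\$OuDistinguishedName" -AclObject $acl
}

# Walkthrough with the placeholder names: grant, report, revoke, report again.
$ou = 'OU=Sales,DC=example,DC=com'
Grant-ResetPasswordDelegation -OuDistinguishedName $ou -GroupName 'Sales-HelpDesk'
Get-DelegatedAces -OuDistinguishedName $ou | Format-Table -AutoSize
Revoke-Delegation -OuDistinguishedName $ou -GroupName 'Sales-HelpDesk'
Get-DelegatedAces -OuDistinguishedName $ou | Format-Table -AutoSize
```

Run it as an account that can write the OU's security descriptor. Two caveats a real provisioning tool would have to deal with: the report only lists ACEs set explicitly on that one OU, so a right granted on a child container or on an individual user object will not show up here, and `PurgeAccessRules` likewise only clears what was set on that object. Deprovisioning properly means walking the subtree (and the group memberships the principal was added to), which is exactly the bookkeeping the post argues most organisations don't have.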

But most organisations have poor manual processes, especially in the deprovisioning space, and almost non-existent processes to document which users have what permissions. In order to automate provisioning, deprovisioning and reporting, the business needs to spend some time determining exactly what processes it is going to have, develop appropriate workflows, and train users on how to use the tooling once it's implemented. This isn't exactly cheap, quick or easy, especially since it cuts across every business unit within the company rather than being purely an IT project. With so many other pressing projects that organisations need to work on, this type of thing is almost always on the backburner.

Conclusion: IT management (centralised or decentralised) needs to be modelled on the business, but some form of centralisation is going to exist in just about every mid to large sized organisation, so centrally managed IT is a necessity. Complaining that it's an unnecessary hindrance is not helpful. Both Active Directory and eDirectory have sufficient capability to delegate rights, so that isn't the cause of centralised IT holding back users. The problem holding companies back is a lack of processes to manage delegation, and a lack of automated tools that will make the resulting complexity a manageable burden for those whose responsibility it is to keep the network available and secure: the systems administrators.

Well, that's my $0.05 anyway. :-)