Companies often have extended, complex Active Directory (AD) infrastructures that have been expanded over time to encompass different domains, potentially creating security issues when they move to a new AD environment.
A new AD migration and consolidation offering from identity-based cybersecurity provider Semperis is designed to tackle this problem head-on, streamlining the transition process while ensuring organisations’ security posture.
The offering combines a new Migrator for AD product with a suite of existing Semperis capabilities designed for security-centric AD migration.
AD migration involves the process of moving or transitioning from one Active Directory environment to another. This could mean migrating from an older version of Windows Server to a newer version, consolidating multiple AD forests (group of AD domains connected hierarchically) or domains into a single forest or domain, or even moving from on-premises AD to cloud-based services like Azure Active Directory.
Active Directory migration risks
Existing products lack security layering in the migration process, which leads to configuration drifts, unmanageable multiforests risks, and attack surface proliferation, claims Michael Masciulli, managing director of migration products & services at Semperis.
“Our solution includes comprehensive AD security and recovery capabilities to provide a critical safety net that is often overlooked but highly valued in the migration process,” Masciulli said.
The new Semperis migration program is being offered as an on-premises deployment, but the company plans a SaaS release, and anticipates offering term and perpetual licensing. Semperis did not disclose a release date for the SaaS version, or details on pricing.
The migration system brings together a variety of products from Semperis’ existing armory, including Purple Knight, Forest Druid, Active Directory Forest Recovery (ADFR), and Directory Services Protector (DSP).
While Purple Knight and Forest Druid are used in premigratory preparations for vulnerability assessments and attack path analysis, respectively, ADFR is used as a pre- as well as post-migration tool to clone the AD environment for testing and recovery purposes.
DSP monitors all source and destination AD environments to track changes and roll back unintended changes (with ADFR) up to the attribute level.
Existing techniques need modernisation
“We help organisations design their AD infrastructure to meet modern security standards, monitor for existing indicators of exposure (IOEs) and compromise (IOCs), indicators of attacks, and other vulnerabilities including password spray, Golden Ticket, and Kerberoasting attacks,” Masciulli said.
“We also mitigate the risks of migration by creating an exact copy of the production AD to test the migration beforehand, monitor for new vulnerabilities, and quickly roll back any unintended changes.”
The new offering will also monitor the destination AD to stop configuration drift before it starts and continuously assess the new environments for IOEs and IOCs, Masciulli added.