My name is Luc De Smet, and I'm the senior manager of the digital workspace solutions and security infrastructure team at Greif. Greif is a global leader in industrial packaging, and it's pursuing its vision to be the best-performing customer service company in the world. The company produces steel drums, plastic drums, fiber drums, corrugated sheets, cardboard, and various other industrial packaging products and services.
In addition to that, Greif also has timber properties in the southeastern USA. Greif has a workforce of more than 14,000 employees, and they are operating in 248 facilities in 37 countries around the globe. We are concerned about various security risks, of course, just like any other company. Think about phishing attempts, malicious software, crypto loggers, et cetera.
The greatest security concern for my team is making sure that the right people have the right permissions to manage Active Directory objects. Think about user accounts, AD groups, et cetera. Before we had Active Roles in place, we were using scripts, scripts to create user accounts, things like that.
There were not a lot of automated workflows in place. It was more manual work, written procedures that an IT engineer had to follow. Now we've been using Active Roles for more than 10 years. We automated it as much as we could. We believe that automation is key in working more efficiently as an organization.
Next to that, we can also apply the necessary permission templates on our Active Directory so that we can centralize our permissions, and with a single click, we can add or remove permissions for different IT roles in our organization. It's no longer a manual task that we need to do.
You're in control of your Active Directory and who can change what. Without Active Roles, you need to check everything manually. Active Roles gives us that tool, that centralized management tool to apply the permissions and policies on certain objects, and we have a full history log now as well. The history log will tell us who has changed what and when, and that is something we did not have previously.
The deprovisioning and undo deprovisioning of user accounts is also something very valuable that we found. Accounts get deprovisioned. It's a normal process in an organization, but sometimes we do get the request to undo this deprovisioning. Active Roles gives us that possibility just with a simple click on a button to restore the entire account with all its membership, and it's restored. There is no extra manual work in this.
The business benefit is, of course, whatever we can automate, the business no longer has to come to IT services for certain changes. Think about a new employee that joins the company, needs to be added to a distribution group. This is now all automated by using dynamic Active Directory groups. So it's not only a benefit for the business. It's also for IT. Whatever we can automate, we no longer have to do manually, so it's a win-win situation both for the business and for us.
The combination of Change Auditor and Active Roles makes it actually perfect. We can put protection on very important AD groups, highly privileged groups. Think about your enterprise admin group, domain admin group. By putting protection via Change Auditor on that group in Active Directory, even if an IT engineer would have the permission to change the membership of that domain admin group, still Change Auditor would block that.
For all the other objects, we have a full history in Change Auditor as well of what changes were made on these AD objects, so it gives us full visibility by using two tools. The integration is working perfectly. The visibility that Change Auditor gives us is definitely important but also the protection. Change Auditor gives you that extra layer of protection to protect highly sensitive AD groups, making sure that nobody can change that and that if there was an intrusion, that the attacker cannot gain control of your domain by giving himself domain admin permissions.
Lessons learned that we have from implementing Active Roles: if it's not yet in place, define your roles in your IT organization. What does the service desk level one engineer need to perform, level two, level three, infrastructure level one, level two? These roles and permissions you can translate into access templates and permissions within your Active Directory.
So you can give the engineer from an infrastructure team other permissions than a service desk level one engineer that just joined the company. So that's pretty important. And try to automate as much as possible. We're working in IT. Automation is key, and that's what we try to do, so using workflows and policies. Definitely look at that and implement it.