Companies often have extended, complex Active Directory infrastructures that have been expanded over time to encompass different domains, potentially creating security issues when they move to a new AD environment. A new AD migration and consolidation offering from identity-based cybersecurity provider Semperis is designed to tackle this problem head-on, streamlining the transition process while ensuring organizations' security posture.\n\nThe offering combines a new Migrator for AD product with a suite of existing Semperis capabilities designed for security-centric AD migration.\n\nAD migration involves the process of moving or transitioning from one Active Directory environment to another. This could mean migrating from an older version of Windows Server to a newer version, consolidating multiple AD forests (group of AD domains connected hierarchically) or domains into a single forest or domain, or even moving from on-premises AD to cloud-based services like Azure Active Directory.\n\nActive Directory migration risks\n\nExisting products lack security layering in the migration process, which leads to configuration drifts, unmanageable multiforests risks, and attack surface proliferation, claims Michael Masciulli, managing director of migration products & services atSemperis.\n\n\u201cOur solution includes comprehensive AD security and recovery capabilities to provide a critical safety net that is often overlooked but highly valued in the migration process," Masciulli said.\n\nThe new Semperis migration program is being offered as an on-premises deployment, but the company plans a SaaS release, and anticipates offering term and perpetual licensing. Semperis did not disclose a release date for the SaaS version, or details on pricing.\n\nThe migration system brings together a variety of products from Semperis\u2019 existing armory, including Purple Knight, Forest Druid, Active Directory Forest Recovery (ADFR), and Directory Services Protector (DSP).\n\nWhile Purple Knight and Forest Druid are used in premigratory preparations for vulnerability assessments and attack path analysis, respectively, while ADFR is used as a pre- as well as post-migration tool to clone the AD environment for testing and recovery purposes.\n\nDSP monitors all source and destination AD environments to track changes and roll back unintended changes (with ADFR) up to the attribute level.\n\nExisting techniques need modernization\n\n\u201cWe help organizations design their AD infrastructure to meet modern security standards, monitor for existing indicators of exposure (IOEs) and compromise (IOCs), indicators of attacks, and other vulnerabilities including password spray, Golden Ticket, and Kerberoasting attacks,\u201d Masciulli said. \u201cWe also mitigate the risks of migration by creating an exact copy of the production AD to test the migration beforehand, monitor for new vulnerabilities, and quickly roll back any unintended changes.\u201d\n\nThe new offering will also monitor the destination AD to stop configuration drift before it starts and continuously assess the new environments for IOEs and IOCs, Masciulli added.