Why CISOs Are Rethinking Their Trust in Active Directory Security

For years, Active Directory (AD) has been the gold standard for identity and access management. It’s embedded in the DNA of enterprise IT, the engine behind logins, device authentication, and the digital workplace. But as cyber attackers grow more sophisticated, many CISOs are asking a difficult but necessary question:

Can we still trust Active Directory as the foundation of our security architecture?

It’s not that AD itself is broken. It’s that the model around it, and how most organisations secure it, is no longer sufficient for the threats we now face.

Active Directory: Centralised and Dangerously Exposed

AD was built for a different era, when users were inside the network, devices were trusted by default, and attacks came from the outside. But today’s reality is radically different:

  • Attackers don’t break in. 86% of breaches involve stolen credentials.
  • Endpoints are everywhere. Devices, users, and apps span offices, homes, and cloud services.
  • Insider risk is greater than ever. Lateral movement and privilege escalation often happen post-compromise.

While AD is essential for most organisations, it’s also dangerously exposed.

When Trust in AD Becomes a Liability

CISOs aren’t losing trust in AD security; they’re losing confidence in the assumptions that underpin it.

In a high-profile ransomware attack on a British business earlier this year, it’s been suggested that attackers used stolen credentials to exfiltrate the AD database, move laterally across the network, and deploy ransomware. If this is the case, the attackers didn’t need to break AD; they simply exploited its inherent openness.

Other UK retailers were also hit in similar campaigns. While each incident varied in severity, in every case, attackers targeted AD because once it’s compromised, every system, user, and asset downstream is exposed.

Traditional Defences Rely on Too Much Trust in Active Directory Security

Firewalls, VPNs, Conditional Access, and endpoint detection all play a role. But they operate on the assumption that what happens inside the network is inherently safe.

AD traffic is often left unprotected or encrypted in ways that can still be decrypted by attackers already inside the network. VPNs and VLANs segment traffic, but they don’t cloak it. TLS may encrypt it, but with keys on endpoints or in memory, attackers can extract and decrypt it later.

Rethinking the Trust Model

The idea of implicit trust in the network, in endpoints, or even in users has eroded. CISOs are shifting toward zero trust models, but many overlook the one system that should never be implicitly trusted: Active Directory.

Zero trust means nothing gets access without verification. But how often is AD traffic itself verified? How often is its visibility controlled? How do you prove that AD policy enforcement hasn’t been tampered with?

That’s why forward-thinking CISOs are rethinking Active Directory security, not at the identity level, but at the traffic level.

Certes DPRM: Bringing Deterministic Control to Active Directory Security

Certes Data Protection and Risk Mitigation (DPRM) offers a new approach. By applying cryptographic segmentation and deterministic policies to AD traffic, Certes ensures:

  • AD traffic is cloaked: LDAP, Kerberos, and DNS are invisible to anyone outside the trust zone.
  • No keys on endpoints: Even compromised devices can’t leak what isn’t there.
  • Post-quantum readiness: Certes uses algorithms designed to withstand quantum decryption.
  • Audit visibility: Security teams get real-time telemetry and proof of enforcement, without decrypting sensitive data.

This turns AD from a soft target into a hardened, cloaked system that can’t be exploited, even if an attacker is already in the network.

Active Directory Security Must Evolve with the Threats

Rethinking trust in AD isn’t about abandoning a cornerstone of enterprise IT. It’s about recognising that the trust model must evolve as threats change.

AD will always be central to identity. But it shouldn’t be a blind spot.

CISOs who assume breach, segment critical services, and enforce traffic-level controls are the ones who recover faster, protect their data, and pass audits when the inevitable cyber incident occurs.

The Most Dangerous Assumption Is That You’re Safe

If AD traffic is visible, it’s vulnerable. If it’s vulnerable, it’s a liability. That’s why security leaders should be asking, “Who can see our AD, who can use it, and how can we make sure they can’t abuse it?”

Certes DPRM gives them the answer.

Learn how Certes protects Active Directory with zero-access, post-quantum ready enforcement.

Request a demo or speak to our team.
