In-House vs Consultant-Led Tiered Access Implementation: What to Choose

Implementing secure access in an organization can be compared to taking on a home renovation project. There are times when rolling up your sleeves and doing it yourself (DIY) makes perfect sense, and then there are times when calling in the professionals is the wisest course to take. When it comes to implementing tiered access, which approach should you take?

What is the Tiered Access Model?

First, we must understand what we are trying to accomplish by understanding what the tiered access model is. Brian Desmond describes it as a method to reduce risk of privilege escalation in his article How to Mitigate Privilege Escalation with the Tiered Access Model for Active Directory Security. While Microsoft has ‘retired’ the tiered access model in favor of the enterprise access model, tiering is used to implement both models, so we will continue with the term tiered access model. For a more in-depth comparison of the tiered access model with the enterprise access model, my colleague Burke Matsuo delves deeper into this subject in his article The Evolution of Active Directory Red Forest | The Shift To Enterprise Access.

The tiered access model segregates administrative and privileged access into multiple distinct levels. These are typically broken down into a minimum of three tiers: Tier 0, Tier 1, and Tier 2.

  • Tier 0 — Privileged Access and Control Plane within Microsoft’s Enterprise Access Model (EAM)
    This tier encompasses all assets that provide direct control of security and identity infrastructure. Common examples are Active Directory (AD), Public Key Infrastructure (PKI), Microsoft Entra ID, Identity and Access Management (IAM) tools, and management systems for Tier 0 assets.
  • Tier 1 — Management and Data/Workload Plane within Microsoft’s EAM
    This tier includes all servers, and any applications or cloud services that provide significant access to critical business data.
  • Tier 2 — User Access and App Access within Microsoft’s EAM
    This tier involves all administrative access or indirect control over client computers and related devices.

Implementing a tiered access model provides isolated administrative and privileged access based on risk level and trust boundary. It aligns with the principles of least privilege and Zero Trust and prevents privilege escalation attacks.

A key factor in a tiered access model is an understanding of the clean source principle. The clean source principle dictates that any user, device, or system that can exert control over a tiered system must be managed to the same level of assurance as that system. For example, with the three systems shown in Figure 1 below, if A controls B, and B controls C, then A also transitively controls C. If system C is a Tier 0 asset, systems A and B must also be Tier 0 assets.

Figure 1

In a tiered access model, lower tiered admins and devices must not have control over higher tier assets. A critical part of the tiered model is the implementation of technical controls that prevent privileged credentials from intentionally or accidentally crossing tier boundaries. Examples of these controls are privileged access workstations (PAWs), conditional access policies, and group policies.
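The clean source principle and the tier-boundary rule above can both be checked mechanically once you have written down which accounts, hosts and services control which others. The following script is an added example (not from the original article or from Ravenswood) that walks a constructed control graph, computes transitive control, reports every lower-tier controller of a higher-tier asset, and derives the tier each asset would have to be managed at; all host and account names in it are made up.

```python
from collections import defaultdict, deque

# Constructed sample data: each edge means "controller -> controlled".
# A Tier 2 help-desk jump host can reach a backup service account, which in
# turn has write access to a domain controller, so the jump host transitively
# controls a Tier 0 asset, exactly the A -> B -> C chain from Figure 1.
CONTROL_EDGES = [
    ("helpdesk-jump01", "svc-backup"),
    ("svc-backup", "dc01"),
    ("paw-admin01", "dc01"),
    ("dc01", "file01"),
]
TIERS = {"helpdesk-jump01": 2, "svc-backup": 1, "dc01": 0, "paw-admin01": 0, "file01": 1}


def transitive_control(edges):
    """Map each controller to everything it controls directly or transitively (BFS)."""
    graph = defaultdict(set)
    for src, dst in edges:
        graph[src].add(dst)
    reach = {}
    for node in graph:
        seen, queue = set(), deque(graph[node])
        while queue:
            cur = queue.popleft()
            if cur not in seen:
                seen.add(cur)
                queue.extend(graph.get(cur, ()))
        reach[node] = seen
    return reach


def tier_violations(edges, tiers):
    """Tier boundary check: a controller may never sit in a lower tier (higher
    number) than an asset it controls. Returns (controller, asset, ctl_tier, asset_tier)."""
    violations = []
    for controller, controlled in transitive_control(edges).items():
        for asset in controlled:
            if tiers[controller] > tiers[asset]:
                violations.append((controller, asset, tiers[controller], tiers[asset]))
    return sorted(violations)


def required_tiers(edges, tiers):
    """Clean source principle: the tier each asset must be managed at is the most
    sensitive (lowest-numbered) tier of anything it transitively controls."""
    required = dict(tiers)
    for controller, controlled in transitive_control(edges).items():
        required[controller] = min([tiers[controller]] + [tiers[a] for a in controlled])
    return required


if __name__ == "__main__":
    for ctl, asset, ct, at in tier_violations(CONTROL_EDGES, TIERS):
        print(f"VIOLATION: Tier {ct} {ctl} controls Tier {at} {asset}")
    print("required tiers:", required_tiers(CONTROL_EDGES, TIERS))
```

In a real environment the edge list would be built from group memberships, ACLs, logon rights and management-agent relationships rather than typed by hand; the checks themselves stay the same.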

With an understanding of how the tiered access model functions and the importance of technical controls in securing privileged access, organizations must consider the best approach for implementation.

In-House (DIY) Implementation

In-house implementation allows organizations to leverage their existing talent and institutional knowledge, which can result in a tailored approach that aligns closely with company-specific requirements and culture. For organizations with experienced staff and less complex environments, handling the project internally can maximize cost efficiency and ensure that control remains within the company.

However, it’s important to weigh these benefits against potential challenges that can arise. Below are some common challenges faced by internal teams taking the DIY approach:

  • Complexity and Technical Debt: Just as older homes often hide outdated wiring or plumbing, legacy AD environments can conceal years of technical debt: obsolete designs and inconsistent admin practices that result in complex organizational unit (OU) structures and conflicting Group Policy Objects (GPOs). When coupled with legacy systems and protocols, addressing these issues internally can be like opening a wall and discovering surprises that require specialized skills to fix.
  • Risk of Human Error: With home projects, you often only have evenings and weekends to do the work. The same is true within companies: the individuals responsible for implementing larger projects are frequently still doing their ‘day job’ while trying to fit in larger initiatives like tiered access. This can lead to misconfigured permissions, incorrect tiering assignments, or tier boundaries that are never actually enforced.
  • Lack of Specialized Expertise: Not only have the standards and technologies changed throughout the years, but the security risks have become much more advanced with threats like Kerberoasting, AS-REP roasting, and NTLM relay attacks. These evolving threats highlight the importance of up-to-date expertise when implementing security controls.
  • Maintenance and Consistency / Undocumented Processes: Organizations often have enough time to handle the initial implementation, but then immediately move on to other projects. This results in a lack of automation, manual and infrequent audits, and eventually configuration drift. Another common result is missing or partial documentation, which leaves future teams struggling to maintain or update the environment.

Consultant-Led Implementation

Hiring consultants like Ravenswood involves upfront costs, but the long-term benefits can be substantial. While consultants may lack deep company-specific knowledge, their broad experience across industries brings valuable perspective to each project. Just as a professional contractor brings advanced equipment and expertise to a renovation, consultants leverage specialized tools and proven methods to ensure your tiered access model is secure and sustainable:

  • Specialized Expertise: For consultants, this is their job. As an example, Ravenswood consultants are Microsoft-certified experts with extensive experience in designing, configuring, and securing core services such as AD, Microsoft Entra ID, Public Key Infrastructure (PKI), and Identity and Access Management (IAM). Consultants are versed in both legacy and cloud-hybrid environments and stay current on emerging threats and mitigation strategies to keep your environment secure.
  • Comprehensive Evaluation and Strategic Design: Building something on top of a risky foundation will only cause long-term problems. Ravenswood’s Active Directory Health Check offers a thorough review of hundreds of configuration, security, and operational settings. This process identifies misconfigurations and vulnerabilities, provides a detailed report with prioritized recommendations, and helps ensure the design addresses existing and future security concerns.
  • Implementation of Best Practices: Consultants bring repeatable experience in deploying industry-leading security models across diverse environments. This experience promotes consistent application of best practices, including adherence to the clean source principle, strict enforcement of tier boundaries, least privilege access, and the use of PAWs for secure administrative access.
  • Streamlining and Automation: Consultants can assist with simplifying complex Organizational Unit (OU) structures and Group Policy Object (GPO) designs to improve manageability and minimize conflicts. They can also automate critical IAM processes such as user provisioning and deprovisioning, reducing manual effort and improving consistency.
  • Compliance and Long-Term Strategy: By creating simple solutions that comply with rigorous standards, consultants can ensure your systems and processes are protected in an ever-changing regulatory environment. They also assist in developing long-term strategies that accommodate growth and evolving technologies, including cloud integration with Microsoft Entra ID.
  • Use of Specialized Tools: With a basic set of tools, many DIY projects are achievable. However, there are times when a specialized tool can make a significant difference, either by enhancing the quality of the outcome or by dramatically reducing the time and effort required. Whether it is custom PowerShell modules or advanced security tools like Microsoft Defender for Identity and Microsoft Sentinel, consultants bring deep knowledge and hands-on experience with these tools.
  • Documentation: Comprehensive documentation from consultants acts like a set of blueprints for your identity infrastructure. It details not only the design but also the reasoning behind each decision, making future maintenance and upgrades far easier—even for those who weren’t part of the original project.

Comparing the Options

When planning a tiered access implementation, organizations often face a key decision: whether to manage the project internally or engage external consultants. Each approach offers distinct advantages and challenges, depending on the complexity of the environment, available expertise, and long-term goals. The table below outlines the key differences between in-house and consultant-led implementations to help guide that decision.

Conclusion

Deciding between an in-house (DIY) strategy or engaging external help can significantly influence both the effectiveness and efficiency of deploying a tiered access model. When deciding, companies should carefully evaluate the scope and complexity of the project and honestly assess whether their internal resources possess the necessary expertise and bandwidth to execute a secure and effective tiered access model implementation.

  • Does my in-house talent have the skills, tools, and experience to handle the full scope and complexity of this project?
  • Do they have the time dedicated to this project, allowing them to do the work correctly and completely?
  • If it is implemented incorrectly, what is the probable outcome? What is the worst-case outcome?

For example: if you are hanging an interior door in your house and it isn’t done correctly, whether due to lack of expertise or time, the worst that happens is that an interior door doesn’t close properly. If you are replacing an exterior door and it isn’t done correctly, significant issues can arise. You hope that only the weather and bugs make their way into your house until you can resolve the issue.

Just as a DIY home project can run into trouble without the right tools or experience, attempting to deploy a tiered access model without expert guidance can result in costly rework, increased risk, and long-term technical debt. By leveraging proven frameworks, automation, and thorough documentation, professionals ensure that every “door” in your identity infrastructure is properly secured, and that your organization is protected against both current and emerging threats.

Take the next step:

  • Assess your current posture: Are you confident your tiered access controls are robust and up to date?
  • Request an Active Directory Health Check: Ravenswood’s experts will thoroughly review your environment, uncover hidden risks, and provide actionable recommendations tailored to your needs.
  • Schedule a discovery call: Not sure where to start? Connect with Ravenswood Technology Group for a no-obligation conversation about your goals, challenges, and the best path forward.

With deep, hands-on experience in securing Tier 0 assets and a proven track record across industries, Ravenswood brings the specialized expertise needed to safeguard your environment against evolving threats. Don’t leave your most critical systems to chance—leverage the value of true expertise.

Contact Ravenswood Technology Group today to get started on your journey to a more secure and resilient identity infrastructure.
