Planning a Deployment
This chapter describes the decisions you need to make during the planning phase of a deployment and summarizes what’s involved in deploying identity management, privilege management, audit and monitoring service, and Agents. It includes simplified diagrams that highlight the steps involved.
Because of its multi-tier architecture and storage requirements, most of the information in this chapter applies to planning a deployment of audit and monitoring service. If you are only interested in deploying identity and privilege management without auditing, you should scan What’s involved in the deployment process for relevant topics and continue to Installing Verify Privilege Server Suite and updating Active Directory.
Why Planning is Important
Deploying IBM Security software on Windows affects how users access local applications and remote services. These changes will become a critical part of your IT infrastructure and the management of your organization’s resources. Therefore, it is important that you plan and test your deployment strategy and validate the results before placing IBM Security software components into a production environment.
After you deploy IBM Security software in a production environment, the rights and roles you define will control whether users can log on and what they can do on specific computers if they are allowed to log on. Because preventing users from accessing critical resources or services can affect business operations, you should analyze the requirements of your environment as thoroughly as possible before moving from a pilot deployment into production.
Identify Identity, Privilege Management, and Auditing Goals
As discussed in Managing Windows computers using IBM Security software, you have the option of focusing your deployment on identity and privilege management, or on audit and monitoring service, or on a combination of the two. If you plan to install components for identity and privilege management together with audit and monitoring service, you can use roles and role assignments to control which users and groups are audited and under what circumstances auditing takes place. You can also capture detailed information about what happened after a user selected a role with domain administrator privileges or started an application using a service account.
During the planning phase, you should decide on the goals of your deployment—identity and privilege management, audit and monitoring service, or both—because that decision affects all of the other decisions you need to make. If you plan to include audit and monitoring service, you should also start to identify who and what you want to audit, any roles where no auditing should be done, and any roles that will require auditing.
Decide on the Scope of the Installation
Before you deploy any of the audit and monitoring service infrastructure, you should decide on the scope of the installation: whether you want a single installation that covers your entire Active Directory environment, or separate installations for different geographical areas or functional groups.
The most common deployment is a single audit and monitoring service installation for each Active Directory forest, so that auditors can query and review information for the entire organization from one place. If your environment contains more than one forest, you might want to use more than one audit and monitoring service installation. If you do use more than one installation, you should determine which IP subnets define the scope of each one, so that every audited computer falls unambiguously into exactly one installation.
In Active Directory, a site is a set of well-connected IP subnets, and the sites together describe the physical structure of your network. Because installation scope is expressed in terms of subnets, it is worth reviewing which subnets are assigned to which sites, and which subnets are not assigned to any site, before you draw installation boundaries. If you are not familiar with how Active Directory sites and subnets are defined, you should consult Microsoft documentation for more information.
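The following PowerShell script is an added example, not part of the original documentation or of the product, that lists every Active Directory site with the IP subnets assigned to it and flags subnets that are not assigned to any site. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read the Configuration partition (any domain user can, by default); the function name Get-SiteSubnetMap is a hypothetical name chosen for this example.

```powershell
# Added example (not from the original documentation): map AD sites to the IP
# subnets assigned to them, to help decide which subnets define the scope of
# each audit and monitoring service installation.
# Assumes the RSAT ActiveDirectory module and read access to the Configuration
# partition. Get-SiteSubnetMap is a hypothetical name used for this example.
Import-Module ActiveDirectory

function Get-SiteSubnetMap {
    # All subnets in the forest; Site is the distinguished name of the owning site,
    # or $null when the subnet has not been assigned to a site.
    $subnets = Get-ADReplicationSubnet -Filter * -Properties Site

    # Group subnets by site DN so each site can be looked up once.
    $bySite = @{}
    foreach ($s in $subnets) {
        if ($s.Site) {
            if (-not $bySite.ContainsKey($s.Site)) { $bySite[$s.Site] = @() }
            $bySite[$s.Site] += $s.Name
        }
    }

    # One output row per site, even for sites that currently own no subnets.
    foreach ($site in Get-ADReplicationSite -Filter *) {
        $names = @()
        if ($bySite.ContainsKey($site.DistinguishedName)) {
            $names = $bySite[$site.DistinguishedName]
        }
        [pscustomobject]@{
            Site        = $site.Name
            SubnetCount = $names.Count
            Subnets     = ($names -join ', ')
        }
    }

    # Subnets with no site: computers in them are not placed in any site, so they
    # cannot be cleanly attributed to an installation by subnet. Report them.
    $unassigned = $subnets | Where-Object { -not $_.Site }
    foreach ($u in $unassigned) {
        Write-Warning "Subnet $($u.Name) is not assigned to any site"
    }
}

# Usage: tabular view of sites and their subnets.
Get-SiteSubnetMap | Sort-Object Site | Format-Table -AutoSize
```

Use the output to check that each planned installation's subnet list is complete and that no subnet appears in two installations; resolve any unassigned subnets (assign them to a site in Active Directory Sites and Services) before finalizing the scope, because computers in those subnets will otherwise not be consistently attributed to a site.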