
Active Directory tiering
AD tiering: three-tier model isolating Tier 0 domain-controller admin accounts from internet-facing assets; absent in Capita and Advanced Computer Software breaches.
Last refreshed: 17 April 2026
What is AD tiering and why are UK companies being fined for not having it?
What is Active Directory tiering and why does the ICO care about it?
- AD tiering isolates privileged admin accounts by function: Tier 0 (domain controllers), Tier 1 (servers), Tier 2 (endpoints). The UK ICO fined Capita £14m and Advanced Computer Software £3.07m after absent AD tiering contributed to breaches, citing NCSC guidance as the GDPR Article 32 standard. Source: ICO / NCSC
Background
Active Directory (AD) tiering is a security architecture model that isolates administrative accounts by function and privilege level: Tier 0 covers domain controllers and identity infrastructure; Tier 1 covers servers and applications; Tier 2 covers endpoints and standard workstations. Absent AD tiering was cited alongside absent PAM controls as a GDPR Article 32 failure by the ICO in both the Capita (£14m) and Advanced Computer Software (£3.07m) monetary penalty notices.
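The tier model above is a policy, and the question a security architect or an ICO assessor actually asks is whether the directory honours it. The following script is an added example, not code from the page, the ICO or the NCSC: it encodes the three-tier rule over a small, constructed inventory (group names, host names and account names are invented) and reports the two conditions that let a lower-tier foothold become domain-controller access: an identity that is privileged in more than one tier, and an admin right or interactive logon that crosses a tier boundary in either direction.

```python
"""Audit a tiered-admin inventory for cross-tier privilege paths.

Added example, not the page's or the NCSC's code. It checks the three-tier
rule described in the article (Tier 0 = identity infrastructure, Tier 1 =
servers, Tier 2 = endpoints) against a constructed inventory:

  1. multi-tier identity: one account privileged in two or more tiers, so a
     single stolen credential spans tiers;
  2. cross-tier admin/logon: a Tier 0 credential exposed on a Tier 2 host,
     or a Tier 2 account holding admin rights on a Tier 0 host.

All names below are invented for the example.
"""
from dataclasses import dataclass, field

# Constructed mapping of privileged groups to the tier they control.
# A real deployment derives this from its own group inventory.
GROUP_TIER = {
    "Domain Admins": 0,
    "Enterprise Admins": 0,
    "T1-Server-Admins": 1,
    "T2-Workstation-Admins": 2,
}


@dataclass
class Account:
    name: str
    groups: set = field(default_factory=set)


@dataclass
class Host:
    name: str
    tier: int
    local_admins: set = field(default_factory=set)        # accounts with admin rights
    interactive_logons: set = field(default_factory=set)  # accounts seen logging on


def account_tiers(account):
    """Tiers an account is privileged in, derived from its group membership."""
    return {GROUP_TIER[g] for g in account.groups if g in GROUP_TIER}


def audit(accounts, hosts):
    """Return a sorted list of (kind, account, detail) tier violations."""
    findings = set()
    by_name = {a.name: a for a in accounts}

    # Rule 1: an identity must be privileged in at most one tier.
    for acct in accounts:
        tiers = account_tiers(acct)
        if len(tiers) > 1:
            findings.add(("multi-tier-identity", acct.name, f"tiers {sorted(tiers)}"))

    # Rule 2: privileged accounts may only administer or log on to hosts of their own tier.
    def check(host, acct_name, kind):
        acct = by_name.get(acct_name)
        if acct is None:
            return  # unknown principal; outside this check's scope
        for t in account_tiers(acct):
            if t != host.tier:
                findings.add((kind, acct_name,
                              f"tier {t} account on tier {host.tier} host {host.name}"))

    for host in hosts:
        for name in host.local_admins:
            check(host, name, "cross-tier-admin")
        for name in host.interactive_logons:
            check(host, name, "cross-tier-logon")

    return sorted(findings)


# Constructed sample inventory (invented names).
ACCOUNTS = [
    Account("da-alice", {"Domain Admins"}),
    Account("srv-bob", {"T1-Server-Admins"}),
    Account("ws-carol", {"T2-Workstation-Admins"}),
    Account("dave-everything", {"Domain Admins", "T2-Workstation-Admins"}),
    Account("eve-user", set()),  # unprivileged; may log on anywhere
]
HOSTS = [
    Host("DC01", 0, local_admins={"da-alice"}, interactive_logons={"da-alice"}),
    Host("APP01", 1, local_admins={"srv-bob", "ws-carol"}, interactive_logons={"srv-bob"}),
    Host("WS-0042", 2, local_admins={"ws-carol"}, interactive_logons={"eve-user", "da-alice"}),
]

if __name__ == "__main__":
    for kind, acct, detail in audit(ACCOUNTS, HOSTS):
        print(f"{kind:22} {acct:18} {detail}")
```

Run against the sample inventory, the audit flags `dave-everything` as a multi-tier identity, `ws-carol` as a Tier 2 admin holding rights on a Tier 1 server, and `da-alice` as a Tier 0 account whose credential has been exposed by logging on to a Tier 2 workstation; `eve-user` is unprivileged and generates nothing. In a live environment the `groups` sets come from directory group membership and the `interactive_logons` sets from logon event collection, which is also the detection feed that shows a tiering policy eroding before an incident does.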
In both ICO enforcement cases, the lack of AD tiering allowed attackers to escalate privileges from a compromised lower-tier account to domain-controller-equivalent access, producing the impact that triggered the GDPR breach notification. NCSC guidance on AD tiering is the reference document the ICO applied as its Article 32 baseline in both decisions.
For enterprise security architects and compliance teams, the ICO decisions mean that NCSC's AD tiering model is now a compliance obligation for UK-regulated organisations, not merely a security recommendation. The Stryker MDM wipe provides the complementary operational illustration: while Stryker's specific failure was at the MDM control-plane level, the underlying principle is identical — privilege levels within administrative tooling must be isolated and bounded to limit blast radius.