November 11, 2021
But, I need Administrator access….
Security blog series By Dwayne Natwick
How do we plan for using the Principle of Least Privilege?
In our growing cloud infrastructure, there are users that need access to resources at an administrator level. How we plan, manage, and monitor these administrator roles will have a direct impact on the security of our cloud infrastructure.
When designing and scoping the company roles for IAM, the principle of least privilege should always be at the forefront of the discussion. This is the concepts that any user or resource only has access to the applications, resources, and information that they require to perform their specific job duties. Anything above that poses a vulnerability and potential threat to the company that sensitive information could be leaked to those that should not be allowed to view.
The scope of IAM is to manage that any user, group, or resource has been properly assigned roles and access that adheres to this principle. This should be properly documented by job title with role assignments, and the roles should be reviewed regularly with department owners to verify that the assignments are still accurate and valid. When we discuss creating users and groups in a later chapter, we will discuss options for creating role assignments in a dynamic, auto-assigned manner, and how to automate the review of these roles.
What is Privilege Identity Management (PIM)?
A major area of Identity Governance that we need to manage is privileged access based on administrative user accounts. As we continue to add and activate these administrative roles within our tenant, we begin to increase the attack surface that someone that gains unauthorized access to a compromised account may have elevated privileges.
As Identity and Access Administrators, it is our duty to protect and defend this layer through utilizing the concepts of zero-trust and principle of least privilege to assign and manage these administrator accounts. You should have a clear strategy with defined job tasks for every administrator user account to plan for proper assignment of these roles. This strategy should include meeting with stakeholders and discussing the roles that each department member requires to complete their job tasks. In addition, you should be monitoring the activity of these accounts and verifying the continued requirement for users to have these privileged access roles.
To enforce the concepts of zero-trust, you have the capability to assign Conditional Access policies to these accounts. To address and protect privileged assignments, Azure AD provides Privileged Identity Management within the Identity Governance solutions.
Privileged Identity Management provides just-in-time privileged access to users. Since users are only provided active administrator roles for a short window of time, this reduces the attack surface and potential for these user accounts from causing exposure to privileged access from an attack. Privileged Identity Management provides an approval and justification process for activating privileged role assignments, which includes notifications when a role is activated and an audit trail of these activations.
Privileged Identity Management (PIM) requires an Azure AD Premium P2 license. To assign PIM to member accounts, each user must have this license. However, for guest users that require privileged access with PIM, five guests can be assigned PIM roles for every one Azure AD Premium P2 license that you have in your tenant.
PIM can be accessed directly by searching for Privileged Identity Management or can be found in the Azure AD Identity Governance tile.
How do I manage PIM?
Privileged user access should be regularly reviewed to verify that a user's elevated access is still required. Since these are elevated access assignments, the review of these should be done on a consistent basis as identified by the company. Unused and unnecessary privileged assignments should be removed. Automated removal should also be configured for users that are no longer with the company or have changed departments within the company.
Once you review and create the Access review, you can review the access reviews in the manage PIM dashboard. Additional information on creating access reviews can be found at this link: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.
What are the benefits to using PIM and Access reviews?
Implementing Privileged Identity Management provides multiple benefits, many that we already have mentioned. To summarize, PIM creates just-in-time elevated privileges that are only active for the time needed and then placed back into an available and inactive status. This decreases the attack surface and available administrator accounts that an attacker can leverage to do damage.
In addition, access reviews can be put in place to review and audit the need for these roles to be available to users. If users do not respond to these review requests, you can automatically remove the PIM role assignment from the user, again decreasing the available attack surface.
The final benefit to consider is that PIM role assignments are fully audited. At any time that a role assignment is created, Global Administrators and PIM Administrators are notified. They are also notified when one of these assignments are activated and the access review activity is easily monitored from the PIM dashboard.
For more information on Privileged Identity Management, please review the Microsoft Docs link here: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure.
In the next post, we will discuss managing and protecting our data from threats and vulnerabilities.
In the next post of this series, we are going to discuss zero trust as we protect the identity and access layer of our defense in depth security posture.
For more information on how to utilize Microsoft tools for security, compliance, and identity protection and governance, visit the Opsgility training calendar or contact us to schedule a consultation.
Dwayne Natwick Cloud Architect Lead