As organisations move into the cloud, a risk – if not addressed early on, is the correct access control implementation across the Azure landscape. From initial Proof of concepts to testing in the cloud, sometimes the Role-based Access Control model utilised when starting off, might not be the correct and most effective for the organisation.
One of the vital steps in the Azure Cloud Adoption Framework, is planning your access control methodology. Engaging with people in the organisation with roles such as security, compliance, IT administration and the enterprise architect(s) would assist in confirming the appropriate model to adopt.
Azure vs Azure AD Security
It is important to understand that there are two key implementations of your Azure estate when it gets to assigning permissions. This is the distinction between Azure AD and Azure. The Microsoft diagram below illustrates the difference the best.
All users live inside Azure AD, however they have different roles in Azure AD and in the Azure Account (infrastructure).
There is a lot of Azure Active Directory (Azure AD) built-in roles, which are roles with a fixed set of role permissions. To supplement the built-in roles, Azure AD also supports custom roles. Use custom roles to select the role permissions that you require, try avoid too many custom roles as this creates additional overhead.
By way of an example, you could create a role to manage particular Azure AD resources such as applications or service principals. You can refer to Microsofts’ Understand Azure Active Directory role concepts for a more detailed understanding.
Azure AD has required single user assignments to be done against an Azure AD role, but have launched supporting Azure AD groups to be assigned to Azure AD roles. This has been released during 2021. This helps immensely in a growing or large organisation. See additional documentation Use Azure AD groups to manage role assignments.
As your cloud estate grows it is recommended to keep your management of the access controls relatively simple to avoid more difficult management due to complexity.
The Top 3 Tips to make your Access Control easier in Azure are:
- Use management groups for organisation-wide access control
- Use subscriptions and resource group-based for finer grain access
- At all costs, avoid user-assigned role assignments, use Azure AD groups instead
Management groups are logical groups for Azure subscriptions, allowing you to organize subscriptions and resources into a hierarchy of management groups. The logical groups can be used to apply governance controls with tools as Azure Policy and implement Role-Based Access Controls (RBAC) to the management group structure. All child resources(subscriptions and child management groups) of a management group automatically inherit the RBAC controls and Azure policies applied on the management group level.
Management Group Organisation
As part of Microsofts’ Cloud Adoption Framework, a guide for management group and subscription organization, you are provided with a set of hierarchy design recommendations and considerations for management groups and subscriptions.
Using Privilege Identity Management (PIM)
Microsoft has several offerings to support identity management in Azure including Azure Active Directory (AAD), Azure Active Directory Identity Protection and Azure AD Privileged Identity Management (PIM).
PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions in your Azure estate. Some of the features it provides are:
- Just-in-time privileged access to Azure AD and Azure resources
- Time-bound access to resources using start and end dates
- Ability to have approval to be complete to activate privileged roles
- Enforce multi-factor authentication to activate any role
- Use justification to understand why users activate PIM
- Get notifications when privileged roles are activated
PIM can be applied on Management Groups as well and can be used to give eligible users(via Groups) ability to elevate themselves to roles such as Owner or Contributor. This way you can now provide elevated privileges to specific function groups, and provide least-privilege to all users by default.
Azure and Azure AD supports Privileged Identity Management (PIM):
- Azure AD
- Can assign PIM against User or Group for a role
- Can assign PIM against a user or Group against a Scope for a role.
Working with our customers we’ve seen how the lack of governance can result in a large administrative burden for support teams and complexity which is hard to unstitch. This results in unmanaged risk and long change control cycles to remediate the deployment to a governed approach.
PIM is very powerful to delegate access when required, when coupled with the approval process the risk is further reduced as malware cannot automate itself through permanent open access. The risk is not removed entirely and PIM provides significant reduction is risk due to just in time approved access and short approval windows with token timeout settings.
Our customers get the best benefit through early engagement and planning sessions. Analogous to building a house, it is much quicker and efficient to build a new house than to renovate an existing one. Unstitching an environment that has had poor governance is a highly time intensive and slow moving process. Try get your governance guard rails and definitions correct as early as possible.
As you can now understand, there are various ways to help protect, manage multiple subscriptions, and thousands of users easy with the tools provided by Microsoft. Again, it is important to consult with all the relevant stakeholders in the organisation on the methodology you would want to adopt, and address concerns and take all input into consideration.
It is important to have the model documented and most importantly be able to educate your users and, especially, elevated users on what will be implemented and how to use the privileges responsibly.