Identity governance. What is it?
“My applications and services are within the Cloud, thereby enhancing agility for my business, customers and partners. However, how can I ensure that my environment is regulated, and access controlled appropriately”?
In the first of a series of 3 blogs around identity, Silversands Dave Ripley talks about identity governance.
Microsoft offers a number of tools within Azure Active Directory (Azure AD) for providing access to Azure AD-integrated applications (native or third-party SaaS) for all staff, in addition to granting access to external users (partners, suppliers, contractors, B2B, B2C). As you can expect, granting access in an unregulated way without controls can place any associated data at risk, especially where the following is true:
- There are too many users with privileged roles (Data/Service Admins).
- Access and controls are cumbersome to use because groups are unmanaged or fragmented.
- External user (guests) are invited into the tenant but are not well managed (i.e. removed when not required).
This is where identity governance helps, read on…
Identity Governance. So let’s elaborate
Identity governance provides policy-based, automated user identity management and access controls.
It provides security and regulatory compliance, by enabling enforcement, review, and auditing of ‘User Access’ processes.
So what does Azure AD identity governance provide?
Azure AD provides a toolset to help to control governance, all of which are included in the Azure AD P2 license SKUs. The toolset is made up of the following…
Entitlement management in Azure AD offers the ability to create collections (access packages) to group together sets of resources, which are normally individually assigned. These sets of resources can be applications, security or Office 365 groups, or SharePoint sites. The collections can be created to reflect roles within the business, thereby enabling efficiency in onboarding new staff (i.e. full-time, contractors), or indeed transient partners used during the lifecycle of a project or workstream.
When using entitlement management, the following areas should be agreed in advance:
- Who should be able to apply for the package? i.e. packages based on role will be tied to the role they represent
- Will the package require approval?
- Who will provide the package approval (For example – if based on a role, the Department Manager should be responsible for authorising)?
Key benefits of using Azure AD Entitlement Management are:
- Simplification of access management by allowing the requests to be validated by departmental managers i.e. those who should be more familiar with requirements of roles within their department.
- Enhances efficiency of staff/partner onboarding processes by minimising risks due to joiner, mover, leaver, and temporary staff movement/changes.
In addition to entitlement management, a supplementary tool named ‘Access reviews’ is also beneficial in enhancing ‘access lifecycle’. This works by providing a mechanism for regularly reviewing ‘access’ (i.e. membership of a group or access to an application).
Key areas which are pertinent to reviewing ‘access lifecycle’ typically are:
- Will the review include all users in a group, or just target guest users (i.e. transient or partners users)?
- Who should be authoritative for performing the review – group owners, the users themselves, or other specific admin staff?
- The review cycle once configured is automated, therefore each ‘reviewer‘ will receive an email which is configured to open a web page for carrying out the review
- How often should the review be configured to repeat?
Key Benefits of Access Reviews
The following are key benefits of Access Reviews:
Provides an automated method for ensuring access to services or applications are reviewed regularly by a responsible project owner or application manager, or another relevant person. If the users do not respond to the ‘access reviews emails’, these users are removed.
This automation mitigates the traditional and longstanding issue where groups are used for providing access to resources, but the group is never subsequently checked after a project is complete or when changes in circumstances dictate it (mover, leavers etc).
In the modern world where cloud access is utilised and if left unattested, this can lead to a huge risk of uncontrolled access, which in turn can lead to private data being exfiltrated due to retention of access unintentionally.
Privileged Identity Management (PIM)
The administration of services within the cloud are traditionally difficult to manage. Typically, most businesses opt to create a second account for administration of cloud resources which is configured for privileged access. This account is separate from the normal day-to-day account.
Whilst this configuration does provide some benefits to security, it also raises further risks in terms of issues due to two accounts and two passwords to remember. In addition to this, the inevitable issue due to uncontrolled access to services under no additional governance or change management practises is manifested.
This practise can lead to a new attack vector being exposed which could potentially lead to an account compromise (if not restricted by second factor and contextual validation).
Even if the account is protected from hijack, it is still able to be misused due to the uncontrolled high privileges it is granted, especially if not contested.
To mitigate the identified risk and to retain control under change management, it is advisable to grant privileged access for a time period only, as opposed to a static period. This is where Privileged Identity Management (PIM) is able to help by automating this process.
With PIM, the privileged users are able to request elevation to a specific role from a list that is available to each role. This request is then approved (or denied), and the user granted/rejected to use the relevant permissions. This request process would typically be aligned with an existing change management process to ensure that only the required level of access is available during a ‘Change Window’.
Key Benefits of PIM
PIM provides additional governance to an existing administration model by provided time-boxed access, allowing a business to control changes to its services under strict change control.
The acceptance can then be expired on a regular basis (annually, bi-annually, quarterly or monthly), specifically based on the services being governed.
- Provides some regulatory compliance under GDPR
Next – The modern workplace and how to make it secure
How can we help?
Silversands is a Microsoft Gold Partner of over 30 years standing, which specialises in Microsoft 365 delivered across cloud (Azure) and hybrid IT infrastructures. We provide consultancy, support and user adoption services and share our expertise in regular blogs and events.
If you need help and would like to have a chat about how Silversands might be able to help you, please complete the form below: