While transitioning to Azure, there are plenty of things to take care of. This are the topics from governance like tagging, naming convention, hierarchy, through more technical like network addressing to finally put it all in the landing zone. All the steps have to be carefully evaluated in order to ensure that the designed cloud architecture reflects the needs, requirements and company’s specifics. As cloud model is identity centric, first of all you need to ensure the security of the identities within cloud environments.
Of course there are couple of possibilities how to provision new identities in the cloud or how to transition or synchronize the existing ones. Here, I would like to concentrate on important considerations for Azure roles and permissions.
1 – Break Glass Account
Consider adding so called break glass accounts (the cloud-provisioned accounts) in case of identity synchronization failures. Such cloud-only accounts should act as contingency plan, in the situation when you have identities, which you sync to your cloud IAM. To ensure minimizing other (than synchronization) potential failures, it is worth to avoid enforcing the use of MFA or conditional access for such accounts. Also, this type of account should not be used for any daily or administrative tasks. The access to such accounts must be strictly limited to group of administrators (with sufficient level of cloud knowledge. The break-glass account’s pure purpose is a contingency. Worth to consider enabling monitoring of this accounts activity – just in case it is misused.
2 – Minimum number of Global Administrators
The number of Global Administrator roles should be kept to bare minimum. This is the role with tremendous permissions, and should be used only occasionally in the production environments. Just to fulfil the tasks which explicitly requires this level of elevation. Worth to remember, that Global Administrator role is granted on the level of Azure AD. However, this role can elevate the permissions to User Access Administrator granted in the realm of RBAC. From this stand point, it is just a moment before gaining control over all resources. Therefore, the Global Administrator role should be used with the greatest caution.
3 – Just enough permissions
Everyone is probably familiar with the term the least privilege. Sure, this is truly applicable for the cloud. But, in everything the right balance should be maintained. The principle for the least privilege can be complemented with the statement of just enough permissions. While building the roles and permissions model you should keep in mind, what permissions are required to fulfil the daily task by the IT crew, and grant them. However, bear in mind that with some of the services available in Azure like PIM, not all permissions and roles must be granted permanently. This especially applies to privileged roles, which should be handled with proper due diligence.
4 – Maintainability and security of Azure roles and permissions
Azure roles and permissions will not be complete without taking care of security topic. While taking about just enough permissions and right balance, we should focus on simplicity. Maybe you have heard about the KISS (Keep it Simple Stupid) rule? This fits good to the picture of maintainability and security of the roles and permissions. Of course we can granulate the permissions to the lowest level, but every such approach must be reasonable and having reference in the particular requirements or business specifics. If it is done just because it is possible, then it will bring more problems.
With complex permissions and roles model, we need to think about ramifications. The more complex the model is, the more demanding it is for maintenance and security. When people are not able to fulfil their daily duties, or due to high rate of segregation of duties they have to wait for small task to be finished. Then we can expect workarounds, which will lead to lowering the security of the environment and having gray areas.
While designing the permissions and roles model, try to simplify it as otherwise it may be challenging (if not in some cases almost impossible) to maintain and secure it properly. Additionally, do not forget about effectively securing privilege access. This article may help.
5 – Monitor privileged identities
Monitoring of Azure roles and permissions is important aspect of day to day business. You are definitely familiar with infrastructure or applications monitoring. However, you should not forget about intensively observing behaviors in scope of logon to your public cloud environment. It is not only about collecting the proper logs, but also about ensuring how to collect the knowledge about how your users interact with the environment to gain advantage. Also crucial is not only monitoring but being notified in the right moment and knowing how to react or remediate the risk. With the analysis and insights based on Microsoft experience (implemented into services engines), you may be able to faster identify anomalies and quicker or properly react to them.
6 – Review Azure roles and permissions regularly
Another consideration should be to regularly review the granted permissions. It is necessary to ensure that users granted the permissions, still require them. Of course, you should not forget to manage users and groups within your environment. The accounts for users need to be provisioned and decommissioned properly. However, in parallel you should take care of the permissions granted for existing, as well as decommissioned, users . Alongside, there should be an appointed personnel responsible for doing the review. I will not elaborate on the details of doing access review. On Microsoft website you can read more about planning for access review deployment.
7 – Customize role only for less permissions than in built in roles
Last but not least, customized roles. Currently in Azure, both Azure AD and RBAC have plenty built-in roles. However, if you do not find the role matching your particular needs, you can create your own role. Here, I suggest to do it cautiously. Why? Firstly, the platform is constantly evolving. Your custom roles may rely on configurations which may be modified. Then your role may stop working. Secondly, try to utilize existing built-in roles as much as possible. Please note that you can attach multiple roles to single identity. However, if available roles are not suiting your needs, then the custom role may be the best choice. But bear in mind, to create the role with lower permissions that in existing roles. Also try to avoid doing ‘combo’ roles. Containing permissions from a few built-in privilege roles. It may be hard to maintain.
Protect your fortress
So, quite a long elaborate. And probably I did not cover all the nuances. While working with identity in the public cloud you should treat it as one of the barriers that protects your environment against uninvited guests. Therefore awareness of Azure roles and permissions is crucial step.
