You need Just-In-Time (JIT) reasonable access for all relevant parties working with your Azure assets! Read along here as Magnus Mårtensson, CPO in Devoteam M Cloud Denmark and Microsoft Regional Director, walks you through the complex and powerful world of Privileged Identity Management (PIM).
In this article I bring you along for a deep dive into the specifics of Azure Active Directory Privileged Identity Management (PIM) and why it matters more than you think.
Giving the wrong levels of access to your Azure assets and service environments is probably the leading cause of Cloud headaches. It is responsible for all kinds of downstream trouble including, but not limited to:
- Environment drift – when anyone can modify any setting they presume should be modified. This leaves you with differing environments when you need them for testing.
- Bad actor – when an employee is disgruntled, malicious, or maybe even is spying on your company.
- Human error – when someone for example accidentally picks the wrong database to run a change script on and were only able to do so because they had too much access in the first place.
- Stolen credentials – via stealthy social engineering like phone or email scamming or stolen hardware.
What you need is Just-In-Time!
As professional people, we do not want to make mistakes. And the best way to avoid making mistakes is to limit the risk of making them. At the same time, you need enough access to do your job at exactly the moment you need to, or else efficiency suffers, and your workday becomes cumbersome. What you need is for employees to have Just-In-Time (JIT) access, in the form of “least privilege” access, to perform only the specific tasks they themselves need to do.
In most cases, JIT means that a person does not have very much access at all. That means: no access to privileged roles that provide high security access, such as modifying production environments, or accessing production customer data. When someone needs access to a privileged work task, however, it is possible to elevate a dormant role to perform work in the protected areas.
“Least privilege” is a principle that states a person should have access to what they need to do their job, but no more. Bothering employees with having too much access as permanent assignments will often lead to mistakes that can carry a very high cost. This is not only very unnerving for employees, but usually leads to dissatisfaction, high employee turnover, data breech, and other negative outcomes. While people must be enabled in a timely manner, and need to feel empowered to do their job, my experience is that they do not want to have much more access than needed.
Nobody wins when everyone has access…
An old customer of mine had hundreds of customer databases. One database per customer environment. Because the company did not have a setup that enabled JIT and least privilege, they granted too much access to too many employees. It was bad to the extent that they in fact granted permanent database-server level access to support staff, including new hires, to 200 or more databases! Keep in mind that an ordinary support case would only require temporary access to just one database. As you can imagine the security situation, the data protection compliance, and the surface area for making a rookie mistake was horrible. Situations like this are so dangerous and completely unacceptable in any modern company.
The correct and powerful tools to stay safe and sound in your company while being empowered to effectively do the job and success is paramount. Enter stage left: Privileged Identity Management in Azure Active Directory.
What is AAD PIM?
The Microsoft Azure Active Directory (AAD) is the identity and access service underpinning all of Azure and many other services from Microsoft. In fact, a while ago Microsoft’s new “Windows Azure” Platform did not yet support any Active Directory services. We used to sign into Azure with non-corporate Microsoft Accounts to access corporate resources, because it was the only option available. AD services in the Cloud emanated instead from the Microsoft Exchange evolution we know as Office 365.
When the Cloud AD service for office workers had hundreds of millions of daily sign-ins, the same service was also added to and modernized Microsoft Azure. Today we have one cloud-based Active Directory service in the Cloud called AAD to govern access to all Microsoft services.
The Privileged Identity Management features (PIM) of AAD are part of the premium service offering, which means they require a “P2 license”, which is a higher cost per user. The obvious question is if it is worth the extra cost? The answer is indisputably – YES!
Why PIM is well worth its cost
PIM allows you to set up access that is not permanently active, but instead access that a user is eligible to activate when needed. A worker can have the admin access they need – to perform high security maintenance – only when the role assigned to them is activated. There are many features in PIM that make this a dream to work with:
- Activation can require a logged justification from the user asking for access.
- All PIM activation activity is traced and support audits.
- Requests to elevate can have required manager review with the option to approve or deny the action. Even denied requests are of course audited.
- You can even connect a work item ID to an elevation request.
- When you activate an eligible role, it may be required to provide Multi Factor Authentication (MFA), for example using your mobile phone, to complete the request. This adds one additional level of security exactly where it is needed and prevents access with stolen account credentials.
Security when using PIM drastically increases, and user risk of making mistakes is drastically decreased.
The risks of moving with the front line
There are a few downsides with PIM to that you should be mindful about. One glaringly obvious one is that some of the features of PIM are still in preview in Azure, which means that they do not yet have a service-level agreement (SLA) from the supplier, Microsoft. Can you then use those features in your production areas?
Many enterprises today have taken that step, but only you can assess if that is appropriate for you and your company. The positive spin on this is that the feature set of PIM is already rich and expanding, allowing you fine-grained control of user access management. Moving with the front line can generally be very beneficial and well worth the risks.
The downside to the fine-grained control offered in PIM is that companies commonly find themselves challenged to make PIM work for them instead of becoming an administrative nightmare, or a roadblock for employees wanting their jobs.
An automation silver lining?
But the automation story for PIM is still evolving and improving in this very moment. In fact, automating PIM configurations have moved from being an Azure concern only into becoming a broader Microsoft concern for all service offerings.
This transition takes time, and in the meantime you as the end-user of PIM do not yet have a fully completed automation story. Downsides aside, AAD PIM is incredibly powerful and very well worth getting into and using to empower your organization. My recommendation right now for PIM is to proceed carefully yet resolutely and take advantage of PIM for your organization!
How to use PIM – a deep dive
Slightly more technically then, how does PIM work? Here is the high-level overview. First, an administrator with enough access, sets up PIM for a user. There is also an option to set up PIM for security groups and assigning many users as members to them that all get the same PIM configuration. I will leave that optimization for the next post. When a user has eligibility to activate a role, they need to make a request for activation. The request can be configured to require written justification upon activation, and it is time limited – automatically revoked.
Additionally, which is a great feature mentioned above, it can be set up to require MFA to complete an activation. When the request is complete, and if approval is required, an email is sent to the responsible manager, who can review, approve, or deny the request. If the request is approved, the requester is notified of the approved access. The activation is ready to take place. The employee now has an approved activation request and can proceed to activate the role and access that comes with it. After work is completed, either the access expires on its own, or can be deactivated. This is particularly useful, because the reason for having permanent access is often that “we don’t have a process to manage revoking it”. All this activity is logged and can be audited.
Your guide to mastering PIM:
In essence the following challenges with PIM need to be overcome for you to successfully leverage the service:
- Learning how to configure PIM access effectively and correctly. Again, the group management options are particularly good, but the automation story is currently lacking.
- Understanding the scenarios for PIM, where it makes a good difference, and how different configurations of the same can target different scenarios. Both examples are equally valid, supported by PIM, and quite different from each other:
- Access to Global Administrator Role – the highest AAD role – probably always needs to be justified, approved, and MFA secured. Each time this access is needed it must be for a specific reason, maybe even tied to a work order number.
- Managing user accounts – Create new users, assign them an O365 license, and assign SharePoint permissions is an administrative role that is also protected. This role, however, can possibly be activated without manager approval. It is still audited of course, and MFA can be required to protect employee data. Making a single activation to receive all three roles required, AAD User Administrator, License Administrator, and SharePoint User Administrator, just-in-time when needed, is certainly very beneficial.
- Adapting your organization to learning to live with just-in-time roles and being effective doing so. There can be initial resistance when the company tightens security – “am I not trusted” – and “I don’t like change”. If PIM is loosely configured, it might not be as secure as required, but if it is very tightly configured it may be seen as an obstacle to being effective. The organization needs to adapt here, and PIM configurations need to be tweaked until they suit you well!
Change is rarely comfortable
That last point warrants some additional consideration. It is a story old as time – Who moved my Cheese* – where we need to be reminded that people generally do not respond very well to change. It is in the best interest of any company not to be careless with permanent access to critical systems.
As pointed out, all bad things that can happen due to too much access, including data theft and security breaches, will eventually happen. It is only a matter of time, and you cannot afford that to happen! You have to think of your business value weighed against the uncomfortability of change. Of course, business value wins. At the same time, we need to be mindful that these changes may be hard won. Changing how people work is sensitive.
Getting started with PIM
There are a few straight forward steps to take to get started toward safer and more sound access control with PIM.
- Start a small POC with a few users.
- Build the business case motivation for the AAD P2 licenses.
- Prepare the upskilling for employees along with the motivations why this change is.
Good luck and stay safe and sound in the cloud!
Azure Active Directory Privileged Identity Management AAD PIM: