Organizations can leverage Microsoft Azure for tooling in an identity and access management (IAM) program, but it requires clear objectives and goals for each capability within the program. This piece covers these and provides IAM best practices and metrics for measuring success or surfacing potential problem areas.
Microsoft has evolved and enhanced its approach to identity with the move to cloud services. In past years, organizations would deploy a suite of separate tools for identity governance, access management and privileged identity management. For some organizations and use cases, these can now all be covered with Microsoft’s Azure AD security features.
For example, Azure AD functionality can help automate and simplify cloud IAM for the following areas:
Goals and metrics for each of these are addressed below.
The human resource management system (HRMS) should be the central source of truth for the workforce. When employees are hired and HR adds them into the HRMS, they should also be created automatically in Azure AD. When changes occur, such as the employee’s name or manager, HR should update the employee information in the HRMS, and these changes should be automatically synchronized to Azure AD. When the individual is no longer employed by the organization, this too should be automatically reflected in both the HRMS and Azure AD.
At the time of this writing, Azure AD natively supports Workday and SAP SuccessFactors; if you use another HRMS, additional integration steps may be involved.
Identity lifecycle goals and metrics are shown in Figure 1.
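The joiner/mover/leaver flow described above, as an added example that is not part of the original article: a reconciliation of an HRMS roster (source of truth) against the current directory state, producing create, update and disable actions plus the metrics a lifecycle program would track. The roster, directory and attribute names (displayName, manager, department, accountEnabled) are constructed assumptions, not Azure AD's schema.

```python
# Added example: HRMS -> directory reconciliation. Sample data and attribute
# names below are constructed for illustration.
SYNCED_ATTRS = ("displayName", "manager", "department")

HRMS_ROSTER = {  # source of truth, keyed by employee ID
    "E100": {"displayName": "Ada Lovelace", "manager": "E001", "department": "Engineering", "status": "active"},
    "E101": {"displayName": "Grace Hopper", "manager": "E001", "department": "Engineering", "status": "active"},
    "E102": {"displayName": "Alan Turing", "manager": "E002", "department": "Research", "status": "terminated"},
}
DIRECTORY = {  # current directory state, keyed by the same employee ID attribute
    "E101": {"displayName": "Grace Hopper", "manager": "E003", "department": "Engineering", "accountEnabled": True},
    "E102": {"displayName": "Alan Turing", "manager": "E002", "department": "Research", "accountEnabled": True},
    "E999": {"displayName": "Orphan Account", "manager": "", "department": "IT", "accountEnabled": True},
}

def reconcile(hrms, directory):
    """Return (actions, metrics). Actions are (kind, employee_id, attributes):
    create = joiner, update = mover, disable = leaver, review = no HRMS record."""
    actions = []
    for emp_id, rec in hrms.items():
        active = rec["status"] == "active"
        acct = directory.get(emp_id)
        if acct is None:
            if active:  # joiner: HR added the person, the directory has no account yet
                actions.append(("create", emp_id, {k: rec[k] for k in SYNCED_ATTRS}))
        elif not active:
            if acct["accountEnabled"]:  # leaver: disable rather than leave the account live
                actions.append(("disable", emp_id, {}))
        else:  # mover: push only the attributes that differ
            changed = {k: rec[k] for k in SYNCED_ATTRS if acct.get(k) != rec[k]}
            if changed:
                actions.append(("update", emp_id, changed))
    # Orphans: directory accounts with no HRMS record. Flag them for access review
    # instead of deleting blindly; service or vendor accounts may legitimately lack one.
    for emp_id in directory:
        if emp_id not in hrms:
            actions.append(("review", emp_id, {}))
    counts = {kind: sum(1 for a in actions if a[0] == kind)
              for kind in ("create", "update", "disable", "review")}
    metrics = {
        "joiners": counts["create"], "movers": counts["update"], "leavers": counts["disable"],
        "orphaned_accounts": counts["review"],
        "orphan_ratio": counts["review"] / len(directory) if directory else 0.0,
    }
    return actions, metrics
```

Running the reconciliation on the same data twice after applying the actions should yield no further create, update or disable actions; a non-zero result on the second pass is itself a useful automation-health metric.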
People in the workforce should have access to the resources they need to complete their job duties. This access should be automatically provisioned based on their job role or through aspects of their work, i.e., through a combination of role-based access control (RBAC) and attribute-based access control (ABAC). Manual provisioning of applications and access should be minimized.
AD has long supported RBAC through group membership. Azure AD introduces dynamic groups, where membership is based on user attributes. Most of the access should be granted through the information synchronized with the HRMS, reflected in Azure AD group
Access control goals and metrics are shown in Figure 2.
User accounts and access controls (groups, roles, attributes, claims) exist in both the identity provider and in the application. This creates risk if the application owner over-provisions a user or delays removing accounts after the organization revokes a person’s access and removes their account in AD and the HRMS. Ideally, the application integrates tightly with the identity provider so that creation, modification and deletion of accounts are synchronized.
Azure AD supports such application integrations through the System for Cross-domain Identity Management (SCIM). When the application doesn’t support SCIM, Azure AD can still achieve identity synchronization using federation protocols such as Security Assertion Markup Language (SAML) and OpenID Connect (OIDC).
Application lifecycle goals and metrics are shown in Figure 3.
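The application side of the SCIM integration described above, as an added example that is not part of the original article: handlers for a SCIM 2.0 create and patch, where a replace of `active` to false is the deprovisioning signal the application must honour in its own sign-in gate. The in-memory `USERS` store and the `is_authorized` check are constructed stand-ins for the application's user table and authorization logic; the schema URNs are the standard SCIM ones.

```python
# Added example: SCIM 2.0 user endpoints as an application would implement them.
# USERS is a constructed in-memory store standing in for the app's user table.
import copy
import uuid

USERS = {}
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def _to_bool(value):
    """'active' may arrive as a JSON boolean or as the strings "True"/"False"."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise ValueError(f"not a boolean: {value!r}")

def create_user(body):
    """POST /Users. externalId carries the identity provider's object ID so the
    account stays linked to the IdP for later updates and deprovisioning."""
    if SCIM_USER not in body.get("schemas", []) or not body.get("userName"):
        raise ValueError("invalid SCIM User resource")
    if any(u["userName"] == body["userName"] for u in USERS.values()):
        raise ValueError("userName already exists")  # would be an HTTP 409 uniqueness error
    user = {"id": str(uuid.uuid4()), "externalId": body.get("externalId"),
            "userName": body["userName"], "displayName": body.get("displayName", ""),
            "active": _to_bool(body.get("active", True))}
    USERS[user["id"]] = user
    return copy.deepcopy(user)

def patch_user(user_id, body):
    """PATCH /Users/{id}. Replacing active with false is the deprovisioning signal.
    The op name is matched case-insensitively, and a path-less replace whose value
    is a partial resource (RFC 7644 section 3.5.2.3) is accepted as well."""
    if SCIM_PATCH not in body.get("schemas", []):
        raise ValueError("invalid PatchOp")
    user = USERS[user_id]  # a KeyError here maps to HTTP 404
    for op in body.get("Operations", []):
        if op.get("op", "").lower() != "replace":
            raise ValueError(f"unsupported op: {op.get('op')}")
        changes = op["value"] if op.get("path") is None else {op["path"]: op["value"]}
        if not isinstance(changes, dict):
            raise ValueError("path-less replace requires an object value")
        for attr, value in changes.items():
            if attr not in ("active", "displayName", "externalId"):
                raise ValueError(f"unsupported attribute: {attr}")
            user[attr] = _to_bool(value) if attr == "active" else value
    return copy.deepcopy(user)

def is_authorized(user_name):
    """App-side sign-in gate: a deactivated account must not get in, even via SSO."""
    return any(u["userName"] == user_name and u["active"] for u in USERS.values())
```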
Appropriate access shifts over time due to edge cases where automation isn’t effective, or manual efforts outside of normal provisioning. At best, this results in out-of-role access. At worst, it can result in toxic combinations and separation of duties (SoD) violations. Periodic access reviews help prevent these risks from occurring. Access reviews also can uncover stale accounts, orphaned accounts and over-provisioned access. These point to gaps in process and identify opportunities for improving account automation and access control (i.e., RBAC and ABAC).
Azure AD provides access reviews and certification programs as a component of identity governance. These reviews are tied to specific groups and performed by group owners or designated reviewers. Azure AD provides recommendations during the review process, for example, removing individuals who have not used their accounts in months.
Access review goals and metrics are shown in Figure 4.
MFA adds one or more authentication factors to the primary factor, which is typically a password. Azure provides MFA through a combination of factors, giving strong authentication for applications and resources.
MFA goals and metrics are shown in Figure 5.
We trust identities to use the privileges we’ve assigned them. This can be as simple as an identity knowing the password for its user account (primary authentication factor). While the principle of least privilege has been consistently improved with access controls, the principle of least trust around identities connecting to resources has only recently begun to be developed. In modern systems, we consider the context and conditions of authentication before allowing user accounts to access applications and resources.
Azure AD collects signals of trust on authentication and enforces decisions based on these signals. Examples of signals include location, device state or risky behaviors. Decisions include block, allow or require stronger authentication. Collectively, this is the conditional access feature in Azure AD.
Conditional access goals and metrics are shown in Figure 6.
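The signals-to-decision model described above, as an added example that is not part of the original article: a small evaluator that combines several simplified conditional access policies over a sign-in's signals (location, device state, sign-in risk, group membership) and returns block, allow, or a challenge for stronger authentication. The `SignIn` and `Policy` shapes and the four sample policies are constructed assumptions, not Azure AD's policy schema.

```python
# Added example: evaluating sign-in signals against constructed conditional access
# policies. Data shapes and policies here are illustrative assumptions.
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

@dataclass
class SignIn:
    user: str
    groups: Set[str]
    app: str
    ip_trusted: bool        # source IP inside a named trusted location
    device_compliant: bool  # device state as reported by device management
    risk: str               # sign-in risk: "none" | "low" | "medium" | "high"

@dataclass
class Policy:
    name: str
    when: Callable[[SignIn], bool]  # condition over the signals
    control: str                    # "block" | "require_mfa" | "require_compliant_device"

POLICIES: List[Policy] = [
    Policy("Block high-risk sign-ins", lambda s: s.risk == "high", "block"),
    Policy("MFA outside trusted locations", lambda s: not s.ip_trusted, "require_mfa"),
    Policy("Admins always MFA", lambda s: "admins" in s.groups, "require_mfa"),
    Policy("HR app needs compliant device", lambda s: s.app == "hr", "require_compliant_device"),
]

def evaluate(policies: List[Policy], s: SignIn) -> Tuple[str, Set[str]]:
    """Combine every matching policy. A block wins outright; otherwise all required
    controls must hold: device compliance is settled from the signal, while MFA
    becomes an interactive challenge. Returns (decision, details)."""
    required: Set[str] = set()
    for p in policies:
        if p.when(s):
            if p.control == "block":
                return "block", {p.name}
            required.add(p.control)
    if "require_compliant_device" in required and not s.device_compliant:
        return "block", {"require_compliant_device"}  # cannot be satisfied interactively
    required.discard("require_compliant_device")
    return ("challenge", required) if required else ("allow", set())
```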
Privileged identity management (PIM) and privileged access management (PAM) are capabilities for enforcing least privilege and SoD for accounts with administrative-level access. PIM/PAM build on the IAM concepts previously discussed; they require role-based access and access reviews, enforce strong authentication, and validate trust before privileged access. PIM also includes the concept of just-in-time access and time-bound access to limit the time an account has elevated access to the environment.
Azure AD includes PIM functionality to manage and monitor privileged access to Azure and Office 365 resources.
PIM goals and metrics are shown in Figure 7.
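The just-in-time, time-bound activation model described above, as an added example that is not part of the original article: eligible assignments carry no standing privilege, activation requires MFA and a justification and is capped in duration, and the authorization check treats an expired activation as no activation. The eligibility table, the 8-hour cap and the audit record shape are constructed assumptions.

```python
# Added example: PIM-style just-in-time role activation. Eligibility data and the
# activation cap are constructed values, not a tenant's real configuration.
from datetime import datetime, timedelta, timezone

MAX_ACTIVATION = timedelta(hours=8)
ELIGIBLE = {"alice": {"Exchange Administrator", "Global Reader"}}  # eligibility, not standing privilege
ACTIVE = {}  # (user, role) -> expiry
AUDIT = []   # activation log feeding access reviews and metrics

class ActivationError(Exception):
    pass

def activate(user, role, now, duration, mfa_verified, justification):
    """Grant the role only if eligible, MFA-verified, justified and within the cap.
    Returns the expiry time of the activation."""
    if role not in ELIGIBLE.get(user, set()):
        raise ActivationError("not eligible for role")
    if not mfa_verified:
        raise ActivationError("MFA required before activation")
    if not justification.strip():
        raise ActivationError("justification required")
    if not timedelta(0) < duration <= MAX_ACTIVATION:
        raise ActivationError("duration out of bounds")
    expiry = now + duration
    ACTIVE[(user, role)] = expiry
    AUDIT.append({"user": user, "role": role, "at": now, "until": expiry, "why": justification})
    return expiry

def has_role(user, role, now):
    """Authorization check: an expired activation grants nothing."""
    expiry = ACTIVE.get((user, role))
    return expiry is not None and now < expiry

def expire(now):
    """Housekeeping: drop expired activations; returns how many were removed."""
    gone = [key for key, exp in ACTIVE.items() if now >= exp]
    for key in gone:
        del ACTIVE[key]
    return len(gone)
```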
Azure offers several features to make out-of-the-box IAM in the cloud possible. To be successful, consider the following IAM best practices:
February 29, 2024
By IANS Research