In this article I bring you along for a deep dive into the specifics of Azure Active Directory Privileged Identity Management (PIM) and why it matters more than you think.
Giving the wrong levels of access to your Azure assets and service environments is probably the leading cause of Cloud headaches. It is responsible for all kinds of downstream trouble including, but not limited to:
What you need is Just-In-Time!
As professional people, we do not want to make mistakes. And the best way to avoid making mistakes is to limit the risk of making them. At the same time, you need enough access to do your job at exactly the moment you need to, or else efficiency suffers, and your workday becomes cumbersome. What you need is for employees to have Just-In-Time (JIT) access, in the form of “least privilege” access, to perform only the specific tasks they themselves need to do.
In most cases, JIT means that a person does not have very much access at all. That means: no access to privileged roles that provide high security access, such as modifying production environments, or accessing production customer data. When someone needs access to a privileged work task, however, it is possible to elevate a dormant role to perform work in the protected areas.
“Least privilege” is a principle that states a person should have access to what they need to do their job, but no more. Bothering employees with having too much access as permanent assignments will often lead to mistakes that can carry a very high cost. This is not only very unnerving for employees, but usually leads to dissatisfaction, high employee turnover, data breech, and other negative outcomes. While people must be enabled in a timely manner, and need to feel empowered to do their job, my experience is that they do not want to have much more access than needed.
Nobody wins when everyone has access...
An old customer of mine had hundreds of customer databases. One database per customer environment. Because the company did not have a setup that enabled JIT and least privilege, they granted too much access to too many employees. It was bad to the extent that they in fact granted permanent database-server level access to support staff, including new hires, to 200 or more databases! Keep in mind that an ordinary support case would only require temporary access to just one database. As you can imagine the security situation, the data protection compliance, and the surface area for making a rookie mistake was horrible. Situations like this are so dangerous and completely unacceptable in any modern company.
The correct and powerful tools to stay safe and sound in your company while being empowered to effectively do the job and success is paramount. Enter stage left: Privileged Identity Management in Azure Active Directory.
What is AAD PIM?
The Microsoft Azure Active Directory (AAD) is the identity and access service underpinning all of Azure and many other services from Microsoft. In fact, a while ago Microsoft’s new “Windows Azure” Platform did not yet support any Active Directory services. We used to sign into Azure with non-corporate Microsoft Accounts to access corporate resources, because it was the only option available. AD services in the Cloud emanated instead from the Microsoft Exchange evolution we know as Office 365.
When the Cloud AD service for office workers had hundreds of millions of daily sign-ins, the same service was also added to and modernized Microsoft Azure. Today we have one cloud-based Active Directory service in the Cloud called AAD to govern access to all Microsoft services.
The Privileged Identity Management features (PIM) of AAD are part of the premium service offering, which means they require a “P2 license”, which is a higher cost per user. The obvious question is if it is worth the extra cost? The answer is indisputably – YES!
Why PIM is well worth its cost
PIM allows you to set up access that is not permanently active, but instead access that a user is eligible to activate when needed. A worker can have the admin access they need – to perform high security maintenance – only when the role assigned to them is activated. There are many features in PIM that make this a dream to work with:
Security when using PIM drastically increases, and user risk of making mistakes is drastically decreased.
The risks of moving with the front line
There are a few downsides with PIM to that you should be mindful about. One glaringly obvious one is that some of the features of PIM are still in preview in Azure, which means that they do not yet have a service-level agreement (SLA) from the supplier, Microsoft. Can you then use those features in your production areas?
Many enterprises today have taken that step, but only you can assess if that is appropriate for you and your company. The positive spin on this is that the feature set of PIM is already rich and expanding, allowing you fine-grained control of user access management. Moving with the front line can generally be very beneficial and well worth the risks.
The downside to the fine-grained control offered in PIM is that companies commonly find themselves challenged to make PIM work for them instead of becoming an administrative nightmare, or a roadblock for employees wanting their jobs.
An automation silver lining?
But the automation story for PIM is still evolving and improving in this very moment. In fact, automating PIM configurations have moved from being an Azure concern only into becoming a broader Microsoft concern for all service offerings.
This transition takes time, and in the meantime you as the end-user of PIM do not yet have a fully completed automation story. Downsides aside, AAD PIM is incredibly powerful and very well worth getting into and using to empower your organization. My recommendation right now for PIM is to proceed carefully yet resolutely and take advantage of PIM for your organization!
How to use PIM – a deep dive
Slightly more technically then, how does PIM work? Here is the high-level overview. First, an administrator with enough access, sets up PIM for a user. There is also an option to set up PIM for security groups and assigning many users as members to them that all get the same PIM configuration. I will leave that optimization for the next post. When a user has eligibility to activate a role, they need to make a request for activation. The request can be configured to require written justification upon activation, and it is time limited – automatically revoked.
Additionally, which is a great feature mentioned above, it can be set up to require MFA to complete an activation. When the request is complete, and if approval is required, an email is sent to the responsible manager, who can review, approve, or deny the request. If the request is approved, the requester is notified of the approved access. The activation is ready to take place. The employee now has an approved activation request and can proceed to activate the role and access that comes with it. After work is completed, either the access expires on its own, or can be deactivated. This is particularly useful, because the reason for having permanent access is often that “we don’t have a process to manage revoking it”. All this activity is logged and can be audited.
Your guide to mastering PIM:
In essence the following challenges with PIM need to be overcome for you to successfully leverage the service:
Change is rarely comfortable
That last point warrants some additional consideration. It is a story old as time – Who moved my Cheese* – where we need to be reminded that people generally do not respond very well to change. It is in the best interest of any company not to be careless with permanent access to critical systems.
As pointed out, all bad things that can happen due to too much access, including data theft and security breaches, will eventually happen. It is only a matter of time, and you cannot afford that to happen! You have to think of your business value weighed against the uncomfortability of change. Of course, business value wins. At the same time, we need to be mindful that these changes may be hard won. Changing how people work is sensitive.
Getting started with PIM
There are a few straight forward steps to take to get started toward safer and more sound access control with PIM.
Good luck and stay safe and sound in the cloud!
Azure Active Directory Privileged Identity Management AAD PIM: