Thursday, September 26, 2024

Principle of Just-in-Time (JIT) privileged access:

Just-in-Time (JIT) privileged access is a security model, used in the Azure public cloud among others, in which users hold only low-privilege roles on a standing basis and are granted elevated permissions solely for the duration of a specific privileged task. Once the activation window expires, the elevated role is revoked automatically. Limiting both when and for how long elevated permissions exist shrinks the window in which a compromised account or a stolen token can be abused. In Azure, JIT access is managed by Privileged Identity Management (PIM), part of Microsoft Entra ID (formerly Azure AD): administrators make a user eligible for a role rather than permanently assigned to it, and the eligible user activates the role on demand, optionally subject to multi-factor authentication, a written justification, approval by a designated approver and a maximum activation duration. PIM covers Microsoft Entra directory roles, Azure resource roles (such as Owner or Contributor on a subscription) and privileged group membership, records every activation in an audit log, and can raise alerts for suspicious or unsafe patterns such as roles being activated too frequently or role assignments made outside PIM. JIT access is commonly applied to administrative tasks, access to sensitive data and changes to critical infrastructure.

Amazon Web Services (AWS) has no single equivalent service but offers the building blocks. Third-party Privileged Access Management (PAM) products integrate with AWS to broker ephemeral JIT access, so that users hold the necessary privileges only for the duration of their tasks. AWS Identity and Access Management (IAM) provides fine-grained permissions for users, groups and roles, and IAM policy conditions on the global condition key aws:CurrentTime can confine a permission to a window of time, while aws:MultiFactorAuthPresent can require an MFA-authenticated session. AWS IAM Identity Center (the successor to AWS Single Sign-On) federates with external identity providers and assigns permission sets whose sessions expire after a configurable duration. Finally, the AWS Security Token Service (STS) issues temporary security credentials, for example through sts:AssumeRole, whose lifetime is bounded by the requested DurationSeconds and the role's maximum session duration, so access to AWS resources lapses without anyone having to revoke it.
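The time-bounded IAM policy described above, as an added example that is not code from the original post or from AWS: it builds the identity policy a JIT broker might attach to a user for a bounded window, then evaluates a small subset of IAM's policy language locally (Action/Resource wildcard matching plus the DateGreaterThanEquals, DateLessThan and Bool condition operators) so the window can be exercised offline. The account id, role ARN, times and the eight-hour cap are constructed assumptions.

```python
"""Time-boxed JIT access with AWS IAM policy conditions (added example).

Not code from the original post or from AWS: builds the identity policy a JIT
broker might attach for a bounded window and evaluates a small subset of IAM's
policy language so the window can be checked offline. Account id, role ARN,
times and MAX_WINDOW_HOURS are constructed assumptions.
"""
import fnmatch
from datetime import datetime, timedelta, timezone

IAM_TIME = "%Y-%m-%dT%H:%M:%SZ"  # IAM expects ISO 8601 with a time zone
MAX_WINDOW_HOURS = 8             # assumed organisational cap on one JIT grant
DEMO_START = datetime(2024, 9, 26, 9, 0, tzinfo=timezone.utc)  # constructed
DEMO_ROLE = "arn:aws:iam::123456789012:role/BreakGlassAdmin"    # constructed


def iso(ts: datetime) -> str:
    return ts.astimezone(timezone.utc).strftime(IAM_TIME)


def jit_policy(role_arn: str, start: datetime, hours: int) -> dict:
    """Allow sts:AssumeRole on role_arn only in [start, start+hours) and only
    from an MFA-authenticated session. IAM enforces the expiry itself, so the
    grant lapses even if the broker later fails to detach the policy."""
    if not 0 < hours <= MAX_WINDOW_HOURS:
        raise ValueError(f"JIT window must be 1..{MAX_WINDOW_HOURS} hours")
    end = start + timedelta(hours=hours)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "JitAssumeRole",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": role_arn,
            "Condition": {
                "DateGreaterThanEquals": {"aws:CurrentTime": iso(start)},
                "DateLessThan": {"aws:CurrentTime": iso(end)},
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
            },
        }],
    }


def _conditions_hold(cond: dict, ctx: dict) -> bool:
    """IAM ANDs all condition blocks; a key missing from the request context
    makes its block false (the ...IfExists variants are not modelled)."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            if key not in ctx:
                return False
            have = ctx[key]
            if op == "DateGreaterThanEquals":
                ok = datetime.strptime(have, IAM_TIME) >= datetime.strptime(want, IAM_TIME)
            elif op == "DateLessThan":
                ok = datetime.strptime(have, IAM_TIME) < datetime.strptime(want, IAM_TIME)
            elif op == "Bool":
                ok = str(have).lower() == str(want).lower()
            else:
                raise NotImplementedError(f"operator {op} not modelled")
            if not ok:
                return False
    return True


def is_allowed(policy: dict, action: str, resource: str, now: datetime, mfa: bool) -> bool:
    """Default deny; one matching Allow whose conditions all hold grants access.
    Explicit Deny statements are not modelled in this subset."""
    ctx = {"aws:CurrentTime": iso(now)}
    if mfa:  # key is absent for a non-MFA session, so the Bool block fails
        ctx["aws:MultiFactorAuthPresent"] = "true"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if _conditions_hold(stmt.get("Condition", {}), ctx):
            return True
    return False


def demo_probes() -> dict:
    """Exercise a two-hour grant at several instants; returns label -> allowed."""
    policy = jit_policy(DEMO_ROLE, DEMO_START, 2)
    mid = DEMO_START + timedelta(minutes=30)
    probes = {
        "before_window": (DEMO_START - timedelta(seconds=1), True, "sts:AssumeRole", DEMO_ROLE),
        "inside_window": (mid, True, "sts:AssumeRole", DEMO_ROLE),
        "at_expiry": (DEMO_START + timedelta(hours=2), True, "sts:AssumeRole", DEMO_ROLE),
        "no_mfa": (mid, False, "sts:AssumeRole", DEMO_ROLE),
        "other_role": (mid, True, "sts:AssumeRole", DEMO_ROLE.replace("BreakGlass", "Other")),
        "other_action": (mid, True, "s3:GetObject", DEMO_ROLE),
    }
    return {k: is_allowed(policy, act, res, t, mfa) for k, (t, mfa, act, res) in probes.items()}


if __name__ == "__main__":
    import json
    print(json.dumps(jit_policy(DEMO_ROLE, DEMO_START, 2), indent=2))
    for label, allowed in demo_probes().items():
        print(f"{label:14s} -> {'ALLOW' if allowed else 'DENY'}")
```

One caveat the window does not cover: the conditions bound when sts:AssumeRole may be called, not how long the resulting credentials live. A session obtained one minute before the window closes stays valid for the requested DurationSeconds (bounded by the role's MaxSessionDuration), so keep DurationSeconds short for JIT roles, or add a Deny on the role's permissions keyed on aws:TokenIssueTime, so that sessions issued before a revocation point stop working.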

Privileged access is only as strong as the device it is exercised from. To reduce the risk of malware or credential theft on administrators' machines, and to restrict the activities that can be performed with escalated privilege, Microsoft issues Secure Admin Workstations (SAWs): specialized, locked-down devices used exclusively for administrative tasks and not for everyday work such as e-mail or web browsing. They are particularly valuable in high-risk environments where security is paramount. Public clouds are the most widely used, but there are also clouds dedicated in scope to governments, defense departments and other customers that require tighter access control; these are collectively called sovereign clouds, and they benefit especially from SAW devices. Only authorized personnel can use SAWs, and the devices are subject to strict security policies and monitoring. As an example, Microsoft uses approximately 35,000 SAW devices, with a small number dedicated to accessing these high-risk environments, the sovereign clouds.

Together, these practices help ensure that Azure, and the cloud platforms that adopt the same model, remain secure for both administrators and users.


