Azure Privileged Identity Management (PIM)

What does it mean if something is privileged?

In this article, The Azure Privileged Identity Management (PIM) service will be discussed. But before discussing Azure PIM, it is essential to explain what does the word privileged imply in the context of computer security. Privilege is the concept of managing permissions and access of certain data and resources to computer users.

For instance, in any organisation, a hierarchy of privileged users is maintained. This means that not every user has permission to perform privileged tasks like modify system files. Instead, these permissions are only given to users which are commonly known as System Administrators or Local Administrators.

This segregation of permission between normal users who are not authorised to make system level changes and administrative users who have every permission on the system is essential to prevent insider threats and propagation of a cyber attack within the organisational network.

This is because, If every user is given administrative rights on their respective system, the users may click on illegitimate installers on the web and install data stealing malware on their systems.

This sophisticated process of managing user privileges is traditionally achieved through the use of a Privileged Management Solution such as Microsoft Azure Active Directory. In the next section of this article, Privileged Identity Management will be explained to demonstrate how it can be used for managing user privileges.

What is the principle of least privilege?

Principle of least privilege is the concept that is widely adopted among organisations and it is the recommended best practice especially among financial institutions who have to ensure PCI DSS compliance. What the Principle of Least privilege says is that any user, program or service should only have access to what it requires, in order to achieve its task.

For example, a database read-only user should only be able to connect to a database directly without having access to the operating system shell. Similarly, a programmer whose job is to make changes to the code, should not have access to administration and financial data.

Why is the Principle of least privilege important?

In order to truly understand the impact of the principle of least privilege, let’s take an example of a cyber attack scenario.

Assume that an organisation’s human resource employee (low-privileged user) opened an email that seems to be a job application. The email looks harmless and contains an attachment that seems to be the resume of the applicant. When the employee opens the MS Word attachment it actually contains a hidden macro which gives persistent control of the employee’s system to the attacker.

Now if the employee’s account would have been of administrative privileges, the attacker has significantly more options and room to perform lateral movement and compromise the whole network. But since the employee had a low-privileged account, the breach can be contained to some extent and remediated when discovered by security analysts

What is Privileged Identity Management (PIM)?

Privileged Identity Management (PIM) solution provides the IT administrators of an organisation with the ability to assign, control, manage accesses and permissions that are assigned to the users of that organisation.

These access controls can be implemented for organisational data, computation resources, application source code, databases, firewalls etc.

PIM allows the organisation to centrally manage authentication and authorisation controls of all workstations, devices and applications. If there are more than a hundred computers in an organisation and PIM is performed locally, it is very tedious and inefficient for the IT administrators to ensure prompt security access controls on every machine.

What is a central identity management system?

• Centralised Identity management is the process of managing identities through single sign on for a single workspace. Using one set of credentials, the user can have access to all the services, resources and applications within that workspace. While this process ensures smooth access, it creates a single point of compromise.
• Decentralised Identity Management is the process where identity and access management is not performed centrally and the user has to login or authorises himself for every single application within a workspace. While this method does not pose the risks of a central point of compromise, its tedious management makes the accessibility process tedious and leads to the usage of weak and same passwords across multiple applications.

What is Privileged Account Management (PAM)?

The terminology “privileged accounts” is used for the most powerful accounts in an IT infrastructure and environment, such as a *NIX root, Windows administrator, database administrator etc.

These accounts are used by IT teams to carry out elevated tasks such as installing new hardware/software, running critical applications, conducting maintenance activities etc.

Privileged accounts are a fruitful target for any cyber attack and malicious attackers tend to go after these accounts to get the most sensitive information because if compromised the potential damage would be huge.

Privilege account management deals exclusively with the protection of these accounts in an organisation, so no individual misused access permission. It is a set of tools that ensure security and access monitoring of organisations’ sensitive data and resources.

How does a PAM solution work?

Privileged Access Management (PAM) is used to control, manage and monitor access to critical assets and accounts in an organisation. To accomplish this, PAM solutions generally store credentials of privileged accounts (for example admin accounts) in a secure repository or vault.

Whenever a system administrator needs to access his account, he must go through the PAM to access his credentials, at which point the PAM will log and authenticate the admin account. When the credentials are checked back in, the PAM resets it to ensure that each time the administrators must go through the PAM to access the account.

Storing credentials to privileged access accounts protects credentials from being stolen, and centralising the entire process gives an added level of security as all accesses are logged and monitored for suspicious activities.

Are PIM and PAM the same?

Privileged Identity Management (PIM) and Privileged Access Management (PAM) are sometimes confused with each other because both of them involve dealing with privileges, but these are all different concepts and solutions.

PAM only focuses and manages those accounts that have elevated privileges or global administrator access, whereas PIM deals with any user account that requires access to a system. PIM provides enterprises ways to manage and authenticate general access to employees, customers, third-parties etc.

For an organisation to have a high level of security both PIM and PAM solutions should be implemented together. Where PIM covers a larger attack surface within the entire infrastructure and PAM covers the higher-valued admin accounts.

What is Microsoft Privileged Identity Management (PIM)?

For an organisation, it is important that only a certain number of people have access to sensitive information to reduce the chances of cyber attacks such as unauthorised access. However, users still need to be given access to such important resources to perform their daily tasks.

In this case, Privileged Identity Management (PIM) solutions are needed to monitor access to critical information and resources.

Microsoft provides its users with their own Azure AD Privileged Identity Management (PIM) solution. This is a service in Azure Active Directory (AD) that enables an organisation to manage, control and monitor access to critical and important resources within the network.These resources may include services in the Azure AD Privileged Identity Management itself or other Microsoft online services such as Microsoft 356.

Using the Azure PIM solution, the organisation can grant just in time privileged access to Azure AD Privileged Identity Management resources and monitor the user activities. However, unlike other PIM solutions, the Azure PIM is only relevant to the users created within the Azure Active Directory (AD) and the Azure resources that are linked or integrated with the Microsoft services.

Image Source: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/media/pim-configure/pim-quickstart.png

What features does Microsoft Privileged Identity Management (PIM) have?

Microsoft PIM offers a wide variety of features for the time-based and approval-based role activation process so that users do not have excessive or unnecessary access to resources. Some the key features include:

• Provides just in time privileged access to Azure AD and other Azure resources.
• Last Global Administrator role active assignment can not be removed.
• Time-bound access to resources can be granted using start and end dates (require approval).
• Audit history can be downloaded for internal or external audits.
• Explicit approval is required to activate privileged roles.
• Periodic conduct access reviews can be conducted to check if users still need the assigned privileges.
• Multi factor authentication (MFA) can be enforced on role activation.
• Notifications are sent when privileged access roles are activated.
• A justification section is added to understand why the users activate their privileges.

What scenarios does Microsoft PIM support?

Privileged Identity Management supports the following scenarios:

• Privileged Role Administrator permissions
• Approvals for specific roles can be enabled.
• Define specific users or privileged access groups to approve requests.
• View current and previous approval requests for all privileged roles.
• Approver permissions
• View pending requests for approval
• Decide whether to approve or reject requests for role elevation.
• Provided valid justifications for accepting or rejecting role elevations
• Eligible role user permissions
• Can request activation of a role that requires approval.
• View the status of your own activation requests.
• After activation is approved, users can complete their tasks in Azure AD.

How does PIM protect your business?

A Privileged Identity Management (PIM) solution can help protect an organisation’s IT infrastructure and in turn protect the business from cyber attacks in various ways such as:

• Create segregation between end users and administrator accounts so that no normal user will have access or privilege to carry out sensitive tasks.
• If any user needs elevated privileges Privileged Identity Management (PIM) can provide one-time administrative access to the required services, this will reduce the chances of misuse by any employee.
• Continuous monitoring and tracking will ensure no suspicious activity is left ignored.
• Relevant stakeholders can receive alerts regarding any privileged activity being carried out.
• PIM offers a consolidated dashboard to view all access permissions granted to all users.
• Multi factor authentication is also supported by PIM solutions.
• Conduct access reviews periodically, to ensure that no user has more privileges than needed.

How do you implement privileged identity management?

To implement Azure PIM:

1. First and foremost plan the project, make sure to involve all the relevant stakeholders and ensure that their roles are understood.
2. Plan a pilot run. Take a small set of users and verify that the Azure PIM is working as expected. Verify the configurations and then roll it out to production after it has been tested.
3. Plan testing. Create test users and implement the relevant configurations on the test users before deploying on real users.  Build a test plan and simulate potential disruptions to check your disaster recovery mechanisms.
4. If in any scenario Azure PIM fails, plan a rollback mechanism for each role.
5. Before assigning any roles in the Azure AD privileged identity management, list down which privileged roles are in the organisation.
6. Prioritise and determine the Azure AD roles in privileged identity management. Ensure all Global and Security admin roles are managed using PIM.
7. Configure the determined Azure AD roles in the Azure PIM solution.
8. Assign and activate the roles.
9. When a user requests for role activation, approve or reject these with justification.
10. View internal or external audit history and look out for suspicious activities.
11. Follow the same steps from Step no.5 for implementing PIM for Azure Resource roles.

How do you assign a PIM role in Azure?

For a user to assign roles in Azure PIM that user must be a member of the Privileged Role Administrator or Global Administrator role, as only these roles can manage role assignments for other administrators.

Other than this Global Administrators, Security Administrators, Global Readers, and Security Readers can also view role assignments to Azure AD roles in the Azure PIM.

In the case of Azure resource roles in PIM, only the subscription administrator, the resource owner or the resource user access administrator can manage role assignments for other administrations. Users that are associated with the Privileged Role Administrators, Security Administrators, or Security Readers roles can not view the role assignments to Azure resource roles in PIM in the default settings.

Which license did you need for PIM?

For an organisation to use the Azure PIM services they must procure an Azure AD Privileged Identity Management Premium P2 licence. The number of licenses is on per user basis so the number of Azure AD Premium P2 licenses depends on the number of employees carrying out the following tasks:

• Eligible roles assignments of Azure AD users using PIM.
• Users who are members or owners of privileged access groups.
• Users who will perform approvals for role activation requests (accept or reject).
• Users who conduct activated access reviews.
• Users assigned to access reviews.

A license is not required for users who:

• Set up Azure PIM, handle policy configurations, receive alerts, set up access reviews.

What is Microsoft Privileged Access Management (PAM)?

Microsoft offers PAM solutions for both Azure AD and Office 365. The PAM solution as described earlier allows the management of privileged administrator accounts. This protects the organisation from cyber threats originating from misuse of elevated privileges, such as unauthorised access to sensitive data or modifications in critical configurations.

Microsoft PAM accomplished two distinct goals:

• Isolates privilege account credentials, reducing the risk of disclosure.
• If the Azure AD is compromised, PAM re-establishes control by maintaining a separate bastion environment that is unaffected by malicious attacks.

How does Microsoft PAM work?

The Microsoft PAM creates a separate and isolated store for privileged access accounts from the existing Azure Active Directory environment. If an employee needs to use a privileged access account, a request is first generated and sent for approval.

After the request is approved, the privileged account is given access permissions using a foreign principal group in a new bastion forest rather than the current forest of the user or application.

What is identity governance Azure?

Identity Governance is another similar service provided by Azure AD to ensure that the intended employees have the right access to the right resources. Organisations can govern the identity lifecycle, govern the access lifecycle and secure admin privileges across employees, vendors, services, applications etc.

With the help of identity governance an organisation can ensure:

• Which users have access to which resources.
• What activities are being performed by the users using those accesses?
• Are there effective controls in place to manage access across the organisation?
• It is easy for auditors to verify the implemented controls during their audit process.