What is Microsoft Entra Permissions Management? | Kocho Blog (2024)

Why is Permissions Management needed?

Organisations don’t typically operate on a single cloud platform. According to the Flexera 2022 State of the Cloud Report, 89% of organisations operate a multi-cloud approach to business.

This presents a series of challenges:

  • The number of identities within an organisation is on the rise.
  • There’s a massive explosion in the number of cloud workloads.
  • The permissions granted to identities are larger than needed: the gap between what is granted and what is actually used (the dreaded permissions gap) keeps growing.
  • Access management across cloud platforms is often inconsistent.

Permissions Management is designed to tackle these problems, because with it in place:

  • You’ll have highly detailed, granular visibility across all of your cloud platforms
  • You’ll be able to enforce least privilege policies at the right time, helping to shrink that permissions gap
  • Increased visibility will allow you to uncover potential permissions risks
  • You’ll be able to monitor and detect permission anomalies across your cloud platforms

Benefits of Entra Permissions Management

After the initial setting up and configuration period, you’ll start to see some great insights appear in Permissions Management, which are broken down into different areas.

Response actions are available throughout. In most cases you are only removing permissions that the activity data shows are not being used, so the change should have no operational impact. The caveat is that "unused" means unused within the look-back window: a permission needed only for a rare task (a quarterly job, a disaster-recovery runbook) can still be flagged, so such cases are worth checking before removal. Some changes can also be "unapplied" after the fact.

Dashboard

On the Dashboard screen, we see an overview of the general security posture. Each service is separated, so you will need to manually move between AWS, Azure, and GCP.

  • The Permission Creep Index (PCI) is a score from 0 to 100 that reflects the gap between the permissions an identity has been granted and the permissions it has actually used, tracked over time. Identities are grouped into low, medium, and high levels of permission creep.
  • The Identity card shows general findings around inactivity, privileges, and security. The cards vary depending on the service.
  • Some services also show a Resource card, e.g., in Azure it may flag a managed key and in AWS an S3 bucket with public access.

Analytics

The Analytics screen allows us to search and filter the events that have been detected. You can filter between Users, Groups, and other resources. Again, this is done per service.

Results include the PCI for each object, as well as details on how the score was calculated and which permissions are unused.

What’s also great is being able to see (and edit) what permissions a given group actually provides.

Remediation

The Remediation screen allows you to easily view and amend permissions across resources, including roles, policies, and users. You can then start to configure all roles and permissions across your cloud providers through a single pane of glass.

Especially interesting, is being able to assign specific permissions to an identity on a schedule, e.g., a service user that only needs access at 1-2 am on a Monday.

Furthermore, a role can be created based on the activities of a given user – that is, being able to select the exact permissions somebody used for a certain task, rather than all the permissions that may come with a role.

Permissions can also be requested granularly if the available roles are too permissions rich.

Autopilot

Autopilot, not to be confused with the Microsoft device-provisioning service of the same name, allows us to set up rules to automatically remediate access issues, both around users and roles. For example, you could automatically remove unused AWS roles for service users that have been inactive for the last 90 days. Start with narrow rules and review what a rule would remove before letting it run unattended, since a quiet service account is not necessarily a dead one.
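As an added example (not code from the original post, and not Microsoft's implementation), the Python below models the analysis that the Analytics, Remediation and Autopilot areas above perform: it works out which granted actions an identity actually used in a look-back window, scores the gap in PCI style, drafts a right-sized policy from the observed activity (the "role from a user's activities" idea), and flags identities with no activity at all (the input an Autopilot-style inactivity rule needs). The identities, granted actions, activity log, high-risk action patterns and score thresholds are all constructed or assumed for illustration; Microsoft's real PCI formula is more involved than the weighted ratio used here.

```python
"""Permission-gap analysis over constructed sample data (added example)."""
from __future__ import annotations

import fnmatch
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: actions granted to each identity (AWS IAM style names).
GRANTED: dict[str, list[str]] = {
    "deploy-bot": [
        "s3:GetObject", "s3:PutObject", "s3:DeleteBucket", "iam:PassRole",
        "iam:CreateUser", "ec2:RunInstances", "ec2:TerminateInstances",
        "logs:PutLogEvents",
    ],
    "reporting-svc": [
        "s3:GetObject", "s3:ListBucket", "athena:StartQueryExecution",
        "iam:AttachUserPolicy",
    ],
    "legacy-svc": ["ec2:DescribeInstances", "s3:GetObject"],
}

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # assumed "current" time


def _ago(days: int) -> datetime:
    return NOW - timedelta(days=days)


# Constructed sample activity log: (identity, action, timestamp).
ACTIVITY: list[tuple[str, str, datetime]] = [
    ("deploy-bot", "s3:GetObject", _ago(1)),
    ("deploy-bot", "logs:PutLogEvents", _ago(1)),
    ("deploy-bot", "s3:PutObject", _ago(2)),
    ("deploy-bot", "ec2:RunInstances", _ago(30)),
    ("deploy-bot", "iam:PassRole", _ago(30)),
    ("deploy-bot", "ec2:TerminateInstances", _ago(120)),  # outside a 90-day window
    ("reporting-svc", "s3:GetObject", _ago(5)),
    ("reporting-svc", "s3:ListBucket", _ago(5)),
    ("reporting-svc", "athena:StartQueryExecution", _ago(5)),
    ("legacy-svc", "ec2:DescribeInstances", _ago(200)),
]

# Assumed patterns for high-risk actions; these weigh double in the score.
HIGH_RISK_PATTERNS = ("iam:*", "*:Delete*", "*:Terminate*")


def risk_weight(action: str) -> int:
    """2 for an action matching a high-risk pattern, otherwise 1."""
    return 2 if any(fnmatch.fnmatchcase(action, p) for p in HIGH_RISK_PATTERNS) else 1


def used_actions(identity: str, lookback_days: int = 90, now: datetime = NOW,
                 activity=ACTIVITY) -> set[str]:
    """Actions the identity performed within the look-back window."""
    cutoff = now - timedelta(days=lookback_days)
    return {a for who, a, ts in activity if who == identity and ts >= cutoff}


def permission_gap(identity: str, lookback_days: int = 90, now: datetime = NOW,
                   granted=GRANTED, activity=ACTIVITY) -> tuple[set[str], set[str]]:
    """Return (used, unused): granted actions seen vs. not seen in the window."""
    granted_set = set(granted[identity])
    used = used_actions(identity, lookback_days, now, activity) & granted_set
    return used, granted_set - used


def creep_score(identity: str, lookback_days: int = 90, now: datetime = NOW,
                granted=GRANTED, activity=ACTIVITY) -> int:
    """Simplified creep index 0..100: risk-weighted share of granted actions unused."""
    used, unused = permission_gap(identity, lookback_days, now, granted, activity)
    total = sum(risk_weight(a) for a in used | unused)
    return 100 * sum(risk_weight(a) for a in unused) // total if total else 0


def creep_bucket(score: int) -> str:
    """Assumed low/medium/high thresholds for the score."""
    return "low" if score <= 33 else "medium" if score <= 67 else "high"


def right_sized_policy(identity: str, lookback_days: int = 90, now: datetime = NOW,
                       granted=GRANTED, activity=ACTIVITY) -> dict:
    """Draft an IAM policy allowing only the actions actually observed.
    Resource is left as "*" here; scoping it to the resources touched is the next step."""
    used, _ = permission_gap(identity, lookback_days, now, granted, activity)
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "LeastPrivilegeFromActivity", "Effect": "Allow",
        "Action": sorted(used), "Resource": "*"}]}


def inactive_identities(lookback_days: int = 90, now: datetime = NOW,
                        granted=GRANTED, activity=ACTIVITY) -> list[str]:
    """Identities holding permissions but with no activity at all in the window."""
    return sorted(i for i in granted if not used_actions(i, lookback_days, now, activity))


if __name__ == "__main__":
    for identity in GRANTED:
        score = creep_score(identity)
        print(f"{identity}: score={score} ({creep_bucket(score)}) "
              f"unused={sorted(permission_gap(identity)[1])}")
    print(json.dumps(right_sized_policy("deploy-bot"), indent=2))
    print("inactive for 90 days:", inactive_identities())
```

Two things the numbers show that the prose does not: the weighting means a single unused `iam:*` action pushes `reporting-svc` from what would otherwise be a low score into the medium bucket, and `deploy-bot`'s `ec2:TerminateInstances` counts as unused only because its last use fell outside the 90-day window, which is exactly the "rare task" case to check before removing anything.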

Audit

Audit allows us to search across each authorisation system for any relevant changes over a given time, including via query search.

For example, you may want to see what permissions a certain user has had added or removed over the last month.

Reports

Reports allows you to run a pre-built permission report, as well as create custom ones. This area is also where you’re taken if you drill down into some cards on the dashboard. These can be viewed online in the dashboard, with some being available for CSV download.

Many reports are also shown as visual dashboards, giving a clear and high-level insight into any current problems.

Activity Triggers

Activity and Anomaly Triggers allow you to configure alerts, based on custom or built-in triggers.

For example, we can create alerts for when a certain user in GCP triggers an authorisation failure, when a resource or identity performs a particular task for the first time, or when over-provisioned identities are detected.

Getting set up

So how does it all work?

Firstly, you’ll need to set up ‘controllers’, i.e., connectors, for each service. For Azure, this is a little easier than for AWS and GCP, as Microsoft provide a built-in ‘app’ that does this for you.

With AWS and GCP, you will need to register an OIDC application with API permissions in the respective platform, and create the service accounts (or roles) and configuration in the account or project you wish to inspect, so that Permissions Management can authenticate by federation rather than with stored keys.

Note that a given service ‘controller’ is tied to a specific subscription in Azure, an account in AWS, or a project in GCP, so you may need multiple controllers per service in any case.

By default, each controller is granted ‘read-only’ permissions. Additional steps are needed before Permissions Management can make changes in the given platform, i.e., remediate problems. Bear in mind that a controller with write access is itself a highly privileged identity that can alter IAM across the connected accounts, so it belongs in the same scope as your other privileged accounts when you review access.

Where you don’t enable write access, Permissions Management can generate a script for you to review and run locally in the respective environment to make the very same changes.

Entra Permissions Management pricing and licensing

Permissions Management is available today as a standalone solution, priced at $125 per resource, per year.

The billable resources, across Amazon Web Services, Microsoft Azure, and Google Cloud Platform, are:

  • Compute resources
  • Container clusters
  • Serverless functions
  • Databases

There is also a 90-day free trial of Entra Permissions Management available. With it, you’ll be able to run a comprehensive risk assessment, identifying the top permission risks across your multi-cloud infrastructure.

Conclusion

With organisations increasingly embracing multi-cloud operations, dealing with permissions correctly is becoming more and more crucial.

Identities within organisations accumulating permissions they don’t need or use is a huge, and surprisingly common, problem.

With Permissions Management in place, not only will organisations be able to remediate these issues as they happen, but they’ll be able to proactively deal with them before they become a problem.

Although there is still some work to smooth out the transition from CloudKnox, Permissions Management looks set to be a key part of the Microsoft IAM stack moving forward.

Closer integration with Defender for Cloud and Defender for Cloud Apps can only strengthen the products further.
