Hi Everyone,
Has anyone dealt with compliance and newer Privileged account management / Privileged Identify Management? NIST 800-171 and 53r4 for example calls for the use of a separate ‘non-privileged account’ for accessing security functions. That seems to be getting more difficult with services like Azure AD, its licensing model and the elevated rolls that can be assigned to accounts. We also want to be sure we take modern PAM into account in our policies as well.
Thanks,
Art
Art,
Great issue to raise, and a challenge for many organizations today, whether the cloud is in the picture or not. Without having visibility into the specifics of the issue(s) that you would want to address, there are provisions made for these exact scenarios, or many of them anyway, in all of the major cloud service providers PAM / IAM stacks today. Whether it is Microsoft Azure, Amazon AWS, or even Google GCP, all of them offer approximate compliance solutions along similar lines.
Since you mentioned Azure specifically, perhaps taking a look at the link below will give you a better idea of the large number of roles that are available, as well as descriptions, and if you continue down the list below the roles, a detailed permission breakdown for every role.
I have had many of these exact conversations about this issue in the filed, and in classrooms, and there are solutions that will stand up to scrutiny for auditability and validation, but you do need to plan carefully and document thoroughly as well as implement relentlessly through standardized models across the enterprise to ensure that things turn out as required.
Cloud vendors, especially the big 3, have come a long way with regards to security and compliance alignment in the PAM / IAM area in the last few years. Gone are the days of the "random role" that used to plague us as auditors and cause havoc for customers vis-à-vis compliance. If you pay attention to the details and guidance that the vendor makes available, typically via the security and compliance center, or whatever it may be called, you will have a great place to start from, and the resources that you need to craft a successful outcome.
I would be happy to discuss specifics with you if you have a scenario in mind, or are looking for advice about a certain approach. Feel free to contact me directly if that is of interest to you, my email is: adam@itpro.tv
Be in touch if you feel that I can help further. I look forward to hearing from you.
Good Luck !!
Cheers,
Adam