Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy, reliability, and compliance on the Microsoft Cloud Platform. Hey everybody, welcome to episode 63. This week it won't be a full house, but Mike lives in Florida and so he's dealing with Hurricane Ian. Actually, I spoke to him last night, he's doing fine. They've got a little bit of damage but nothing life-threatening. That's great to hear. So it's myself, Michael, Gladys, and Sarah.
We also have a guest, Nick Wright, who's here to talk to us about Entra Permissions Management. But before we get to Nick, let's take a little lap around the news. Sarah, why don't you kick things off? I have just one thing to talk about today, which is AKS stuff. Apart from my baby Sentinel, I love a bit of AKS or Azure Kubernetes Service. There's a public preview now of API server VNet integration for private clusters in AKS.
So what that means is it's enabling network communications between the API server and the cluster nodes without a private link or a tunnel. So if you're trying to keep things nice and secure and not exposed publicly and you're doing private clusters, this is definitely something for you to go look at. And it's just that one from me today. Well, I have three that I've been playing with. The first one is conditional access.
In some deployments, organizations may need to restrict authentication sessions, such as a resource being accessed from a managed or shared device, or maybe having high impact users logging in or critical applications and sensitive information being accessed. Well, certain organizations want to change the length of that session when it occurs.
So customers now may have the availability or the ability to force reauthentication just to those users so they get a request for a refresh authentication each time a user performs certain of these actions. Forced reauthentication supports requiring a user to reauthenticate during Intune device enrollment, password change for risky users, and risky sign-ins. To configure this, you just go to Azure AD Security Conditional Access as normal, right?
And under sessions, you have the sign-in frequency where you want to configure the periodic authentication timeframe. I'm providing a link named Configure Authentication Session Management with Conditional Access in our podcast, so go there for additional information. The other news that I am really excited about is regarding Azure AD Access Review.
For those of you that are not familiar with this, basically, it's a way to schedule reviews of access to specific resources of applications or even groups. Well, now you could create a multi-stage access review. In a single-stage review, all reviewers make a decision within some defined period of time. And the last reviewer to make the decision basically wins. In the multi-stage, you have two or three reviewers, one after the other, and you can allow them to see the previous reviewer answers.
That way, they're making a collaborative decision about the access that will remain in place. And the last news item that I wanted to talk about is investigating alerts in Microsoft 365 Defender. Alerts are the basics of all incidents, and often, actually, every single time, are aggregated together to form incidents. They provide a broader context to the attack, and they show as part of the incident. However, there are many instances where certain alerts need to be investigated individually.
So there's an alert queue and broader capabilities to investigate these alerts are being provided under the Microsoft 365 Defender. Back to you, Michael. Yeah, I got a few items. The first one is in public preview, policy analytics for Azure Firewall. Policy analytics for Azure Firewall is all about trying to get ahead of changes that creep in over time with Azure Firewall rules.
It's in public preview, and the whole point of it is to give you insights into changes you might want to make based on changes in utilization when using the product. Next one in my own backyard, public preview for Azure AD authentication with Azure Database for MySQL flexible server. Great to see.
Historically, MySQL has had its own authentication mechanism, so it's great to see that it now works with Azure AD authentication as well, which is, again, that means it's one less credential for customers to manage, and one less credential is one less thing to secure, and one less thing to secure means you're more secure. So that's a really great thing to see. Next one is in general availability. It's Azure Policy built-in definitions for Azure NetApp Files. I'm a huge fan of Azure Policy.
This is where you can put a policy in place that says, hey, if you deploy a storage account, it must use TLS. Or if you deploy a Cosmos DB instance, you can't have network access or internet access, those kinds of things. And then when you put these rules in place, you must deploy something that matches that policy, and also you can't drift away from it. So I'm a huge fan of Azure policy, and it's great to see Azure NetApp files getting the same love and treatment.
Second to last one is, in public preview, encryption scopes on hierarchical namespace storage accounts. So hierarchical namespaces are supported with Azure Data Lake Gen2 storage accounts, so ADLS Gen2. So you can have folders like, kind of, most file systems. But now what you can do, this has been available in Blob Store, but now it's available in ADLS Gen2. So you can actually have different encryption scopes on different parts of the file system. They may think, well, OK.
So well, the main reason for that is you might have, say, I don't know, HR and Legal have the same storage account, but you might want to give them their own encryption keys. And that way, it's sort of plausible deniability. The HR guys can't read the stuff that's held over on Legal because they don't have access to the keys. So again, encryption scopes has been available in Blob Store, but it's great to see ADLS Gen2 getting the same love.
And while on the topic of ADLS Gen2, there's now immutable storage. So again, this has been available in Blob Store. And immutable storage is really important for certain kinds of workloads, especially from legal and compliance requirements. So you can actually store some data and, say, have a 90-day lock on it, which means that the data cannot be deleted. And for 90 days, there's all sorts of other rules that you can put in places as well.
So it's nice to see Azure Data Lake Storage getting the same love as your Blob Store did. So yeah, immutable storage is now generally available for ADLS Gen2. So with that, and then getting the news out of the way, let's turn our attention to our guest. So this week, we have Nick Wright, as I mentioned. He is here to talk to us about Entra Permissions Management. Nick, thank you so much for joining us this week. Would you take a moment and tell us a little bit about yourself? Thank you, Michael.
My name is Nick Wright, and I'm an experienced product manager. And I work with customers worldwide, strategizing, designing, and discussing their identity solutions around Microsoft Entra and identity as a whole. I have global experience serving government clients, as well as commercial customers, advising security services, consulting, and working with teams to bring them a business-focused approach that incorporates processes, control innovation technology, and security for a brighter future.
I'm mainly skilled in identity and security strategy. And currently, my focus in Microsoft is in cloud infrastructure entitlement management in that space. And I'm part of the identity network and access product group. What is Entra Permissions Management? I know the name. I saw the announcements. But I'm going to be honest with you. I probably don't know as much about it as I probably should. But I'm sure I'm not the only person listening who's thinking the same thing.
So can you tell us, elevator pitch, what it is, why we should care? Oh, absolutely. So Entra Permissions Management really is one of the new products that is coming under the Microsoft Entra umbrella. So Microsoft Entra is the cloud identity series of products that encompasses Azure Active Directory, Entra Permissions Management, and Verified ID. So what is Entra Permissions Management, as you asked?
Permissions Management is a cloud infrastructure entitlement management solution that provides comprehensive visibility into permissions assigned to all identities, whether it's users and workloads, actions, and resources across cloud infrastructures. It detects, right-sizes, and monitors unused and excessive permissions and enables Zero Trust security through least privilege access in Microsoft Azure, Amazon Web Services, and Google Cloud Platform. Entra Permissions Management was an acquisition.
We acquired CloudKnox in July of 2021. That is, they were a security company that was doing this cloud infrastructure entitlement management solution. And that's how we integrate them into the Microsoft ecosystem by bringing them into the Microsoft Entra umbrella. I'm really excited about this. Can you explain if this is only for Azure, or can you use it in other environments? In addition, is this only for users or any other accounts? I'm glad you asked that.
So Entra Permissions Management is not only for Azure. This is one of our multi-cloud solutions that basically spans across three main clouds. As I mentioned, Microsoft Azure, Amazon Web Services, and Google Cloud Platform. It's not only for users because this product actually manages resources as well. And we're able to get visibility into those resources.
So I didn't actually add this portion to what actually Entra Permissions Management is, but what is the problem that Entra Permissions Management really solves? Well, what we've noticed is that unmanaged permissions are expanding the attack surfaces that organizations have to date, such that permissions that are granted, most people give so many permissions to a lot of users, service principals, automations, versus the permissions that are used, it's a great delta that's there.
And that's what we call the permissions gap. And what we know is that there's lack of comprehensive visibility into identities, permissions, and resources across many organizations. And we also know that the increased complexity of IAM and security teams to manage permissions across multi-cloud environments is a very, very hard thing to do. And lastly, increased risk of breach from accidental or malicious permission misuse is something that's happening in many, many organizations today.
So like I said, the product is not only for users. It actually covers all cloud infrastructure entitlements across the three clouds that I mentioned earlier. And you can basically even look into your service principals, what we call workload identities, or any automations that you have set up within your environment.
I'm really happy about this, especially with service principals, because after SolarWinds and there's other attacks that have been taking advantage of service principals' permissions, right? So just providing this least privilege, I think it will help out greatly many applications and customers. So I've got to ask. So I mean, how does this thing, I mean, obviously, I don't expect you to explain all the nuts and bolts, but at a high level, how does it work? And how do you define even an excessive permission?
We have the CIEM service. So cloud infrastructure entitlement management, the short form, we say CIEM. So we have a CIEM service, which gives access to that customer's Azure, AWS, or GCP account. And that service principal facilitates a collection. And that collection starts by getting all the data, that's mainly the resources within that customer's environment or that environment's infrastructure. The data goes through our AI models and gets evaluated.
And then we manage the permissions and entitlements. So Entra Permissions Management defines those excessive permissions as an aggregated metric that evaluates the level of risk associated to permissions across identities and resources by comparing those permissions granted versus the permissions that are used or exercised for that user, the non-human identity, or a workload. So in the product, we call this measure or this metric Permission Creep Index. Let's call it PCI for short.
The Permission Creep Index is calculated by a formula with two terms multiplied together for a given identity: a factor score between 0 and 100 based on high-risk permissions an identity has not used within the last 90 days, and a factor score between 0 and 100 based on how many resources the identity can impact across the entire authorization system. So that is how we define those excessive permissions. So it's interesting you should bring up the whole notion of excessive permissions, right?
Because permission creep is just huge. I've certainly seen some customers try to manage this themselves. And honestly, it's just a losing battle. I had a customer write some code, an Azure Function, and they granted it some access to Azure. And it would grovel permissions on absolutely every single object and every user account, like every 30 minutes or so. It just became unmaintainable, though.
They have a report at the end of the day that showed added permissions, deleted permissions, sort of delta in the drift. But they didn't know how to make sense of it. So it's great to see a product like this come along, especially from a scalability perspective. Is there a way to tell how many users have excessive permissions? Can you get an overall vision of sort of the permission posture, so to speak, of the environment? And then can you actually do the minimization as well?
Like can you actually reduce permissions while you're doing it? Or is it just really just the one-way thing? Yeah, so the product actually goes really, really deep here, Michael. So let's start with just what the console looks like. So immediately when you actually launch the Entra Permissions Management product, the first thing within the dashboard that you'll see is you'll get a graph. Basically, you get a dashboard that shows you this permission creep index that I mentioned.
And within that Permission Creep Index, we give you an aggregation of all your users, applications, and managed identities in a fashion that we give you your total users, and we rank them from high to medium and low. Why are we ranking them? We're ranking them to give you visibility to say, hey, you have high-risk users within your environment.
And this all is calculated with our machine learning algorithm that's in the background that does this data collection and throws it into this nice dashboard for you to just get a snapshot of what's actually happening within your environment. And like I mentioned, we do this for applications and managed identities as well.
And this PCI trend, we give you a graph of that, meaning if a user is over-permissioned and you are able to right-size them using one of our other tabs and functionalities, which we call remediation, we can talk about that a little later, you can see that trend of that PCI score actually decreased, meaning that your environment is actually getting better.
And so basically what's happening here is that whenever the EPM product collects data for a given enterprise and provides that comprehensive report, within the console you can find what we call permissions analytics report. This provides you with cross-cloud visibility such that you get a multi-dimensional view of all your permissions risk within your organization. So can you focus on the most risky permissions? Yeah, for sure, for sure, Sarah.
So as I mentioned earlier, even within our dashboard, another functionality that we give you right away after the data collection has happened, like I mentioned, the data collection happens across your multi-cloud footprint. And within that, we actually give you a quick snapshot of all the identities that you have and all the resources that you have and give you the findings.
So for example, within the identity findings, we are able to give you your inactive applications that are identities or workload identities, inactive users, over-permissioned active users, super users, inactive serverless functions, over-permissioned active apps. You see what's going on here. That's what we kind of do for you. And then on the resource side, we also give you a snapshot of all your findings based on the different permissions that are used versus the permissions that are granted.
Examples could be your blob container accessible, is your blob container accessible externally, or your open network security groups, what's going on there, they're over-permissive, or even for your managed keys, they're over-permissive. We give you these findings in a very quick snapshot so you have a place to actually start to see how you can actually manage this permissions risk that most organizations deal with today. So I was playing with some demo portal.
And if I understood correctly, basically, the system or the service is viewing all the permissions that are being used and is building a report based on that and then give you guidance. Now, say that I go and remediate those permissions. And if we move some permissions that now, next week, I may need. What happens and how do I deal with that? Because suddenly, my role change and I need more permissions. Yeah, so actually, let's take a step back really quick.
Let me just give a quick snippet of some of the features and functionalities of the Entra Permissions Management product. So like I mentioned, we've talked about the dashboard and it gives you that quick view into what's happening within your cross-cloud environment. Well, we also have an analytics tab.
That analytics tab is where, like I mentioned, all the machine learning algorithms that we've done with your data, it basically gives you all the different dash data that you have of your digital footprint with some of what your users are doing, some of the groups that you've created, what's happening with them, how people get permissions. And we give you even a nice chart to trace back to how a user actually got a specific permission. And we go into the details of those permissions, right?
Whether it's read, write, delete, certain things that are in this specific role, we break those down for you. And then one of our other features, remediation, is what you're talking about here specifically. Well, within our Remediation tab or the feature of Entra Permissions Management, we have a functionality called Permissions on Demand.
So you mentioned, OK, now that you've right-sized or used the principle of least privilege with a specific user or workload or non-human identity, what happens if you need those permissions back? Well, with permissions on demand, you can actually follow the flow that we got there and actually request those permissions.
And the way that we do that is we actually give you granular control such that because of the data collection that has happened in your environment, we are able to determine that a user has been only using specific permissions over time. And so all those permissions they've been using over time and they're requesting for a specific permission that they're going to be using, they can go in there and request that. And an authorizer or an approver can go in there and approve it.
It's a simple workflow. It's very easy to use. You can do it for almost all your users today. And that's how we basically right-size every user. And that's what we're really trying to do with this product is we want to give you those controls. So for example, within Azure, we call, what is a role within Azure?
Well, a role within Azure is a set of permissions that are given to a specific name that Azure uses to say, OK, for example, if I have the contributor role, I have a whole bunch of permissions that are embedded into my specific role that I'm actually inheriting. Within AWS and GCP, they call it different things. AWS, the way permissioning is done within AWS is different from the way Azure does it.
However, the product is very smart that it actually gives you that granular control and you're able to go in and request that specific permission that you need, whether it's read, write, delete, or a specific function that you're going to do. And with our workflow, you're able to get approval and go do your job. And then whenever you're done, we also have time-based functionality with this, such that whenever you're done with that permission, it takes it away.
And you can go ahead and go about your business and know that that user is not going to be over-permissioned in the future. This whole permissions creep thing is just such a big, big, big deal. I've seen instances with customers where I'm not going to say that there's been a breach, like an internal breach. I'm not going to say that at all. But someone's had access they really shouldn't have had access to. And it was because of permissions that they no longer required.
So that's a really, really fascinating product. So I do have to ask, so how does this compare and contrast? I think I know the answer. So how does this compare and contrast to, say, Azure Active Directory Privileged Identity Management, PIM, or Azure AD Access Review? Let's start with PIM, Privileged Identity Management. So the functionality of PIM was created to help you get just-in-time access for Azure Identities and resources. So the features of PIM include, like I said, just-in-time.
We currently support Azure Active Directory RBAC roles, custom Azure Active Directory roles. You have an approval to activate a privileged role assignment. With PIM, you can enforce multifactor authentication and justification for role activation, basically providing you a way to have eligible roles that you can basically get access to. And within PIM, you can use access reviews with PIM where you can take out a user whenever they're not using that specific Azure Active Directory role.
And we also provide you with an audit history download for internal and external audit. But the difference here with Entra Permissions Management is, number one, it is a PIM solution. We extend these additional capabilities along with PIM.
So Entra Permissions Management basically comes alongside PIM to provide a solution that gives you, the customer, comprehensive visibility and control over permissions for any identity and resource in those three clouds that I mentioned: Azure, AWS, and GCP. It makes it so simple and so easy to basically go from AWS to Azure and GCP in a split second. And we give you that control. So let me give you a scenario here, right? Whether you have JIT for multi-cloud as an example.
Customers can use Azure AD PIM, but if they're looking for a way to get that granular visibility into what that PIM role is doing, that's what CIEM is there to actually show you for that JIT assignment. Also, one additional difference is with PIM, well, you have access reviews that do review some of those accesses and take them away.
However, with Entra Permissions Management, the customer can actually assess those accesses or those roles specifically as they're tied to infrastructure entitlements and use the product to detect anomalous behavior. So one of the things that we like to say within the product group is whenever a credential is compromised, if that credential is right-sized, there's not much a bad actor can do with those credentials because, well, they only have access to a few things.
And so with PIM, it's just an elevation of a role that the user has access to. But with Entra Permissions Management, it's a complement to PIM to give you that visibility, to give you that remediation and right-sizing capability.
And finally, it monitors, it gives you a way to get alerts, to detect anomalous behavior, to basically generate reports and make it easy for you to know what is really happening with those users, their permissions, and what they're doing with that according to the resources that you have for your cloud infrastructure entitlements.
So in other words, what you're saying is basically, you look at the least privilege, you look at those excessive permissions, a custom role is created, which can be used in PIM in order to request temporary access. Is that the way it works? So not necessarily, right? So remember, I mentioned, the Entra Permissions Management solution really looks at cloud infrastructure entitlements.
So it actually focuses more on the Azure roles versus the Azure Active Directory roles, where, for example, PIM can be used to elevate to Azure Active Directory and also to Azure roles for those resources. The difference here is that with cloud infrastructure entitlements, that is tied directly to specific resources that is within a subscription within Azure, within the account for AWS, and then within the project for Google Cloud.
And so what that is trying to do there is to ensure that that user or non-human identities access to a specific resource is captured and that we actually know to the granularity layer of exactly what permissions that user actually has. And so that is the intricate details that this product actually gives you and gives you the control and the power to ensure that as long as you have visibility, you know what a user is capable of doing with certain permissions.
And it gives you a way to right-size users because over time, like I said, those permissions grow. And you can right-size users because we've done the research and I can tell you, it's been over 90% of users are over-permissioned today. And how we know that is because we do these risk assessments for lots and lots of different customers and lots of different people.
And we've noticed that the permissions that are used versus the permissions that are granted, there's a huge delta there, as I called it, the permissions gap. And so how do you make sure that permissions gap is actually controlled or managed? Well, that's where the product comes in. You can actually right-size those users to start. And after you right-size them, you put them through continuous monitoring.
That's what the tool gives you the capability to do so that you can continuously see what's happening there and actually build a robust identity security platform for your organization. I have a question for you. Do you ever have customers run this tool and be absolutely terrified at the result? Oh, absolutely. I mean, I think that's one of the first things that we actually notice when we engage with a customer.
And whenever they see their environment and notice how many over-permissive users exist, I mean, I think that's the first thing everyone's like, wow, I didn't know I had that. And almost every customer I have engaged with has said that and said, oh, I didn't realize I had all of these over-permissions. And I didn't realize over 90 days, these are the only permissions my users and my managed identities, my non-human identities, workload identities, or whatever, have used.
That is, why do they have all these permissions? And if they're not using it, they're only using just a fraction of it. So, of course, as you said, if people get as scared about the solution, how do you foresee organizations managing it? Because many customers, what I have seen with our services, is that they use it, they implement the capabilities, and they leave it. Do you see that this is a continuous improvement type of service?
What are the recommendations for how people in process should be involved in there? Oh, absolutely. This is something that I would recommend every organization do on a bi-weekly or monthly basis, depending on their workload and their work streams. Because it's very, very important to understand what users are doing.
I think the focus has been for many, many organizations today to just look at, hey, I know I'm managing, I have an identity governance service or solution that can do access reviews, that can see, oh, this person has these right-sized roles. Well, within those right-sized roles, there are permissions in there that maybe that user does not need.
And so what I foresee happening is, as Zero Trust has been growing and a lot of enterprises that are adopting the Zero Trust methodology and actually enforcing the principle of least privilege, what I foresee happening is you'll see many people actually talk about the permissions that some of these roles actually have.
And that is where Entra Permissions Management can help you be successful and help you actually manage these unmanaged permissions and actually determine the permissions risks that most organizations and enterprises have today. All right, well, let's start to wrap this thing up. So one thing we always ask our guests is if you had just one thought to leave our listeners with, what would it be?
My thought here is, I believe every enterprise and every organization out there today actually has over-permissioning within their environment. And my thought here is, we've studied and observed these trends that demonstrate the fact that these organizations have to consider permissions management as a central piece of their Zero Trust security. And so I'll just say, go get a free risk assessment done.
With this product, we do a 90-day free trial that we actually give you to just see what's happening. And you'll get that comprehensive visibility that I talked about. And when you onboard and see what's going on in your environment, that should give you enough reason to consider how you actually manage your permissions within your clouds.
And as we already know, most enterprises are growing into a multi-cloud strategy where they're not only operating on just one cloud, they're operating on three or more clouds. So go get yourself a free Permissions Management trial and see what's going on within your environment. And remind me again, what does CIEM stand for? Cloud Infrastructure Entitlement Management. There you go. Hey, so Nick, thank you so much for joining us this week. I know you're obviously really, really busy.
You know, the product's relatively new, so I have no doubt you've got a lot of talks with customers. So again, I really appreciate you taking the time. And to all our listeners out there, thank you for listening. We hope you found this of interest. Stay safe, especially those in Florida. And we'll see you next time. Thanks for listening to the Azure Security Podcast. You can find show notes and other resources at our website, azsecuritypodcast.net.
If you have any questions, please find us on Twitter at @AzureSetPod. Background music is from ccmixter.com and licensed under the Creative Commons license.