Identity Governance (part 1 of 6)

By Ashwin Venugopal -

 



To read part 2, please click here
To read part 3, please click here
To read part 4, please click here
To read part 5, please click here
To read part 6, please click here






Azure AD Identity Governance

Organizations can possess the ability to perform following tasks across employees, business partners, and vendors, as well as across services and applications both on-premises and in clouds with the help of Identity Governance:
  1. Govern the identity lifecycle
  2. Govern access lifecycle
  3. Secure privileged access for administration

It can also help the organizations to address the following key questions:

  1. Which users should have access to which resources?
  2. What are those users doing with that access?
  3. Are there effective organizational controls for managing access?
  4. Can auditors verify that the controls are working?

Identity Lifecycle



Identity lifecycle management is known as the foundation for Identity Governance and its effective use requires a proper modernization of the identity lifecycle management infrastructure for applications. Azure AD premium can automatically maintain the user identities for people represented in Workday in both AD as well as Azure AD and also includes Microsoft Identity Manager to import records from the on-premises HCM (Human Capital Management) systems like SAP, Oracle eBusiness, Oracle PeopleSoft. 

While Azure AD B2B Collaboration allows you to share your organization's applications as well as services with the guest users and external partners from any organization securely along with the maintenance of control over your own corporate data; the Azure AD entitlement management helps you to choose the type of organization users are allowed to request access and can be added as B2B guests to your organization's directory and making sure that these guests will be removed when no longer required.

Access Lifecycle




Nowadays, it is required to manage access beyond the one that is initially provisioned to a user when that user's identity was created along with the ability to efficiently scale the development, enforce access policy, and control on an ongoing basis.

Technologies can readily help the organizations in the automation of the access lifecycle process along with the ability to control which guest users can have access to an on-premises applications whose rights can be regularly reviewed with the help of recurring Azure AD access reviews. If a user tries to access applications, Azure AD can enforce Conditional Access policies which may include displaying a terms of use and making sure that the user has agreed to the terms before accessing an application. 

Privileged Access Lifecycle




Although privileged access has been stated as a separate capability from Identity Governance by various vendors but Microsoft thinks it as the key of Identity Governance. Azure AD Privileged Identity Management (PIM) offers additional controls made to secure access rights for resources across Azure AD, Azure, and the other Microsoft Online Services. It provides just-in-time access as well as role change alert capabilities along with the multi-factor authentication and Conditional Access; to offer a comprehensive set of governance controls to secure your company's resources. However, the organizations can use access reviews to configure recurring access recertification for all the users in administrator roles in other forms of access. 












To read part 2, please click here
To read part 3, please click here
To read part 4, please click here
To read part 5, please click here
To read part 6, please click here







Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different...
Read more

Deployment (Part 1)

By Ashwin Venugopal -
Image
  To read part 2, please click  here To read part 3, please click  here Azure Resources Microsoft Sentinel needs following resources to be created: Subscription (if a dedicated subscription(s) will be used) Resource group(s) Log Analytics workspace(s) Automation rules/playbook Alert rules Workbooks Microsoft Sentinel offers hundreds of alert rules, workbooks, and automation playbook templates along with hunting scripts. The templates can be used to activate/deploy schedule alerts, create customized dashboards, create automation playbooks and perform threat-hunting activities. Generally, once deployed, the resources created have to be adjusted to match the existing environment, configure local credentials, etc. Methods of deployment: Manual- Administrator can manually configures the Microsoft Sentinel resources with the help of Azure portal. Any manual process has the inherent risks of human operator error, lack of compliance with potential change control procedures, and u...
Read more

Design Planning (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Complex Organizational Structures SIEM can be an expensive security control, hence, it is common multiple businesses to contribute to the overall expense. Various organizational units may require a level of access to specific dashboards or sets of data. Microsoft Sentinel offers the ability to assign table-level permissions and limit the level of access to the minimum required to perform requisite job functions.  Role-based Access Control (RBAC) Requirements Microsoft Sentinel offers an extensive list of Azure built-in roles that can be used to provide granular access according to the job requirements and permitted level of access. Some of them are various Microsoft Sentinel dedicated roles: Microsoft Sentinel Contributor- Can perform all engineering-related configuration, such as creating alert rules, configuring data connectors, and additional similar tasks.  Microsoft Sentinel Reader- Can...
Read more