Privileged access management (PAM) is an identity security system that assists organizations in protecting themselves against cyber risks by monitoring, detecting, and preventing unwanted privileged access to important resources. Every cloud provider offers solutions for this, and Azure is no exception. But how do you make Azure PAM work for a cloud application?
What is Azure privileged access management (PAM) all about?
Privileged access = access with increased administrative permissions. For example, using the SSH or RDP protocol to virtual machines running an application is considered “privileged,” especially if you get root or “administrator” access.
Another area of privileged access centers around the creation, deletion, and updating of cloud resources in Azure. These types of actions require elevated permissions for Azure users specifically.
Azure provides diverse tooling to identify an acceptable level of security controls consistent with the current and future Identity and Access Management policies of your company.
In what follows, I focus on two specific Azure privileged access management solutions: Bastions and PIM.
Azure Bastion for host access
Azure Bastion PaaS service comes in handy for configuring Azure VM host access, which is key in building Azure PAM. It allows you to connect to a VM using a browser and the Azure portal. You can also connect using the native SSH or RDP client already installed on a local computer. VMs don’t require public IPs, special agents aren’t required either.
The following diagram depicts the network topology required for Bastion access:
Since VMs aren’t accessible over the internet, they’re not susceptible to port scanning and potential zero-day attacks against internet-exposed ports and protocols.
Azure Bastion is a hardened “jump box,” and Microsoft is responsible for patching, zero-day vulnerabilities, and network attacks.
Types of Azure Bastion
Azure Bastion comes in two flavors: Basic and Standard (SKUs). The differences between these offerings are as follows:
Azure Bastion can monitor distant sessions and perform swift management actions. Session monitoring allows you to see which users are connected to which virtual machines. It displays the IP address from which the user connected, how long they were connected, and when they connected.
The session management experience lets you select an ongoing session and force-disconnect or delete a session to disconnect the user from the ongoing session.
How much does Azure Bastion cost? Here’s a pricing breakdown:
- Azure Bastion Basic – $0.19 per hour, $138.70 per Month,
- Azure Bastion Standard – $0.29 per hour, $211.70 per Month,
- Additional Standard Instance – $0.14 per hour, $102.20 per Month.
Note that you only need one bastion service for all peered VNets. Previously, Bastion required an instance per VNet, making the service cost prohibitive for all VNets.
Opening management ports – just in time
Adjacent to privileged access, you can reduce the administrative attack surface by enabling VM management port access in real time, through an access request workflow.
Azure Defender for Cloud provides this capability through the “secure management port” control feature.
You can time-bind access to management ports and revoke it after a specified TTL. Furthermore, you can enforce a policy that only Azure Bastion hosts have access to management ports (as specified by security groups).
Azure Active Directory and Privileged Identity Management (PIM)
Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that allows you to manage, control, and monitor access to critical organizational resources. This includes Azure AD, Azure, and other Microsoft Online Services like Microsoft 365.
PIM can help you achieve the following policy-driven objectives:
- Allow only-when-needed privileged access to Azure AD and Azure resources.
- Use start and end dates to assign time-bound access to resources.
- To activate privileged positions, you must first obtain authorization.
- To activate any position, require multi-factor authentication.
- To understand why people activate, utilize reasoning.
- Receive alerts when privileged roles are activated.
- Conduct access audits to ensure that users still require roles.
- Save audit history for internal or external auditing purposes.
- Prevents the last active Global Administrator and Privileged Role Administrator role assignments from being removed.
PIM helps teams reach the goal of removing all console access from administrative users in their landing zone. They can then activate specific roles and permissions through the PIM-provided approval workflow. Access will be time bound and auditable.
Pricing and licensing requirements for PIM
Azure PIM comes at an additional cost. Using this feature requires Azure Active Directory Premium P2 licenses. P2 costs $9 per user per month – as compared with P1 which costs $6 per user per month. Note that you only need to license Azure users in this context.
Azure DevOps and PIM
Azure DevOps has been integrated with PIM since 2019. Azure AD has an Azure DevOps administrator role that you can use in conjunction with PIM to elevate permissions.
Azure DevOps is a separate product, so there is a small caveat that users must log off and log back in to activate elevated privileges. At least one user has shared their experience with AD Groups and PIM, this seems to work well.
There’s more to discover about Azure PAM
In this article, I just scratched the surface of all the available Azure services for building privileged access management capabilities into a cloud application running in Azure.
If you’re looking for more Azure security insights, check out this article on identity access management (IAM) and a more high-level overview of security for cloud migration and beyond.