Microsoft Entra
Secure access for a connected world.
A few months ago Microsoft introduced Microsoft Entra, a new product family that encompasses all of Microsoft’s identity and access capabilities. The Entra family includes Microsoft Azure Active Directory (Azure AD), as well as two new product categories: Cloud Infrastructure Entitlement Management (CIEM) and decentralized identity. Together, the Entra products aim to give everyone secure access to everything through three capabilities: identity and access management, cloud infrastructure entitlement management, and identity verification.
Azure Active Directory
Protect your users, apps, workloads, and devices.
The goal of many IT leaders is to keep strengthening access protection while, at the same time, making everyday tasks easier for their users. This comes down to how people sign in, how often they have to sign in, and how the organization verifies that users are who they say they are.
From our experience, a correct username and password are not a strong indicator that the person behind them is genuine. In other words, knowing the username and password does not prove that I am who I say I am. If that is true, how can this be improved? How do we get to a world beyond passwords, beyond technologies we know to be flawed as proof of identity, while at the same time making things easier for end users?
It is equally important to understand how much control you really have over access: not only who is accessing what, but also whether those access control policies can change depending on various conditions.
For example, I might be a very trustworthy employee of Oakwood today, and I might be allowed to access certain sensitive information. Tomorrow, I might be a slightly less trustworthy employee, for a variety of reasons we’ll get into in a moment, and I might not be allowed to access that same information. Can your access control policies adapt to those changing conditions? Can you make decisions on the fly? This is a technique being championed by many industry experts and analysts.
Some experts refer to this as adaptive security. The identity space is the primary control point for such a capability.
Lastly, we ask how you protect user credentials. In this imperfect world we do sometimes still rely on a username and password, so the credentials must stay protected after they are used: when they are cached as part of an operating system session, for example, an attacker must not be able to hijack them and use them to reach other resources the legitimate user never intended to access.
With all the above being said – Microsoft’s approach to identity and access management is really threefold.
- Secure authentication that is convenient for end users.
- Conditional access to reach Zero Trust.
- Identity protection – safeguard those identities when they are used as part of an OS session or application session.
Permissions Management
One unified model to manage permissions of any identity across any cloud.
Microsoft Entra Permissions Management aims to eliminate the complexity of multi-cloud environments and streamline permission management from a single unified platform.
CloudKnox Permissions Management (Microsoft acquired CloudKnox in 2021, and the product is now sold as Microsoft Entra Permissions Management) fully supports multi-cloud, meaning that it works with all the major cloud service providers, including Google Cloud, AWS, and Microsoft Azure. With CloudKnox Permissions Management, we provide a comprehensive, streamlined view into every action performed by every identity on every resource, so that you can see where your permission risks lie within your cloud infrastructure.
30% of IT Decision Makers (ITDMs) say that lack of centralized visibility is their biggest challenge when it comes to managing cloud privileged access. (Source: internal Microsoft research 2021)
To make this challenge easier, the CloudKnox Permissions Management dashboard gives you granular visibility into every action performed by every identity on every resource. These discoveries are summarized in the ‘Permission Creep Index’, a single metric that evaluates the gap between the permissions an identity has been granted and the permissions it has actually used. The more unused high-risk permissions an identity holds, the higher its index score.
Once you identify the most critical permissions risks in your infrastructure, CloudKnox Permissions Management allows you to automate least privilege policy enforcement and right-size your permissions with just a few clicks.
For one-off scenarios when an identity needs to perform a certain set of actions on a set of specific resources, it can request those permissions just-in-time for a limited period with our self-service workflow. Once the specified time period is up, those permissions will automatically be revoked.
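The three ideas above (the gap between granted and used permissions, right-sizing to what was actually used, and time-boxed just-in-time grants) are easy to see in code. The following is an added example written for this page, not CloudKnox or Microsoft Entra code; the role name, action names, the CloudTrail-style log lines, the high-risk classification and the percentage metric are all constructed for illustration, and the real Permission Creep Index is computed differently and is not published here.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed sample input: the actions one cloud role is granted and a
// CloudTrail-style activity log for the review window. None of these
// identifiers come from the page.
var grantedActions = []string{
	"s3:GetObject", "s3:PutObject", "s3:DeleteBucket",
	"ec2:DescribeInstances", "ec2:TerminateInstances",
	"iam:CreateAccessKey", "iam:AttachRolePolicy",
}

var activityLog = []string{
	"2023-03-01T09:12:00Z build-role s3:GetObject arn:aws:s3:::artifacts/app.zip",
	"2023-03-01T09:12:04Z build-role s3:PutObject arn:aws:s3:::artifacts/app.zip",
	"2023-03-01T09:13:10Z build-role ec2:DescribeInstances *",
	"2023-03-02T14:00:00Z admin-role iam:AttachRolePolicy arn:aws:iam::123456789012:role/build-role",
}

// highRisk is this example's own classification of dangerous actions; the
// product's classification is not given on the page.
var highRisk = map[string]bool{
	"iam:CreateAccessKey":    true,
	"iam:AttachRolePolicy":   true,
	"s3:DeleteBucket":        true,
	"ec2:TerminateInstances": true,
}

type Finding struct {
	Identity       string
	Used           []string // granted and seen in the log
	Unused         []string // granted but never exercised in the window
	UnusedHighRisk []string
	CreepPercent   int // unused permissions as a share of those granted (illustrative metric)
}

// Analyze compares what an identity may do with what the log shows it did.
func Analyze(identity string, granted []string, lines []string) Finding {
	used := map[string]bool{}
	for _, line := range lines {
		// constructed log format: "<time> <identity> <action> <resource>"
		f := strings.Fields(line)
		if len(f) < 4 || f[1] != identity {
			continue
		}
		used[f[2]] = true
	}
	fd := Finding{Identity: identity}
	for _, a := range granted {
		if used[a] {
			fd.Used = append(fd.Used, a)
			continue
		}
		fd.Unused = append(fd.Unused, a)
		if highRisk[a] {
			fd.UnusedHighRisk = append(fd.UnusedHighRisk, a)
		}
	}
	sort.Strings(fd.Used)
	sort.Strings(fd.Unused)
	sort.Strings(fd.UnusedHighRisk)
	if len(granted) > 0 {
		fd.CreepPercent = 100 * len(fd.Unused) / len(granted)
	}
	return fd
}

// Grant is one permission with an optional expiry; a just-in-time grant
// carries an expiry, a standing grant does not.
type Grant struct {
	Action    string
	ExpiresAt time.Time // zero value means the grant never expires
}

// RightSize keeps only the actions the identity actually used as standing
// grants and appends any time-boxed JIT grants the identity requested.
func RightSize(fd Finding, jit []Grant) []Grant {
	var policy []Grant
	for _, a := range fd.Used {
		policy = append(policy, Grant{Action: a})
	}
	return append(policy, jit...)
}

// EffectiveActions is what the policy allows at time now; expired JIT
// grants drop out without anyone having to revoke them by hand.
func EffectiveActions(policy []Grant, now time.Time) []string {
	var acts []string
	for _, g := range policy {
		if g.ExpiresAt.IsZero() || now.Before(g.ExpiresAt) {
			acts = append(acts, g.Action)
		}
	}
	sort.Strings(acts)
	return acts
}

func main() {
	fd := Analyze("build-role", grantedActions, activityLog)
	fmt.Printf("%s: %d%% of granted permissions unused; unused high-risk: %v\n",
		fd.Identity, fd.CreepPercent, fd.UnusedHighRisk)
	start := time.Date(2023, 3, 3, 10, 0, 0, 0, time.UTC)
	jit := []Grant{{Action: "ec2:TerminateInstances", ExpiresAt: start.Add(2 * time.Hour)}}
	policy := RightSize(fd, jit)
	fmt.Println("during JIT window:", EffectiveActions(policy, start.Add(time.Hour)))
	fmt.Println("after JIT window: ", EffectiveActions(policy, start.Add(3*time.Hour)))
}
```

Note that the admin-role line in the log does not count toward build-role even though it targets the build-role ARN; usage is attributed to the identity that performed the action, which is the distinction the per-identity view is built on.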
With so many security risks developing in this multi-cloud world, staying aware of your organization’s vulnerabilities is essential. CloudKnox Permissions Management’s machine learning-based anomaly detection will alert you to suspicious activity. You can also set up customizable trigger alerts for a specific set of actions or resources to automate your monitoring and support incident response.
Another way you can support rapid investigation and remediation is by generating fully-customizable context-rich forensic reports around identities, actions, and resources.
Verified ID
Enable more secure interactions while respecting privacy with an industry-leading global platform.
92% of organizations perform identity verification today.
82% wish there was a better way.
The diagram above illustrates the three parties in a verifiable credentials interaction. The solution automates verification of identity credentials and claims.
The issuer is an organization that attests to claims and grants digitally signed credentials to the user; the claims in a credential are signed with the issuer’s private key, so neither the user nor anyone else can alter them without invalidating the signature. The user receives the credential, keeps it in a digital wallet, and, when a verifier asks, approves the request and presents the credential; the presentation is signed with the user’s private key, which proves that the presenter holds the key the credential was issued to. The verifier is an organization that requests proof and, on receipt, checks both signatures and confirms that the claims satisfy its requirements. An ecosystem of organizations, workplaces, governments, schools, institutions, and individuals act as trusted issuers and verifiers for verifiable credentials, with users granting permission and managing access through their digital wallet.
Want to learn more? Reach out to one of our Microsoft Entra specialists below.