Leave the Privileged Cloud Identities in the cloud with PIM and RBAC enabled and not synced!

🔸What does this mean?
It simply means that privileged accounts, and any accounts that can be elevated into privileged roles for tasks in cloud systems, must be created as “in-cloud” accounts rather than synced from a local/on-prem directory.

🔸Why you ask?
The classic example anyone can think of is identities holding Entra ID privileged roles.

This is a very important factor that most of the IT admins responsible for maintaining accounts and/or security are ignoring.
In a hybrid environment, the fact that all other accounts are syncing from on-prem AD to Entra ID does not mean the privileged cloud identities should be synced too.

When this question is raised, the answer most of the time is “We never thought about that”, “It has always been this way”, or “The person who created these accounts and the sync is no longer with the business”.

🔸Why do you need this?
Simply put, segregating these accounts reduces the attack surface.

Imagine the unfortunate event of an Active Directory compromise, or a lateral-movement scenario where the bad actor is on a mission to find the keys to the kingdom. If the cloud privileged accounts are synced, the organisation is simply handing those crown jewels over, and the damage can be severe.

🔸Enable PIM
Enabling PIM adds another layer of security to those privileged accounts: Just-in-Time and Just-Enough Access, with strong authentication (highly recommended!), for the admins who need to elevate their permissions to perform tasks. They are just normal accounts until the elevated access is approved (automatically or by an approver).

🔸Use RBAC
Setting up RBAC is as important as enabling PIM. You don’t need to make everyone a Global Admin in Entra ID just because they perform admin tasks. Review the tasks they perform and make sure their elevated access covers only those required tasks.
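A quick way to check both points above, as an added example that is not part of the original post: list every user holding an Entra ID role, whether as an active assignment or as a PIM-eligible one, and flag those that are synced from on-prem AD. The role names also give you the starting list for the RBAC review. It assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account can read directory role assignments and users.

```powershell
# Added example, not code from the original post. Assumes the Microsoft.Graph
# PowerShell SDK (v2) and read access to role management and users.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","User.Read.All"

# The post's concern covers privileged accounts AND accounts that can be
# elevated, so collect active assignments and PIM-eligible assignments.
$assignments = @()
$assignments += Get-MgRoleManagementDirectoryRoleAssignment -All |
    Select-Object PrincipalId, RoleDefinitionId, @{n='Kind';e={'Active'}}
$assignments += Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All |
    Select-Object PrincipalId, RoleDefinitionId, @{n='Kind';e={'Eligible (PIM)'}}

$roleNames = @{}   # cache role definition id -> display name
$findings = foreach ($a in $assignments) {
    if (-not $roleNames.ContainsKey($a.RoleDefinitionId)) {
        $roleNames[$a.RoleDefinitionId] = (Get-MgRoleManagementDirectoryRoleDefinition `
            -UnifiedRoleDefinitionId $a.RoleDefinitionId).DisplayName
    }
    # Principals may be groups or service principals; only users can be
    # synced from AD, so skip anything that is not a user object.
    $user = Get-MgUser -UserId $a.PrincipalId `
        -Property Id,UserPrincipalName,OnPremisesSyncEnabled -ErrorAction SilentlyContinue
    if ($null -eq $user) { continue }
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        Role              = $roleNames[$a.RoleDefinitionId]
        Assignment        = $a.Kind
        SyncedFromOnPrem  = [bool]$user.OnPremisesSyncEnabled
    }
}

# Synced role holders are the ones the post says should not exist.
$synced = @($findings | Where-Object SyncedFromOnPrem)
$synced | Sort-Object Role, UserPrincipalName | Format-Table -AutoSize
"{0} of {1} privileged user assignments belong to on-prem synced accounts" -f `
    $synced.Count, @($findings).Count
```

Group-based role assignments are skipped here; expand group membership separately if you assign roles through PIM-enabled groups.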

These are simple tasks you can perform without much effort to make sure you are on the right path to securing privileged identities, and in turn building a strong cloud posture.
