{"id":23154,"date":"2024-05-17T10:35:12","date_gmt":"2024-05-17T09:35:12","guid":{"rendered":"https:\/\/www.riskinsight-wavestone.com\/?p=23154"},"modified":"2024-05-17T10:35:15","modified_gmt":"2024-05-17T09:35:15","slug":"protecting-the-control-plane-critical-stakes-in-cloud-security","status":"publish","type":"post","link":"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/05\/protecting-the-control-plane-critical-stakes-in-cloud-security\/","title":{"rendered":"Protecting the Control Plane: Critical Stakes in Cloud Security\u00a0"},"content":{"rendered":"\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">In the age of hybrid information systems, securing cloud resources is a cornerstone of enterprise security. Faced with constantly evolving threats and increasingly complex IT environments, companies are seeking more effective and scalable cloud information systems and access management solutions.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">To meet this challenge, Microsoft has defined the <\/span><a href=\"https:\/\/learn.microsoft.com\/en-us\/security\/privileged-access-workstations\/privileged-access-access-model\"><i><span data-contrast=\"none\">Enterprise Access Model<\/span><\/i><\/a><span data-contrast=\"auto\">, offering a new approach to identity and access management adapted to the reality of the cloud. This model promises to redefine how companies manage access to digital resources, whether within cloud solutions like Azure, Office 365 applications, or other strategic services.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">This article proposes a methodology and examples for implementing the Enterprise Access Model and defining criteria for assigning roles to the management plane or control plane. The article also aims to highlight the risks associated with poor implementation of the model, with concrete examples. Finally, it lists several best practices for configuring and managing the access model to help mitigate these risks.\u00a0\u00a0\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<h2 style=\"text-align: justify;\" aria-level=\"1\"><span data-contrast=\"none\">Is the tiered model unsuitable for access management in the cloud? <\/span><\/h2>\n<p style=\"text-align: justify;\" aria-level=\"1\"><i><span data-contrast=\"none\">(For more information on this subject, please consult wavestone\u2019s white paper available <\/span><\/i><a href=\"https:\/\/www.wavestone.com\/app\/uploads\/2021\/10\/AD-Security-publications-V1EN_1.0-opti.pdf\"><i><span data-contrast=\"none\">here<\/span><\/i><\/a><i><span data-contrast=\"none\">)<\/span><\/i><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:240,&quot;335559739&quot;:0}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">The tiering security model, applied to Active Directory, is based on the fundamental principle of segmenting privileged accounts into 3 different layers, known as <\/span><b><span data-contrast=\"auto\">tiers<\/span><\/b><span data-contrast=\"auto\">. The aim is to ensure that, if a resource or account in a tier is compromised, the higher-trusted tiers remain preserved, thus avoiding any potential propagation of the compromise to the entire system.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-ccp-props=\"{}\"> <img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-23124 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/1art.jpg\" alt=\"\" width=\"457\" height=\"418\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/1art.jpg 457w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/1art-209x191.jpg 209w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/1art-43x39.jpg 43w\" sizes=\"auto, (max-width: 457px) 100vw, 457px\" \/><\/span><\/p>\n<ul>\n<li data-leveltext=\"o\" data-font=\"Courier New\" data-listid=\"6\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Courier New&quot;,&quot;469769242&quot;:[9675],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;o&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><i><span data-contrast=\"auto\">Tier 0<\/span><\/i><span data-contrast=\"auto\"> is the most critical tier, covering all the infrastructure components managing the company&#8217;s AD Domain Controllers.\u00a0\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<li><i><span data-contrast=\"auto\">Tier 1 <\/span><\/i><span data-contrast=\"auto\">typically comprises the company&#8217;s applications and the servers that host them.\u00a0\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<li><i><span data-contrast=\"auto\">Tier 2<\/span><\/i><span data-contrast=\"auto\"> covers everything that revolves around the user environment.\u00a0\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<\/ul>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">While the tiering model can be used to secure the Active Directory infrastructure, it encounters significant challenges when applied in a cloud context. One of the major challenges lies in the very nature of the cloud, where access and administration are generally carried out via consoles exposed on the Internet, unlike in on-premises environments.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">Microsoft has therefore defined a new model, the \u201cEnterpise Access Model\u201d, to take account of these new challenges. This article will look at how this model can be effectively implemented in a Microsoft cloud environment.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p>\u00a0<\/p>\n<h2 style=\"text-align: justify;\" aria-level=\"1\"><span data-contrast=\"none\">The Enterprise Access Model: a new model adapted to the needs of the cloud<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:240,&quot;335559739&quot;:0}\">\u00a0<\/span><\/h2>\n<p style=\"text-align: justify;\"><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">One of the key features of the Enterprise Access Model is the implementation of a privileged access mode for certain critical tasks and the management of a multitude of critical resources, either on-premises or in the Cloud.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\"> <img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-23129 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/2bis.jpg\" alt=\"\" width=\"840\" height=\"452\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/2bis.jpg 840w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/2bis-355x191.jpg 355w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/2bis-71x39.jpg 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/2bis-768x413.jpg 768w\" sizes=\"auto, (max-width: 840px) 100vw, 840px\" \/><\/span><\/p>\n<p style=\"text-align: center;\"><span data-contrast=\"none\">Source\u00a0 : <\/span><span data-contrast=\"none\">https:\/\/learn.microsoft.com\/en-us\/security\/privileged-access-workstations\/privilegedaccess-access-model<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"text-decoration: underline;\">Evolution of purpose and scope\u00a0\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"text-decoration: underline;\">Tier 0 -&gt; control plane\u00a0\u00a0\u00a0<\/span><\/p>\n<ul style=\"text-align: justify;\">\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"18\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">Control plane: includes management of all aspects of access control, identity management, and all elements that could jeopardize the tenant.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<p style=\"text-align: justify;\"><span style=\"text-decoration: underline;\">Tier 1 divided into 2 parts\u00a0\u00a0\u00a0<\/span><\/p>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"5\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">Management plane: management of the application infrastructure base, such as servers or configuration of PaaS (Platform as a Service) services.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Data\/Workload Plane: management and configuration of applications, resources, and APIs.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<p style=\"text-align: justify;\"><span style=\"text-decoration: underline;\">Tier 2 divided into 2 parts\u00a0\u00a0\u00a0<\/span><\/p>\n<ul>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"4\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">User access: includes B2B, B2C, and public access scenarios.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">App access: takes into account the attack surface of application-to-application exchanges via APIs.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<p style=\"text-align: justify;\"><span data-ccp-props=\"{&quot;335559685&quot;:720}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><b><span data-contrast=\"auto\">Which accounts should be included in the control plane?\u00a0<\/span><\/b><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">To define the accounts in the control plane, this article proposes an approach based on the criticality of the roles and the impact they can have on the cloud environment. If the role could have a systemic impact on the enterprise (destruction of a large part of the cloud and backups, for example), it should be managed in the control plane.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">Make sure to carry out a complete analysis, as some common roles, such as helpdesk administrator, with no critical privileges on direct resources, can take control of accounts that do!\u00a0\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-ccp-props=\"{}\">\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\"> <img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-23158 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/3artEN.png\" alt=\"\" width=\"855\" height=\"450\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/3artEN.png 855w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/3artEN-363x191.png 363w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/3artEN-71x37.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/3artEN-768x404.png 768w\" sizes=\"auto, (max-width: 855px) 100vw, 855px\" \/><\/span><\/p>\n<p style=\"text-align: center;\"><i><span data-contrast=\"auto\">Strategy based on criticality<\/span><\/i><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\">\u00a0<\/span><\/p>\n<p aria-level=\"1\">\u00a0<\/p>\n<h2 style=\"text-align: justify;\" aria-level=\"1\"><span data-contrast=\"none\">Optimizing security: applying the Enterprise Access Model to the Microsoft cloud\u00a0\u00a0<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:240,&quot;335559739&quot;:0}\">\u00a0<\/span><\/h2>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">At the heart of Microsoft&#8217;s cloud ecosystem are roles, an essential component that governs how users and services interact with cloud resources.\u00a0\u00a0\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">This section takes a deep dive into this crucial aspect of identity and access management in the cloud. The section will explain what Azure roles are, how they work, and why good management is crucial to the security and performance of a company\u2019s cloud infrastructure.\u00a0\u00a0\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<h3 style=\"text-align: justify;\"><b><span data-contrast=\"auto\">Organization of roles in Microsoft clouds:\u00a0<\/span><\/b><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/h3>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">Roles are a set of permissions that control who can access Azure resources and what actions they can perform.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\"> <img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-23148 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/4art.png\" alt=\"\" width=\"657\" height=\"527\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/4art.png 657w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/4art-238x191.png 238w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/4art-49x39.png 49w\" sizes=\"auto, (max-width: 657px) 100vw, 657px\" \/><\/span><\/p>\n<p style=\"text-align: center;\"><i><span data-contrast=\"auto\">Roles in Microsoft Cloud\u00a0<\/span><\/i><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">It&#8217;s important to differentiate between three types of roles:\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<ul>\n<li><span data-contrast=\"auto\">Azure roles are dedicated to accessing and managing Azure resources.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"\uf0b7\" data-font=\"Symbol\" data-listid=\"3\" data-list-defn-props=\"{&quot;335552541&quot;:1,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Symbol&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;\uf0b7&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"2\" data-aria-level=\"1\"><span data-contrast=\"auto\">Microsoft Entra roles are used to manage resources in the Microsoft Entra ID directory.\u00a0\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Microsoft Entra roles used to manage associated Office 365 resources.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<\/ul>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">It&#8217;s important to note that these roles can be <\/span><b><span data-contrast=\"auto\">interconnected<\/span><\/b><span data-contrast=\"auto\">.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<h3>\u00a0<\/h3>\n<h3 style=\"text-align: justify;\"><b><span data-contrast=\"auto\">Azure roles<\/span><\/b><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/h3>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">Azure roles are organized according to the principle of Role-Based Access Control (RBAC), which is an integrated feature of Microsoft&#8217;s Azure cloud platform.\u00a0\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">They are dedicated to the management and access of Azure resources, and encompass elements such as Azure virtual machines, SQL databases, services, as well as application services such as web apps.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">Azure role assignment is a key step in implementing access management in a cloud environment. It determines who has access to which resources, and what privileges are granted.\u00a0\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">\u2018Security Principals\u2019, on Azure, refers to the entities, including users, groups, or services, to which permissions are assigned. There are several types of security principals on Azure, which may or may not be human.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\"> <img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-23135 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/5art.jpg\" alt=\"\" width=\"703\" height=\"213\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/5art.jpg 703w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/5art-437x132.jpg 437w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/5art-71x22.jpg 71w\" sizes=\"auto, (max-width: 703px) 100vw, 703px\" \/><\/span><\/p>\n<p style=\"text-align: center;\"><i><span data-contrast=\"auto\">Security Principal<\/span><\/i><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">Scope, when assigning roles in Azure, is crucial in determining where permissions apply. It can be specified at different levels, as shown in the diagram below:\u00a0\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\"> <img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-23137 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/6art.jpg\" alt=\"\" width=\"644\" height=\"366\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/6art.jpg 644w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/6art-336x191.jpg 336w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/6art-69x39.jpg 69w\" sizes=\"auto, (max-width: 644px) 100vw, 644px\" \/><\/span><\/p>\n<p style=\"text-align: center;\"><i><span data-contrast=\"auto\">The scope of RBAC<\/span><\/i><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">To better understand role assignment as well as the strategy based on the criticality of roles, and their impact on the cloud in terms of their placement in the control plane, this article proposes two concrete examples:<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\"> <img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-23139 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/7art.jpg\" alt=\"\" width=\"962\" height=\"527\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/7art.jpg 962w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/7art-349x191.jpg 349w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/7art-71x39.jpg 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/7art-768x421.jpg 768w\" sizes=\"auto, (max-width: 962px) 100vw, 962px\" \/><\/span><\/p>\n<p style=\"text-align: center;\"><i><span data-contrast=\"auto\">Strategy application example<\/span><\/i><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">In example 1, a user is assigned the owner role (allowing him to read, write, and assign roles to other users throughout the scope to which the role is assigned), on the scope of a management group. In this example, the owner role is critical because the scope is very high-level: it will therefore have full authority over all subscriptions, resource groups, and resources in its management group. This is why the owner role is in the control plane.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">In example 2, a group is assigned the contributor role (allowing it to read and write to the entire scope to which the role is assigned), on the scope of a subscription. In this example, the impact is limited to one subscription, and therefore probably not systemic for the enterprise. This is why, in this case, the contributor role is in the management plane.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">The key takeaway from these examples is that the criticality of a role is not only related to its permissions but also to the scope over which it is assigned.\u00a0\u00a0\u00a0\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<h3 style=\"text-align: justify;\" aria-level=\"2\"><span data-contrast=\"none\">Segmentation between Microsoft Entra ID and Azure? The case of global admin\u00a0<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:40,&quot;335559739&quot;:0}\">\u00a0<\/span><\/h3>\n<p style=\"text-align: justify;\"><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">Microsoft Entra ID and Azure roles are defined independently: in Microsoft Entra ID and Azure RBAC respectively. This means that authorizations assigned to Microsoft Entra ID roles do not provide access to Azure resources, and vice versa. However, as global admin within Microsoft Entra ID, they can grant themselves access to all associated Azure subscriptions and management groups.\u00a0\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">When the global admin grants themselves access to Azure, they are assigned the role of user access administrator in the Azure management group root scope.\u202fThis enables them to view all resources and grant themselves access to any subscription or management group in the directory.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">It is therefore important to control who and how many people are assigned the global admin role, and to manage it in the <\/span><i><span data-contrast=\"auto\">Control Plane<\/span><\/i><span data-contrast=\"auto\">.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\"> <img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-23141 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/8art.jpg\" alt=\"\" width=\"673\" height=\"546\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/8art.jpg 673w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/8art-235x191.jpg 235w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/8art-48x39.jpg 48w\" sizes=\"auto, (max-width: 673px) 100vw, 673px\" \/><\/span><\/p>\n<p style=\"text-align: center;\"><i><span data-contrast=\"auto\">Global Admin Azure<\/span><\/i><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<h3 style=\"text-align: justify;\" aria-level=\"2\"><span data-contrast=\"none\">Privilege escalation through password reset and MFA\u00a0<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:40,&quot;335559739&quot;:0}\">\u00a0<\/span><\/h3>\n<p style=\"text-align: justify;\"><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">This method relies on exploiting privileges that allow passwords to be reset for user accounts or systems. Attackers often target specific roles that have this privilege because, once compromised, they can reset the passwords of more sensitive accounts and thus gain access to take control of critical systems.\u00a0\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">The table below highlights the Microsoft Entra ID roles that can reset the password of any subscription owner.\u00a0\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">Note that security measures such as MFA (Multi-Factor Authentication) can reduce this risk, as detailed in the rest of this article.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\"> <img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-23143 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/9art.jpg\" alt=\"\" width=\"930\" height=\"379\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/9art.jpg 930w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/9art-437x178.jpg 437w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/9art-71x29.jpg 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/9art-768x313.jpg 768w\" sizes=\"auto, (max-width: 930px) 100vw, 930px\" \/><\/span><\/p>\n<p style=\"text-align: center;\"><i><span data-contrast=\"auto\">Can a user with a role in column 1 reset the password of the user in row 1?\u00a0\u00a0<\/span><\/i><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><b><span data-contrast=\"auto\"><span style=\"text-decoration: underline;\">Attack scenario 1:<\/span> <\/span><\/b><span data-contrast=\"auto\">Escalation of privilege to an Azure role from a Microsoft Entra ID role:\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">A helpdesk administrator, which is a very common role in the enterprise, can reset the password of a subscription owner and thus access Azure from within Microsoft Entra ID. As a result, segmentation between the two worlds is no longer guaranteed.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><b><span data-contrast=\"auto\"><span style=\"text-decoration: underline;\">Attack scenario 2:<\/span> <\/span><\/b><span data-contrast=\"auto\">Escalation of privilege to a Microsoft Entra ID role from a Microsoft Entra ID role:\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">Within Microsoft Entra ID, privilege escalation from a helpdesk administrator to an Authentication Administrator is possible.\u00a0\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">These <\/span><b><span data-contrast=\"auto\">two scenarios<\/span><\/b><span data-contrast=\"auto\"> are no longer possible if MFA is set up, as the password alone cannot be used to authenticate to the account. In most cases, this security measure covers this type of privilege escalation. However, certain roles have the upper hand on both parameters, i.e. password reset and MFA setting, and it is not uncommon for user support to have this ability.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\"> <img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-23145 size-full\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/10art.jpg\" alt=\"\" width=\"885\" height=\"346\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/10art.jpg 885w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/10art-437x171.jpg 437w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/10art-71x28.jpg 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/10art-768x300.jpg 768w\" sizes=\"auto, (max-width: 885px) 100vw, 885px\" \/><\/span><\/p>\n<p style=\"text-align: center;\"><i><span data-contrast=\"auto\">Does a user with a role in column 1 have rights on the MFA?<\/span><\/i><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"text-decoration: underline;\"><b>Attack scenario 3: <\/b><\/span><span data-contrast=\"auto\">Privilege escalation from an authentication administrator to Azure or Microsoft Entra ID :\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">Here the authentication administrator is a role that can manage and reset the authentication methods of users who do not have an administrator role. In addition to being able to control the MFA, this role can also modify or reset the passwords of a large proportion of users. The tables above show that it can take on the role of a helpdesk administrator or a subscription owner.\u00a0\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">These roles need to be managed in the control plane to avoid privilege escalation scenarios and maintain the watertight seal between Microsoft Entra ID and Azure.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p>\u00a0<\/p>\n<h2 style=\"text-align: justify;\" aria-level=\"1\"><span data-contrast=\"none\">Reinforce your security, some examples of additional security measures<\/span><\/h2>\n<p style=\"text-align: justify;\" aria-level=\"2\"><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:40,&quot;335559739&quot;:0}\">\u00a0<\/span><\/p>\n<h3 style=\"text-align: justify;\"><span data-contrast=\"none\">Grant privileges to a managed identity rather than to a user<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/h3>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">To limit the risks associated with assigning control plane roles, it is recommended to use Managed Identities as alternatives to user authorizations, or Privileged Identity Management (PIM) to better manage high-privileged users. This approach limits the risk of privilege escalation.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">Managed Identities are authentication entities managed by Azure for applications and services. Rather than granting privileges to individual users, you can assign authorizations to the Managed Identities associated with these applications or services. <\/span><span data-contrast=\"auto\">This approach offers the following advantages:\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<ol>\n<li data-leveltext=\"%1.\" data-font=\"Tahoma\" data-listid=\"2\" data-list-defn-props=\"{&quot;335552541&quot;:0,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">Reduced credential exposure: using Managed Identities reduces the potential attack surface, as credentials are not exposed or shared.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Secure automation: applications and services using Managed Identities can automate tasks without the need for high-privileged user accounts.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"%1.\" data-font=\"Tahoma\" data-listid=\"2\" data-list-defn-props=\"{&quot;335552541&quot;:0,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"3\" data-aria-level=\"1\"><span data-contrast=\"auto\">Centralized control: authorizations are managed centrally, facilitating privilege management across the entire cloud environment.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<\/ol>\n<p style=\"text-align: justify;\"><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<h3 style=\"text-align: justify;\" aria-level=\"2\"><span data-contrast=\"none\">Limiting risks with Privileged Identity Management (PIM)\u00a0\u00a0<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:40,&quot;335559739&quot;:0}\">\u00a0<\/span><\/h3>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">When assigning high-privilege roles or control plane roles, especially to users, it is very important to control and monitor the assignment of these roles. The use of PIM, a feature that enables precise management of administrative privileges, may prove useful. PIM is based on:\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<ol>\n<li data-leveltext=\"%1.\" data-font=\"Tahoma\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:0,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"1\" data-aria-level=\"1\"><span data-contrast=\"auto\">Temporary elevation of privileges: users can be granted administrative privileges on a temporary basis to perform specific tasks, thus reducing the risks associated with permanent authorizations and errors.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Mandatory justification for elevated privileges.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<li data-leveltext=\"%1.\" data-font=\"Tahoma\" data-listid=\"1\" data-list-defn-props=\"{&quot;335552541&quot;:0,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769242&quot;:[65533,0],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;%1.&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" aria-setsize=\"-1\" data-aria-posinset=\"3\" data-aria-level=\"1\"><span data-contrast=\"auto\">Implementation of control and monitoring.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Creation of a workflow to validate privilege elevations: \/!\\ requires a high level of maturity to manage reactivity and HNO (non-working hours) requirements.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<\/ol>\n<p style=\"text-align: justify;\"><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">Securing a cloud environment is an essential concern. Attacks using the concepts and intricacies of cloud management will increase in the near future, therefore; it would be a loss to wait until attackers start dealing with this subject before companies start dealing with it properly.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">This article has <\/span><span data-contrast=\"auto\">explored various aspects of privilege management and security in the cloud, highlighting fundamental strategies and practices for effectively protecting the control plane, which brings together data and resources that are highly sensitive to the integrity of a company&#8217;s infrastructure.\u00a0\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">The article explored Microsoft&#8217;s enterprise access model, based on the \u201cZero Trust\u201d principle. This model offers a flexible and secure approach to access management in a cloud environment.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">It was<\/span><span data-contrast=\"auto\"> then presented that Microsoft Azure roles and some of the risks of privilege escalation, highlighting the importance of accurate authorization assignment and continuous monitoring to prevent abuse and potential threats.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">Securing the control plane in a cloud environment is of paramount importance in protecting a company&#8217;s sensitive data and resources. Exploring the strategies and best practices discussed in this article, it&#8217;s clear that every organization needs to carefully define its role model, ensuring that accounts and permissions are appropriately assigned in the control plane or management plane. It is imperative that measures are put in place to ensure the isolation of each plane, while paying particular attention to precise authorization management and continuous monitoring to prevent abuse and potential threats (including privilege escalation).\u00a0\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span data-contrast=\"auto\">Security in the cloud is no longer an option, but an absolute necessity!<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the age of hybrid information systems, securing cloud resources is a cornerstone of enterprise security. Faced with constantly evolving threats and increasingly complex IT environments, companies are seeking more effective and scalable cloud information systems and access management solutions.\u00a0\u00a0&#8230;<\/p>\n","protected":false},"author":1292,"featured_media":23122,"comment_status":"open","ping_status":"closed","sticky":true,"template":"page-templates\/tmpl-one.php","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[3977],"tags":[3399,4446,4445],"coauthors":[2863,4447,4293],"class_list":["post-23154","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-focus","tag-cloud-security-en","tag-control-plane-2","tag-enterprise-access-model-2"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Protecting the Control Plane: Critical Stakes in Cloud Security\u00a0 - RiskInsight<\/title>\n<meta name=\"description\" content=\"In the age of hybrid information systems, securing cloud resources is a cornerstone of enterprise security. Faced with constantly evolving threats and increasingly complex IT environments, companies are seeking more effective and scalable cloud information systems and access management solutions. To meet this challenge, Microsoft has defined the Enterprise Access Model, offering a new approach to identity and access management adapted to the reality of the cloud. This model promises to redefine how companies manage access to digital resources, whether within cloud solutions like Azure, Office 365 applications, or other strategic services. This article proposes a methodology and examples for implementing the Enterprise Access Model and defining criteria for assigning roles to the management plane or control plane. The article also aims to highlight the risks associated with poor implementation of the model, with concrete examples. Finally, it lists several best practices for configuring and managing the access model to help mitigate these risks.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/05\/protecting-the-control-plane-critical-stakes-in-cloud-security\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Protecting the Control Plane: Critical Stakes in Cloud Security\u00a0 - RiskInsight\" \/>\n<meta property=\"og:description\" content=\"In the age of hybrid information systems, securing cloud resources is a cornerstone of enterprise security. Faced with constantly evolving threats and increasingly complex IT environments, companies are seeking more effective and scalable cloud information systems and access management solutions. To meet this challenge, Microsoft has defined the Enterprise Access Model, offering a new approach to identity and access management adapted to the reality of the cloud. This model promises to redefine how companies manage access to digital resources, whether within cloud solutions like Azure, Office 365 applications, or other strategic services. This article proposes a methodology and examples for implementing the Enterprise Access Model and defining criteria for assigning roles to the management plane or control plane. The article also aims to highlight the risks associated with poor implementation of the model, with concrete examples. Finally, it lists several best practices for configuring and managing the access model to help mitigate these risks.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/05\/protecting-the-control-plane-critical-stakes-in-cloud-security\/\" \/>\n<meta property=\"og:site_name\" content=\"RiskInsight\" \/>\n<meta property=\"article:published_time\" content=\"2024-05-17T09:35:12+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-05-17T09:35:15+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/forest-3622519_1280.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1280\" \/>\n\t<meta property=\"og:image:height\" content=\"853\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Etienne Lafore, Romain SAVARIAU, Youssef Khouchaf\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Etienne Lafore, Romain SAVARIAU, Youssef Khouchaf\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/05\/protecting-the-control-plane-critical-stakes-in-cloud-security\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/05\/protecting-the-control-plane-critical-stakes-in-cloud-security\/\"},\"author\":{\"name\":\"Etienne Lafore\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/00ee9607d2b8cd5205bfe63b482a2b14\"},\"headline\":\"Protecting the Control Plane: Critical Stakes in Cloud Security\u00a0\",\"datePublished\":\"2024-05-17T09:35:12+00:00\",\"dateModified\":\"2024-05-17T09:35:15+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/05\/protecting-the-control-plane-critical-stakes-in-cloud-security\/\"},\"wordCount\":2199,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/05\/protecting-the-control-plane-critical-stakes-in-cloud-security\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/forest-3622519_1280.jpg\",\"keywords\":[\"cloud security\",\"control plane\",\"enterprise access model\"],\"articleSection\":[\"Focus\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/05\/protecting-the-control-plane-critical-stakes-in-cloud-security\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/05\/protecting-the-control-plane-critical-stakes-in-cloud-security\/\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/05\/protecting-the-control-plane-critical-stakes-in-cloud-security\/\",\"name\":\"Protecting the Control Plane: Critical Stakes in Cloud Security\u00a0 - RiskInsight\",\"isPartOf\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/05\/protecting-the-control-plane-critical-stakes-in-cloud-security\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/05\/protecting-the-control-plane-critical-stakes-in-cloud-security\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/forest-3622519_1280.jpg\",\"datePublished\":\"2024-05-17T09:35:12+00:00\",\"dateModified\":\"2024-05-17T09:35:15+00:00\",\"description\":\"In the age of hybrid information systems, securing cloud resources is a cornerstone of enterprise security. Faced with constantly evolving threats and increasingly complex IT environments, companies are seeking more effective and scalable cloud information systems and access management solutions. To meet this challenge, Microsoft has defined the Enterprise Access Model, offering a new approach to identity and access management adapted to the reality of the cloud. This model promises to redefine how companies manage access to digital resources, whether within cloud solutions like Azure, Office 365 applications, or other strategic services. This article proposes a methodology and examples for implementing the Enterprise Access Model and defining criteria for assigning roles to the management plane or control plane. The article also aims to highlight the risks associated with poor implementation of the model, with concrete examples. Finally, it lists several best practices for configuring and managing the access model to help mitigate these risks.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/05\/protecting-the-control-plane-critical-stakes-in-cloud-security\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/05\/protecting-the-control-plane-critical-stakes-in-cloud-security\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/05\/protecting-the-control-plane-critical-stakes-in-cloud-security\/#primaryimage\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/forest-3622519_1280.jpg\",\"contentUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/forest-3622519_1280.jpg\",\"width\":1280,\"height\":853},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/05\/protecting-the-control-plane-critical-stakes-in-cloud-security\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Protecting the Control Plane: Critical Stakes in Cloud Security\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#website\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\",\"name\":\"RiskInsight\",\"description\":\"The cybersecurity &amp; digital trust blog by Wavestone&#039;s consultants\",\"publisher\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.riskinsight-wavestone.com\/en\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\",\"name\":\"Wavestone\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png\",\"contentUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png\",\"width\":50,\"height\":50,\"caption\":\"Wavestone\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/00ee9607d2b8cd5205bfe63b482a2b14\",\"name\":\"Etienne Lafore\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/author\/etienne-lafore\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Protecting the Control Plane: Critical Stakes in Cloud Security\u00a0 - RiskInsight","description":"In the age of hybrid information systems, securing cloud resources is a cornerstone of enterprise security. Faced with constantly evolving threats and increasingly complex IT environments, companies are seeking more effective and scalable cloud information systems and access management solutions. To meet this challenge, Microsoft has defined the Enterprise Access Model, offering a new approach to identity and access management adapted to the reality of the cloud. This model promises to redefine how companies manage access to digital resources, whether within cloud solutions like Azure, Office 365 applications, or other strategic services. This article proposes a methodology and examples for implementing the Enterprise Access Model and defining criteria for assigning roles to the management plane or control plane. The article also aims to highlight the risks associated with poor implementation of the model, with concrete examples. Finally, it lists several best practices for configuring and managing the access model to help mitigate these risks.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/05\/protecting-the-control-plane-critical-stakes-in-cloud-security\/","og_locale":"en_US","og_type":"article","og_title":"Protecting the Control Plane: Critical Stakes in Cloud Security\u00a0 - RiskInsight","og_description":"In the age of hybrid information systems, securing cloud resources is a cornerstone of enterprise security. Faced with constantly evolving threats and increasingly complex IT environments, companies are seeking more effective and scalable cloud information systems and access management solutions. To meet this challenge, Microsoft has defined the Enterprise Access Model, offering a new approach to identity and access management adapted to the reality of the cloud. This model promises to redefine how companies manage access to digital resources, whether within cloud solutions like Azure, Office 365 applications, or other strategic services. This article proposes a methodology and examples for implementing the Enterprise Access Model and defining criteria for assigning roles to the management plane or control plane. The article also aims to highlight the risks associated with poor implementation of the model, with concrete examples. Finally, it lists several best practices for configuring and managing the access model to help mitigate these risks.","og_url":"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/05\/protecting-the-control-plane-critical-stakes-in-cloud-security\/","og_site_name":"RiskInsight","article_published_time":"2024-05-17T09:35:12+00:00","article_modified_time":"2024-05-17T09:35:15+00:00","og_image":[{"width":1280,"height":853,"url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/forest-3622519_1280.jpg","type":"image\/jpeg"}],"author":"Etienne Lafore, Romain SAVARIAU, Youssef Khouchaf","twitter_misc":{"Written by":"Etienne Lafore, Romain SAVARIAU, Youssef Khouchaf"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/05\/protecting-the-control-plane-critical-stakes-in-cloud-security\/#article","isPartOf":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/05\/protecting-the-control-plane-critical-stakes-in-cloud-security\/"},"author":{"name":"Etienne Lafore","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/00ee9607d2b8cd5205bfe63b482a2b14"},"headline":"Protecting the Control Plane: Critical Stakes in Cloud Security\u00a0","datePublished":"2024-05-17T09:35:12+00:00","dateModified":"2024-05-17T09:35:15+00:00","mainEntityOfPage":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/05\/protecting-the-control-plane-critical-stakes-in-cloud-security\/"},"wordCount":2199,"commentCount":0,"publisher":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/05\/protecting-the-control-plane-critical-stakes-in-cloud-security\/#primaryimage"},"thumbnailUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/forest-3622519_1280.jpg","keywords":["cloud security","control plane","enterprise access model"],"articleSection":["Focus"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.riskinsight-wavestone.com\/en\/2024\/05\/protecting-the-control-plane-critical-stakes-in-cloud-security\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/05\/protecting-the-control-plane-critical-stakes-in-cloud-security\/","url":"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/05\/protecting-the-control-plane-critical-stakes-in-cloud-security\/","name":"Protecting the Control Plane: Critical Stakes in Cloud Security\u00a0 - RiskInsight","isPartOf":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/05\/protecting-the-control-plane-critical-stakes-in-cloud-security\/#primaryimage"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/05\/protecting-the-control-plane-critical-stakes-in-cloud-security\/#primaryimage"},"thumbnailUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/forest-3622519_1280.jpg","datePublished":"2024-05-17T09:35:12+00:00","dateModified":"2024-05-17T09:35:15+00:00","description":"In the age of hybrid information systems, securing cloud resources is a cornerstone of enterprise security. Faced with constantly evolving threats and increasingly complex IT environments, companies are seeking more effective and scalable cloud information systems and access management solutions. To meet this challenge, Microsoft has defined the Enterprise Access Model, offering a new approach to identity and access management adapted to the reality of the cloud. This model promises to redefine how companies manage access to digital resources, whether within cloud solutions like Azure, Office 365 applications, or other strategic services. This article proposes a methodology and examples for implementing the Enterprise Access Model and defining criteria for assigning roles to the management plane or control plane. The article also aims to highlight the risks associated with poor implementation of the model, with concrete examples. Finally, it lists several best practices for configuring and managing the access model to help mitigate these risks.","breadcrumb":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/05\/protecting-the-control-plane-critical-stakes-in-cloud-security\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.riskinsight-wavestone.com\/en\/2024\/05\/protecting-the-control-plane-critical-stakes-in-cloud-security\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/05\/protecting-the-control-plane-critical-stakes-in-cloud-security\/#primaryimage","url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/forest-3622519_1280.jpg","contentUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/05\/forest-3622519_1280.jpg","width":1280,"height":853},{"@type":"BreadcrumbList","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/05\/protecting-the-control-plane-critical-stakes-in-cloud-security\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.riskinsight-wavestone.com\/en\/"},{"@type":"ListItem","position":2,"name":"Protecting the Control Plane: Critical Stakes in Cloud Security\u00a0"}]},{"@type":"WebSite","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#website","url":"https:\/\/www.riskinsight-wavestone.com\/en\/","name":"RiskInsight","description":"The cybersecurity &amp; digital trust blog by Wavestone&#039;s consultants","publisher":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.riskinsight-wavestone.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization","name":"Wavestone","url":"https:\/\/www.riskinsight-wavestone.com\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/","url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png","contentUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png","width":50,"height":50,"caption":"Wavestone"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/00ee9607d2b8cd5205bfe63b482a2b14","name":"Etienne Lafore","url":"https:\/\/www.riskinsight-wavestone.com\/en\/author\/etienne-lafore\/"}]}},"_links":{"self":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/23154","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/users\/1292"}],"replies":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/comments?post=23154"}],"version-history":[{"count":3,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/23154\/revisions"}],"predecessor-version":[{"id":23161,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/23154\/revisions\/23161"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/media\/23122"}],"wp:attachment":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/media?parent=23154"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/categories?post=23154"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/tags?post=23154"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/coauthors?post=23154"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}