{"id":25214,"date":"2025-01-27T07:38:19","date_gmt":"2025-01-27T06:38:19","guid":{"rendered":"https:\/\/www.riskinsight-wavestone.com\/?p=25214"},"modified":"2025-01-27T07:38:20","modified_gmt":"2025-01-27T06:38:20","slug":"enterprise-access-model-1-2-how-to-scope-your-control-plane-to-secure-your-cloud-administration-and-prevent-a-global-cloud-compromise","status":"publish","type":"post","link":"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/01\/enterprise-access-model-1-2-how-to-scope-your-control-plane-to-secure-your-cloud-administration-and-prevent-a-global-cloud-compromise\/","title":{"rendered":"Enterprise Access Model (1\/2): How to scope your Control Plane to secure your Cloud Administration and prevent a global Cloud compromise"},"content":{"rendered":"\n

\u00a0<\/p>\n

This article is the first of a series of 2, tackling the implementation of the Enterprise Access Model, an administration model proposed by Microsoft to secure the administration of Cloud environments.\u00a0<\/span><\/i>\u00a0<\/span><\/p>\n

Today, most companies use public cloud to host numerous workloads from business to functional services. Although this brings benefits, the Cloud also introduces new paradigms, which need to be understood clearly in order to be secured.<\/span>\u00a0<\/span><\/p>\n

Historically, enterprises have relied on a 3-tier model for securing Active Directory environments. This model segments the network into three distinct tiers: Tier 0 for highly sensitive systems and data, Tier 1 for server administration, and Tier 2 for end-user workstations and devices. While this model has proven effective in on-premises environments, the shift to cloud-based infrastructures requires a reevaluation of its applicability.<\/span>\u00a0<\/span><\/p>\n

This article delves into a recent, concerning trend: the global compromise of Entra ID, originating from the compromise of a helpdesk account. Such an attack can have severe repercussions, even more so than an AD Domain Administrator compromise. We will explore the mechanisms behind these attacks, their implications, and, most importantly, how we should protect against this kind of privilege escalation and implement an adapted and secured administration model.<\/span>\u00a0<\/span><\/p>\n

\u00a0<\/span><\/p>\n

Understanding Entra ID, Active Directory, and Azure Permissions<\/span><\/b>\u00a0<\/span><\/h2>\n

As shown in <\/span>Figure 1<\/span>, Active Directory and Entra ID (formerly Azure Active Directory) are two Identity services with different structural properties and IAM protocols. While Entra ID focuses on identity and access management across both cloud and on-premises environments, providing authentication and user management, Azure permissions extend to the broader management of cloud infrastructure and services. Understanding the distinctions and interconnections between these tools is essential for maintaining robust security and effective access control in modern enterprise environments.<\/span>\u00a0<\/span>\"Figure<\/span><\/i><\/p>\n

Figure <\/i>1<\/i>: Active Directory and Entra ID key differences<\/i><\/span><\/p>\n

\u00a0<\/p>\n

Between Active Directory, Entra ID, and Azure- each manages its own permission model:<\/span>\u00a0<\/span><\/p>\n