AuditRubric
pr-aa-5 | critical | Protect / Identity Management, Authentication, and Access Control

Access permissions are defined in policy, enforced, and reviewed using least privilege and separation of duties

Over-permissioned accounts are a root cause of breaches going far beyond the initial point of entry. Least privilege limits what any single compromised account can access. Separation of duties prevents any one person from both initiating and approving sensitive actions, reducing insider risk and accidental misconfiguration.

Estimated effort: 6h
Tags: least-privilege, rbac, access-review, separation-of-duties
Complete first: pr-aa-1

Implementation steps

  1. Define a role-based access control model

     Map your business roles to permission sets. Each role should grant the minimum access needed for that job function. Document the roles, what they can access, and who approves membership in each role.

     Tools: okta, microsoft-entra, aws-iam, google-cloud-iam
  2. Remove or restrict standing privileged access

     Administrators should not have elevated permissions at all times. Use just-in-time (JIT) access elevation that grants admin rights only when needed and revokes them automatically. Require approval for sensitive access requests.

     Tools: cyberark, aws-iam-identity-center, microsoft-pim, teleport
  3. Enforce separation of duties for critical workflows

     Identify workflows where a single person could cause significant harm if acting alone: deploying to production, approving payments, modifying audit logs. Require a second approver for each of these actions.

  4. Conduct quarterly access reviews

     Every 90 days, have each manager review the access held by their direct reports. Flag and revoke access that is no longer appropriate. Document the review with a sign-off.

     Tools: sailpoint, saviynt, okta
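The four steps above can be checked mechanically against an entitlement export from the IdP or cloud IAM. The script below is an added example, not code from the rubric or from any of the vendors listed; the role catalogue, the conflicting role pairs and the account dump are constructed for illustration, and the field names (`roles`, `granted`, `idle_days`) are assumptions about the export format.

```python
# Added example: review an entitlement dump against a documented RBAC model.
# Flags permissions that no assigned role justifies (least privilege), role
# pairs one person must not hold together (separation of duties), and accounts
# idle past the 90-day review window. All data below is constructed.
from collections import defaultdict

ROLES = {  # job function -> minimum permission set (constructed catalogue)
    "developer": {"repo:read", "repo:write", "ci:run"},
    "release-engineer": {"deploy:execute"},
    "release-approver": {"deploy:approve"},
    "payments-clerk": {"payment:initiate"},
    "payments-controller": {"payment:approve"},
}
# Role pairs a single person must never hold at once (step 3 of the rubric).
SOD_CONFLICTS = [("release-engineer", "release-approver"),
                 ("payments-clerk", "payments-controller")]

# Constructed entitlement export: per account, the roles assigned, the
# permissions actually granted, and days since the last sign-in.
ACCOUNTS = {
    "alice": {"roles": {"developer"}, "granted": {"repo:read", "repo:write", "ci:run"}, "idle_days": 3},
    "bob":   {"roles": {"developer"}, "granted": {"repo:read", "repo:write", "ci:run", "deploy:execute"}, "idle_days": 12},
    "carol": {"roles": {"release-engineer", "release-approver"}, "granted": {"deploy:execute", "deploy:approve"}, "idle_days": 1},
    "dave":  {"roles": {"payments-clerk"}, "granted": {"payment:initiate"}, "idle_days": 140},
}

def review_access(accounts, roles=ROLES, sod_conflicts=SOD_CONFLICTS, max_idle_days=90):
    """Return {account: [finding, ...]} for the reviewer to sign off; {} means clean."""
    findings = defaultdict(list)
    for name, acct in accounts.items():
        # Least privilege: everything the assigned roles together permit.
        justified = set().union(*(roles.get(r, set()) for r in acct["roles"]))
        for perm in sorted(acct["granted"] - justified):
            findings[name].append(f"revoke {perm}: not justified by roles {sorted(acct['roles'])}")
        # Separation of duties: nobody both executes and approves the same workflow.
        for a, b in sod_conflicts:
            if {a, b} <= acct["roles"]:
                findings[name].append(f"sod conflict: holds both {a} and {b}")
        # Dormant accounts are revocation candidates at the quarterly review.
        if acct["idle_days"] > max_idle_days:
            findings[name].append(f"dormant: no sign-in for {acct['idle_days']} days")
    return dict(findings)

if __name__ == "__main__":
    for account, items in review_access(ACCOUNTS).items():
        print(account)
        for item in items:
            print("  -", item)
```

The output is the list of revocations and conflicts that the signed-off review spreadsheet under "Evidence required" should record.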

Evidence required

RBAC role definitions

Documentation of defined roles, associated permissions, and who approves role assignments.

  • IAM role policy documents from AWS or GCP
  • IdP group definitions with linked application permissions
  • Spreadsheet or wiki mapping roles to system access

JIT or privileged access configuration

Evidence that standing privileged access is limited and JIT elevation is in use.

  • Microsoft Entra PIM activation policy screenshot
  • AWS IAM Identity Center permission set assignment logs
  • Teleport access request workflow configuration

Completed access review

Documentation of a completed access review from the last 90 days.

  • Signed-off access review spreadsheet with reviewer and date
  • Ticket showing the access review task completed, with the list of revocations
  • SailPoint or Saviynt access review campaign results

Related controls