ASD's Blueprint for Secure Cloud

Identity Governance

This section describes the design decisions associated with entitlement management and access to workloads and landing zones for system(s) built using ASD's Blueprint for Secure Cloud.


Identity Governance encompasses:

  • Entitlement Management - the automation of request and approval workflows for access to groups, applications and sites
  • Access Reviews - enforcing review and expiry of continued access to these groups, applications and sites

Entitlement Management delegates the management of user permissions from the Platform Administrators to the resource owners. Access Packages provide access to Azure resources, applications, and SharePoint sites using Entra ID group membership. This method is preferred over direct group assignment as it requires that access is explicitly sought by the requester and granted by the owner on a “business need” basis.

Access Management delegates the management of continued access from the Platform Owner to the entitlement owner. This provides a review process for the assignment of users to groups, and can be carried out for directly assigned users (via Groups), Security Groups (via Entitlement Management) and Privileged Groups (via Privileged Identity Management). Access Reviews must be carried out for all group memberships on a six-monthly basis.

Access Reviews

A base recommendation for access reviews is below. However, organisations should review and update these configurations based on their risk appetite and organisational policies.

Review Type                                 | Reviewer               | Recurrence
--------------------------------------------|------------------------|------------
Privileged Access - Global Administrators   | Organisation Decision  | 6 monthly
Privileged Access - Privileged Group        | Global Administrators  | 6 monthly
Privileged Access - Entra ID Role           | Global Administrators  | 6 monthly
Workloads (Applications)                    | Application Owner      | 6 monthly
Other Security Groups                       | Group Owner            | As required
Microsoft 365 Groups                        | Group Owner            | 6 monthly
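The following is an added example, not part of the Blueprint, showing how one row of the table above (Microsoft 365 Groups, reviewed by the Group Owner every 6 months) can be implemented as a recurring access review definition through Microsoft Graph PowerShell. It assumes the Microsoft.Graph.Identity.Governance module is installed, the signed-in account holds the AccessReview.ReadWrite.All permission, $groupId is a placeholder for the target group's object id, and the review window, default decision and auto-apply settings are assumed hardening choices that the page itself does not specify.

```powershell
# Added example (not Blueprint code): six-monthly membership review of one
# Microsoft 365 group, with the group's owners as reviewers.
# Assumptions: Microsoft.Graph.Identity.Governance module installed; caller holds
# AccessReview.ReadWrite.All; $groupId is a placeholder object id.
Import-Module Microsoft.Graph.Identity.Governance
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

$groupId = "00000000-0000-0000-0000-000000000000"   # placeholder: M365 group object id

$params = @{
    displayName             = "Six-monthly membership review - Group owners"
    descriptionForAdmins    = "Blueprint: review continued group membership every 6 months"
    descriptionForReviewers = "Confirm each member still has a business need for this group"
    # Scope: every transitive member of the group is reviewed.
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups/$groupId/transitiveMembers"
        queryType     = "MicrosoftGraph"
    }
    # Reviewers: the group owners, matching the "Group Owner" column above.
    reviewers = @(
        @{
            query     = "/groups/$groupId/owners"
            queryType = "MicrosoftGraph"
        }
    )
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        recommendationsEnabled          = $true
        # Assumed choices (not stated on the page): a 14-day review window, and
        # members the owner does not explicitly approve are denied and removed
        # when the window closes, so lapsed reviews fail closed.
        instanceDurationInDays    = 14
        defaultDecisionEnabled    = $true
        defaultDecision           = "Deny"
        autoApplyDecisionsEnabled = $true
        # Recurrence: every 6 months, no end date (the "6 monthly" column above).
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 6; dayOfMonth = 0 }
            range   = @{ type = "noEnd"; startDate = (Get-Date -Format "yyyy-MM-dd") }
        }
    }
}

$definition = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $params
$definition | Select-Object Id, DisplayName, Status
```

The same definition can be reused for the Security Group and Application rows by changing the scope query and the reviewer query to the relevant group or application owner.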

Security & Governance

  • None identified
