Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

The value of PIM without approvals

Copper Contributor

It seems that for Privileged Identity Management (PIM) to be effective you would always need to "require approval" for each role. Is there any security benefit to PIM without using this feature? It would seem that if an account is compromised the bad actor could simply activate the role themself if no approval is required.

3 Replies
best response confirmed by woettmeier (Copper Contributor)
Solution
Two advantages IMO:
- One access is JIT. Sure an attacker can activate the role, but it's an extra step to make the life of an attacker harder
- Auditing. With PIM you have an audit trail when and why a role was activated
I agree with William Oettmeier. At least PIM should be complemented with a robust audit applied to the roles' activation and the activities privileges role are performing. A kind of Privileged Access Management.
It's security through obscurity and allows the implementer to check the "JIT" and "Privileged Access Management" boxes, without taking any responsibility what so ever. It is beyond stupid.


.... IMO.
1 best response

Accepted Solutions
best response confirmed by woettmeier (Copper Contributor)
Solution
Two advantages IMO:
- One access is JIT. Sure an attacker can activate the role, but it's an extra step to make the life of an attacker harder
- Auditing. With PIM you have an audit trail when and why a role was activated

View solution in original post