Manage Azure identity security risks with k9 Security

Simplify IAM Security for Azure

Now you can quickly identify risks to Microsoft Azure subscriptions from unintended privileged principals and prevent outages caused by expiring credentials with the k9 Security Access Analyzer for Azure. The flexibility of the Azure authentication and authorization system can create latent risks for customers from unintentionally provisioned excess permissions and unmanaged credentials. With k9 Security, customers can easily identify Azure IAM admins and credentials that should be remediated, ensuring the security and compliance of their Azure environments. This release is now available for OEM integration.

Address Azure Identity Security Challenges

Organizations using Azure need efficient cloud access governance workflows. However, it is too difficult to audit Azure access permissions quickly and confidently, and just-in-time access workflows lack the context to make good decisions. The Azure RBAC role assignment model grants Azure permissions to an Entra principal by assigning roles at any level of an Azure account’s hierarchy, and every assignment is inherited by the scopes beneath it. This often leads to unintended role inheritance and overly permissive role assignments. Without help, security auditors and access reviewers are unable to determine whether a person’s or application’s cloud access is appropriate.

There is also no easy way to review your Entra Service Principal credentials. A service principal can have anywhere from zero to many (hundreds!) client secrets. Teams risk the potential impact of compromised credentials because there is no sustainable way to see which credentials exist and, of those, which need rotation.

Streamline Azure IAM Access Review

k9 Security reports Azure IAM access entitlements and other critical data supporting identity security for Entra users and service principals in your Azure subscriptions. With k9’s simplified access capability model you can easily identify unintended Azure IAM admins. k9 Security also reports the credentials each principal has in a simplified, consistent view so you can quickly identify credentials that should be revoked or rotated. k9 Security delivers reports, designed to be consumed by both people and cloud security products, to a customer- or partner-managed Amazon S3 bucket.

Audit Azure IAM Admins

k9 Security enables quick identification of principals that can administer the security policies in the subscription that authorize access to Azure APIs and resources — and thus have privileged access within a subscription. k9 Security analyzes access to the Azure Authorization service and reports the effective access each principal has to the service. You can quickly identify principals that are IAM admins using the k9 Security ‘Principals’ view. 

Figure 1. Quickly Identify Azure IAM admins in Principals view

The Principals view reports whether a principal is an IAM admin in the ‘Principal is IAM Admin’ column. Admins can also be identified by filtering the ‘Principal Access Summaries’ view to the Azure service ‘Authorization’ and the access capability ‘administer-resource’. k9 Security currently classifies 37 Authorization service permissions to the administer-resource capability. The Principals view reports additional information critical to identity security and access governance: creation time, last used time, whether MFA is enabled, and the types of active credentials.
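To make the inheritance problem concrete, here is an added example (not k9 Security’s code) that resolves which principals can write role assignments at a given scope. The role definitions and assignments are constructed samples modelled on the built-in Owner, Contributor, User Access Administrator and Reader roles; it checks one representative Authorization action rather than k9’s full set of 37, and ignores deny assignments, conditions and management-group scopes.

```python
from fnmatch import fnmatchcase

# Constructed role definitions (modelled on Azure built-in roles). Actions use
# Azure's '*' wildcard syntax; notActions subtract from actions.
ROLE_DEFINITIONS = {
    "Owner": {"actions": ["*"], "notActions": []},
    "Contributor": {"actions": ["*"],
                    "notActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/elevateAccess/Action"]},
    "User Access Administrator": {"actions": ["*/read", "Microsoft.Authorization/*"],
                                  "notActions": []},
    "Reader": {"actions": ["*/read"], "notActions": []},
}

# Constructed role assignments: (principal, role, scope). Scopes nest by path,
# so an assignment at the subscription applies to every resource group under it.
ROLE_ASSIGNMENTS = [
    ("alice", "Owner", "/subscriptions/sub-1"),
    ("bob", "Contributor", "/subscriptions/sub-1"),
    ("ci-app", "User Access Administrator", "/subscriptions/sub-1/resourceGroups/rg-prod"),
    ("carol", "Reader", "/subscriptions/sub-1"),
]

# A representative Authorization-service action: writing role assignments.
ADMIN_ACTION = "Microsoft.Authorization/roleAssignments/write"

def action_matches(pattern, action):
    # Azure action strings are compared case-insensitively with '*' wildcards.
    return fnmatchcase(action.lower(), pattern.lower())

def role_allows(role, action):
    d = ROLE_DEFINITIONS[role]
    allowed = any(action_matches(p, action) for p in d["actions"])
    denied = any(action_matches(p, action) for p in d["notActions"])
    return allowed and not denied

def scope_covers(assigned_scope, target_scope):
    # Inheritance: an assignment covers its own scope and everything beneath it.
    a, t = assigned_scope.lower(), target_scope.lower()
    return t == a or t.startswith(a + "/")

def iam_admins(target_scope, assignments=ROLE_ASSIGNMENTS):
    """Principals whose inherited or direct role lets them write role assignments at target_scope."""
    return sorted({p for p, role, scope in assignments
                   if scope_covers(scope, target_scope) and role_allows(role, ADMIN_ACTION)})
```

Note that Contributor is excluded only because of its notActions, and that ci-app is an admin of rg-prod but not of sibling resource groups.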

Review Entra Principal Credentials

k9 Security enables quick review of the most common types of credentials used to authenticate Entra principals.

  • Users: Password
  • Service Principals: Certificate Key, OAuth2 Client Secret

The Credentials view aggregates and normalizes information about all the credentials for each principal in the Entra directory associated with the subscription into a single view:

Figure 2. Identify credentials that need attention in Credentials view

This capability is especially useful for identifying Service Principal credentials that are nearing expiration and must be rotated to avoid a service outage. k9 reports the period during which each client secret and certificate key is valid, together with the number of days until it expires, so you can alert on secret expiration and rotate proactively instead of reacting to a service outage.
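The following is an added example, not k9 Security’s code, showing the expiry check the paragraph describes: each credential’s validity window is turned into days-until-expiry and a status that an alert can key on. The sample principals and credentials are constructed; the object shape (keyId, startDateTime, endDateTime) is assumed to follow the Microsoft Graph passwordCredential and keyCredential fields, and "now" is fixed so the results are reproducible.

```python
from datetime import datetime, timezone

# Fixed reference time so the report is reproducible (constructed).
NOW = datetime(2024, 11, 15, tzinfo=timezone.utc)

# Constructed sample: credentials per service principal, shaped like Graph
# passwordCredential (client secrets) and keyCredential (certificate keys).
SAMPLE = {
    "payments-api": {
        "passwordCredentials": [
            {"keyId": "s-1", "startDateTime": "2023-11-01T00:00:00Z", "endDateTime": "2024-11-20T00:00:00Z"},
            {"keyId": "s-2", "startDateTime": "2024-10-01T00:00:00Z", "endDateTime": "2026-10-01T00:00:00Z"},
        ],
        "keyCredentials": [
            {"keyId": "k-1", "startDateTime": "2022-01-01T00:00:00Z", "endDateTime": "2024-01-01T00:00:00Z"},
        ],
    },
    "etl-job": {"passwordCredentials": [], "keyCredentials": []},
}

def parse_ts(ts):
    # Graph timestamps end in 'Z'; normalise so fromisoformat accepts them on older Pythons.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def classify(cred, now=NOW, warn_days=30):
    """Return (days_until_expiry, status) for one credential."""
    start, end = parse_ts(cred["startDateTime"]), parse_ts(cred["endDateTime"])
    days = (end - now).days
    if now < start:
        status = "not-yet-valid"
    elif days < 0:
        status = "expired"      # still present on the principal: revoke it
    elif days <= warn_days:
        status = "expiring"     # rotate before it causes an outage
    else:
        status = "ok"
    return days, status

def credential_report(principals=SAMPLE, now=NOW, warn_days=30):
    """Flatten every principal's secrets and certificate keys into one normalised row list."""
    rows = []
    for name, creds in principals.items():
        for kind, field in (("client-secret", "passwordCredentials"), ("certificate-key", "keyCredentials")):
            for c in creds[field]:
                days, status = classify(c, now, warn_days)
                rows.append({"principal": name, "type": kind, "keyId": c["keyId"],
                             "days_until_expiry": days, "status": status})
    return rows

def needs_attention(rows):
    # The subset an alerting rule would act on: expired (revoke) or expiring (rotate).
    return [r for r in rows if r["status"] in ("expired", "expiring")]
```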

“Many Azure users told us that understanding who has access to what in Azure and what credentials are in use caused poor security, delays in delivery, and even outages. So k9 Security is simplifying the essential cloud security practices for Azure so that every practitioner can understand effective access and make great identity security decisions from within their current workflows and preferred tools.”

–Stephen Kuenzli, Founder, k9 Security

Launch multi-cloud access governance at your next conference

The k9 Security access analyzer suite now supports both Azure and Amazon Web Services, available as native integrations for OEM customers. k9 Security’s OEM program helps cloud and security product companies reduce time to market for cloud access governance with proven security workflows and technology for Azure and AWS. 

k9 Security helps OEMs design world-class cloud access governance workflows tailored to the OEM’s customers and users. Then k9 Security helps OEMs integrate the k9 Security service via SaaS, partner-hosted, or customer-hosted deployments. Finally, k9 Security helps OEMs iterate on the user-experience to maximize end-user productivity and customer value.

Getting Started with k9 for Azure

Take the next step in Azure identity security and learn more about how Azure or AWS OEM integration works.

Contact us via the form or email us at [email protected].

FAQ 

Learn more about simplifying IAM Security for Azure:

Q1. How can I evaluate k9 Security for my organization?

For OEM integration discussions and evaluation, you can:

Q2. When will this be available?

The service launched on November 15, 2024 for OEM integration partners.

Q3. Is AWS support also available?

Yes, k9 Security supports AWS for direct SaaS customers and OEM partners.

Q4. What types of Microsoft Entra credentials does k9 Security monitor?

The system monitors several credential types:

  • For Users: Passwords
  • For Service Principals: Certificate Keys and OAuth2 Client Secrets

Q5. Is this a standalone product or for OEM only? 

Currently this is an OEM offering only; however, k9 plans to ship our solution for direct customers in 2025 H1. Please reach out if you are interested.

Resources