Prisma Access & Cloud Dynamic User Groups Find Risky Users

Aug 04, 2023
4 minutes

Prisma Access, the cloud-delivered security service edge platform from Palo Alto Networks, expands ZTNA 2.0 coverage to Microsoft Azure AD with Cloud Dynamic User Groups (CDUGs) to identify risky users and mitigate their behavior.

Imagine if there was a way to audit internal threats by tracking suspicious user behavior. Would it prevent data exfiltration? Would it reduce international cybercrime?

Time after time, we are seeing super users abuse their privilege to leak private information. These users are often grouped based on company hierarchy (for example, financial analysts may all be together within the “finance” group and provided the same, broad permissions). However, these examples show that a user’s access to specific resources must be determined by more than just their position or title within an organization as IP and user groups are not sufficient to catch these forms of attack.

To achieve a zero-trust posture, user access must change automatically and daily when new information indicates that their access trust level may need to be reduced, additional identity factors verified, or activity investigated.

Cloud Dynamic User Groups (CDUGs) address this challenge by allowing businesses and organizations to create new groups directly in Cloud Identity Engine (CIE) based on many different data points. This simplifies monitoring and controlling access for IT administrators and reduces the mean time to remediate malicious activity.

Cloud Dynamic User Groups (CDUGs)

CDUGs help you create policies that auto-remediate for anomalous user behavior and malicious activity while maintaining user visibility. The low-fidelity enablement applies user attributes and security context as filtering criteria to enable customers to automatically add and remove users as members. These groups can then be added to a policy like those already synchronizing through CIE Directory Synchronization Service.

Businesses and organizations can create two new categories for user groups:

  • Attribute-Based Groups: Through CIE, administrators can select any user attributes the connected directory provides as filtering criteria for group membership. As a user's attributes change, they will be added to or removed from the group. Additionally, organizations using Azure AD Identity Protection User Risk Scores will be able to select and filter by risk levels and specific risk detections.
  • On-Demand Assignment Groups: Unlike Attribute-Based Groups that require filtering criteria based on user attributes and security context to add and remove users, On-Demand Assignment Groups allow the administrator to manually select individual users to add or remove users from groups.

Attribute-Based and On-Demand Assignment Groups are not synchronized back to the directory source and are only shared with Palo Alto Networks solutions.

Enabling Least Privilege Access with Behavior-Based Access Policies Through Microsoft Azure AD User Risk Score Ingestion

Microsoft Azure AD user risk scores provide IT and security administrators with a way to quickly evaluate the risk a user brings to the network.

For example, let’s consider an engineer with access to code running in production as an example of how this works. If this user’s credentials are stolen or used in circumstances that could be considered suspicious (for example, a new location, odd hours), Microsoft Azure AD may assign them a high-risk score.

If a CDUG has been created with a filter only to add high-risk engineers whose credentials were leaked, CIE will receive this information and change the user’s cloud dynamic user group membership.

From this point, new policies will be applied to the user as created by the firewall or Prisma Access team, which may include but is not limited to increased decryption, blocking specific resources, etc. Once the issue is resolved—let’s say the engineer changes their credentials—CIE will remove the user from the high-risk group, and their access will return to its normal state.

The principle of least privilege requires that a user is granted the minimum level of access to any application or resource necessary to perform an authorized task and nothing else.

By integrating Microsoft Azure AD user risk scores and the CDUGs within CIE, organizations can genuinely follow least-privileged access as outlined in ZTNA 2.0. CIE goes beyond simple point-in-time trust assurances (as in ZTNA 1.0) with an infrastructure set to provide better access control decisions.

The architecture established with ZTNA 2.0 allows organizations to enable targeted access for users to a specific application while continuously reacting to changes in real-time, ultimately reducing the attack surface while enforcing true least privilege access based on user risk signals learned from Microsoft Azure AD.

Fig 1: Example of assigning a group to engineers that have a high risk in Microsoft Azure AD.

Enable your least privilege goals by connecting Azure AD to CIE today.

Subscribe to Sase Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.