Security Today - Conditional Access and Ongoing Monitoring
(A.K.A. "Not today, Satan. Not Today").
In a fast-changing digital world, companies face new threats that old-school, perimeter-based security just can't handle. That's why conditional and context-aware access, combined with ongoing monitoring and sound governance, matters so much. With these strategies, access isn't just a question of who you are: it also depends on where you're logging in from, what kind of device you're using, and what else is going on at that moment. Continuous monitoring, in turn, catches permission creep (privileges that accumulate over time and never get removed) and stops people from reaching things they shouldn't.
For example, imagine a global business whose employees work remotely from all over the place on different devices. With conditional access policies in place, a login from an odd location or an untrusted device can be blocked or limited even when the password is right, keeping sensitive information out of reach. Meanwhile, continuous monitoring flags unusual activity right away, so issues get fixed fast and only the right people keep access. Risk goes down, compliance gets easier, and it's clear why these modern security steps are so important for keeping organizations safe today.
These principles reflect a modern approach where the identity becomes the gatekeeper, constantly checking the user, the device, and the context against narrowly defined permissions.
Principle 1: Centralized Identity as the Core Security Boundary
AWS
- Uses IAM as the foundation for identity controls.
- Recommends IAM Identity Center (SSO) to unify identities across environments.
Azure (Microsoft Entra ID)
- Employs Entra ID as the central identity hub.
- Supports security and detection strategies anchored on centralized identity management.
Google Cloud
- Utilizes Cloud Identity for unified identity management.
- Provides a single console for centralized oversight.
Principle 2: Least Privilege and Role-Defined Permissions
AWS
- Promotes least privilege through fine-grained IAM roles and policies.
- Provides IAM Access Analyzer for tailored permissions.
- Supports permissions boundaries to restrict delegated roles.
Azure
- Implements granular access with Azure RBAC.
- Assigns privileges at different scopes to limit access appropriately.
Google Cloud
- Uses IAM roles for detailed permission management.
- Allows assignment of the minimum necessary privileges to users and services.
Principle 3: Strong Authentication Through MFA
AWS
- Encourages enabling MFA, especially for privileged accounts.
Azure
- Mandates MFA for many users.
- Offers advanced options like FIDO2 keys and Windows Hello.
Google Cloud
- Provides various MFA options, including Titan Security Keys for enhanced protection.
Principle 4: Favoring Temporary Credentials
AWS
- Directs users to federate via IdPs for session-based credentials.
- Workloads use short-lived, role-based credentials.
Azure
- Advises moving service accounts to secure workload identities that avoid user-managed secrets.
Google Cloud
- Supports temporary credentials and service account keys with limited lifespans.
Principle 5: Single Sign-On (SSO) and Federation
AWS
- IAM Identity Center serves as the platform's SSO hub.
Azure
- Entra ID facilitates SSO for thousands of integrated apps.
Google Cloud
- Enables SSO and federation for numerous applications using Cloud Identity.
Principle 6: Conditional and Contextual Authorization
AWS
- Offers conditional policies based on attributes and context (device, location, etc.).
Azure
- Uses Entra ID Protection to identify suspicious sign-ins and trigger adaptive Conditional Access.
Google Cloud
- Delivers Context-aware Access that dynamically adjusts permissions in real time.
Principle 7: Ongoing Monitoring and Robust Governance
AWS
- Logs all actions for auditability.
- IAM Access Analyzer checks for unintended access.
- Emphasizes regular access reviews.
Azure
- Advocates formal governance and routine access audits.
- Periodic removal of unused roles/users is recommended.
Google Cloud
- Maintains comprehensive audit logs.
- Promotes ongoing review and adjustment of access privileges.
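To make Principle 6 concrete, here is an added Python example (it is not from the original post and is not any provider's evaluation engine): a simplified evaluator for an IAM-style policy whose statements carry Condition blocks, so that the same identity is allowed or denied depending on context. The policy document is constructed for illustration; `aws:MultiFactorAuthPresent` and `aws:SourceIp` are real AWS condition keys, but the evaluator is a teaching model that covers only the `Bool`, `IpAddress` and `StringEquals` operators, treats a missing context key as a failed condition, lets an explicit Deny win over Allow, and denies by default.

```python
import ipaddress

# Constructed sample policy in the shape of an AWS IAM identity policy.
# Reads are allowed only with MFA present and from two corporate ranges
# (RFC 5737 documentation addresses); anything without MFA is explicitly denied.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": "*",
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "IpAddress": {"aws:SourceIp": ["203.0.113.0/24", "198.51.100.0/24"]},
            },
        },
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    # Simplified wildcard handling: "*" alone or a trailing "*" prefix match.
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def _condition_holds(condition: dict, ctx: dict) -> bool:
    """Every operator/key pair must hold; a key absent from the context fails."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                nets = [ipaddress.ip_network(n, strict=False) for n in _as_list(expected)]
                if not any(ip in net for net in nets):
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(policy: dict, action: str, ctx: dict) -> str:
    """Return 'Allow' or 'Deny' for one action under the request context.

    Explicit Deny wins as soon as it matches; otherwise an applicable Allow is
    needed, and the default outcome is Deny (simplified IAM evaluation model).
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    # Same identity, same action, different context: only the first request passes.
    for ctx in (
        {"aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "203.0.113.7"},
        {"aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "192.0.2.5"},
        {"aws:MultiFactorAuthPresent": "false", "aws:SourceIp": "203.0.113.7"},
    ):
        print(ctx, "->", evaluate(POLICY, "s3:GetObject", ctx))
```

The point to notice is the third request: the password (or session) was valid, yet the explicit Deny statement fires because MFA was absent, which is exactly the "right credentials, wrong context" case the post describes. Real cloud engines add resource matching, policy types, and many more operators, so treat this as the shape of the idea, not a drop-in evaluator.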
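As an added example for Principle 7 (not part of the original post, and not any provider's tool), the following Python script models the unused-access review that audit logs and access-review processes are meant to support: it compares each principal's granted actions against the actions it actually exercised during a review window, and lists principals that showed no activity at all. The grant inventory, the review date and the log lines are all constructed; the flat "timestamp principal action" log format is an assumption made to keep the example self-contained.

```python
from datetime import datetime, timedelta, timezone

# Constructed grant inventory: the actions each principal is currently allowed.
GRANTS = {
    "role/ci-deployer": {"s3:PutObject", "s3:GetObject", "iam:PassRole", "ec2:TerminateInstances"},
    "user/alice": {"s3:GetObject", "s3:ListBucket"},
    "user/bob-contractor": {"s3:GetObject"},
}

# Constructed audit-log lines (assumed flat format: ISO timestamp, principal, action).
AUDIT_LOG = """\
2024-05-01T08:00:00Z role/ci-deployer s3:PutObject
2024-05-01T08:00:01Z role/ci-deployer s3:GetObject
2024-05-20T09:15:00Z user/alice s3:ListBucket
2024-05-21T10:00:00Z user/alice s3:GetObject
2024-02-02T11:00:00Z user/bob-contractor s3:GetObject
"""

# Constructed review date; a real job would use the current time.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_log(text: str):
    """Parse the constructed log into (timestamp, principal, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, principal, action = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), principal, action))
    return events


def find_unused(grants: dict, events, now: datetime, window_days: int = 90):
    """Return (unused, dormant).

    unused:  {principal: sorted list of granted actions not exercised in the window}
    dormant: sorted principals with no activity at all in the window
    """
    cutoff = now - timedelta(days=window_days)
    used = {principal: set() for principal in grants}
    last_seen = {}
    for ts, principal, action in events:
        if principal in used and ts >= cutoff:
            used[principal].add(action)
        last_seen[principal] = max(last_seen.get(principal, ts), ts)
    unused = {
        principal: sorted(granted - used[principal])
        for principal, granted in grants.items()
        if granted - used[principal]
    }
    dormant = sorted(p for p in grants if p not in last_seen or last_seen[p] < cutoff)
    return unused, dormant


def review(window_days: int = 90):
    """Run the review over the constructed data; kept as a function for testing."""
    return find_unused(GRANTS, parse_log(AUDIT_LOG), NOW, window_days)


if __name__ == "__main__":
    unused, dormant = review()
    for principal, actions in unused.items():
        print(f"{principal}: unused in window -> {', '.join(actions)}")
    print("dormant principals:", dormant)
```

On the constructed data the deployer role turns out to hold `iam:PassRole` and `ec2:TerminateInstances` without ever using them, the classic permission-creep finding, and the contractor account has been idle for the whole window, which is the "remove unused roles/users" case. The window length is the knob to tune: too short and seasonal tasks look unused, too long and stale access lingers.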
These comparisons highlight how AWS, Azure, and Google Cloud approach core IAM principles, with each provider offering tools and features tailored to their platforms’ strengths.
| Key Principle | Provider | Description |
|---|---|---|
| Access Analysis | AWS | IAM Access Analyzer checks for unintended access. |
| Access Analysis | Azure | Emphasizes regular access reviews through formal governance. |
| Access Analysis | Google Cloud | Maintains comprehensive audit logs for access visibility. |
| Access Review | AWS | Emphasizes regular access reviews to ensure proper permissions. |
| Access Review | Azure | Advocates formal governance and routine access audits. |
| Access Review | Google Cloud | Promotes ongoing review and adjustment of access privileges. |
| Role/User Cleanup | AWS | Periodic removal of unused roles/users is recommended. |
| Role/User Cleanup | Azure | Periodic removal of unused roles/users is recommended. |
| Role/User Cleanup | Google Cloud | Periodic review and removal of unused roles/users is encouraged. |
| Audit Logging | AWS | Provides audit logs to monitor and track access events. |
| Audit Logging | Azure | Supports audit logging for tracking access and changes. |
| Audit Logging | Google Cloud | Maintains comprehensive audit logs. |
| Access Privilege Adjustment | AWS | Supports ongoing adjustment of access privileges as needed. |
| Access Privilege Adjustment | Azure | Enables ongoing adjustment of access privileges. |
| Access Privilege Adjustment | Google Cloud | Promotes ongoing review and adjustment of access privileges. |
| Formal Governance | AWS | Encourages structured processes for managing IAM policies. |
| Formal Governance | Azure | Advocates formal governance and routine access audits. |
| Formal Governance | Google Cloud | Supports structured IAM management with policy enforcement. |
| Platform-Specific Tools | AWS | Offers tools tailored to AWS IAM strengths. |
| Platform-Specific Tools | Azure | Provides Azure-specific IAM features and management tools. |
| Platform-Specific Tools | Google Cloud | Delivers IAM features designed for Google Cloud’s platform. |