BIO 09.02.01

Entitlement Management Design

πŸ“… 2025-10-30
β€’
⏱️ 8 minuten lezen
β€’
πŸ”΄ Must-Have

πŸ’Ό Management Samenvatting

Entitlement Management levert self-service toegang met approvals, automatische expiratie en periodieke herbeoordeling voor interne en externe gebruikers.

Aanbeveling
IMPLEMENTEER ENTITLEMENT MANAGEMENT
Risico zonder
Medium
Risk Score
6/10
Implementatie
24u (tech: 12u)
Van toepassing op:
βœ“ Azure AD
βœ“ Identity Governance

Zonder deze beveiligingsmaatregel kunnen er significante security risks ontstaan die leiden tot data compromise, compliance overtredingen en reputatieschade voor de organisatie. Een van de grootste security uitdagingen is access sprawl: ad-hoc toekenningen zonder expiratie of review. EM structureert toegang via access packages: wie mag aanvragen, wie keurt goed, welke resources, hoe lang, en automatische removal.

PowerShell Modules Vereist
Primary API: Microsoft Graph
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.Identity.Governance

Implementatie

Ontwerp: Access packages per business rol (Project X Member, Vendor Reader), Catalogi per organisatieonderdeel, Policies voor interne/externe aanvragers, Approvals (manager/owner), Expiratie (30-90 dagen), Review vΓ³Γ³r verlenging.

Vereisten

  1. Azure AD Premium P2
  2. Catalog owners
  3. Approvers per package
  4. Defined resource scope (Groups/Apps/Sites)

Implementatie

Gebruik PowerShell-script entitlement-management.ps1 (functie Invoke-Remediation) – Basisconfiguratie EM.

  1. Maak catalogus + access packages
  2. Defineer aanvragers (internal/external) en approvals
  3. Stel expiratie + verlengingsreviews in
  4. Publiceer packages in MyAccess portal
  5. Pilot β†’ productie

Monitoring

Gebruik PowerShell-script entitlement-management.ps1 (functie Invoke-Monitoring) – Controleren.

  1. Aanvragen/afwijzingen volume
  2. Tijd tot goedkeuring
  3. Verlopen toekenningen verwijderd
  4. Externe gast-toegang trends

Compliance en Auditing

  1. BIO 09.02 - User Toegangsbeheer
  2. ISO 27001 A.9.2.3 - Management of privileged access rights
  3. NIS2 art. 21

Remediatie

Gebruik PowerShell-script entitlement-management.ps1 (functie Invoke-Remediation) – Herstellen.

Compliance & Frameworks

Automation

Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).

PowerShell
<# .SYNOPSIS Entitlement Management Design .DESCRIPTION Implementation for Entitlement Management Design .NOTES Filename: entitlement-management.ps1 Author: Nederlandse Baseline voor Veilige Cloud Version: 1.0 Related JSON: content/design/identity/entitlement-management.json #> #Requires -Version 5.1 #Requires -Modules Microsoft.Graph [CmdletBinding()] param( [Parameter()][switch]$WhatIf, [Parameter()][switch]$Monitoring, [Parameter()][switch]$Remediation, [Parameter()][switch]$Revert ) $ErrorActionPreference = 'Stop' $VerbosePreference = 'Continue' $PolicyName = "Entitlement Management Design" $BIOControl = "9.02" function Connect-RequiredServices { # Connection logic based on API } function Test-Compliance { Write-Verbose "Testing compliance for: $PolicyName..." $result = [PSCustomObject]@{ ScriptName = "entitlement-management" PolicyName = $PolicyName IsCompliant = $false TotalResources = 0 CompliantCount = 0 NonCompliantCount = 0 Details = @() Recommendations = @() } # Compliance check implementation # Based on: Design Document $result.Details += "Compliance check - implementation required based on control" $result.NonCompliantCount = 1 return $result } function Invoke-Remediation { Write-Host "`nApplying remediation for: $PolicyName..." -ForegroundColor Cyan # Remediation implementation Write-Host " Configuration applied" -ForegroundColor Green Write-Host "`n[OK] Remediation completed" -ForegroundColor Green } function Invoke-Monitoring { $result = Test-Compliance Write-Host "`n========================================" -ForegroundColor Cyan Write-Host "$PolicyName" -ForegroundColor Cyan Write-Host "========================================" -ForegroundColor Cyan Write-Host "Total: $($result.TotalResources)" -ForegroundColor White Write-Host "Compliant: $($result.CompliantCount)" -ForegroundColor Green $color = if ($result.NonCompliantCount -gt 0) { "Red" } else { "Green" } Write-Host "Non-compliant: $($result.NonCompliantCount)" -ForegroundColor $color return $result } function Invoke-Revert { Write-Host "Revert: Configuration revert not yet implemented" -ForegroundColor Yellow } try { Connect-RequiredServices if ($Monitoring) { Invoke-Monitoring } elseif ($Remediation) { if ($WhatIf) { Write-Host "WhatIf: Would apply remediation" -ForegroundColor Yellow } else { Invoke-Remediation } } elseif ($Revert) { Invoke-Revert } else { $result = Test-Compliance if ($result.IsCompliant) { Write-Host "`n[OK] COMPLIANT" -ForegroundColor Green } else { Write-Host "`n[FAIL] NON-COMPLIANT" -ForegroundColor Red } } } catch { Write-Error $_ }

Risico zonder implementatie

Risico zonder implementatie
Medium: Unmanaged access = access sprawl, compliance errors, external accounts zonder expiration, manual approval overhead. Compliance: BIO 9.02, ISO 27001. Het risico is medium - access governance.

Management Samenvatting

Entitlement Management: Access packages (bundled permissions - apps + groups + SharePoint), Self-service request portal, Approval workflows (manager + IT), Auto-expiration (90-365 dagen), Guest lifecycle (auto-remove expired), Access reviews integration. Vereist: Azure AD P2 (Identity Governance). Activatie: Entra ID β†’ Identity Governance β†’ Access packages. Kosten: P2 license. Verplicht BIO 9.02, ISO 27001. Implementatie: 24 uur (package design + workflows). Scalable access provisioning + governance.