Azure RBAC Strategy Design (Role-Based Access Control)

Management Summary

Azure RBAC strategy design implements least-privilege access control through built-in and custom roles, role assignments at subscription, resource group or resource scope, Privileged Identity Management (PIM) for elevated access, and access reviews for continuous governance.

Recommendation: IMPLEMENT AZURE RBAC STRATEGY
Risk without: Critical
Risk Score: 9/10
Implementation: 48h (technical: 24h)
Applies to: Azure

RBAC is critical for Zero Trust: least privilege (users get only the permissions they need), scope-based (assign at the lowest scope, a resource rather than subscription-wide), time-bound (PIM: elevated access is temporary), separation of duties (no single user has complete control). Without an RBAC strategy: Owner access for everyone (excessive permissions), no separation of duties (fraud risk), permanent elevated access (attack surface), no audit trail (who did what?).

Implementation

RBAC strategy components:

  1. Built-in roles: Owner (full control; avoid), Contributor (manage resources, no RBAC changes), Reader (view-only), specific roles (SQL DB Contributor, Network Contributor)
  2. Custom roles (organization-specific; example: VM Operator, start/stop only)
  3. Assignment scope: Management group (cascades to subscriptions), Subscription (all resources), Resource group (logical grouping), Resource (single VM, storage account)
  4. PIM (Privileged Identity Management): Just-In-Time access (activate the Owner role for 8 hours), approval workflow (manager approval required), MFA enforcement
  5. Access reviews: quarterly reviews (remove unused assignments), guest access reviews, privileged role reviews

Requirements

  1. Azure AD Premium P2 (for PIM)
  2. RBAC model documented (roles per job function)
  3. Custom roles defined (if needed)
  4. PIM configured (privileged roles)
  5. Access review schedule (quarterly)
  6. RBAC assignment process
  7. Audit logging (Azure Monitor)

Implementation Steps

  1. Define the RBAC model (roles per job function)
  2. Minimize Owner assignments
  3. Create custom roles
  4. Implement PIM for Owner/Contributor
  5. Configure access reviews (quarterly)
  6. Assign roles at the lowest scope (resource group rather than subscription)
  7. Enable Azure Monitor logging
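The steps above and the component list earlier (custom roles, lowest-scope assignment, PIM eligibility) as one worked script. This is an added example, not the baseline's own azure-rbac.ps1; it assumes Az.Accounts and Az.Resources with a prior Connect-AzAccount, and the subscription id, resource group name and group name are placeholders.

```powershell
# Added example, not the baseline's own azure-rbac.ps1. Requires Az.Accounts + Az.Resources
# and a prior Connect-AzAccount. Subscription, resource group and group name are placeholders.
$SubscriptionId = "00000000-0000-0000-0000-000000000000"              # placeholder
$ResourceGroup  = "rg-prod-vms"                                        # placeholder
$OperatorsGroup = (Get-AzADGroup -DisplayName "sg-vm-operators").Id    # assumed group name

# 1. Custom role "VM Operator": start/stop/restart only. Clone a built-in definition so
#    the object has the right shape, then replace its permissions and assignable scopes.
$role = Get-AzRoleDefinition -Name "Virtual Machine Contributor"
$role.Id = $null
$role.Name = "VM Operator"
$role.Description = "Start, stop and restart VMs; no create/delete, no RBAC changes."
$role.Actions.Clear()
foreach ($action in @(
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/powerOff/action",
        "Microsoft.Compute/virtualMachines/deallocate/action",
        "Microsoft.Compute/virtualMachines/restart/action")) {
    $role.Actions.Add($action)
}
$role.NotActions.Clear()
$role.DataActions.Clear()
$role.NotDataActions.Clear()
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$SubscriptionId")   # one subscription, never "/"
$created = New-AzRoleDefinition -Role $role

# 2. Assign at the lowest scope that fits (resource group, not subscription) and to a
#    group whose membership is access-reviewed, not to individual users.
New-AzRoleAssignment -ObjectId $OperatorsGroup `
    -RoleDefinitionName $created.Name `
    -ResourceGroupName $ResourceGroup

# 3. Privileged role: PIM eligibility for Contributor on the resource group instead of a
#    permanent assignment; members activate just-in-time under the PIM policy (MFA/approval).
$contributorId = (Get-AzRoleDefinition -Name "Contributor").Id
New-AzRoleEligibilityScheduleRequest -Name (New-Guid).Guid `
    -Scope "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" `
    -PrincipalId $OperatorsGroup `
    -RoleDefinitionId "/subscriptions/$SubscriptionId/providers/Microsoft.Authorization/roleDefinitions/$contributorId" `
    -RequestType AdminAssign `
    -ScheduleInfoStartDateTime (Get-Date).ToUniversalTime() `
    -ExpirationType AfterDuration -ExpirationDuration "P180D"
```

The eligibility request needs Azure AD Premium P2 (see Requirements) and an identity that holds User Access Administrator or Owner on the target scope.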

Compliance and Auditing

The RBAC strategy complies with: BIO 09.01 (Access policy: least privilege mandatory), ISO 27001 A.9.1.1 (Access control policy), ISO 27001 A.9.2.3 (Management of privileged access rights), NIS2 Article 21 (Access control), SOC 2 (Logical access controls).

Monitoring

Use the PowerShell script azure-rbac.ps1 (function Invoke-Monitoring) to check.

Remediation

Use the PowerShell script azure-rbac.ps1 (function Invoke-Remediation) to remediate.

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell

<#
.SYNOPSIS
    Azure RBAC Design
.DESCRIPTION
    Implementation for Azure RBAC Design
.NOTES
    Filename: azure-rbac.ps1
    Author: Nederlandse Baseline voor Veilige Cloud
    Version: 1.0
    Related JSON: content/design/platform/azure-rbac.json
#>
#Requires -Version 5.1
#Requires -Modules Microsoft.Graph

[CmdletBinding()]
param(
    [Parameter()][switch]$WhatIf,
    [Parameter()][switch]$Monitoring,
    [Parameter()][switch]$Remediation,
    [Parameter()][switch]$Revert
)

$ErrorActionPreference = 'Stop'
$VerbosePreference = 'Continue'
$PolicyName = "Azure RBAC Design"
$BIOControl = "9.02"

function Connect-RequiredServices {
    # Connection logic based on API
}

function Test-Compliance {
    Write-Verbose "Testing compliance for: $PolicyName..."
    $result = [PSCustomObject]@{
        ScriptName        = "azure-rbac"
        PolicyName        = $PolicyName
        IsCompliant       = $false
        TotalResources    = 0
        CompliantCount    = 0
        NonCompliantCount = 0
        Details           = @()
        Recommendations   = @()
    }
    # Compliance check implementation
    # Based on: Design Document
    $result.Details += "Compliance check - implementation required based on control"
    $result.NonCompliantCount = 1
    return $result
}

function Invoke-Remediation {
    Write-Host "`nApplying remediation for: $PolicyName..." -ForegroundColor Cyan
    # Remediation implementation
    Write-Host "  Configuration applied" -ForegroundColor Green
    Write-Host "`n[OK] Remediation completed" -ForegroundColor Green
}

function Invoke-Monitoring {
    $result = Test-Compliance
    Write-Host "`n========================================" -ForegroundColor Cyan
    Write-Host "$PolicyName" -ForegroundColor Cyan
    Write-Host "========================================" -ForegroundColor Cyan
    Write-Host "Total: $($result.TotalResources)" -ForegroundColor White
    Write-Host "Compliant: $($result.CompliantCount)" -ForegroundColor Green
    $color = if ($result.NonCompliantCount -gt 0) { "Red" } else { "Green" }
    Write-Host "Non-compliant: $($result.NonCompliantCount)" -ForegroundColor $color
    return $result
}

function Invoke-Revert {
    Write-Host "Revert: Configuration revert not yet implemented" -ForegroundColor Yellow
}

try {
    Connect-RequiredServices
    if ($Monitoring) {
        Invoke-Monitoring
    } elseif ($Remediation) {
        if ($WhatIf) {
            Write-Host "WhatIf: Would apply remediation" -ForegroundColor Yellow
        } else {
            Invoke-Remediation
        }
    } elseif ($Revert) {
        Invoke-Revert
    } else {
        $result = Test-Compliance
        if ($result.IsCompliant) {
            Write-Host "`n[OK] COMPLIANT" -ForegroundColor Green
        } else {
            Write-Host "`n[FAIL] NON-COMPLIANT" -ForegroundColor Red
        }
    }
} catch {
    Write-Error $_
}
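The script's Test-Compliance is a stub. The following is an added example, not the baseline's own code, of a body that returns the same result object with three concrete RBAC checks drawn from this document: permanent Owner at subscription scope or above (should be PIM-eligible), privileged roles assigned directly to users instead of groups, and orphaned assignments left behind by deleted principals. It assumes Az.Resources and an active Connect-AzAccount context instead of the Microsoft.Graph module the stub requires.

```powershell
# Added example (not the baseline's own script): a Test-Compliance body for the azure-rbac.ps1
# result object. Assumes Az.Resources and an active Connect-AzAccount context.
function Test-Compliance {
    $subScope = "/subscriptions/$((Get-AzContext).Subscription.Id)"
    $result = [PSCustomObject]@{
        ScriptName = "azure-rbac"; PolicyName = "Azure RBAC Design"; IsCompliant = $false
        TotalResources = 0; CompliantCount = 0; NonCompliantCount = 0
        Details = @(); Recommendations = @()
    }
    # All active (non-PIM) assignments in the subscription, including inherited ones
    # from management groups and assignments at resource group / resource scope.
    $assignments = @(Get-AzRoleAssignment)
    $result.TotalResources = $assignments.Count
    $privileged = @("Owner", "Contributor", "User Access Administrator")

    foreach ($a in $assignments) {
        $findings = @()
        # Rule 1: Owner at subscription scope or wider must be PIM-eligible, not permanent.
        if ($a.RoleDefinitionName -eq "Owner" -and
            ($a.Scope -eq $subScope -or $a.Scope -like "/providers/Microsoft.Management/*")) {
            $findings += "permanent Owner at $($a.Scope)"
        }
        # Rule 2: privileged roles go to groups (reviewable), not to individual users.
        if ($a.ObjectType -eq "User" -and $a.RoleDefinitionName -in $privileged) {
            $findings += "privileged role assigned directly to user $($a.SignInName)"
        }
        # Rule 3: principal no longer exists (ObjectType Unknown) but the assignment remains.
        if ($a.ObjectType -eq "Unknown") {
            $findings += "orphaned assignment $($a.RoleAssignmentId)"
        }
        if ($findings.Count -eq 0) {
            $result.CompliantCount++
        } else {
            $result.NonCompliantCount++
            $result.Details += "$($a.DisplayName) [$($a.RoleDefinitionName)] -> $($findings -join '; ')"
        }
    }
    if ($result.NonCompliantCount -gt 0) {
        $result.Recommendations += "Convert permanent Owner to PIM eligibility; assign privileged roles via groups; remove orphaned assignments."
    }
    $result.IsCompliant = ($result.NonCompliantCount -eq 0)
    return $result
}
```

Invoke-Monitoring in the script prints the counts unchanged; the Details array carries the per-assignment findings for the quarterly access review.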

Risk Without Implementation

Critical: no RBAC strategy means excessive permissions (Owner for everyone), no least privilege, insider threats, easy privilege escalation, compliance violations (BIO, ISO 27001). Audit findings guaranteed. The risk is CRITICAL: RBAC is the access control foundation.

Management Summary

Azure RBAC Strategy: built-in roles preferred (Owner/Contributor/Reader plus specialized roles), custom roles (minimal; document the justification), least privilege (minimum permissions needed), PIM (Just-in-Time elevation; no permanent admins), deny assignments (protect critical resources), quarterly access reviews, separation of duties (no single person has full control). Activation: design the RBAC model -> assign roles plus PIM eligibility -> remove excessive permissions. Free (PIM requires P2). Mandatory under BIO 9.01, ISO 27001 A.9.1.1, Zero Trust. Implementation: 24-48 hours. CRITICAL Zero Trust foundation: least privilege mandatory.