One of the biggest concerns in cybersecurity today is making sure that employees, third-party vendors and managed service providers are assigned the right mix of rights, permissions and privileges for their everyday job tasks. Doing this well is harder than it looks: grant too much and a compromised or rogue account can do broad damage; grant too little and people cannot do their jobs. To help with this problem in the Microsoft partner ecosystem, Microsoft has introduced a capability called “GDAP”.
What Is GDAP?
It is an acronym that stands for “Granular Delegated Admin Privileges” (some sources expand it as “Granular Delegated Administrative Privilege”). Microsoft defines it as follows:
“It is a security feature that provides partners with least-privileged access following the Zero Trust cybersecurity protocol.”
(SOURCE: 1).
It contains two particularly important concepts:
- Least Privilege:
This is where you assign an employee or a third-party vendor just enough rights, permissions and privileges to do what they need to do and remain productive, and nothing more. For example, a network administrator will have more than, say, an administrative assistant, given the functions that each performs.
- Zero Trust:
This is a security model built on three principles: verify every access request explicitly (identity, device, location and the sensitivity of the resource), grant only least-privileged and, where possible, time-limited access, and assume that a breach has already happened. In practice it means segmenting the IT/network infrastructure so that one compromised account or zone cannot reach everything, and requiring strong authentication such as MFA (two or more independent factors, for example a password plus a hardware key or authenticator app) for every user and every session rather than trusting anyone because they are “inside” the network.
GDAP gives a partner much finer control over what it is allowed to do in a customer's Microsoft 365 tenant. The main caveat is that it is not available to just anybody: GDAP is a Microsoft Partner Center feature, so the business must either be a Microsoft partner enrolled in the Cloud Solution Provider (CSP) program or be a customer managed by such a partner.
More About GDAP
GDAP is the successor to what was known as Delegated Admin Privileges, or “DAP”. With DAP, the partner's Admin Agents group was granted the Global Administrator role in every customer tenant it managed, with no expiry date. That poses a serious risk: if a partner employee goes rogue and launches an insider attack, or a partner account is simply phished, the attacker inherits full control of every one of those customer tenants. GDAP refines the model in the following ways:
- RBAC:
This is an acronym that stands for Role Based Access Control. Instead of one all-powerful role, the partner requests specific Microsoft Entra built-in roles (for example Helpdesk Administrator, Exchange Administrator or Security Reader) that match the job the partner's staff actually perform for that customer. So in our previous example, the engineer who maintains the customer's infrastructure would hold an administrator role for that workload, whereas the service desk would hold only the clerical-level permissions it needs, such as resetting passwords. Nobody receives Global Administrator unless there is a specific justification.
- Scoping:
This means that a partner no longer has blanket permissions. Each GDAP relationship is set up per customer and lists only the roles the customer has approved; within the partner's own tenant, those roles are then mapped to specific security groups, so only the members of a given group can exercise a given role. If the service desk later needs access to another workload, that role has to be requested and approved separately, depending on its needs.
- Time:
With GDAP, access is granted for an explicit, agreed duration (at most two years, or 730 days) rather than indefinitely. When that period ends, the relationship expires and the access is removed unless the partner and customer have renewed it (Microsoft also offers an auto-extend option for relationships that are meant to be ongoing). Short durations should be used for one-off tasks such as a migration.
- Auditing:
GDAP makes partner activity visible to both sides. The creation, approval, modification and termination of relationships are recorded in the Partner Center activity log, and everything a partner user does inside the customer tenant is written to that customer's own Microsoft Entra audit and sign-in logs under the partner user's identity. Note that GDAP itself does not raise alerts on suspicious behaviour; to get real-time alerting, those logs need to be forwarded to a SIEM or monitoring tool with detection rules built on them. The logs can also be retained to provide a detailed audit trail.
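The four refinements above (role-based, scoped, time-bound and auditable access) are all expressed when a GDAP relationship is created. The following PowerShell script is an added example written for this article, not code from Microsoft or from the original page. It uses the Microsoft Graph PowerShell SDK (`Connect-MgGraph` / `Invoke-MgGraphRequest`) against the `tenantRelationships/delegatedAdminRelationships` endpoint; the customer tenant ID, the partner security group ID and the display name are placeholders you would replace, while the role template IDs are the fixed, well-known Microsoft Entra values. The script is run from the partner tenant by an account that holds the `DelegatedAdminRelationship.ReadWrite.All` permission.

```powershell
# Added example (not from the original article): create a least-privileged,
# time-bound GDAP relationship via Microsoft Graph, map one partner security
# group to one role, then audit for relationships that still grant Global Admin.
# Requires the Microsoft.Graph PowerShell SDK. Run from the PARTNER tenant.
Connect-MgGraph -Scopes "DelegatedAdminRelationship.ReadWrite.All"

$customerTenantId = "00000000-0000-0000-0000-000000000001"   # assumed: customer's tenant ID
$helpdeskGroupId  = "00000000-0000-0000-0000-000000000002"   # assumed: security group in the partner tenant

# Microsoft Entra built-in role template IDs (well-known, fixed values)
$HelpdeskAdministrator = "729827e3-9c14-49f7-bb1b-9608f156bbb8"
$SecurityReader        = "5d6b6bb7-de71-4623-b4af-96380a352509"
$GlobalAdministrator   = "62e90394-69f5-4237-9190-012177145e10"

$baseUri = "https://graph.microsoft.com/v1.0/tenantRelationships/delegatedAdminRelationships"

# 1. RBAC + scoping: request only the roles the service desk actually needs.
#    Time: "P90D" is an ISO 8601 duration of 90 days; the ceiling is "P730D".
$relationship = Invoke-MgGraphRequest -Method POST -Uri $baseUri -Body @{
    displayName   = "Contoso service desk (90 days)"      # assumed display name
    duration      = "P90D"
    customer      = @{ tenantId = $customerTenantId }
    accessDetails = @{ unifiedRoles = @(
        @{ roleDefinitionId = $HelpdeskAdministrator }
        @{ roleDefinitionId = $SecurityReader }
    ) }
}
Write-Host "Created relationship $($relationship.id) with status '$($relationship.status)'"

# 2. Lock the request so it can be sent to the customer for approval.
#    A Global Administrator in the CUSTOMER tenant approves it in the Microsoft 365
#    admin center; the status then moves from "approvalPending" to "active".
Invoke-MgGraphRequest -Method POST -Uri "$baseUri/$($relationship.id)/requests" `
    -Body @{ action = "lockForApproval" } | Out-Null

# 3. Once the relationship is active, map ONE partner security group to ONE role.
#    Only members of that group get the role, and it must be a subset of step 1.
Invoke-MgGraphRequest -Method POST -Uri "$baseUri/$($relationship.id)/accessAssignments" -Body @{
    accessContainer = @{ accessContainerId = $helpdeskGroupId; accessContainerType = "securityGroup" }
    accessDetails   = @{ unifiedRoles = @( @{ roleDefinitionId = $HelpdeskAdministrator } ) }
} | Out-Null

# 4. Audit check: list every active relationship that still hands out Global
#    Administrator, together with when it expires. These are the ones to review.
$all = Invoke-MgGraphRequest -Method GET -Uri $baseUri
$all.value |
    Where-Object { $_.status -eq "active" -and
                   $_.accessDetails.unifiedRoles.roleDefinitionId -contains $GlobalAdministrator } |
    Select-Object displayName,
                  @{ n = "customerTenant"; e = { $_.customer.tenantId } },
                  endDateTime
```

Step 3 cannot run until the customer has approved the relationship, so in practice steps 1 and 2 are done first and step 3 (and the audit in step 4) later; the same operations are available by clicking through Partner Center if you prefer not to script them. The audit query in step 4 is the check a practitioner would schedule regularly, since a relationship that grants Global Administrator for the full 730 days is effectively DAP under a new name.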
The Importance Of GDAP
GDAP brings key benefits over DAP, which are:
- Because permissions are granular and time-bound, a compromised or rogue partner account can do far less damage, which improves the overall security posture of both the partner and its customers.
- Compliance with data privacy laws and regulations (such as the GDPR, the CCPA and HIPAA) is easier to demonstrate, since you can show exactly who was granted which role, for how long, and who approved it.
- The overall brand reputation of the business is enhanced, because customers can see that the IT security team takes seriously the protection of their Personally Identifiable Information (PII).
The overall GDAP structure is illustrated in the diagram below:
(SOURCE: 2).
Conclusions
If you have any questions, or are interested in deploying GDAP for your business, contact us today.
Sources