The digital landscape is wild, and it is getting wilder. Research from Rubrik Zero Labs shows that cyber attacks are on the rise, with 94% of organizations reporting a significant attack in the last year. And the attacks are effectively disrupting business: 62% of those reporting an attack revealed that their systems were compromised.

So security teams need to use all of the tools in their toolkits to protect the enterprise. That includes embracing least privileged access, a security principle that ensures users have only the minimum permissions necessary to perform their assigned tasks.

Recognizing that least privileged access is a must-have for smart security teams, Rubrik built innovative authorization options into its flagship product, Rubrik Security Cloud, to support wider use of least privileged access strategies for Microsoft Azure Cloud. Indeed, Rubrik stands out in the cybersecurity industry for taking this security strategy to a new level.

How to Onboard Azure Subscriptions with Least Privileged Access

Rubrik Security Cloud helps you enforce robust data protection by offering read-only permissions at the subscription level. This removes the need to assign excessive permissions for day-to-day operations such as backup, indexing, replication, and archiving. Temporarily elevated permissions are required only during recovery and are promptly revoked once the task completes. This method minimizes the risk that a compromised permission set could be used for destructive operations, protecting the security and integrity of your data. While this option is currently available only for Azure, it is becoming a standard feature across all workloads.

When onboarding an Azure subscription, Rubrik requires only the following permissions:

  1. Read and Write permissions at the Rubrik Resource Group level
  2. Read-only permissions at the Subscription level

By strictly scoping permissions, Rubrik confines write access to the lowest practical level of the Azure resource hierarchy: the Rubrik Resource Group. This also ensures that Rubrik has no write access to other product resources in the customer's environment. Such control is crucial for maintaining robust security and control protocols, because it prevents an over-permissioned service account from overriding established safeguards. Keeping permissions to the absolute necessary scope helps protect customer data and reinforces trust in Rubrik's commitment to security.
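The two-scope model above (read-only at the subscription, read/write only in the Rubrik Resource Group) is easy to state and easy to drift away from as role assignments accumulate. The following audit is an added example written for this article, not Rubrik's code: it takes role assignments in the shape returned by `az role assignment list --assignee <principal> --all -o json` (only the `roleDefinitionName` and `scope` fields are used) and reports every assignment that falls outside the baseline. The subscription id, resource group name, the use of the built-in `Contributor` role as the read/write role, and the sample assignments are all assumptions constructed for the example.

```python
"""Audit a service principal's Azure role assignments against a two-scope
least-privilege baseline: read-only roles at subscription scope, any role
inside one designated resource group, nothing else.  Constructed example."""
import re
from typing import List, Optional, Tuple

# Hypothetical identifiers used by this example.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
RUBRIK_RESOURCE_GROUP = "rubrik-rg"

# Built-in roles accepted at subscription scope.  Anything not listed here is
# treated as write-capable, so unknown or custom roles fail closed.
READ_ONLY_ROLES = {"Reader", "Monitoring Reader", "Log Analytics Reader"}

_SUB_SCOPE = re.compile(r"^/subscriptions/(?P<sub>[^/]+)$", re.IGNORECASE)
_RG_SCOPE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)(?P<rest>/.*)?$",
    re.IGNORECASE,
)


def classify_scope(scope: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (kind, subscription_id, resource_group) for an ARM scope string.

    kind is "subscription", "resource_group", "resource" (something below a
    resource group) or "other" (management group, tenant root, malformed)."""
    scope = scope.rstrip("/")
    m = _SUB_SCOPE.match(scope)
    if m:
        return ("subscription", m["sub"], None)
    m = _RG_SCOPE.match(scope)
    if m:
        kind = "resource" if m["rest"] else "resource_group"
        return (kind, m["sub"], m["rg"])
    return ("other", None, None)


def audit_assignments(assignments: List[dict],
                      rubrik_rg: str = RUBRIK_RESOURCE_GROUP,
                      subscription_id: str = SUBSCRIPTION_ID) -> List[str]:
    """Return one finding per assignment outside the baseline; [] is compliant."""
    findings = []
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        kind, sub, rg = classify_scope(scope)
        if sub is None or sub.lower() != subscription_id.lower():
            findings.append(f"{role} at {scope}: outside the onboarded subscription")
        elif kind == "subscription" and role in READ_ONLY_ROLES:
            continue  # read-only at subscription level: expected
        elif kind in ("resource_group", "resource") and rg.lower() == rubrik_rg.lower():
            continue  # read/write confined to the Rubrik resource group: expected
        else:
            findings.append(f"{role} at {scope}: exceeds least-privilege baseline")
    return findings


# Constructed sample data.  BASELINE is what onboarding should leave behind;
# DRIFTED adds a write role at subscription scope and a role on another group.
BASELINE = [
    {"roleDefinitionName": "Reader", "scope": f"/subscriptions/{SUBSCRIPTION_ID}"},
    {"roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/{RUBRIK_RESOURCE_GROUP}"},
]
DRIFTED = BASELINE + [
    {"roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SUBSCRIPTION_ID}"},
    {"roleDefinitionName": "Virtual Machine Contributor",
     "scope": f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/prod-app-rg"},
]

if __name__ == "__main__":
    print("baseline findings:", audit_assignments(BASELINE))
    for f in audit_assignments(DRIFTED):
        print("DRIFT:", f)
```

Run it periodically against the live output of `az role assignment list` and alert on a non-empty result; a finding at subscription scope with a write role is exactly the over-permissioned service account the paragraph warns about.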

Authorization Options Provided by Rubrik Security Cloud

Rubrik Security Cloud offers two distinct authorization options so that customers elevate permissions only during recovery, when read-write permission is required. Both options keep customers in control and adhere to the least privilege model.

The first option allows customers to elevate permissions by adding roles to the service principal. Once the recovery is complete, customers can manually remove the role from the service principal.

[Figure: Azure VM recovery]

With Service Principal Role Authorization, Rubrik creates a service principal account whose permissions are raised for recovery operations, in keeping with least privileged access: the service holds elevated permissions only when required.

The second option enables the backup admin to grant the necessary permissions to Rubrik Security Cloud. After the recovery is complete, the read-write permissions assigned to Rubrik Security Cloud will be automatically revoked after a 30-minute wait time, reverting to the previous permission state.

[Figure: Azure VM recovery, second option]

Backup administrators can grant the necessary permissions to Rubrik Security Cloud through authorization with a security token, which adheres to the least privilege principle by granting access based on the specific needs of a user or process.

These options provide flexibility for customers to choose the most suitable authorization method based on their operational model.
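Both options follow the same lifecycle: grant a write role at the scope the recovery needs, record when it was granted, and remove it afterwards, either by an explicit operator action (the first option) or when a fixed window such as the 30 minutes mentioned above has elapsed (the second option). The following is an added illustration of that pattern written for this article; it is not Rubrik's implementation of either option. It emits the Azure CLI commands (`az role assignment create` / `az role assignment delete`, both real commands) rather than running them, and the principal id, subscription id, and the choice of `Contributor` as the recovery role are assumptions.

```python
"""Time-bound elevation for recovery: every grant carries an expiry and a
matching revoke.  Constructed example; commands are returned, not executed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

PRINCIPAL_ID = "11111111-1111-1111-1111-111111111111"    # hypothetical SP object id
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # hypothetical
RECOVERY_ROLE = "Contributor"          # assumed write role used during recovery
AUTO_REVOKE_AFTER = timedelta(minutes=30)  # window described in the article


@dataclass
class Elevation:
    principal_id: str
    role: str
    scope: str
    granted_at: datetime
    expires_at: datetime
    revoked_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.revoked_at is None


def grant_command(e: Elevation) -> str:
    """Azure CLI command that adds the role to the service principal."""
    return (f"az role assignment create --assignee-object-id {e.principal_id} "
            f"--assignee-principal-type ServicePrincipal "
            f"--role \"{e.role}\" --scope {e.scope}")


def revoke_command(e: Elevation) -> str:
    """Azure CLI command that removes exactly that assignment again."""
    return (f"az role assignment delete --assignee {e.principal_id} "
            f"--role \"{e.role}\" --scope {e.scope}")


class RecoveryElevations:
    """Ledger of elevations so that none is granted without a planned revoke."""

    def __init__(self, ttl: timedelta = AUTO_REVOKE_AFTER):
        self.ttl = ttl
        self.log: List[Elevation] = []

    def elevate(self, principal_id: str, role: str, scope: str, now: datetime) -> str:
        e = Elevation(principal_id, role, scope, now, now + self.ttl)
        self.log.append(e)
        return grant_command(e)

    def revoke(self, e: Elevation, now: datetime) -> str:
        """First option: the operator removes the role once recovery completes."""
        e.revoked_at = now
        return revoke_command(e)

    def sweep(self, now: datetime) -> List[str]:
        """Second option: revoke every active elevation whose window has passed."""
        return [self.revoke(e, now) for e in self.log if e.active and now >= e.expires_at]

    def active(self) -> List[Elevation]:
        return [e for e in self.log if e.active]


def run_demo() -> dict:
    """Grant at subscription scope, show nothing is revoked early, then sweep."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
    ledger = RecoveryElevations()
    grant = ledger.elevate(PRINCIPAL_ID, RECOVERY_ROLE, f"/subscriptions/{SUBSCRIPTION_ID}", t0)
    early = ledger.sweep(t0 + timedelta(minutes=29))   # still inside the window
    late = ledger.sweep(t0 + timedelta(minutes=30))    # window elapsed: revoke
    return {"grant": grant, "early": early, "late": late, "remaining": len(ledger.active())}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The important property is that `elevate` cannot be called without producing an `expires_at`, so a forgotten manual revoke under the first option is still caught by the next `sweep`; pairing this with the audit from the onboarding section gives a second, independent check that no write role lingers at subscription scope.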

A New Industry Standard

Rubrik's innovative approach to access management sets a new standard for data management and protection solutions. By adopting solutions that effectively limit user and service accounts with excessive permissions, organizations can significantly reduce security risk and meet the requirements of key regulations such as PCI, SOC2, and FedRAMP. Undoubtedly, the principle of least privileged access should be a cornerstone in securing an organization's data and resources.