Azure Role-Based Access Controls

In the summer semester of 2023, I was fortunate enough to be a full-time cloud security intern at a local insurance SaaS company. I had a total of three projects within this internship, but the primary project was redesigning the company's current Role-Based Access Control system in a way that adheres to the principle of least privilege. Essentially, my task was to learn how Azure RBAC works, interview employees to understand what everyone does and how they do it, and use this knowledge to design a new RBAC system. The whole point of this RBAC redesign was to provide a quality-of-life improvement for all employees. Employees should have access to everything they need, but only the access that they need. This protects the company and its employees, but it also means employees need not worry about whether they have access to something. They can simply focus on the work they need to complete.

Luckily, I was not alone in this endeavor. I worked with the other cloud security intern on this project, as well as my mentor. The internship was split into the following three phases: planning, documentation, and implementation. The planning phase consisted of creating a questionnaire for the interviews, looking at ways to rework the current security grouping system, and so forth. The documentation phase was all about interviewing employees using the questionnaire so that we could get a good idea of what they do for the company and how they do it. Furthermore, we needed to sift through the results and figure out what information we actually needed in order to redesign the RBAC system. From this, we brainstormed ideas for an RBAC redesign and eventually chose the best fit for the company. Another crucial aspect was figuring out how to use different Azure tools, such as Azure Privileged Identity Management and Access Packages, to make this a reality. Due to time constraints, we were not able to implement the redesign, but it was discussed that we would be given an opportunity in the future to be a part of the implementation.

This internship was a great experience for me, and I cannot explain how much I learned within this project alone. It was very interesting to see how a SaaS company is run, its different roles and their respective responsibilities, and what needs to be taken into consideration for security. I got comfortable with the Azure platform, as well as tools like LucidChart, Microsoft Office, and more. I also learned about the principle of least privilege, how Azure RBAC works, and how different tools on the Azure platform can be used to implement cloud security measures.