Secure Every Tier - Beyond Microsoft’s Model

The Enterprise Access Model (EAM), also known as the Tier 0/1/2 security model, is a framework designed to safeguard privileged access. Originally developed by Microsoft, this model enhances security by segmenting access into distinct tiers, with the goal of preventing unauthorized privilege escalation and lateral movement by attackers.

Understanding the Enterprise Access Model

The EAM categorizes IT resources into three tiers:

• Tier 0 (Control Plane): The crown jewels of your IT environment. These include systems and resources that, if compromised, grant attackers complete control over the organization’s infrastructure. While traditionally this tier includes Active Directory Domain Controllers and identity management systems, it must now encompass non-Microsoft resources like:
  • The AWS Management Console, which governs critical cloud services. Compromise here could lead to total cloud environment takeover.
  • Google Cloud Admin Console, used for managing cloud infrastructure and applications. Unauthorized access could disrupt operations or result in data exfiltration.
  • Your Identity Provider - SSO portals that serve as gateways to enterprise applications, meaning a breach here gives attackers keys to the entire app ecosystem.
• Tier 1 (Management Plane): Systems that manage business-critical applications and processes. This tier has expanded beyond traditional Microsoft systems to include:
  • CRM platforms like Salesforce: A breach could expose sensitive customer data.
  • ERP systems such as SAP: Critical for managing financials, supply chains, and operations.
  • Cloud workloads and Kubernetes clusters: Increasingly part of the management plane in hybrid and cloud-native architectures.
• Tier 2 (User Access): Encompasses user accounts and devices with minimal privileges to limit the damage of a potential breach.

Challenges with Governing Non-Microsoft Tiered Resources

While Microsoft has provided reference implementations of the Enterprise Access Model, they’ve ignored cross-cloud and the diversity of SaaS applications that power the modern enterprise, creating major challenges. 

1. Complexity in Identifying Tier 0 and Tier 1 Resources
   Non-Microsoft environments often lack the clear hierarchy that Microsoft Active Directory provides. Identifying Tier 0 resources like the AWS Management Console or Kubernetes admin APIs requires deep understanding and context of the organization’s architecture.
2. Inconsistent Security Controls Across Platforms
   Microsoft environments benefit from a unified security framework. In contrast, securing non-Microsoft resources requires piecing together disparate tools, each with its own configuration requirements.
3. Evolving Attack Surface
   Cloud platforms, SaaS applications, and hybrid environments constantly evolve, introducing new entry points for attackers. For example, misconfigured IAM roles in AWS could grant unintended access to critical Azure Cloud Tier 0 systems.
4. Federated Access (Trusts)  Between Key Infrastructure
   In complex multi-cloud hybrid environments, it is common for Tier 0 resources to have federated access to other systems.  For example, a Tier 0 AWS console account that has the ability to administer Azure resources.  

Best Practices for a Cross-Platform Enterprise Access Model

1. Expand the Definition of Tier 0 and Tier 1 Resources
   Include cloud management consoles (e.g., AWS, Azure, GCP), SaaS admin portals (e.g., Salesforce, Okta), and DevOps pipelines (e.g., Jenkins, GitHub Actions) in your tiering framework.
2. Unified Identity Governance
   Implement a centralized identity governance solution to manage access controls across all platforms. This includes enforcing least privilege, automating role assignment, and conducting regular access reviews.
3. Highly restrict access to Tier 0 and Tier 1 resources
   Extend MFA to all Tier 0 and Tier 1 resources, including cloud management portals and SaaS applications, to reduce the risk of credential theft.
4. Automated Tagging and Monitoring
   Use automation to tag and monitor Tier 0 and Tier 1 resources across platforms, ensuring they remain compliant with security policies.

Why you should invest

The EAM limits the blast radius of potential attacks. By segmenting access into distinct tiers, organizations can:

• Prevent Lateral Movement: Attackers cannot easily escalate privileges from compromised user accounts (Tier 2) to critical systems (Tier 0).
• Protect Privileged Access: Tier 0 systems, such as Active Directory, AWS Management Console, and identity providers like Okta, are shielded from exposure to lower-tier environments.
• Minimize Insider Threats: Role-based access ensures that employees only have access to the systems they need for their job.

A single breach of a Tier 0 resource can compromise an entire organization. EAM investments reduce the likelihood of such events by:

• Implementing strict controls over Tier 0 and Tier 1 resources.
• Ensuring high-value targets, like directory services or cloud admin consoles, are isolated and protected.
• Limiting the impact of credential theft by enforcing least privilege and multi-factor authentication (MFA).

How Clarity Expands the Enterprise Access Model

Clarity enables a true cross-platform Enterprise Access Model, addressing the unique challenges of modern hybrid environments and helping you understand and control who has access to every critical system in your environment:

• Automated Governance Across Platforms
  Clarity replaces manual processes with automated tier tagging and policy enforcement, ensuring resources like the AWS Management Console and Kubernetes clusters are properly secured.
• Comprehensive Coverage
  Clarity extends the tiered access model to encompass SaaS platforms, Linux systems, and hybrid infrastructures, giving organizations the ability to secure every critical resource, regardless of platform.
• Simplified Implementation
  With Clarity, organizations can operationalize tier governance effortlessly, applying consistent security controls across Microsoft and non-Microsoft environments.
• Enhanced Visibility into Tier 0 and Tier 1 Resources
  Clarity provides a single pane of glass to visualize how resources like AWS, Google Cloud, and SaaS platforms fit into your tiering strategy, and control who has access.
• Adaptability to Evolving Environments
  As new resources are added to your ecosystem, Clarity ensures they are automatically tagged, tiered, and governed according to your policies.

Conclusion

The Enterprise Access Model is no longer just for Microsoft environments. In today’s multi-platform world, Tier 0 and Tier 1 resources extend far beyond Active Directory to include critical assets like the AWS Management Console, Google Cloud Admin Console, and key SaaS applications. By leveraging Clarity, organizations can protect their most sensitive resources, and stay one step ahead of attackers.

To learn more about how Clarity can secure your organization’s critical resources, visit Clarity Security.