Microsoft PIM and Centero Carillon – Taking Charge of User Permissions
Elevated user permissions are often essential for getting work done, but if every user holds admin privileges, the whole organization is exposed to serious security risk. Both Centero Carillon and Microsoft Privileged Identity Management offer straightforward solutions to the problem. But which one would come out on top in a fight? Or… is there even a fight? Let’s ask Tuukka Tiainen.
Microsoft’s Privileged Identity Management service, or PIM, is part of Azure Active Directory (Azure AD). PIM lets you manage, control, and monitor access to your organization’s resources in Azure AD, Azure, and other Microsoft online services, such as Microsoft 365 or Intune.
“In a nutshell, PIM is meant to improve the management of privileged user permissions. Azure AD includes a vast number of different roles, and all of the admin roles are really important. PIM makes it safe and easy to activate those roles and the related permissions on a temporary basis,” explains Centero’s IT expert Tuukka Tiainen.
PIM was developed specifically for cloud environments, but it also works in so-called hybrid environments where the on-premises Active Directory is synchronized with Azure AD (for example with Azure AD Connect). In that case PIM governs the Azure AD roles of the synchronized accounts; permissions inside the on-premises domain itself remain outside its scope.
“For example, I have global admin permissions in our own environment but if I want to change some settings that require admin privileges, I have to request them separately from PIM. We have even set a time limit of one hour at a time for using the privileges,” says Tuukka.
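What Tuukka describes, a role that is only eligible until it is activated, and an activation that expires after one hour, is configured per role in PIM. The following Microsoft Graph PowerShell script is an added example and is not code from Centero or Microsoft; it caps activation of the Global Administrator role at one hour, requires MFA and a justification, and then performs a self-activation. The role template ID for Global Administrator is fixed across tenants; the principal object ID and the justification text are placeholders to replace.

```powershell
# Added example (not Centero's or Microsoft's code). Requires the Microsoft.Graph
# module and an account allowed to consent to the listed scopes.
Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory",
                        "RoleAssignmentSchedule.ReadWrite.Directory",
                        "RoleManagement.Read.Directory"

# Global Administrator has the same role template ID in every tenant.
$roleDefinitionId = "62e90394-69f5-4237-9190-012177145e10"

# 1. Find the PIM policy that governs this role at tenant scope ("/").
$policyAssignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$roleDefinitionId'"
$policyId = $policyAssignment.PolicyId

# 2. Cap end-user activation at one hour (ISO 8601 duration PT1H).
#    Activation requests that ask for more than this are rejected by PIM.
$target = @{
    caller              = "EndUser"
    operations          = @("All")
    level               = "Assignment"
    inheritableSettings = @()
    enforcedSettings    = @()
}
$expirationRule = @{
    "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
    id                   = "Expiration_EndUser_Assignment"
    isExpirationRequired = $true
    maximumDuration      = "PT1H"
    target               = $target
}
Update-MgPolicyRoleManagementPolicyRule `
    -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" `
    -BodyParameter $expirationRule

# 3. Require MFA and a written justification every time the role is activated.
$enablementRule = @{
    "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
    id            = "Enablement_EndUser_Assignment"
    enabledRules  = @("MultiFactorAuthentication", "Justification")
    target        = $target
}
Update-MgPolicyRoleManagementPolicyRule `
    -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" `
    -BodyParameter $enablementRule

# 4. As the eligible user: activate the role for one hour with a justification.
#    $principalId is a placeholder for the activating user's object ID; the
#    justification text is constructed for this example.
$principalId = "00000000-0000-0000-0000-000000000000"
$activation = @{
    action           = "selfActivate"
    principalId      = $principalId
    roleDefinitionId = $roleDefinitionId
    directoryScopeId = "/"
    justification    = "Change Conditional Access policy, ticket INC-1234"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{ type = "AfterDuration"; duration = "PT1H" }
    }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation
```

Steps 1 to 3 are run once by whoever administers PIM; step 4 is what the eligible user does each time they need the role. Because the policy now requires MFA, the self-activation only succeeds from a session that has already satisfied MFA, and the assignment disappears on its own when the hour is up, which is the behaviour the one-hour limit above relies on.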
Data Security and Sensible User Permissions as a Starting Point
The Centero Carillon service was designed partly for the same purpose as PIM, but much earlier and with local Windows environments in mind. Like PIM, Carillon makes it possible to perform tasks that require admin permissions without holding permanent admin rights on the organization’s devices.
“Both services place a heavy emphasis on data security and adhere to the principle of least privilege. PIM is meant for cloud environments and largely for the Office 365 world, whereas Carillon is designed for the Windows environment and workstations,” says Tuukka.
“In a larger organization where people work in a hybrid environment and use both Windows and Azure AD, the services are mutually complementary. Under no circumstances are PIM and Carillon mutually exclusive—on the contrary.”
Large organizations in particular have woken up to a new way of thinking about data security and its requirements. It is increasingly rare for every Windows user in an organization to hold permanent local admin rights on their workstation. After all, from a security point of view, that is one of the riskiest setups imaginable.
“A lot of research has gone into how much more vulnerable workstations are to malware when they are permanently used with admin permissions. Windows is simply not meant to be used like that. That’s why services like PIM and Carillon are so essential for effective and smooth working,” says Tuukka.
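Before introducing a tool like Carillon it helps to know how many workstations still have permanent local admins. The following PowerShell function is an added example, not Centero’s or Microsoft’s code; it lists the members of the local Administrators group and flags everything that is neither the built-in Administrator account nor on an allowlist. The allowlist entries and computer names are constructed placeholders. It uses the Microsoft.PowerShell.LocalAccounts module that ships with Windows PowerShell 5.1 and can be pushed to other machines over PowerShell Remoting.

```powershell
# Added example (not Centero's or Microsoft's code): find permanent local admins
# that are not expected to be there.
function Get-UnexpectedLocalAdmin {
    param(
        # Principals that may stay in Administrators permanently (constructed names).
        [string[]]$Allowed = @("CONTOSO\Workstation Admins")
    )
    Get-LocalGroupMember -Group "Administrators" | Where-Object {
        # The built-in Administrator account always has RID 500; it is expected to
        # exist (ideally disabled), so it is not reported as unexpected.
        $_.SID.Value -notlike "*-500" -and
        $Allowed -notcontains $_.Name
    } | Select-Object @{ Name = "Computer"; Expression = { $env:COMPUTERNAME } },
                      Name, ObjectClass, PrincipalSource, SID
}

# Run locally ...
$unexpected = Get-UnexpectedLocalAdmin
if ($unexpected) {
    Write-Warning "Permanent local admin rights found outside the allowlist:"
    $unexpected | Format-Table -AutoSize
} else {
    Write-Output "Administrators group on $env:COMPUTERNAME matches the allowlist."
}

# ... or across a fleet over PowerShell Remoting (computer names are placeholders).
$computers = @("WS-001", "WS-002", "WS-003")
$fleet = Invoke-Command -ComputerName $computers `
    -ScriptBlock ${function:Get-UnexpectedLocalAdmin} `
    -ArgumentList (, @("CONTOSO\Workstation Admins")) `
    -ErrorAction SilentlyContinue
$fleet | Sort-Object Computer | Format-Table Computer, Name, ObjectClass, PrincipalSource -AutoSize
```

Any domain user or group that shows up in the output is a standing local admin, which is exactly the condition Tuukka warns about; the list is also the starting point for deciding which tasks those users actually need elevation for, so that the permanent membership can be replaced with on-demand elevation.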
“Like all of our services, we are constantly developing Carillon. The next step is a SaaS model where the service can be run over a network connection without needing a dedicated server to run it.”
Interested in Centero Carillon? Book a meeting with Kimmo, and he’ll tell you more!