Frosti is an Access Management Copilot that will allow developers to request Just In Time access to the resources they need by describing their task in plain English rather than in platform-specific permissions. For example, tell Frosti “I need to rotate a secret in Azure Key Vault” and Frosti will respond “Request the Key Vault Secrets Officer role”. We imagine this becoming a Teams app which could generate a PIM request on the developer's behalf, but for demo purposes we started with a simple standalone web app for role recommendations. Let us know what you think.
Try Frosti: https://www.tryfrosti.com/beta

Demo Video: https://www.youtube.com/watch?v=XL5pOFjY7Pg
According to Microsoft’s State of Cloud Permission Risks Report, over 50% of identities are super admins, and only 1% of permissions granted to identities are actually used.
But who can blame the employees for over-privilege? Here’s a scenario you see every day. You are working on a new project and need access to a resource, let’s say an Azure AI model. The resource owner has to pore over the IAM docs to pick the proper role out of the hundreds of built-in roles. Often this first attempt fails (maybe they granted you access to the notebook but not the underlying cluster or data). Six iterations later you still don’t have the proper access, so they give up and add you as owner to the entire resource group and every relevant security group they can find. Since this works, no one bothers to remove the access later and risk breaking your workflow.
So what’s the solution? To end the continuous chore of removing access, we need a simpler way to achieve “Zero Standing Privileges”. Rather than putting the onus on the developer to request the proper, time-bound role, let them simply describe their task. This will simplify the process of picking a least-privileged role and stop the common practice of developers defaulting to owner or contributor roles out of convenience.