{
	"id": "6b45db73-5c95-4386-8dfc-6e7d0abadfd3",
	"created_at": "2026-04-06T00:09:05.186828Z",
	"updated_at": "2026-04-10T13:12:56.535032Z",
	"deleted_at": null,
	"sha1_hash": "eec3762bb5b4711fb252174c8e5e7e3ba8e2936d",
	"title": "Securing privileged access Enterprise access model - Privileged access",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50267,
	"plain_text": "Securing privileged access Enterprise access model - Privileged access\r\nBy kenwith\r\nArchived: 2026-04-05 17:18:45 UTC\r\nThis document describes an overall enterprise access model that includes context of how a privileged access strategy fits in. For a roadmap on how to adopt a privileged access strategy, see the rapid modernization plan (RaMP). For implementation guidance to deploy this, see privileged access deployment.\r\nPrivileged access strategy is part of an overall enterprise access control strategy. This enterprise access model shows how privileged access fits into an overall enterprise access model.\r\nThe primary stores of business value that an organization must protect are in the Data/Workload plane:\r\nData/workload plane\r\nThe applications and data typically store a large percentage of an organization's:\r\nBusiness processes in applications and workloads\r\nIntellectual property in data and applications\r\nThe enterprise IT organization manages and supports the workloads and the infrastructure they are hosted on, whether it's on-premises, on Azure, or a third-party cloud provider, creating a management plane. Providing consistent access control to these systems across the enterprise requires a control plane based on centralized enterprise identity system(s), often supplemented by network access control for older systems like operational technology (OT) devices.\r\nControl, management, and data/workload planes\r\nEach of these planes has control of the data and workloads by virtue of their functions, creating an attractive pathway for attackers to abuse if they can gain control of either plane.\r\nFor these systems to create business value, they must be accessible to internal users, partners, and customers using their workstations or devices (often using remote access solutions) - creating user access pathways. They must also frequently be available programmatically via application programming interfaces (APIs) to facilitate process automation, creating application access pathways.\r\nAdding user and application access pathways\r\nhttps://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material?redirectedfrom=MSDN\r\nPage 1 of 3\r\nFinally, these systems must be managed and maintained by IT staff, developers, or others in the organizations, creating privileged access pathways. Because of the high level of control they provide over business critical assets in the organization, these pathways must be stringently protected against compromise.\r\nPrivileged access pathway to manage and maintain\r\nProviding consistent access control in the organization that enables productivity and mitigates risk requires you to:\r\nEnforce Zero Trust principles on all access\r\nAssume Breach of other components\r\nExplicit validation of trust\r\nLeast privilege access\r\nPervasive security and policy enforcement across\r\nInternal and external access to ensure consistent policy application\r\nAll access methods including users, admins, APIs, service accounts, etc.\r\nMitigate unauthorized privilege escalation\r\nEnforce hierarchy – to prevent control of higher planes from lower planes (via attacks or abuse of legitimate processes)\r\nControl plane\r\nManagement plane\r\nData/workload plane\r\nContinuously audit for configuration vulnerabilities enabling inadvertent escalation\r\nMonitor and respond to anomalies that could represent potential attacks\r\nThe enterprise access model supersedes and replaces the legacy tier model that was focused on containing unauthorized escalation of privilege in an on-premises Windows Server Active Directory environment.\r\nLegacy AD tier model\r\nThe enterprise access model incorporates these elements as well as full access management requirements of a modern enterprise that spans on-premises, multiple clouds, internal or external user access, and more.\r\nComplete enterprise access model from old tiers\r\nTier 0 scope expansion\r\nTier 0 expands to become the control plane and addresses all aspects of access control, including networking where it is the only/best access control option, such as legacy OT options.\r\nTier 1 splits\r\nTo increase clarity and actionability, what was tier 1 is now split into the following areas:\r\nManagement plane – for enterprise-wide IT management functions\r\nData/Workload plane – for per-workload management, which is sometimes performed by IT personnel and sometimes by business units\r\nThis split ensures focus for protecting business critical systems and administrative roles that have high intrinsic business value, but limited technical control. Additionally, this split better accommodates developers and DevOps models vs. focusing too heavily on classic infrastructure roles.\r\nTier 2 splits\r\nTo ensure coverage for application access and the various partner and customer models, Tier 2 was split into the following areas:\r\nUser access – which includes all B2B, B2C, and public access scenarios\r\nApp access – to accommodate API access pathways and resulting attack surface\r\nNext steps\r\nSecuring privileged access overview\r\nPrivileged access strategy\r\nMeasuring success\r\nSecurity levels\r\nPrivileged access accounts\r\nIntermediaries\r\nInterfaces\r\nPrivileged access devices\r\nSource: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material?redirectedfrom=MSDN",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material?redirectedfrom=MSDN"
	],
	"report_names": [
		"securing-privileged-access-reference-material?redirectedfrom=MSDN"
	],
	"threat_actors": [],
	"ts_created_at": 1775434145,
	"ts_updated_at": 1775826776,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eec3762bb5b4711fb252174c8e5e7e3ba8e2936d.pdf",
		"text": "https://archive.orkl.eu/eec3762bb5b4711fb252174c8e5e7e3ba8e2936d.txt",
		"img": "https://archive.orkl.eu/eec3762bb5b4711fb252174c8e5e7e3ba8e2936d.jpg"
	}
}