Lesaffre is a key global player in fermentation for more than a century, Lesaffre, with a 2-billion-euro turnover, and established on all continents, counts 10,700 employees and more than 85 nationalities. On the strength of this experience and diversity, we work with customers, partners and researchers to find ever more relevant answers to the needs of food, health, naturalness and respect for our environment. Thus, every day, we explore and reveal the infinite potential of microorganisms.
To nourish 10 billion people, in a healthy way, in 2050 by making the most of our planet’s resources is a major and unprecedented issue. We believe that fermentation is one of the most promising answers to this challenge.
Lesaffre organizationally believes in the subsidiary model and gives it some 55 subsidiaries as much independence as possible. When the company moved to Microsoft Office 365, it wanted each subsidiary to control its own IT destiny. The answer – deploy CoreView to create 55 virtual O365 tenants and use the same CoreView solution to manage those tenants.
We spoke with Didier STUCKI, Group IT CTO for Lesaffre about the move to O365, and the role CoreView plays in managing and securing the environment.
The Move to O365
CoreView: You started using Office 365 in 2018. When did you start using CoreView?
Didier STUCKI: First quarter, 2019.
CoreView: What was it like using Office 365 in 2018 without CoreView?
Didier STUCKI: We started the migration in the beginning of 2018 and managed a global rollout for all our subsidiaries in something like six months. During that time, we did not have a tool like CoreView. We were using basic administration features provided by Office 365.
We focused on the roll out first. Then came the question of the administration. This is why we decided to search for a tool to delegate almost every administrative function to our local subsidiaries. We have IT departments in all of our subsidiaries, and we have something like 55 different in many different countries and 7,200 users.
CoreView: When you first rolled out O365, you did not have the virtual tenants and delegation capabilities, and an outside company in part handled the management of the system of the tenant? Is that right?
Didier STUCKI: We were managing the administration of the tenants internally but with the help of some consultants. We did not fully delegate this activity to an external company. We were just using the services of the company in charge of the O365 rollout in our subsidiaries to also manage the daily activities like, for instance, end user creation.
We knew we had to go for a delegation solution. It was part of the project scope from the beginning. However, it was not the top priority. The top priority was to first migrate. It was a huge job for us. Then to find and deploy a delegation solution like CoreView, of course.
CoreView and IT Security and Independence
CoreView: You could see firsthand what it was like without virtual tenants and delegation before you moved to CoreView. What problems did you see when you did not have it?
Didier STUCKI: We have many subsidiaries in different countries. There is a great principle at Lesaffre. We promote the idea of subsidiaries and promote autonomy of the different subsidiaries.
The problem we faced was that any IT manager could see and manage any O365 account (including the CIO one). It was a problem. There was no way to avoid someone making a change outside of his user scope. This is an obvious security issue.
Regarding the profiles you can manage in O365, you can manage different kinds of profiles of course. However, it is difficult to provide, for instance, basic administration features like user management with all features needed. It is difficult to provide any sort of features and also more advanced reporting features. For instance, to manage users but also have some visibility on auditing, security and so on. It is so difficult, in fact, to combine the different standard roles on a 365 level – and difficult to have the same kind of coverage we have with CoreView.
There are also security issues. With 365, if you are facing a main distribution issue, you can go into the main tracking control and you can track emails to verify if they are being distributed to their recipients. Means that as an administrator you can see all emails traffic logs.
We now have a way to avoid an IT manager having a look at the tracking of the emails sent by users outside his organization. It was not possible to block this before. There was no way to scope, I would say, authorization per use, per subsidiary or per region. For us, the main driver was the ability to restrict the parameter of the responsibility of each IT manager to his own users only – to be specific to an organization based on subsidiary and autonomy of each company.
We have very limited resources at the corporate level. Our organization is more based on the subsidiarity concept for all our subsidiaries.
Controlling the IT Insider Threat
CoreView: The insider IT threat is something many people do not like to talk about. However, IT people are people like anybody else – good and bad. An IT insider is more dangerous than a regular employee because the IT insider has all those privileges and knows where the data is – so they can cause a lot of damage.
Didier STUCKI: Exactly. That is it. In fact, each IT manager is responsible for his users and only for his users. We have one IT manager per subsidiary. That is our current organization. There is no central management of the user mailboxes and so on. At corporate level, we have only enough resources to manage Level 2 requests. Or to manage global questions regarding the governance of 365 and overall security. However, it was not planned to hire additional resources at the corporate level to manage the solution.
The Value of O365 Virtual Tenants
CoreView: With the virtual tenants, do each of the 55 local IT departments have their own virtual tenant?
Didier STUCKI: Exactly. We created one virtual tenant per company. In some IT departments, we are managing more than one virtual tenant. Take Mexico. We have a large subsidiary in Mexico. However, it is not the only legal company. There are seven. We created seven tenants because there are seven different companies. They are all managed by the same IT team. But all in all, yes we created one virtual tenant per IT department.
The Role of RBAC
CoreView: You have virtual tenants, but are you also using the Role-Based Access Control (RBAC) and Functional Access Control (FAC) underneath the virtual tenant?
Didier STUCKI: We are controlling the operator creation at the corporate level. So we provision new accounts for the local IT people, for the local administrators. In addition, we are creating accounts for the help desk department, that kind of thing. However, it is managed at the corporate level. If the IT manager in a given country is hiring someone to work for his help desk, he makes a request to the corporate department for the creation of a new operator. Then we assign centrally the appropriate authorization to the person. We are not delegating the creation of new administrative accounts. That is not something we are doing today.
CoreView: Are you using the Role-Based Access Control to control what a help desk person can do so they can only do what you allow them?
Didier STUCKI: Exactly. We build several different profiles. I would say perhaps five to seven roles, not a lot. For instance, we have the local IT manager role. That person can execute reports, and also analyze the audit logs, and has the necessary management features to manage his users. We also have, for instance, the regional IT manager role. This role is a bit particular because the person has no management features. He wants to have visibility on the countries he’s responsible for and he wants to have the ability to execute reports.
In addition, we created roles for the external IT manager because we have enough specificity. In some countries we have internal IT managers. In others, sometimes it is external people. Especially when the subsidiary is very small, we have some very small subsidiaries. For some entities, we do not have an internal IT manager working full time for the company. So, we contract with and are working with an external partner. For them, we created a role with some little differences from a local IT internal manager. Some features are not available for them, but the differences are minor.
Of course, we created some roles for the help desk people that need the ability to reset a password or change some properties for the user. Not so many different roles, but I would say between five and seven different authorization roles.
Tightening O365 Security
CoreView: Do you also use CoreView for security, such as using the audit path?
Didier STUCKI: The auditing path. Yes, we are working with security more and more. We did not focus too much on security at the beginning because the focus was clearly on management. We are working now on security and consider CoreView as a security tool – a tool that allows us to avoid or prevent security issues.
For example, in CoreView you can run a report named ‘Impossible Travels’. This report is useful because it allows you to detect an unusual connection made by a user — but from a country where he is not. For instance, the person is usually connecting from Italy, where we have a subsidiary. Then 10 minutes ago, the same connection from the same user — but from the U.S. Something is wrong, definitely.
By using this kind of report, we are providing local IT the ability to manage their own security and participate in the overall security strategy we are pushing to the subsidiaries.
Importance of O365 Reporting
CoreView: What other reports do you find useful?
Didier STUCKI: Impossible Travels, of course. The Sign-In and Risky Users reports are definitely the most useful. If you detect an impossible travel for a user, you can go deeper in the analysis to double check what exactly happened and to understand if it is a false positive or a real security issue.
CoreView: Have you used the license reporting to see whether you have licenses you are paying for that you are not using, or licenses that are oversized that you can downsize?
STUCKI: Today we mainly use Office E1 and E3. We have a very basic Microsoft contract. However, we did some analysis to understand if we had some unusual 365 E1 or E3 licenses, and the reports are really useful. A report like unused Exchange mailboxes is really useful — because it offers a way to detect mailboxes that are not used any longer with a valid license assigned. This we are doing centrally, of course. Centrally, we are making a kind of global analysis. However, we are also promoting those reports from the local IT manager to explain to them that we can make some savings by executing this kind of report.
We sometimes had problems in the user management flow. Sometimes the license remains assigned, even if the person left the company. We still have this kind of issue and is something we are working on. We are working on the user management flow and it’s part of our security strategy. We need to properly manage the arrivals, moves and departures of the employees. The CoreView reports are really useful to identify the issues, to close the accounts or for security reasons — but also to save money, of course. We can deassign licenses and save fees.
Protecting Against Bogus Sign-Ins
CoreView: You talked about the impossible sign-ins, and suspicious sign-ins. Do you have any examples that stood out?
Didier STUCKI: in 2019, we faced numerous attacks. We used CoreView to detect the attacks, and discover they were mostly coming from the same area. This is one of the most efficient ways to prevent this kind of attack (risky sign-ins analysis). This kind of attack happens after a phishing campaign. First, you face a phishing campaign and unfortunately, some users click on the bad link and enter their credentials.
Two years ago, and a few months after a phishing campaign, a hacker tried to login to the user accounts, and compromise the user accounts to perform activities like fraud attempts. This is a security issue we face. We are able to detect and prevent these kinds of attacks by using the CoreView solution.
O365 IT Satisfaction
CoreView: We understand you ran a satisfaction survey of your IT administrators about CoreView.
Didier STUCKI: It was a survey we sent to the IT administrators for feedback regarding the quality of the CoreView solution. It was a ranking from 1 to 5 with 5 being best. I think the CoreView score was a 4.5. It was considered really useful.
IT is definitely convinced because they receive the same autonomy they had previously. Before each subsidiary was managing its own mail system. We started from having 55 different messaging systems, at least. And not all the same. We had Microsoft Exchange on-premises, Google G Suite, Lotus Notes, POP systems, and so on. It was a big change for our It community. However, at this time, local IT can manage their system by themselves.