Why Administrators Have Way Too Much Power
Did you know that 80% of SaaS breaches involve privileged permissions? And that admins have the most privileges of all? That the average shop faces 0.8 insiders threats every month – close to ten a year?
IT Can go Bad, and Often Does!
Here’s some tough news. IT pros are people like anyone else. And when they go bad they can do very bad things. They know where the bodies, err, the data lies, and how to get it. And with their high-level privileges, there is little to stop them from stealing data or causing other kinds of MAYHEM.
So how do you mitigate/reduce the breach risk related to your Office 365 operator’s rights? IT veterans may chime in with role-based access control (RBAC), low levels of which indeed exist within Office 365.
However, Microsoft simply does not provide a granular RBAC. Luckily with CoreView, you can segregate your operator responsibility by implementing a truly granular RBAC – but first ask yourself:
- Why is Segregation of Duty a must-have for your organization?
- What are the regulatory constraints?
- What is the risk if you do not implement it?
- What is the business impact of not implementing it?
With Office 365, administrative rights is an all or nothing affair. Under the O365 centralized admin model, all administrators have global credentials, which means they can touch each and every user. Not only is this deeply inefficient, it creates huge security problems in two ways. First, if an O365 admin account is compromised, the hacker can access the entire environment, wreaking widespread security havoc. Second, the O365 admins themselves may have bad intentions, and become your worst security nightmare.
Global Rights are the Culprit
The native Office 365 Admin Center focuses on providing global admin rights, giving admins who tend to work locally too much power and privileges they do not need. This centralized management model of setting privileges with Office 365 entirely relies on granting these ‘global admin rights’ – even to regional, local, or business unit administrators. There is simply no easy facility for setting up regional and other geographic-based rights. Nor can you easily set up rights based on business unit, country, or for remote or satellite offices. In addition, you cannot easily limit an admin’s rights granularly so they can only perform limited and specific functions, such as changing passwords when requested.
RBAC to the Rescue
CoreView addresses these pain points with our Role-Based Access Control (RBAC) features that give you fine-grained control over what admins can, and cannot do.
A proper approach to Office 365 permissions and privileges is partitioning permissions based on roles through RBAC, resulting in far fewer, truly trusted global administrators. These global admins are augmented by a set of local, or business unit focused admins with no global access, all leading to far better protection for your Office 365 environment.
Using a simple, intuitive interface, CoreView lets IT segment the Office 365 tenant in myriad ways — for example, by department, business unit, or location. After these groups are set up, IT can dive deeper, using CoreView’s RBAC capabilities to define specific permissions for administrators who then can only perform certain tasks and only against a specific subset of users.
With CoreView, IT can take the entire organization served by Office 365 and break it into logical groups, or virtual tenants also called sub-tenants, perhaps based on Active Directory (AD) attributes or custom tags on the CoreView side. Once the organization is logically divided, regional admins can be assigned to the virtual tenants.
CoreView further allows you to fine-tune what actions each admin can perform, and which reports they can see. Instead of using the native Office 365 Admin Center, your administrators simply log into the CoreView portal. Here, they are limited to making changes only to their assigned users, and can only perform actions they are specifically assigned. Find out more by reading our Learn to Love Office 365 Role-Based Access Control blog.
Protect Your O365 Tenant With CoreView
Or sign up for a personalized CoreView demo.
Doug Barney was the founding editor of Redmond Magazine, Redmond Channel Partner, Redmond Developer News and Virtualization Review. Doug also served as Executive Editor of Network World, Editor in Chief of AmigaWorld, and Editor in Chief of Network Computing.