Lesaffre

Lesaffre’s M365 Security and Control Rise with CoreView Virtual Tenants, RBAC and Delegated Administration

Lesaffre is the world’s largest yeast manufacturer. The global company has 10,700 employees with a turnover of 2 billion euros per year.

Stats:

  • 7,200 M365 users
  • 55 Local IT departments
  • 55 CoreView Virtual Tenants
  • Moved to Microsoft 365 2018
  • Adopted CoreView Q1 2019

The Client

Lesaffre, Marcq-en-Baroeul, France

The Situation

Lesaffre organizationally believes in the subsidiary model and gives its 50+ subsidiaries as much independence as possible.

Lesaffre has been a key player in the global fermentation market for over 100 years. The company is established on all continents and employs people with over 85 nationalities.

Lesaffre began its M365 migration in early 2018 and accomplished a global rollout in six months. During that time, Lesaffre did not have a solution like CoreView and relied upon Microsoft 365 basic administration features. With 55 separate companies, each wanting IT independence and central IT also wanting these groups to be protected from one another, they knew they needed a better solution.

After deploying CoreView in their Microsoft 365 tenant, Lesaffre now has 55 Virtual Tenants and has implemented RBAC and Delegated Administration for Least Privilege Access.

The Challenge

Lesaffre saw firsthand what it was like without Virtual Tenants, RBAC and delegation before it moved to CoreView. “We have many subsidiaries in different countries. There is a great principle at Lesaffre. We promote the idea of subsidiaries and promote autonomy of the different subsidiaries,” said Didier STUCKI, Group IT CTO for Lesaffre. “The problem we faced was that any IT manager could see and manage any O365 account (including the CIO one). It was a problem. There was no way to avoid someone making a change outside of his user scope. This is an obvious security issue.”

The answer was CoreView. “We knew we had to go for a delegation solution. It was part of the project scope from the beginning. However, it was not the top priority. The top priority was to first migrate. It was a huge job for us. Then to find and deploy a delegation solution like CoreView, of course,” STUCKI said.

The Solution

Because Lesaffre is focused on a subsidiary model, it has limited IT resources at the corporate level. Instead, the company focuses on support the IT efforts of its subsidiaries.

“We created one virtual tenant per company. In some IT departments, we are managing more than one virtual tenant. Take Mexico. We have a large subsidiary in Mexico. However, it is not the only legal company. There are seven. We created seven tenants because there are seven different companies. They are all managed by the same IT team. But all in all, yes we created one virtual tenant per IT department.” STUCKI said.

Lesaffre now uses Role-Based Access Control to control what a help desk person can do so they can only do what Lesaffre allows them to do. “We built several different profiles. I would say perhaps five to seven roles, not a lot. For instance, we have the local IT manager role. That person can execute reports, and also analyze the audit logs, and has the necessary management features to manage his users. We also have, for instance, the regional IT manager role. This role is a bit particular because the person has no management features. He wants to have visibility on the countries he’s responsible for and he wants to have the ability to execute reports,” STUCKI explained.

Lesaffre also created specific roles for external IT managers. “In some countries we have internal IT managers. In others, sometimes it is external people. Especially when the subsidiary is very small, we have some very small subsidiaries. For some entities, we do not have an internal IT manager working full time for the company. So, we contract with and are working with an external partner. For them, we created a role with some little differences from a local IT internal manager. Some features are not available for them, but the differences are minor,” STUCKI said.

Lastly, Lesaffre created roles for help desk workers needing to reset passwords or change user properties.

The Results

In 2019, Lesaffre was hit with numerous cybercrime attacks. “We used CoreView to detect the attacks, and discover they were mostly coming from the same area. This is one of the most efficient ways to prevent this kind of attack (risky sign-ins analysis). This kind of attack happens after a phishing campaign. First, you face a phishing campaign and unfortunately, some users click on the bad link and enter their credentials,” STUCKI explained.

Lesaffre ran a satisfaction survey of its IT administrators about CoreView. “It was a ranking from 1 to 5 with 5 being best. I think the CoreView score was a 4.5. It was considered really useful,” STUCKI said. “IT is definitely convinced because they receive the same autonomy they had previously. Before each subsidiary was managing its own mail system. We started from having 55 different messaging systems, at least. And not all the same. We had Microsoft Exchange on-premises, Google G Suite, Lotus Notes, POP systems, and so on. It was a big change for our IT community. However, at this time, local IT can manage their system by themselves.”