Real world help desk stories of unrestricted access to SaaS applications

“Don’t open that door!”

That’s the kind of thing we might shout at a character in a horror movie when there’s a danger lurking.

With less bloodshed, the very same things can happen all too easily with unrestricted access to SaaS applications. The quickly growing SaaS apps that organizations rely on have created a huge number of virtual doors that might be opened inappropriately — opened by an unwitting user or by an outside malicious agent.

What’s to be done? The safeguarding principle behind Least Privilege Access (LPA) is pretty simple but often overlooked. The idea is that if each user in a system is given only the level of access needed to complete their assigned tasks, the possibility for serious error and other unwanted horrors is greatly reduced.

But if an MSP is managing an organization’s SaaS stack without the vital securing effect of LPA, chances are that administrators will lose a lot of sleep listening for bumps in the night. Here are a few grim examples.

Every door opened to every user!

Let’s say you’re a SaaS-managing MSP and your customer’s well-intentioned end-user has been given a high level of admin access. In other words, there are a lot of inappropriate doors that this end-user can open. Then, tragedy strikes. The innocent end-user accidentally hits the button that makes all employee files visible to every employee via Dropbox. Just like that, private data is laid open to the entire organization, including salaries and other personal details.

If that’s not scary enough, consider another scenario that might be a little closer to home for the MSP. Imagine that one of your junior technicians is attempting to offboard an employee named John Smith at Customer ABC but logs into the wrong Microsoft 365 environment and accidentally offboards John Smith at Customer XYZ. Ouch! You’ll have to perform your most agile maneuvers to survive that one.

We’ve found that as a rule of thumb, only an MSP’s most senior technicians with the necessary training, certifications and experience should be logging into the Microsoft or Google portals. Each time you grant full admin access, it opens 100% of your customer’s environment, leaving room for potential issues to arise.

Hacked into submission

Cyber attacks are one of those potential issues. Overprovisioning of user privileges significantly increases the damage that can follow when malware or hackers steal passwords or when malicious code is installed via email attachments. Successful assaults like these can leverage the entire set of assigned user privileges to access data or launch an attack against your networked computers or servers.

Again, it’s all about the level of access. If a low-access user clicks on an attachment or link within a phishing email that loads ransomware onto their system, the impact would be isolated to the user’s system and the resources they can access. But if the phishing victim has broad admin privileges, the ransomware could exploit domain account privileges to modify settings and to access, corrupt, or encrypt sensitive data from endpoints and servers across the network.

Scarier still, hackers often gain initial access through a low-level entry point such as a phishing attack on a standard user. The intruder then works through the network until they find a dormant or orphaned account that allows them to escalate their own privileges. Elevation of privilege vulnerabilities are increasingly common and can make it shockingly easy for a hacker to do serious harm.

Stop the horror stories before they begin

Fortunately, applying LPA protocols makes it virtually impossible for MSPs to experience nightmare scenarios like those described above—and with Augmentt Engage, it’s a simple matter of automation. With Engage, you can easily adopt LPA for all users (and in some cases for L1 technicians) across multiple applications.

Designed with a transparent access management model, Engage makes it easy to seamlessly provide users with only the access level they require to get the job done. That means far less exposure to the security risks and data breaches associated with excess privileges.

And because Augmentt Engage lets you implement LPA directly into your workflow, it means that technicians must stop sharing passwords, further reducing security threats, and it lets you track administrator activity for both traceability and troubleshooting.

Above all else, LPA with Engage will spare you from those recurring and sleep-stealing SaaS management horror stories.

Author
Gavin Garbutt
Co-Founder & Chairman of Augmentt

FAQ

Using our GDAP tool & Magic Link, setting up is easy! You can integrate with your CSP partner portal in minutes.
Augmentt uses a combination of Microsoft Secure Score best practices as well as industry standards such as NIST & CIS. You can use the out of box templates to get started right away and even build your own custom templates to match your client requirements.
Out of box, Augmentt comes pre-configured to not be noisy. Very few Microsoft alerts are critical in nature so you will be receiving tickets for account breaches and not minor user log related events. That said, everything is customizable and you can turn alerts on & off to match your clients’ needs.
No. You can choose to schedule alerts to any stakeholder you want and at the frequency you want or manually download reports when you need them.
Regardless of how MFA is managed across your tenants, we have you covered. Augmentt supports Conditional Access Policies, Security Defaults, Entra ID per user (Legacy) MFA as well as 3rd party MFA services like DUO.
No. You can use Augmentt to monitor and manage all clients regardless of their licensing. For environments with no premium licensing you can still provide alerts and monitoring for account breaches and configure security best practices. For environments with premium licensing, you can leverage Microsoft’s premium alerts and premium security configurations such as Conditional Access Policies.
Augmentt is one of the few vendors that are SOC 2 Type II and GDPR compliant.
Site licenses to make sure you can deliver standardized service across all clients very affordably.
