Real world help desk stories of unrestricted access to SaaS applications

“Don’t open that door!”

That’s the kind of thing we might shout at a character in a horror movie when there’s a danger lurking.

With less bloodshed, the same thing happens all too easily with unrestricted access to SaaS applications. The fast-growing stack of SaaS apps that organizations rely on has created a huge number of virtual doors that can be opened inappropriately, whether by an unwitting user or by an outside attacker.

What’s to be done? The safeguarding principle behind Least Privilege Access (LPA) is simple but often overlooked: give each user in a system only the level of access needed to complete their assigned tasks, and the scope for serious error, and for other unwanted horrors, shrinks accordingly.

But if an MSP is managing an organization’s SaaS stack without the vital securing effect of LPA, chances are that administrators will lose a lot of sleep listening for bumps in the night. Here are a few grim examples.

Every door opened to every user!

Let’s say you’re a SaaS-managing MSP and your customer’s well-intentioned end-user has been given a high level of admin access. In other words, there are a lot of inappropriate doors that this end-user can open. Then, tragedy strikes. The innocent end-user accidentally hits the button that makes all employee files visible to every employee via Dropbox. Just like that, private data is laid open to the entire organization, including salaries and other personal details.

If that’s not scary enough, consider another scenario that might be a little closer to home for the MSP. Imagine that one of your junior technicians is attempting to offboard an employee named John Smith at Customer ABC but logs into the wrong Microsoft 365 environment and accidentally offboards John Smith at Customer XYZ. Ouch! You’ll have to perform your most agile maneuvers to survive that one.

We’ve found that, as a rule of thumb, only an MSP’s most senior technicians with the necessary training, certifications and experience should be logging into the Microsoft or Google admin portals. Every grant of full admin access exposes 100% of the customer’s environment to whoever holds it, so a single mistake or a single compromised credential can reach everything.
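The wrong-tenant offboarding in the previous scenario is preventable with a guard that ties the action to the customer record instead of to whatever session the technician happens to have open. The following is an added example, not code from this post or from Augmentt, written against the Microsoft Graph PowerShell SDK; the tenant ID, customer name and user principal name are placeholder assumptions, and in practice the tenant ID would be pulled from the MSP’s customer record rather than typed by hand.

```powershell
# Added example: offboard a Microsoft 365 user only after verifying that the
# Graph session really belongs to the intended customer tenant.
# Requires the Microsoft.Graph PowerShell SDK (Authentication, Users, Users.Actions).
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions

function Invoke-GuardedOffboarding {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Tenant ID taken from the customer record (assumed value), never typed at run time.
        [Parameter(Mandatory)] [string] $ExpectedTenantId,
        [Parameter(Mandatory)] [string] $CustomerName,
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )

    # 1. Connect with only the permission this task needs and pin the sign-in
    #    to the expected tenant, so a stale session for another customer is not reused.
    Connect-MgGraph -TenantId $ExpectedTenantId -Scopes 'User.ReadWrite.All' -NoWelcome

    # 2. Verify the tenant we actually landed in before touching anything.
    $ctx = Get-MgContext
    if ($null -eq $ctx -or $ctx.TenantId -ne $ExpectedTenantId) {
        throw "Tenant guard failed: connected to '$($ctx.TenantId)', expected '$ExpectedTenantId' ($CustomerName). Aborting."
    }

    # 3. Resolve the user in that tenant and force a confirmation that names
    #    both the user and the customer, so "John Smith" is never ambiguous.
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id,DisplayName,UserPrincipalName -ErrorAction Stop
    $target = "$($user.DisplayName) <$($user.UserPrincipalName)> in $CustomerName ($($ctx.TenantId))"

    if ($PSCmdlet.ShouldProcess($target, 'Disable account and revoke sign-in sessions')) {
        Update-MgUser -UserId $user.Id -AccountEnabled:$false
        Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
        Write-Host "Offboarded $target"
    }

    Disconnect-MgGraph | Out-Null
}

# Usage with placeholder values (assumed, not real identifiers).
Invoke-GuardedOffboarding -ExpectedTenantId '00000000-0000-0000-0000-000000000000' `
    -CustomerName 'Customer ABC' -UserPrincipalName 'john.smith@customerabc.example'
```

Because `ConfirmImpact` is set to `High`, the function prompts before the destructive step by default and can be dry-run with `-WhatIf`; the prompt text includes the customer name and tenant ID so the technician confirms *where* they are acting, not just *whom* they are acting on.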

Hacked into submission

Cyber attacks are one of those potential issues. Overprovisioning user privilege does not make a phishing email or a stolen password more likely, but it multiplies the damage when one lands: malware delivered through an email attachment runs with the full set of privileges assigned to the victim, and an attacker who steals that user’s password inherits the same reach to access data or to pivot against your networked computers and servers.

Again, it’s all about the level of access. If a low-access user clicks on an attachment or link within a phishing email that loads ransomware onto their system, the impact would be isolated to the user’s system and the resources they can access. But if the phishing victim has broad admin privileges, the ransomware could exploit domain account privileges to modify settings and to access, corrupt, or encrypt sensitive data from endpoints and servers across the network.

Scarier still, attackers often gain initial access through a low-level entry point such as a phishing attack on a standard user. The intruder then works through the network until they find a dormant or orphaned account, or an over-privileged one, that lets them escalate their own privileges. Elevation-of-privilege vulnerabilities are increasingly common and can make it shockingly easy for an attacker to do serious harm.

Stop the horror stories before they begin

Fortunately, applying LPA consistently sharply reduces the chance that an MSP will live through nightmare scenarios like those described above, and with Augmentt Engage, it’s a matter of automation. With Engage, you can adopt LPA for all users (and in some cases for L1 technicians) across multiple applications.

Designed with a transparent access management model, Engage makes it easy to provide users with only the access level they require to get the job done. That means far less exposure to the security risks and data breaches associated with excess privileges.

And because Augmentt Engage lets you build LPA directly into your workflow, technicians no longer need to share passwords, which removes another source of risk, and administrator activity is tracked for both traceability and troubleshooting.

Above all else, LPA with Engage will spare you from those recurring and sleep-stealing SaaS management horror stories.

Derik Belair

As President and CEO, Derik leads the vision, strategy and growth of Augmentt. Prior to founding Augmentt, Derik was the Vice President at SolarWinds, leading the digital marketing strategy for SolarWinds’ Cloud division. Derik has been working in the channel for over 20 years, starting his career as a channel sales rep at Corel Corp. and eventually becoming the first employee at N-able Technologies in April of 2000.