mgorman
Contributor II

Least Privilege and SaaS

<SOAPBOX> It amazes and depresses me to see so many SaaS providers not enabling their customers to set up true least-privilege programs of their own. I am in the process of reviewing all of our SaaS providers for cyber certifications, etc., as well as building audit scripts to collect all the users and their roles for periodic or separation audits. Most of these vendors have some sort of certification, SOC 2, ISO 27001, etc. However, a user, system user, etc. needs Administrator access to pull all the users, including other administrators. That's the kicker that got me: you could create an admin account with read-only access, but it couldn't see the other admins. Really? With the above certifications, you should have a least-privilege model in place. You should be performing regular audits of your systems for user and role verification. Why can't I build a role that has the right to read ALL, write nothing? That is an audit role, and it should be defined everywhere. At least the ability; perhaps there are switches to limit scope, etc. for distributed audit functions, but the ability to have an overall view should be there. </SOAPBOX>

0 Replies
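As an added illustration of the audit script and the "read all, write nothing" role the post describes (this is example code written for this page, not the poster's script and not any vendor's RBAC model), the block below models a hypothetical SaaS role set, emulates the enumeration behaviour the post complains about (a read-only admin that cannot list other admins), and runs the two checks a periodic audit would want: which principals a given viewer role would silently miss, and which accounts hold conflicting roles. The role names, resources, permission map and user export are all constructed for the example.

```python
"""Periodic user/role audit over a SaaS user export (hypothetical model, constructed data)."""
from dataclasses import dataclass

# Resource classes the hypothetical SaaS exposes. "admin_users" is split out
# because hiding admin principals from read-only viewers is the behaviour under discussion.
RESOURCES = frozenset({"users", "admin_users", "roles", "billing", "audit_log"})

# Hypothetical RBAC model: role -> resource -> allowed actions. Not any real vendor's model.
ROLE_PERMISSIONS = {
    "admin": {r: {"read", "write"} for r in RESOURCES},
    # Read-only admin as the post describes it: can read ordinary users, not other admins.
    "read_only_admin": {"users": {"read"}, "roles": {"read"}, "billing": {"read"}},
    # The audit role the post asks for: read everything, write nothing.
    "auditor": {r: {"read"} for r in RESOURCES},
    "billing_manager": {"billing": {"read", "write"}},
    "billing_approver": {"billing": {"read", "approve"}},
}

# Role pairs one person must not hold at the same time (separation of duties).
CONFLICTING_ROLE_PAIRS = [frozenset({"billing_manager", "billing_approver"})]


@dataclass(frozen=True)
class User:
    login: str
    roles: frozenset


# Constructed user export, standing in for what an audit script would pull from a vendor API.
SAMPLE_USERS = [
    User("alice", frozenset({"admin"})),
    User("bob", frozenset({"read_only_admin"})),
    User("carol", frozenset({"admin", "billing_manager"})),
    User("dave", frozenset({"billing_manager", "billing_approver"})),
    User("erin", frozenset({"auditor"})),
]


def actions_on(role, resource):
    """Actions a role may perform on a resource (empty set if none)."""
    return ROLE_PERMISSIONS.get(role, {}).get(resource, set())


def is_audit_role(role):
    """True iff the role can read every resource and can do nothing except read."""
    reads_all = all("read" in actions_on(role, r) for r in RESOURCES)
    writes_nothing = all(actions_on(role, r) <= {"read"} for r in RESOURCES)
    return reads_all and writes_nothing


def is_admin(user):
    """An account that can modify user accounts counts as an admin principal."""
    return any("write" in actions_on(r, "users") for r in user.roles)


def visible_users(viewer_role, users):
    """Emulate vendor enumeration: admin accounts are listed only if the viewer may read admin_users."""
    visible = []
    for u in users:
        needed = "admin_users" if is_admin(u) else "users"
        if "read" in actions_on(viewer_role, needed):
            visible.append(u.login)
    return visible


def hidden_principals(viewer_role, users):
    """Accounts an audit pull under viewer_role would silently miss."""
    return {u.login for u in users} - set(visible_users(viewer_role, users))


def separation_violations(users):
    """Logins holding both halves of a conflicting role pair."""
    return sorted(u.login for u in users
                  if any(pair <= u.roles for pair in CONFLICTING_ROLE_PAIRS))


def privileged_accounts(users):
    """Accounts holding any non-read action anywhere: the ones to review most often."""
    return sorted(u.login for u in users
                  if any(actions_on(r, res) - {"read"} for r in u.roles for res in RESOURCES))


if __name__ == "__main__":
    for role in ("auditor", "read_only_admin", "admin"):
        print(f"{role}: audit-capable={is_audit_role(role)}, "
              f"hidden={sorted(hidden_principals(role, SAMPLE_USERS))}")
    print("SoD violations:", separation_violations(SAMPLE_USERS))
    print("privileged accounts:", privileged_accounts(SAMPLE_USERS))
```

The useful check is `hidden_principals`: run against the role your audit script authenticates with, it shows whether the user list you collect is complete, and in this model only the `auditor` role (read on every resource, no other action) returns an empty set. A real script would replace `SAMPLE_USERS` with the vendor's user export and `ROLE_PERMISSIONS` with the vendor's documented role matrix.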