d46j48fx
Contributor I

Request from a TPC to be given O365 Global Admin Access. Political issue; need advice

Hello fellow InfoSec professionals! I would appreciate your advice on the following matter:

 

I have been informed of a request to provide the Office365 Global Admin role to a third party contractor (TPC) who is working on a project that has already provided a deep level of Azure access before my tenure as Infosec employee #1 began here. 

I have grave concerns regarding the provision of such access outside of the IT team (the individual works for a specific, high-visibility project that is enabled but not managed by IT). It is my understanding that by granting this role, the TPC would be able to read (and possibly delete) emails from all corporate accounts, including the CEO and board members. This role would also allow the user to provide privileged access roles to others. This could all be monitored and audited, but I think I should first be asking the question, "Do we need to provide this level of access in the first place?"

Even if the end can be used to justify the means, I should STILL be in receipt of documentary evidence that without this level of access, the individual would be unable to perform the tasks required by their role, right? The political issue is that 1) the individual has ingratiated themselves at the levels of the organization necessary to get what they want and 2) I have the daily responsibilities of a CISO...without the title and "clout". Thoughts on how to deal with this (yesterday, as always LOL) would be much appreciated!

9 Replies
Huntington
Newcomer II

Do you have an established Least Privilege Policy? You would need to document why they need that level of privilege, and understand the duties that the role supports. It's unusual to demand a role level; more usual is to say "I need to do x, y, z. Please assign the appropriate permissions."

 

If the TPC is your partner of record on the tenant id, then they should already have this.

CraginS
Defender I

I'm gonna vote NO.

Anyone else wanna vote NO? 

C'mon, let's all vote NO.

 

Ok, this next suggestion is only partly facetious:

Prepare an authorization memorandum, to be signed by the CEO, COO, CFO, GC, CIO, and CISO, with the following language:

 

I hereby authorize the YouGottABeKiddingMe Company to have full read privileges to all of my official e-mails and stored files for the duration of their contractual relationship with the company.

 

Now, a few questions:

Is the TPC contracted to develop an enhancement to the cloud and O365 capabilities, or to install and operate a proprietary software system that integrates into your corporate cloud and office automation systems?

If the former, how about amending the contract to say that they are responsible for training in-house staff to perform the installation and admin management of the systems, but are not authorized admin rights into the system themselves.

If the latter, does the contract give them special rights for internal access in order to protect their intellectual property from your company?

 

Finally, do you have a corporate risk officer? If so, that official needs your report on the implications of this request.

 

Good luck!

 

Craig

 

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts
denbesten
Community Champion


@CraginS wrote:

Finally, do you have a corporate risk officer? If so, that official needs your report on the implications of this request.

Craig has the right approach. If the decision is not solely yours, your obligation is to ensure the decision maker has everything they need to make an informed, responsible decision that best respects the competing interests of your company. Specifically calling out risk, identifying potential mitigations and offering a recommendation is your responsibility. Accepting/rejecting the risk belongs with the decision maker.

 

To protect yourself, you should retain evidence of your conversation/recommendation. A great way of doing this is to first discuss it in person with the decision maker and then follow it up with a polite, factual email memorializing the conversation.

 

Azure/O365 has a fine-grained access control system. "Global Admin" is usually requested because it is "easy", not because it is "necessary". If you can help find that "middle ground", you have an opportunity to start earning that "clout". Perhaps start with a phone call between yourself, the TPC and Microsoft support to hone in on the actual access needs.

 

Incidentally, in my company nobody (not even our admins) has Global Admin. When they need it, it is checked out of our automated vault. Amongst other things, the vault collects a reason, seeks approvals and then removes the access a few hours later.

 

 

 

CISOScott
Community Champion

I would vote no as well. We are going through this same thing. In the past they just made everyone global admins because it was EASY. Don't have to worry about taking hours/days/weeks to work out the right assignment of roles, just "Git 'er Done!" ("Get it done", for those of you who have not been exposed to the comedian Larry the Cable Guy).

 

Also ask yourself whether giving this contractor this level of unprecedented access would give said contractor a leg up in future negotiations, given that they would have access to all of the company's emails.

 

JoePete
Advocate I


@d46j48fx wrote:

I have been informed of a request to provide the Office365 Global Admin role to a third party contractor (TPC) who is working on a project that has already provided a deep level of Azure access before my tenure as Infosec employee #1 began here. 


I don't spend a lot of time with Office 365. As a practical matter, how would the third party know their level of access? In short, would it be possible to create a role that would provide the third party with suitable access but not any sort of global admin?

 

I think the technical answer is obvious. The political one is not, but there are a boatload of resources you can point to that say don't do this. You have to couch this in liability. Should something go sideways (reference Equifax) there will be some sort of legal discovery as part of a civil suit or regulatory investigation. As such all emails etc. become part of the legal record, and senior management/the board needs to explain why they went against every possible recommendation or best practice.

Steve-Wilme
Advocate II

We had a similar request from a third party and handled it by splitting the work up into that which would require global admin and that which the third party could do without global admin. The first part was carried out by the existing global admins as a small project formally requested of IT.

 

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
CISOScott
Community Champion

A global admin would have content search rights within O365. This can have unintended consequences. For example: I perform content searches in response to FOIA requests. I performed one particular search using several keywords. At the time we also had a CIO position vacant. One of the keywords I was searching for was HHS (Health/Human Services). Well guess what, one of the applicants for the CIO position was working at HHS. So guess who accidentally got to see who was being interviewed for the CIO position? Me. Luckily I was not interviewing for the position or it could have caused a conflict of interest. Or it could have given me the information I needed to sidetrack my rivals, if I was so inclined.

 

So you can see just giving someone global admin rights can have some serious consequences and WAY more access than they need. 

d46j48fx
Contributor I

Everyone, TBH, although I have marked one answer as the "accepted solution", each one of your responses has provided me the necessary insight to be able to formulate an objective, risk-based response to the request; thanks very much!

 

Please forgive the incremental reveal...your questions brought more info to the surface.

The individual is the team lead for our organisation's AppDev team and is responsible for the org's Azure infrastructure. Custom interfaces and applications are being developed in addition to using the "standard" O365 ecosystem. Although the buck stops with an internal employee, the AppDev team are all contractors, including the individual. O365 PIM has been implemented whereby we (in theory) know when someone assigns themselves the Global Admin role, and his access expires after 1 hr. Auditing is enabled in O365 for all accounts. The individual has also presented screenshot evidence that an activity he was attempting resulted in a "you need to be a global admin to do this" error message. Am I hamstrung?

CISOScott
Community Champion

If you are pairing auditing with rights assignment/management then you should be good. Especially if you have an IAM (Identity and Access Management) or PIM (Privileged Identity Management) solution in place. As long as you can track what they are doing and take the appropriate action if malfeasance occurs, then you should be OK. It is just giving them Global Admin with no boundaries that can be problematic.

 

This is what the community is here for, to help others and share experiences that you may not have had yet. I'm glad we were able to help.
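One way to actually pair the auditing the original poster has enabled with the one-hour PIM expiry described above, as an added example that is not from any poster in this thread or from Microsoft: a review of unified-audit-log role events that flags Global Administrator grants which did not come through the PIM service account or were not revoked within the window. The record layout, the contoso.example accounts and the PIM actor name are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (assumption: field names follow the Office 365
# Management Activity API schema as exported by Search-UnifiedAuditLog).
def _rec(ts, op, actor, target, role):
    return {"CreationTime": ts, "Operation": op, "Workload": "AzureActiveDirectory",
            "UserId": actor, "ObjectId": target,
            "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": role}]}

SAMPLE_RECORDS = [
    # PIM grants the role to the team lead and revokes it 58 minutes later.
    _rec("2023-05-02T09:00:12", "Add member to role.", "pim@contoso.example",
         "lead@contoso.example", "Global Administrator"),
    _rec("2023-05-02T09:58:40", "Remove member from role.", "pim@contoso.example",
         "lead@contoso.example", "Global Administrator"),
    # A human account grants the role to a colleague and nobody revokes it.
    _rec("2023-05-03T14:10:05", "Add member to role.", "lead@contoso.example",
         "dev2@contoso.example", "Global Administrator"),
    _rec("2023-05-03T14:12:00", "Add member to role.", "lead@contoso.example",
         "dev2@contoso.example", "Exchange Administrator"),  # ignored: not GA
]

def role_of(rec):
    """Role named in the record's ModifiedProperties, or None."""
    for prop in rec.get("ModifiedProperties", []):
        if prop.get("Name") == "Role.DisplayName":
            return prop.get("NewValue")
    return None

def review_global_admin_grants(records, pim_actor, window=timedelta(hours=1)):
    """One finding per Global Administrator grant: who granted it, to whom,
    whether it came through the PIM service account, and whether it was
    revoked within the window. Anything other than 'revoked' needs a look."""
    ts = lambda r: datetime.fromisoformat(r["CreationTime"])
    events = sorted((r for r in records if r.get("Workload") == "AzureActiveDirectory"
                     and role_of(r) == "Global Administrator"), key=ts)
    findings = []
    for i, grant in enumerate(events):
        if grant["Operation"] != "Add member to role.":
            continue
        removal = next((r for r in events[i + 1:] if r["ObjectId"] == grant["ObjectId"]
                        and r["Operation"] == "Remove member from role."), None)
        if removal is None:
            status = "standing"  # never revoked: a permanent Global Admin
        elif ts(removal) - ts(grant) <= window:
            status = "revoked"
        else:
            status = "overran_window"
        findings.append({"granted_to": grant["ObjectId"], "granted_by": grant["UserId"],
                         "via_pim": grant["UserId"] == pim_actor, "status": status})
    return findings
```

On the sample data the PIM-brokered grant is reported as revoked, while the grant made directly by the team lead's own account shows up as a standing assignment made outside PIM, which is exactly the case the thread is worried about.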