
Maintaining segregation of duty while activating Office 365 Securlet


Article ID: 223566


Products

  • CASB Security Advanced
  • CASB Security Premium
  • CASB Security Standard
  • CASB Securlet SAAS

Issue/Introduction

Some customers are concerned that the requirement for matching email addresses between the Office 365 global administrator and the CloudSOC sysadmin breaks segregation of duties: it can potentially allow the Office 365 administrators to access the CloudSOC environment with sysadmin privilege, or the other way around.

This article describes a strategy to keep each team's access separate, so that the Office 365 administrator cannot access CloudSOC and vice versa.

Resolution

There are 2 approaches to activate the Office 365 Securlets without sharing credentials between the teams:

  • Use the existing Office 365 Global Admin
    • Create a new user in CloudSOC whose username matches the GA account's username (CloudSOC user's email field = GA admin's username)
    • Reset the password in the CloudSOC Users settings so that only the CloudSOC admin team can access this newly created user
    • Promote the CloudSOC user to sysadmin during the activation change window
    • During the activation session, use a video conferencing tool and share the screen with the Office 365 administrators
    • Log in to CloudSOC as the sysadmin created above to activate the Securlet
    • When the GA account credentials must be entered, pass remote control to the O365 team so the GA credentials stay confidential
    • After the O365 team has entered the GA account credentials and the Securlet activates successfully, change this CloudSOC sysadmin back to an end user and/or deactivate this CloudSOC user
  • Create a new Office 365 Global Admin
    • Create a new O365 Global Admin
      • Note that you do not need to create a mailbox or assign an Exchange license to this user
    • Create a corresponding CloudSOC sysadmin
      • Note that the Office 365 user's username field must match the CloudSOC user's email field
    • Activate the Securlet
    • After the activation completes, the O365 admin team can demote the GA account to a regular user. The CloudSOC admin team can perform the same action for the sysadmin account
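The second approach (a dedicated Global Admin that exists only for the activation and is demoted afterwards) lends itself to scripting, so that the privileged window is short and the demotion is verified rather than assumed. The PowerShell below is an added example written for this article; it is not code from Broadcom or the CloudSOC product. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) is installed and that the operator, a member of the O365 admin team, can consent to the listed scopes. The account name `casb-activation@contoso.example` is a placeholder; the CloudSOC side (creating the sysadmin whose email field equals this UPN) is still done in the CloudSOC UI as described above.

```powershell
# Added example, not part of the original article. Requires the Microsoft.Graph module.
# Run by the O365 admin team only: the CloudSOC team never learns this account's password,
# they only receive its UPN to use as the CloudSOC sysadmin's email field.

# Well-known roleTemplateId of the Global Administrator directory role.
$GlobalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'

function New-TemporaryGlobalAdmin {
    param(
        # Placeholder UPN; use a dedicated name that does not collide with a real person's account.
        [Parameter(Mandatory)][string]$UserPrincipalName,
        # Collected with Read-Host -AsSecureString so it never appears in console history.
        [Parameter(Mandatory)][securestring]$InitialPassword
    )
    Connect-MgGraph -Scopes 'User.ReadWrite.All','RoleManagement.ReadWrite.Directory' | Out-Null

    # Refuse to reuse an existing identity: the whole point is a disposable, single-purpose account.
    if (Get-MgUser -Filter "userPrincipalName eq '$UserPrincipalName'") {
        throw "$UserPrincipalName already exists; choose a dedicated account name for the activation."
    }

    $plain = [System.Net.NetworkCredential]::new('', $InitialPassword).Password
    $user = New-MgUser -AccountEnabled:$true `
        -DisplayName 'CASB Securlet Activation (temporary GA)' `
        -MailNickname ($UserPrincipalName.Split('@')[0]) `
        -UserPrincipalName $UserPrincipalName `
        -PasswordProfile @{ Password = $plain; ForceChangePasswordNextSignIn = $false }
    # No license is assigned on purpose: the article notes a mailbox / Exchange license is not needed.

    $role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$GlobalAdminTemplateId'"
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
    }

    # The UPN is the only value the CloudSOC team needs (their sysadmin's email field must match it).
    return $user.UserPrincipalName
}

function Remove-TemporaryGlobalAdmin {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    Connect-MgGraph -Scopes 'User.ReadWrite.All','RoleManagement.ReadWrite.Directory' | Out-Null

    $user = Get-MgUser -Filter "userPrincipalName eq '$UserPrincipalName'"
    if (-not $user) { throw "$UserPrincipalName not found" }
    $role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$GlobalAdminTemplateId'"

    # Demote first, then disable: the account can be kept for audit trail without holding any privilege.
    Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -DirectoryObjectId $user.Id
    Update-MgUser -UserId $user.Id -AccountEnabled:$false

    # Verify the demotion took effect instead of trusting the call succeeded.
    $stillMember = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id |
        Where-Object { $_.Id -eq $user.Id }
    if ($stillMember) { throw "$UserPrincipalName is still a Global Administrator" }
    return $true
}

# Usage by the O365 admin team, before the activation window:
#   $pw = Read-Host -Prompt 'Initial password for the temporary GA' -AsSecureString
#   New-TemporaryGlobalAdmin -UserPrincipalName 'casb-activation@contoso.example' -InitialPassword $pw
# Usage after the CloudSOC team confirms the Securlet is active:
#   Remove-TemporaryGlobalAdmin -UserPrincipalName 'casb-activation@contoso.example'
```

The demote-then-disable order in `Remove-TemporaryGlobalAdmin` matters: disabling alone leaves a Global Administrator object in the directory that could be re-enabled, whereas removing the role membership first means the retained, disabled account carries no privilege even if it is later switched back on by mistake.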

Additional Information

Using the existing GA may be easier for some organizations than requesting a new GA in the Office 365 environment. The benefit of creating a new O365 GA is that the account is used only for this activation, so there is minimal concern over the risk of losing the identity, as it can be deactivated after the activation.