
In Active Directory, any non-privileged user who can change a Domain Administrator’s password is themselves a Domain Administrator. Whoever can change that non-privileged user’s password is a Domain Administrator as well. You can see the privilege escalation rabbit hole starting to develop with simple lateral movement and password changes. It is one of many scenarios Innova Solutions has discovered during client Active Directory audits. It underscores a problem IT organizations face, not only who is an administrator of services but who could make themselves an administrator.
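The transitive rule stated above can be checked mechanically. The following Python is an added illustration, not Innova Solutions' tooling: it takes a constructed list of "who can reset whose password" relationships (in a real audit these would come from the User-Force-Change-Password extended right, GUID 00299570-246d-11d0-a768-00aa006e0529, in each user object's ACL) plus the direct Domain Admins membership, and walks the graph backwards to find every principal who could make themselves a Domain Administrator. The names and ACEs are invented for the example.

```python
"""Find every principal who can reach Domain Admin through password resets.

Constructed example data: a handful of Access Control Entries (ACEs) granting
the reset-password right, plus the direct Domain Admins membership.  In a real
audit these come from Active Directory ACLs; here they are inline so the logic
runs offline.
"""
from collections import deque

# Constructed: direct members of the Domain Admins group.
DOMAIN_ADMINS = {"alice"}

# Constructed ACEs of the form (trustee, target): "trustee holds the
# reset-password right on target's user object".
RESET_PASSWORD_ACES = [
    ("helpdesk-tier2", "alice"),   # helpdesk account can reset a Domain Admin
    ("bob", "helpdesk-tier2"),     # bob can reset the helpdesk account
    ("carol", "bob"),
    ("dave", "carol"),
    ("erin", "frank"),             # erin only reaches a non-privileged user
]


def effective_domain_admins(domain_admins, aces):
    """Return everyone who is, or can make themselves, a Domain Admin.

    Walks the reset-password graph backwards: anyone who can reset the
    password of an (effective) Domain Admin is an effective Domain Admin too.
    """
    can_reset = {}  # target -> set of trustees that can reset it
    for trustee, target in aces:
        can_reset.setdefault(target, set()).add(trustee)

    effective = set(domain_admins)
    queue = deque(domain_admins)
    while queue:
        admin = queue.popleft()
        for trustee in can_reset.get(admin, ()):
            if trustee not in effective:
                effective.add(trustee)
                queue.append(trustee)
    return effective


def escalation_path(principal, domain_admins, aces):
    """Return the shortest chain of resets from principal to a direct Domain
    Admin, or None if there is none.  Handy for explaining an audit finding."""
    targets = {}  # trustee -> set of accounts it can reset
    for trustee, target in aces:
        targets.setdefault(trustee, set()).add(target)

    queue = deque([[principal]])
    seen = {principal}
    while queue:
        path = queue.popleft()
        if path[-1] in domain_admins:
            return path
        for nxt in sorted(targets.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


if __name__ == "__main__":
    admins = effective_domain_admins(DOMAIN_ADMINS, RESET_PASSWORD_ACES)
    print("Effective Domain Admins:", sorted(admins))
    for who in sorted(admins - DOMAIN_ADMINS):
        chain = escalation_path(who, DOMAIN_ADMINS, RESET_PASSWORD_ACES)
        print(f"  {who}: {' -> '.join(chain)}")
```

With the constructed data, the audit reports five effective Domain Admins although only one account is a direct member; the reported chain for each finding is what you would take to the owner of that ACE to have it removed.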

On the surface, IT organizations believe they know who has access when they look at their tools in a one-dimensional manner. Having administrative control in Active Directory is not solely based on membership in the Enterprise Admin and Domain Admin groups. There are many ways a non-privileged user can abuse or misuse their access and gain more control up to Domain Administrator. The threat of intentional and accidental privilege escalation is why we must monitor administrator accounts and who can manipulate them with actionable alerts. Typically, Active Directory administrators accomplish this with Windows Event Forwarding or SIEM tools like Splunk and SumoLogic, waiting for specific Event IDs. Depending on the maturity of the process, it may include ticketing and automated remediation.
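The "actionable alerts" above usually reduce to a small set of Windows Security Event IDs. The following Python is an added example (not the page's or any SIEM vendor's code) of the triage logic a collector might run: it watches for 4724 (password reset attempt) against privileged accounts and against the accounts that can reset them, and for 4728 / 4756 (member added to a security-enabled global / universal group) on the privileged groups. The event records are constructed and simplified to a few fields of the real event data; the account names and watch lists are invented.

```python
"""Alert on password resets and group additions that touch privileged identities.

Constructed example: Windows Security events as a SIEM or Windows Event
Forwarding collector might deliver them, flattened to dictionaries.
Event IDs used: 4724 (an attempt was made to reset an account's password),
4728 / 4756 (a member was added to a security-enabled global / universal group).
"""

# Constructed watch lists.  The second set is what an ACL audit of reset-
# password rights on the first set would produce.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
PRIVILEGED_USERS = {"alice"}
CAN_RESET_PRIVILEGED = {"helpdesk-tier2", "bob"}

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4724, "SubjectUserName": "helpdesk-tier1", "TargetUserName": "frank"},
    {"EventID": 4724, "SubjectUserName": "bob", "TargetUserName": "helpdesk-tier2"},
    {"EventID": 4724, "SubjectUserName": "helpdesk-tier2", "TargetUserName": "alice"},
    {"EventID": 4728, "SubjectUserName": "alice",
     "MemberName": "CN=dave,OU=Users,DC=example,DC=local", "TargetUserName": "Domain Admins"},
    {"EventID": 4728, "SubjectUserName": "alice",
     "MemberName": "CN=grace,OU=Users,DC=example,DC=local", "TargetUserName": "Sales"},
    {"EventID": 4756, "SubjectUserName": "bob",
     "MemberName": "CN=bob,OU=Users,DC=example,DC=local", "TargetUserName": "Enterprise Admins"},
]


def cn_from_dn(dn):
    """'CN=dave,OU=Users,...' -> 'dave' (MemberName is logged as a DN)."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def evaluate(event):
    """Return an alert dict for a watched event, or None for noise."""
    eid = event["EventID"]
    subject = event["SubjectUserName"]

    if eid == 4724:
        target = event["TargetUserName"]
        if target in PRIVILEGED_USERS:
            return {"severity": "high", "subject": subject, "target": target,
                    "reason": "password reset on privileged account"}
        if target in CAN_RESET_PRIVILEGED:
            return {"severity": "medium", "subject": subject, "target": target,
                    "reason": "password reset on account that can reset a privileged account"}
        return None

    if eid in (4728, 4756):
        group = event["TargetUserName"]
        if group not in PRIVILEGED_GROUPS:
            return None
        member = cn_from_dn(event["MemberName"])
        reason = f"member added to {group}"
        if member == subject:
            reason += " (self-grant)"  # subject added their own account
        return {"severity": "high", "subject": subject, "target": member, "reason": reason}

    return None


def triage(events):
    """Run every event through evaluate() and keep only the alerts."""
    return [alert for alert in map(evaluate, events) if alert is not None]


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['subject']} -> {alert['target']}: {alert['reason']}")
```

Of the six constructed events, the reset of an ordinary user and the addition to the Sales group pass silently; the remaining four are alerts, and the self-grant into Enterprise Admins is the one a ticketing or auto-remediation step should act on first.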

When your organization’s workloads are guarded by corporate firewalls and no packet egresses without scrutiny, you can feel confident that, with adequate monitoring, you know who an administrator is. However, this is not the case for most organizations. With the advent of SaaS applications, administrative accounts live in the Cloud and are not always bound to Active Directory user objects or members of group objects.

Those Active Directory user objects that govern administrative access to SaaS applications are most likely not under the same rigorous controls as members of the Enterprise Admins and Domain Admins groups.

Can you look at Active Directory right now and know who is an administrator in Google Workspace, Office 365, Salesforce, SharePoint Online, OneDrive, Dropbox, or Box? Are these federated accounts the only administrators of your organization’s SaaS solutions? What if the administrative identity is not bound to Active Directory?

The data stored on SaaS platforms typically has the same compliance requirements as data in the datacenter. A key component of compliance is understanding and reporting who has access, what level of access, and who can manage access. If you are running multiple SaaS products, this is a tedious task and difficult to manage. Even if you automate the process, you need to continually monitor the application programming interfaces (APIs) of these services to ensure your bespoke reporting tool does not break. The goal of SaaS solutions is to rapidly provide features and benefits that reflect the value paid for them. This rapid value delivery is excellent for the SaaS consumer. It is a management dilemma for the IT staff struggling to keep their reporting tools current with the services they target.

While managing one or two SaaS applications for administrative control may be achievable with spreadsheets and manual processes, will your organization limit its SaaS consumption just for the sake of management ease? With the simple ability to use a credit card on the Internet to obtain services, Shadow IT forces traditional IT to scramble to keep up with employees who see a wealth of services a mouse click away. Each new SaaS solution acquired forces IT administrators to update any bespoke reporting tool they use for compliance and to review the service’s security.

Application delivery can take months in the datacenter and a few days in AWS, Azure, or GCP. That lag time gives IT organizations time to prepare for identity and access management. With SaaS applications, it only takes seconds, and sometimes happens without notice. That is how fast the compliance landscape can change in an organization. To maintain the velocity set by our workforce, we need the tools and practices that keep traditional IT in step with the SaaS consumers. We need to extend our Identity Platforms to manage these non-traditional administrative accounts and maintain least-privileged access.

Working with our partner, BetterCloud, Innova Solutions takes its traditional Active Directory access management and continuous compliance platform and moves those controls beyond the Datacenter and Public Cloud to 60+ SaaS applications. BetterCloud gives Innova Solutions the ability to obtain a 360-degree view of employee access across disparate SaaS applications.

The increased visibility in the Cloud allows us to understand who a service administrator is in near real-time for compliance reporting. BetterCloud facilitates the monitoring of administrator access, and of who can modify that access, with alerting and automatic remediation. These capabilities give Innova Solutions the ability to control identity and access no matter the platform on which the application operates: Datacenter, Public Cloud, and now SaaS solutions.

If you are looking for end-to-end access controls in your Datacenter, Public Cloud, and SaaS applications, Innova Solutions has the managed platform to ensure continuous compliance across these three application delivery points. Our managed service allows you to focus on application delivery no matter the platform and ensure that audits are predictable because tight access controls are in place with near real-time reporting and drift mitigation. When you offload managing compliance, you can focus on value delivery and ensure your workforce can access the bleeding edge of productivity with SaaS applications while still maintaining the rigorous compliance requirements of your regulatory realities.

For more information about SaaSOps

Please contact us below. We will reach out to you to discuss how we can improve your SaaS delivery.