We were having a discussion in the office yesterday that was triggered by a discovery we made about our Office365 backup solution (we use SkyKick). In a nutshell we discovered that the backup vendor has to make a few manipulations with provided credentials in order to back up site collections inside SharePoint Online. The provided creds have to be assigned site collection admin privileges in order to back up all site contents and I know that I didn’t assign the creds explicitly. Sean surmised the backup vendor has to be doing something in the backend via PowerShell to make the assignment.
Now, all of this is not necessarily a bad thing. After all, you do want to be able to back up your data; otherwise, why would you contract with an O365 backup vendor? But it does raise some interesting questions, and it means all of us have to re-evaluate how we look at security in the new Cloud-enabled world.
By definition, any of us who sign up for an O365 tenancy are entering into a tacit and implied “security agreement” with Microsoft. Our data is being stored inside Microsoft’s cloud and we are “trusting” Microsoft to not pry into our private data. Microsoft has made many public statements about how they have layers of protection in place so that Microsoft employees and contractors cannot “see” into any given organization’s or user’s data. And most of us have heard about Microsoft’s efforts to deflect various American government agencies’ requests for access to customer data (which also raises interesting questions about those layers of security that prevent “prying” eyes). My point being that there are security layers in place to protect the privacy of customer data, at least at the Microsoft level.
But what about the levels that are not under direct Microsoft control?
A very common example that most organizations may not be aware of is the level of access that a “partner” may have to data in the tenancy. Many organizations that use O365 contract with a Microsoft partner to help manage their tenancy; this is referred to as “delegated administration”. itgroove, as an example, helps to manage over 40 tenancies at the time this article is being written. In order to be able to manage inside O365, our “delegated admin” accounts have certain rights that allow us access to a lot of data inside a given tenancy. Delegated admin does not give us 100% “god rights” inside a tenancy, but it does give us considerably more rights than you might think. So, by definition, there is also a tacit and implied security contract between us, the partner as delegated admin, and you, as the O365 tenant. Again, there is not necessarily anything wrong with this, but it is something that you as a tenant and we as a delegated admin have to agree on.
In the “old days” your IT staff would have had certain rights across your systems; admins always need elevated access rights. You would have had explicit, internal security controls that would have defined who had what access and, normally, this would be pretty tightly controlled. Now, with the advent of the Cloud, your IT staff has expanded to include vendors, such as Microsoft, and partners, such as us. The security “agreement”, therefore, has tacitly and silently expanded to include these groups. But the active understanding of this security agreement probably has not been expanded or updated at the tenant organization level.
I think a frank discussion is called for between the tenancy holder and the various partners so that all of the security concerns and issues are clearly understood by all. The tenancy holder needs to have a clear understanding of what access the partner needs and/or has while the partner needs to be very clear and transparent about what the rules and boundaries are as far as the tenancy holder is concerned. And it is incumbent on the partner to inform the tenancy holder about the access that other services might have or require in order to implement a particular service, such as backup.
As Cloud services and offerings expand, the inter-related connections between tenancy, partner and services vendor are going to grow and become very entangled. The tenancy holder really will need to have a good understanding of who can access what in order to stay on top and in control of their overall security. This means that tenant organizations will have to start asking more and more questions of their primary partners, such as Microsoft and their Delegated Admins, and organizations such as mine (itgroove) will have to expand scrutiny over the things that partnered service vendors do within a customer’s tenancy in order to be able to answer those questions.
The single biggest thing to keep in mind is that everyone’s security role is changing and will continue to change and evolve as more services and offerings come online as part of the overall massive shift of services from on-prem to the Cloud. Scrutiny and oversight need to “amp up” to keep pace with the changes. So, go ahead and start having those conversations with your various partners; security of your data ultimately resides in your hands. In this case, knowledge truly is power and ignorance becomes a security breach.