{"id":2493,"date":"2015-09-19T16:12:53","date_gmt":"2015-09-19T16:12:53","guid":{"rendered":"https:\/\/thebeagle.itgroove.net\/?p=2235"},"modified":"2023-02-24T21:39:40","modified_gmt":"2023-02-24T21:39:40","slug":"the-cloud-and-trust","status":"publish","type":"post","link":"https:\/\/regroove.ca\/archive\/2015\/09\/19\/the-cloud-and-trust\/","title":{"rendered":"The Cloud and Trust"},"content":{"rendered":"<p>We were having a discussion in the office yesterday that was triggered by a discovery we made about our Office365 backup solution (we use SkyKick).\u00a0 In a nutshell, we discovered that the backup vendor has to make a few manipulations with provided credentials in order to back up site collections inside SharePoint Online.\u00a0 The provided creds have to be assigned site collection admin privileges in order to back up all site contents, and I know that I didn\u2019t assign the creds explicitly.\u00a0 Sean surmised the backup vendor has to be doing something in the backend via PowerShell to make the assignment.<\/p>\n<p>Now, all of this is not necessarily a bad thing; after all, you do want to be able to back up your data, otherwise why would you contract with an O365 backup vendor?\u00a0 But it does raise some interesting questions and it means all of us have to re-evaluate how we look at security in the new Cloud-enabled world.<\/p>\n<p>By definition, any of us who sign up for an O365 tenancy are entering into a tacit and implied \u201csecurity agreement\u201d with Microsoft.\u00a0 Our data is being stored inside Microsoft\u2019s cloud and we are \u201ctrusting\u201d Microsoft to not pry into our private data.\u00a0 Microsoft has made many public statements about how they have layers of protection in place so that Microsoft employees and contractors cannot \u201csee\u201d into any given organization\u2019s or user\u2019s data.\u00a0 And most of us have heard about Microsoft\u2019s efforts to deflect various American government agencies\u2019 requests for 
access to customer data (which also raises interesting questions about those layers of security that prevent \u201cprying\u201d eyes).\u00a0 My point being that there are security layers in place to protect the privacy of customer data, at least at the Microsoft level.<\/p>\n<p>But what about the levels that are not under direct Microsoft control?<\/p>\n<p>A very common example that most organizations may not be aware of is the level of access that a \u201cpartner\u201d may have to data in the tenancy.\u00a0 Many organizations that use O365 contract with a Microsoft partner to help manage their tenancy; this is referred to as \u201cdelegated administration\u201d.\u00a0 itgroove, as an example, helps to manage over 40 tenancies at the time this article is being written.\u00a0 In order to be able to manage inside O365, our \u201cdelegated admin\u201d accounts have certain rights that allow us access to a lot of data inside a given tenancy.\u00a0 Delegated admin does not give us 100% \u201cgod rights\u201d inside a tenancy but it does give us considerably more rights than you might think.\u00a0 So, by definition, there is also a tacit and implied security contract between us, the partner as delegated admin, and you, as the O365 tenant.\u00a0 Again, there is not necessarily anything wrong with this but it is something that you as a tenant and we as a delegated admin have to agree on.<\/p>\n<p>In the \u201cold days\u201d your IT staff would have had certain rights across your systems; admins always need elevated access rights.\u00a0 You would have had explicit, internal security controls that would have defined who had what access and, normally, this would be pretty tightly controlled.\u00a0 Now, with the advent of the Cloud, your IT staff has expanded to include vendors, such as Microsoft, and partners, such as us.\u00a0 The security \u201cagreement\u201d, therefore, has tacitly and silently expanded to include these groups.\u00a0 But the active understanding of this 
security agreement probably has <em>not<\/em> been expanded or updated at the tenant organization level.<\/p>\n<p>I think a frank discussion is called for between the tenancy holder and the various partners so that all of the security concerns and issues are clearly understood by all.\u00a0 The tenancy holder needs to have a clear understanding of what access the partner needs and\/or has while the partner needs to be very clear and transparent about what the rules and boundaries are as far as the tenancy holder is concerned.\u00a0 And it is incumbent on the partner to inform the tenancy holder about the access that <em>other<\/em> services might have or require in order to implement a particular service, such as backup.<\/p>\n<p>As Cloud services and offerings expand, the inter-related connections between tenancy, partner and services vendor are going to grow and become very entangled.\u00a0 The tenancy holder really will need to have a good understanding of who can access what in order to stay on top and in control of their overall security.\u00a0 This means that tenant organizations will have to start asking more and more questions of their primary partners such as Microsoft and their Delegated Admins, and organizations such as mine (itgroove) will have to expand scrutiny over the things that partnered service vendors do within a customer\u2019s tenancy in order to be able to answer those questions.<\/p>\n<p>The single biggest thing to keep in mind is that everyone\u2019s security role is changing and will continue to change and evolve as more services and offerings come online as part of the overall massive shift of services from on-prem to the Cloud.\u00a0 Scrutiny and oversight need to \u201camp up\u201d to keep pace with the changes.\u00a0 So, go ahead and start having those conversations with your various partners; security of your data ultimately resides in your hands.\u00a0 In this case knowledge truly is power and ignorance becomes a security 
breach.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We were having a discussion in the office yesterday that was triggered by a discovery we made about our Office365 backup solution (we use SkyKick).\u00a0 In a nutshell we discovered that the backup vendor has to make a few manipulations with provided credentials in order to back up site collections inside SharePoint Online.\u00a0 The provided &hellip; <a href=\"https:\/\/regroove.ca\/archive\/2015\/09\/19\/the-cloud-and-trust\/\"><\/a><\/p>\n","protected":false},"author":10,"featured_media":2109,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[220,247],"tags":[494,150,607,629],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.0 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>The Cloud and Trust - Archive<\/title>\n<meta name=\"robots\" content=\"index, nofollow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/regroove.ca\/archive\/2015\/09\/19\/the-cloud-and-trust\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"The Cloud and Trust - Archive\" \/>\n<meta property=\"og:description\" content=\"We were having a discussion in the office yesterday that was triggered by a discovery we made about our Office365 backup solution (we use SkyKick).\u00a0 In a nutshell we discovered that the backup vendor has to make a few manipulations with provided credentials in order to back up site collections inside SharePoint Online.\u00a0 The provided &hellip;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/regroove.ca\/archive\/2015\/09\/19\/the-cloud-and-trust\/\" \/>\n<meta property=\"og:site_name\" content=\"Archive\" \/>\n<meta property=\"article:published_time\" 
content=\"2015-09-19T16:12:53+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-02-24T21:39:40+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/regroove.ca\/archive\/wp-content\/uploads\/sites\/6\/2014\/11\/halt-clipart-halt-man-md-e1442701865399.png\" \/>\n\t<meta property=\"og:image:width\" content=\"200\" \/>\n\t<meta property=\"og:image:height\" content=\"184\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Sean Wallbridge\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Sean Wallbridge\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/regroove.ca\/archive\/2015\/09\/19\/the-cloud-and-trust\/\",\"url\":\"https:\/\/regroove.ca\/archive\/2015\/09\/19\/the-cloud-and-trust\/\",\"name\":\"The Cloud and Trust - 
Archive\",\"isPartOf\":{\"@id\":\"https:\/\/regroove.ca\/archive\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/regroove.ca\/archive\/2015\/09\/19\/the-cloud-and-trust\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/regroove.ca\/archive\/2015\/09\/19\/the-cloud-and-trust\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/regroove.ca\/archive\/wp-content\/uploads\/sites\/6\/2014\/11\/halt-clipart-halt-man-md-e1442701865399.png\",\"datePublished\":\"2015-09-19T16:12:53+00:00\",\"dateModified\":\"2023-02-24T21:39:40+00:00\",\"author\":{\"@id\":\"https:\/\/regroove.ca\/archive\/#\/schema\/person\/74e1c0def190f181c1394c2b6d883e77\"},\"breadcrumb\":{\"@id\":\"https:\/\/regroove.ca\/archive\/2015\/09\/19\/the-cloud-and-trust\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/regroove.ca\/archive\/2015\/09\/19\/the-cloud-and-trust\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/regroove.ca\/archive\/2015\/09\/19\/the-cloud-and-trust\/#primaryimage\",\"url\":\"https:\/\/regroove.ca\/archive\/wp-content\/uploads\/sites\/6\/2014\/11\/halt-clipart-halt-man-md-e1442701865399.png\",\"contentUrl\":\"https:\/\/regroove.ca\/archive\/wp-content\/uploads\/sites\/6\/2014\/11\/halt-clipart-halt-man-md-e1442701865399.png\",\"width\":200,\"height\":184},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/regroove.ca\/archive\/2015\/09\/19\/the-cloud-and-trust\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog Archive\",\"item\":\"https:\/\/regroove.ca\/archive\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"The Cloud and 
Trust\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/regroove.ca\/archive\/#website\",\"url\":\"https:\/\/regroove.ca\/archive\/\",\"name\":\"Archive\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/regroove.ca\/archive\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/regroove.ca\/archive\/#\/schema\/person\/74e1c0def190f181c1394c2b6d883e77\",\"name\":\"Sean Wallbridge\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/regroove.ca\/archive\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/adf8cea6291c39d166616f2148d919a6?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/adf8cea6291c39d166616f2148d919a6?s=96&d=mm&r=g\",\"caption\":\"Sean Wallbridge\"},\"url\":\"https:\/\/regroove.ca\/archive\/author\/swallbridge\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"The Cloud and Trust - Archive","robots":{"index":"index","follow":"nofollow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/regroove.ca\/archive\/2015\/09\/19\/the-cloud-and-trust\/","og_locale":"en_US","og_type":"article","og_title":"The Cloud and Trust - Archive","og_description":"We were having a discussion in the office yesterday that was triggered by a discovery we made about our Office365 backup solution (we use SkyKick).\u00a0 In a nutshell we discovered that the backup vendor has to make a few manipulations with provided credentials in order to back up site collections inside SharePoint Online.\u00a0 The provided &hellip;","og_url":"https:\/\/regroove.ca\/archive\/2015\/09\/19\/the-cloud-and-trust\/","og_site_name":"Archive","article_published_time":"2015-09-19T16:12:53+00:00","article_modified_time":"2023-02-24T21:39:40+00:00","og_image":[{"width":200,"height":184,"url":"https:\/\/regroove.ca\/archive\/wp-content\/uploads\/sites\/6\/2014\/11\/halt-clipart-halt-man-md-e1442701865399.png","type":"image\/png"}],"author":"Sean Wallbridge","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Sean Wallbridge","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/regroove.ca\/archive\/2015\/09\/19\/the-cloud-and-trust\/","url":"https:\/\/regroove.ca\/archive\/2015\/09\/19\/the-cloud-and-trust\/","name":"The Cloud and Trust - Archive","isPartOf":{"@id":"https:\/\/regroove.ca\/archive\/#website"},"primaryImageOfPage":{"@id":"https:\/\/regroove.ca\/archive\/2015\/09\/19\/the-cloud-and-trust\/#primaryimage"},"image":{"@id":"https:\/\/regroove.ca\/archive\/2015\/09\/19\/the-cloud-and-trust\/#primaryimage"},"thumbnailUrl":"https:\/\/regroove.ca\/archive\/wp-content\/uploads\/sites\/6\/2014\/11\/halt-clipart-halt-man-md-e1442701865399.png","datePublished":"2015-09-19T16:12:53+00:00","dateModified":"2023-02-24T21:39:40+00:00","author":{"@id":"https:\/\/regroove.ca\/archive\/#\/schema\/person\/74e1c0def190f181c1394c2b6d883e77"},"breadcrumb":{"@id":"https:\/\/regroove.ca\/archive\/2015\/09\/19\/the-cloud-and-trust\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/regroove.ca\/archive\/2015\/09\/19\/the-cloud-and-trust\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/regroove.ca\/archive\/2015\/09\/19\/the-cloud-and-trust\/#primaryimage","url":"https:\/\/regroove.ca\/archive\/wp-content\/uploads\/sites\/6\/2014\/11\/halt-clipart-halt-man-md-e1442701865399.png","contentUrl":"https:\/\/regroove.ca\/archive\/wp-content\/uploads\/sites\/6\/2014\/11\/halt-clipart-halt-man-md-e1442701865399.png","width":200,"height":184},{"@type":"BreadcrumbList","@id":"https:\/\/regroove.ca\/archive\/2015\/09\/19\/the-cloud-and-trust\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog Archive","item":"https:\/\/regroove.ca\/archive\/"},{"@type":"ListItem","position":2,"name":"The Cloud and 
Trust"}]},{"@type":"WebSite","@id":"https:\/\/regroove.ca\/archive\/#website","url":"https:\/\/regroove.ca\/archive\/","name":"Archive","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/regroove.ca\/archive\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/regroove.ca\/archive\/#\/schema\/person\/74e1c0def190f181c1394c2b6d883e77","name":"Sean Wallbridge","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/regroove.ca\/archive\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/adf8cea6291c39d166616f2148d919a6?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/adf8cea6291c39d166616f2148d919a6?s=96&d=mm&r=g","caption":"Sean Wallbridge"},"url":"https:\/\/regroove.ca\/archive\/author\/swallbridge\/"}]}},"_links":{"self":[{"href":"https:\/\/regroove.ca\/archive\/wp-json\/wp\/v2\/posts\/2493"}],"collection":[{"href":"https:\/\/regroove.ca\/archive\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/regroove.ca\/archive\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/regroove.ca\/archive\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/regroove.ca\/archive\/wp-json\/wp\/v2\/comments?post=2493"}],"version-history":[{"count":1,"href":"https:\/\/regroove.ca\/archive\/wp-json\/wp\/v2\/posts\/2493\/revisions"}],"predecessor-version":[{"id":2781,"href":"https:\/\/regroove.ca\/archive\/wp-json\/wp\/v2\/posts\/2493\/revisions\/2781"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/regroove.ca\/archive\/wp-json\/wp\/v2\/media\/2109"}],"wp:attachment":[{"href":"https:\/\/regroove.ca\/archive\/wp-json\/wp\/v2\/media?parent=2493"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/regroove.ca\/archive\/wp-json\/wp\/v2\/categories?post=2493"},{"taxonomy":"post_tag","embeddable":true,"href
":"https:\/\/regroove.ca\/archive\/wp-json\/wp\/v2\/tags?post=2493"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}