Go “Secure by Default” With Custom Admin Roles for IT support staff

Brett Winterford

The Takeaway: Creating custom roles for your help desk staff supports a “least privilege” approach.

In late August, Okta’s Defensive Cyber Operations team outlined a social engineering campaign in which a target’s IT support staff (that is, the team responsible for common help desk tasks) were tricked into resetting the authenticators of users holding the most privileged roles in an organization.

One of the many recommendations made in response to this event was to constrain the permissions of IT support staff in ways that prevent them from performing operations on highly privileged users. The best way to do this is to create and assign a Custom Admin Role for IT Support staff.

As the name suggests, Okta’s Custom Admin Roles provide the ability to create customized administrative roles with the least privileges required. These roles can be constrained by which tasks the administrator can perform, and by which resources (users, groups, apps, workflows etc.) the admin can perform those tasks on.

Custom Admin Roles can subsequently be used to remove all other administrators from the resource set assigned to your IT Support staff.
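The three API objects that make up such a role (the role with its permissions, the resource set that limits which users are in scope, and the binding that assigns the role to help desk staff) can be assembled as below. This is an added example, not code from the original post or from Okta; the permission allow-list, role labels, org URL, group and user IDs are all assumptions or placeholders, while the endpoint paths and permission identifiers are those of Okta’s public Custom Admin Roles API.

```python
"""Assemble the Custom Admin Role, resource set and binding that scope a help
desk to credential resets on ordinary users only (example, not Okta code)."""
import json
import urllib.request

# Assumed allow-list for help-desk work. Broader permissions such as
# okta.users.manage are refused so the role cannot grow past least privilege.
HELPDESK_ALLOWED_PERMISSIONS = {
    "okta.users.read",
    "okta.users.credentials.resetPassword",
    "okta.users.credentials.resetFactors",  # "Reset authenticators"
}

def build_helpdesk_role(permissions):
    """Payload for POST /api/v1/iam/roles, restricted to the allow-list above."""
    extra = set(permissions) - HELPDESK_ALLOWED_PERMISSIONS
    if extra:
        raise ValueError(f"permissions exceed help-desk scope: {sorted(extra)}")
    return {
        "label": "Help Desk",
        "description": "Reset credentials and authenticators for non-admin users",
        "permissions": sorted(set(permissions)),
    }

def build_resource_set(org_url, group_ids):
    """Payload for POST /api/v1/iam/resource-sets. Only members of the named
    groups are in scope; the all-users resource (/api/v1/users) is never emitted,
    so privileged admins stay out of reach as long as they are kept out of
    these groups."""
    if not group_ids:
        raise ValueError("a resource set must name at least one group")
    return {
        "label": "Help Desk Serviceable Users",
        "description": "Users the help desk may act on",
        "resources": [f"{org_url}/api/v1/groups/{gid}/users" for gid in group_ids],
    }

def build_binding(org_url, role_id, helpdesk_user_ids):
    """Payload for POST /api/v1/iam/resource-sets/{resourceSetId}/bindings."""
    return {"role": role_id,
            "members": [f"{org_url}/api/v1/users/{uid}" for uid in helpdesk_user_ids]}

def post(org_url, path, api_token, payload):
    """Submit one payload to the org with an SSWS API token; returns the JSON reply."""
    req = urllib.request.Request(
        f"{org_url}{path}", data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"SSWS {api_token}", "Accept": "application/json",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Create the role and the resource set first, then bind them with the IDs returned in each response; the resource set is the control that keeps privileged accounts out of the help desk’s reach, so privileged users must not be members of the groups it names.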

Detailed instructions are available in the following Knowledge Base article.

Brett Winterford
VP, Okta Threat Intelligence

Brett Winterford is Vice President of Okta Threat Intelligence. Okta Threat Intelligence delivers timely, highly relevant and actionable insights about the threat environment, with a focus on identity-based threats. Brett was previously the regional Chief Security Officer for Okta in Asia Pacific and Japan, and advised business and technology leaders in the region on all things identity.
Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank. Brett is also an award-winning journalist, editor-in-chief of iTnews Australia and a contributor to the Risky Business podcast and newsletter, to ZDNet, the Australian Financial Review and the Sydney Morning Herald.