Go “Secure by Default” With Custom Admin Roles for IT support staff
The Takeaway: Creating custom roles for your help desk staff supports a “least privilege” approach.
In late August, Okta’s Defensive Cyber Operations team outlined a social engineering campaign in which a target’s IT support staff (that is, the team responsible for common help desk tasks) were tricked into resetting the authenticators of users holding the most privileged roles in an organization.
One of the many recommendations made in response to this event was to constrain the permissions of IT support staff in ways that prevent them from performing operations on highly privileged users. The best way to do this is to create and assign a Custom Admin Role for IT Support staff.
As the name suggests, Okta’s Custom Admin Roles provide the ability to create customized administrative roles with the least privileges required. These roles can be constrained by which tasks the administrator can perform, and by which resources (users, groups, apps, workflows, etc.) the admin can perform those tasks on.
Custom Admin Roles can subsequently be used to remove all other administrators from the resource set assigned to your IT Support staff.
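The two constraints described above (a narrow permission set, and a resource set that contains no privileged users) can be checked offline before a role is created and re-checked as group membership drifts. The script below is an added example written for this post, not code from Okta or from the knowledge base article it links to. All role assignments, group membership and the hypothetical `HELP_DESK_CUSTOM` label are constructed sample data; the built-in role labels and the `okta.*` permission identifiers are assumptions about Okta's naming and should be verified against your own org's role export and permission list.

```python
"""Offline least-privilege audit for a proposed help-desk Custom Admin Role.

Added example, not from the original post. All data below is constructed.
Role labels and permission identifiers are assumptions about Okta's naming;
verify them against your org before relying on the output.
"""

# Built-in admin roles whose holders a help-desk role must never be able to
# touch (assumed labels, as they might appear in a role-assignment export).
PRIVILEGED_ROLES = {"SUPER_ADMIN", "ORG_ADMIN", "APP_ADMIN", "GROUP_ADMIN"}

# The narrowest permission set a help-desk role typically needs (assumption):
# read users and groups, reset passwords and reset authenticators, nothing more.
HELPDESK_ALLOWED_PERMISSIONS = {
    "okta.users.read",
    "okta.users.credentials.resetPassword",
    "okta.users.credentials.resetFactors",
    "okta.groups.read",
}

# Constructed sample export: login -> assigned admin role labels.
ROLE_ASSIGNMENTS = {
    "alice@example.com": ["SUPER_ADMIN"],
    "bob@example.com": ["APP_ADMIN"],
    "carol@example.com": [],
    "dave@example.com": [],
    "helpdesk@example.com": ["HELP_DESK_CUSTOM"],  # hypothetical custom role label
}

# Constructed membership of the group the help-desk resource set is scoped to.
HELPDESK_SCOPE_GROUP = {"alice@example.com", "carol@example.com", "dave@example.com"}


def privileged_users(role_assignments, privileged_roles=PRIVILEGED_ROLES):
    """Return the set of logins holding at least one privileged admin role."""
    return {
        login
        for login, roles in role_assignments.items()
        if privileged_roles.intersection(roles)
    }


def scope_violations(scope_members, role_assignments, privileged_roles=PRIVILEGED_ROLES):
    """Privileged users that fall inside the help-desk resource set.

    Every login returned here could have its authenticators reset by help
    desk staff, which is exactly the exposure the post describes.
    """
    return sorted(set(scope_members) & privileged_users(role_assignments, privileged_roles))


def safe_scope(scope_members, role_assignments, privileged_roles=PRIVILEGED_ROLES):
    """The proposed scope with every privileged user carved out."""
    return set(scope_members) - privileged_users(role_assignments, privileged_roles)


def excess_permissions(proposed, allowed=HELPDESK_ALLOWED_PERMISSIONS):
    """Permissions in the proposed role that go beyond the help-desk allowlist."""
    return sorted(set(proposed) - allowed)


if __name__ == "__main__":
    # A proposed role that accidentally includes a lifecycle permission.
    proposed_role = [
        "okta.users.read",
        "okta.users.credentials.resetFactors",
        "okta.users.lifecycle.manage",
    ]
    print("privileged users in scope:", scope_violations(HELPDESK_SCOPE_GROUP, ROLE_ASSIGNMENTS))
    print("scope after carve-out:", sorted(safe_scope(HELPDESK_SCOPE_GROUP, ROLE_ASSIGNMENTS)))
    print("permissions to drop:", excess_permissions(proposed_role))
```

The check is deliberately two-sided: a role can be perfectly scoped today and still become dangerous tomorrow if an administrator is added to the scoped group, so `scope_violations` belongs in a scheduled job fed by a fresh export, not just in a one-time review before the role is created.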
Detailed instructions are available in the following Knowledge Base article.