Go “Secure by Default” With Custom Admin Roles for IT support staff

Brett Winterford

The Takeaway: Creating custom roles for your help desk staff supports a “least privilege” approach.

In late August, Okta’s Defensive Cyber Operations team outlined a social engineering campaign in which a target’s IT support staff - that is, the team responsible for common help desk tasks, were tricked into resetting the authenticators of users with the most privileged roles in an organization.

One of the many recommendations made in response to this event was to constrain the permissions of IT support staff in ways that prevent them from performing operations on highly privileged users. The best way to do this is to create and assign a Custom Admin Role for IT Support staff.

As the name suggests, Okta’s Custom Admin Roles provides the ability to create customized administrative roles with the least privileges required. These roles can be constrained by what tasks the administrator can perform, and what resources (users, groups, apps, workflows etc) the admin can perform those tasks in.

Custom Admin Roles can subsequently be used to remove all other administrators from the resource set assigned to your IT Support staff.

Detailed instructions are available in the following Knowledge Based Article.

Brett Winterford
Regional CSO, Okta APJ
Brett Winterford is the regional Chief Security Officer for Okta in the Asia Pacific and Japan.
He advises business and technology leaders on evolving threats and helps them harness advances in identity technology to drive business outcomes and mitigate risk.
Prior to Okta, Brett held a senior security leadership role at Symantec, and helmed security research, awareness and education at Commonwealth Bank.
Brett is also an award-winning journalist, having long ago been the editor-in-chief of iTnews Australia and a contributor to ZDNet, the Australian Financial Review and the Sydney Morning Herald. Most recently, he was the founding editor of the Srsly Risky Biz newsletter, a companion to the Risky Business podcast, providing the cybersecurity, policy, defense and intelligence communities with a weekly brief of the news that shapes cyber policy.