IT Least Privilege for SMB Co-Management

What is Co-Managed IT?

Co-Managed IT is a model where GreenLoop provides Managed IT Services, but the SMB (Client) also has their own internal IT department, solo IT staff member, or perhaps just an internal resource who is not an IT professional but is tasked with certain IT-related tasks.

What do we mean by “least privilege”?

It’s an IT best-practice that any task should be done with the least permissions and access required to successfully complete the task. In general, all IT staff should be able to perform tasks that are within their roles, responsibilities, and capabilities, and unable to perform tasks that aren’t. In addition, oversight and accountability should be in place via policy, documented procedures, and/or technical means so that there are checks in place for any critical changes or sensitive access events.

This also means that staff without clear IT roles (including senior and C-level staff) should not have standing admin access to IT systems.

Why is this important?

Even with a very trustworthy internal IT staff, it’s still important to consider which of these best-practices are appropriate. In general, GreenLoop recommends that at least¸ internal IT operations procedures detail what acceptable use looks like.

An overview of policy and technical mechanisms are outlined in the “what are our options?” section below. But first, here are some risks associated with not following least-privilege IT access:

• Mistakes put business operations at risk: IT staff operating with more privileges than necessary are more likely to make critical mistakes that impact business operations. This is especially true when combined with limited oversight (no senior IT leadership approving requests) and skill gaps that often accompany this situation.
• Inefficiency: When procedures aren’t in place to ensure that affected parties are all consulted or informed whenever critical changes are being made, this can result in inefficiency or unexpected disruption.

Providing collaborative oversight and consulting for internal IT is a key value-add of GreenLoop’s service with co-management. When significant business changes are made that we don’t have visibility into, this value suffers. In particular, 1) in many cases we could bring to bear our decades of experience with solving some of these problems; 2) it can be challenging for our Service Team to provide effective, timely support when key components have changed.

• Business continuity: Especially where internal IT staffs are small, a single person often is the “silo” for critical IT information. Since that information is often poorly documented and not shared by anyone else,  if that person leaves abruptly or is otherwise incapacitated, that information is lost and significant disruption can result.

Again, continuity of awareness and documentation-building is a value-add that an IT Service Provider like GreenLoop can help with.

• Insider threats: Malicious access or other unacceptable behaviors by IT staff are an underappreciated risk. In our experience, even trusted staff may find certain unacceptable usage situationally tempting in permissive environments without formal procedures and accountability.

Keep in mind that if your IT staff are operating with full admin privileges and no oversight, they can currently read every email and open every file in your environment. That doesn’t necessarily mean that they are doing so, just that there’s no way to stop them and often no way to know that they’ve done so if you don’t already have the right tools in place.

• Outsider threats: IT staff operating with full admin rights for daily use are a tempting target for hackers. With admin rights in place, an account compromise of an IT admin can turn into a full lockout of all of your access for all your users across the organization, or a major ransomware incident. So it’s important for IT staff to use minimal-privilege (usually, standard user) accounts in their daily workflows and have separate accounts or Privileged Identity Management (see below) in place for elevated, Just-in Time access to critical system.

What are our options?

Below are some options by category. These are complementary, not mutually exclusive. We recommend at least taking on the first one (Policy and Procedures), even if you don’t accompany this with any limitation of access for now. Likely, you’ll want to implement some combination of these measures. Depending on your compliance requirements, you may benefit from, or be required to, implement .

1. Policy and Procedures: Organizations should have in place an Acceptable Use Policy specifically for IT. This should detail at least the following:
   1. What parties should be Consulted and Informed on IT initiatives? This may vary depending on the type of initiative (for instance, managers of affected departments), but should typically include at least Informing external IT (GreenLoop), and should codify what information is expected to be communicated to senior management.
   2. Who makes the final decision on IT initiatives? Typically this should not be by the IT staffer who originated or is implementing the change.
   3. What usage is not acceptable in any situation (for instance, installation of certain software, piracy, personal use of company resources, etc)?
   4. What usage must be either approved in advance, or notified immediately after by senior management (for instance, viewing an employee’s mailbox, opening a directory containing critical business files, creating non-named user admin accounts in key systems)?
   5. Defines procedures for critical incidents: Define what constitutes a “critical incident”, and what should be done: who needs to be informed or consulted? How quickly? For instance, you may want to define that, for any security breach or suspected breach: 1) senior management must be quickly informed; 2) external IT should be quickly informed and brought in to provide oversight and assistance.
2. Approval Workflows or Privileged Identity Management (PIM): This adds to the above by putting in place either a manual, automated, or semi-automated system where internal IT staff have to (1) request admin rights when they are needed and justify their requirement; (2) (optionally) be approved by a senior decision maker or external IT; (3) Privileges are automatically revoked after some period of time. Even if you choose to not do step #2, this provides a layer of accountability and protects from outsider threats. GreenLoop uses such an automated system for our internal IT operations. This is easy to automate a workflow for on Microsoft 365. Internal systems like .

We recommend putting in place automated or semi-automated PIM for 365 admin operations, and either an automated or manual (via GreenLoop’s ticketing system) approval for network admin operations.

3. Auditing, Reporting, and Alerting: Event auditing in key systems should be turned on, and policies should define retention periods and what information should be captured. In particular, admin operations, and access to sensitive data locations you have defined should be logged. Reporting (regular insight into what has happened, and by whom), as well as real-time alerting for key events can optionally be layered on with additional tools. You’ll want to make sure to include both on-prem and cloud-based systems containing sensitive business data when evaluating what controls to put in place.

Current situation for most SMB clients: Microsoft 365 already includes 90 days of audit logs built-in, and GreenLoop already performs real-time alerting on some of the most critical event detections. Some very limited event logs are retained on servers for your network environment. But additional tools would be required to retain logs longer, add log retention for things like firewalls, ensure the immutability of log data, and provide comprehensive reporting and alerting. Most clients who choose to go this route have external compliance requirements and these tools are often costly.

Next steps

Your GreenLoop Account Manager and vCIO will be glad to work with you to determine the options that are best for your organization.  Once this has been decided, make sure to send us a copy of any finalized policy documents so that we can keep a copy on file for our reference.