Nuvolex Blog

Protecting from Insider Threats

In the world of IT, external security attacks can come from a number of different sources including ransomware, phishing and network breaches. Most Enterprise IT organizations and Service Providers have a set of security procedures they utilize to protect their organization and customers against these external threats. Solutions like antimalware, email security and Multifactor Authentication ensure properly protection. However, there is another security threat that is often overlooked – Insider Threats.

For most organizations, the expectation is that IT professionals conduct themselves in a professional manner and prioritize the protection of company and/or customer data above all else. Unfortunately, malicious activity within any IT organization is much harder to prevent and control compared to external threats.  As seen in the latest attacks on high profile organizations such as Microsoft, Okta, Samsung and Nvidia (to name a few) by the new up and coming hacking group Lapsus$, complex social engineering and opportunistic recruitment of employees of a target organization, or employees of supply chain partners of the target business. As seen most recently with Okta, the compromised access was not of an Okta employee, but of a sub processor whose role was customer support.

It is estimated that 68% of organizations are vulnerable to insider threats, with 53% believing it has become significantly more difficulty to detect insider threats since migrating to the cloud. A single internal breach of an Enterprise can cost that company millions of dollars.  An internal breach of a Service Provider’s customer base can be even more expensive and ultimately fatal to that Service Provider’s business.

The most widely consumed business application across the globe is Microsoft 365.  This SaaS offering is feature rich and includes a number of popular SaaS plications (Exchange, SharePoint, One Drive, Teams, Intune…) that are contained within the Microsoft 365 productivity stack.  Ironically, Microsoft 365 is also one of the most vulnerable application suites when it comes to Insider Threats. 

There’s an extremely limited amount of Access Controls that come with Microsoft 365, which makes it very difficult to control and monitor administrator activity.  The IT administrators that are responsible for managing these applications are often given Global Administrator credentials for each tenant they manage, which provides unlimited access to customer data. This presents a target rich environment for security breaches within an Enterprise or Service Provider. Because of this, IT must be more diligent than ever in protecting against internal attacks given the pervasive adoption of Microsoft 365.

RBAC – Securing the Service Desk

So how can IT organizations and Service Providers ensure that they implement the proper security measures in order to prevent Insider Threats with Microsoft 365?  Below are three steps that one can enact immediately to bolster their internal security posture:

Advanced Role Based Access Control (“RBAC”)

 The Microsoft 365 productivity suite has unique administration consoles for each cloud workload. These administration consoles have very limited ability to provide consistent and granular control over administrator access rights.  A majority of organizations and Service Providers allow their IT support staff to have Global Administrator credentials to every Microsoft 365 tenant that’s being managed, providing their staff unlimited access to customer data.  To prevent against accidental changes by IT administrators and avoid the potential for malicious behavior that comes with unrestricted access rights to customer data, one should seriously consider implementing a “least privilege” model.

This practice restricts access rights for different administrator roles to ensure that each IT administrator can only access the Microsoft 365 customers and data that they are absolutely required to in order to perform routine, legitimate administrative tasks. To help create such a model, IT organizations and Service Providers should consider third party tools that allow for granular control of access rights by IT administrators to the Microsoft 365 customers and workloads they manage. This ensures complete administrative control over all administrators – what tenants/customers they can manage and what actions they can perform (i.e. – only reset passwords).

Advanced Auditing Across Microsoft 365 Workloads

By inciting the use of auditing capabilities, it is much easier to monitor an entire IT staff’s behavior, in order to ensure proper administration regulation.  By having real-time insight into what changes were made when, to which customers and against which Microsoft 365 workloads, IT can easily remediate any unwanted changes or unwarranted administrative behavior. This not only provides strong preventative security measures, but appropriate remediation privileges as well.

Unifying Administration and Access Control for Microsoft 365

 Leveraging a “Single Pane of Glass” web console to not only unify administration across all Microsoft 365 workloads but also enable granular control of administrator access rights should be a top consideration for all Enterprise IT organizations and Service Providers.  This streamlined approach to unified administration and access enables IT to have complete control of all administrator activity across all Microsoft 365 tenants, while purposefully delegating very granular administrative responsibility across IT support staff. This creates not only a much greater security posture, but also significantly increases IT services efficiency.


Internal or External, the number of attack surfaces will continue to rise.  The above suggestions are only a few steps IT organizations and Service Providers should consider taking when creating a robust security posture for delivering IT support to Microsoft 365 customers. There will never be a single solution or best approach when it comes to protecting customer data.   Each IT organization will have their own set of requirements and establish their own security best practice. However, by following the above guidelines and deploying the right technologies, one can begin down the path in creating a future proof security solution that properly protects customer data.             

Share this post