QUICK TIP: Interested in setting up delegation but do not know where to start?
This article will be handy if you are already familiar with the delegation concept and are looking for best practices or case studies you can adapt to your company's needs.
As a recap, here is a quick overview of the delegation concept. To ensure data security and integrity, Cygna Auditor restricts access to its functionality and enables you to grant granular permissions to entire sources or features; both allow and deny permissions can be granted. For general instructions on how to delegate access in Cygna Auditor, refer to Delegation.
After you install Cygna Auditor, you may notice that only the user who installed it can operate the web-console. It's time to start implementing your delegation model. There is no universal rule or general industry guideline for delegating access permissions, but here is a list of ideas that can help you figure out how to set up a delegation model for your organization and tailor it to your specific needs. The key is to find the right balance between security concerns and addressing user tasks.
Planning ahead is always a good idea. Before taking any action, identify who will use Cygna Auditor. You can start by creating a list of job positions where employees may be interested in audit data: for example, system administrators, security officers, internal auditors, helpdesk personnel, and response team members.
As you analyze your organization structure and job responsibilities, make sure the people you have in mind are authorized to see audit data. Try to identify activity patterns and situations when employees will use the product. Do they need access to collected audit data 24/7? Or is a weekly report enough? Do they administer the system or just review data?
ExampleCo is a fictional company that is looking for a way to gain security control over its assets and help the support team with daily chores such as resetting passwords for locked-out accounts.
- John Smith is a chief system administrator. He is in charge of the Active Directory domain and other company services, both on-premises and in the Cloud. Every day, John and his team of system administrators add new users, create mailboxes, and manage permissions on shared folders. Although they have extended permissions in the ExampleCo environment, they would love to have some kind of reporting they could use on a daily basis.
- Alex Downing is an internal auditor. His job is to make sure the company can prove compliance with various industry standards and regulations. Every so often he needs to review activity data to make sure the company does not violate any rules. He does not really want to dig into system administration details; he would rather get printed reports and keep them for reference.
- Amy Mitchell and Thomas Phillips are the helpdesk personnel. Amy and Thomas help their colleagues with any inconveniences they face. Their daily chores include a lot of investigation, such as looking for disappeared files or justifying why some permissions were revoked. In most cases, Amy and Thomas do not make changes to ExampleCo services and often escalate these tasks to system administrators. Still, they need a tool they could use for investigation purposes while assisting their colleagues.
- Jean O'Raily is a security officer. She is in charge of handling critical situations. Should a potential breach occur, Jean wants to be notified as soon as possible.
As you can see, each person in the example has unique professional needs and daily tasks. They will use Cygna Auditor in different ways, focusing on the work they have to get done.
Takeaway: A clear understanding of user tasks is a key to establishing a delegation model that will be secure and efficient at the same time.
At some point, you might find Cygna Auditor to be overly restrictive: by default a single user, a global administrator, is solely responsible for operating the product while others are denied access. Though it seems to be an easy solution, do not give in to the temptation of adding as many global administrators as there are users of the product. Global administrators are granted the most extended permissions in Cygna Auditor, so keeping the number of global administrators to a minimum is a good idea.
You might be wondering how many global administrators are enough to keep the product secure and ensure its operability. Basically, two or three will be enough. In most cases, the best candidates are system administrators who take care of the Cygna Auditor server, have advanced permissions in your corporate environment, and are capable of maintenance work.
Takeaway: Keep the minimum number of global administrators required to ensure the Cygna Auditor server operability. Should more people have access to Cygna Auditor configuration and audit data, delegate control granularly, on the source or feature level.
If you work in a larger company that has administrators or helpdesk personnel taking care of a certain system, it may make sense to assign permissions on the source level. In this case, you increase overall security while allowing the maximum flexibility for your co-workers within their responsibility domain.
The fictional ExampleCo company utilizes SharePoint Online as a corporate solution for collaboration and team work management. In previous months, the load was so intense that the company established a new SharePoint Online Support Department for handling issues related to this specific system.
SharePoint Online administrators are determined to assist their co-workers. With Cygna Auditor, they review SharePoint Online permissions daily, track file and user activity, etc. The scope of their responsibility is limited to SharePoint Online and OneDrive for Business, so they do not need access to Active Directory data.
Takeaway: To reduce the number of global administrators, delegate control on the audit source level.
To strengthen security within your organization, you can further extend the delegation model by setting granular permissions as low as on the product feature level. You can grant allow and deny permissions on each feature individually: configuration, search, reports, activity widgets, and alerts.
From a security point of view, less is always better. Carefully review Cygna Auditor users' job responsibilities and break them down into tasks, and then map these tasks to product features. Basically, Cygna Auditor should not provide employees with more information than they could get otherwise. For example, in most organizations regular users cannot modify Active Directory groups or manage shared folder permissions, thus they should not review reports related to your Active Directory structure and file servers.
Based on industry recommendations, grant access to audit configuration only to those employees who are generally in charge of this piece of IT infrastructure. Grant permissions to access audit data to employees that are entitled to see it (security officers, auditors, etc.).
- Emma Dallas solely manages Cloud apps. She makes sure Cygna Auditor collects data and investigates suspicious activity. Hence, she needs access both to configuration and auditing features.
- Adam Priest is a helpdesk operator who helps users solve their issues with Exchange Online. He does not reconfigure Exchange Online or Azure AD but rather tracks down the problem's root cause and then passes this information to system administrators. To assist co-workers, Adam needs access to search and reports functionality.
- Mark Simons is a junior specialist at the security analysts group. Throughout the day, he checks each source for activity spikes that could indicate a potential threat. He does not dig into details, leaving elaborate investigations to his senior colleagues. Mark will find activity widgets helpful.
- Jean O'Raily is a security officer. She has to stay on top of changes and mitigate risks if a breach occurs. Jean wants to create custom alerts to be notified of suspicious activity and use search to investigate action chains that led to triggering the alert.
Takeaway: Once you have a clear understanding of what Cygna Auditor features your users need to accomplish their tasks, grant permissions accordingly.
Instead of granting access to individual users, create dedicated groups in Active Directory and delegate control to these groups. It's easier to manage user groups, since you can track changes to group membership with Cygna Auditor search and reports.
- John, Sam and Anna are system administrators. They are members of the Cygna Auditor Admins group. This group is assigned the Global administrators role in Cygna Auditor.
- Adam and Joan are the Exchange Online helpdesk operators. John, the system administrator, has created the Mail Helpdesk group and added Jack and Joan to this group. In Cygna Auditor, the Mail Helpdesk group is assigned the rights to see Exchange Online audit data through reports and search.
Takeaway: Define delegation guidelines and apply them to user groups. Let new users inherit group permissions instead of explicitly setting them.
Keeping up to date with your organization's needs is essential. Periodically check your delegation model and adapt it to changes. For example, you can schedule a monthly review of current delegations and reassign permissions according to the current workflow and organization's structure.
While reviewing the delegation model, John Smith, the ExampleCo's system administrator, found out that Adam Priest had been moved to another department. Since Adam no longer requires access to Exchange Online data, John removed Adam from the Mail Helpdesk group.
Takeaway: The delegation model is not created once and for all. As your organization keeps evolving, adapt the delegation model to changes.
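The takeaways above (few global administrators, grants to groups rather than users, feature-level permissions, periodic review) can be checked mechanically during the scheduled review. The following is an added example, not part of Cygna Auditor or its documentation: the plan layout, the roster and the review function are assumptions constructed for illustration, not the product's configuration format or API.

```python
# Added example: lint a delegation plan against this article's takeaways.
# PLAN and ROSTER are constructed sample data, not a Cygna Auditor export.
FEATURES = {"configuration", "search", "reports", "activity widgets", "alerts"}
MAX_GLOBAL_ADMINS = 3  # the article suggests two or three

PLAN = {
    "global_admin_group": "Cygna Auditor Admins",
    "groups": {  # AD group -> current members
        "Cygna Auditor Admins": ["John", "Sam", "Anna"],
        "Mail Helpdesk": ["Adam", "Joan"],
    },
    "grants": [  # who is allowed which features on which source
        {"principal": "Mail Helpdesk", "kind": "group",
         "source": "Exchange Online", "features": ["search", "reports"]},
        {"principal": "Mark Simons", "kind": "user",
         "source": "Active Directory", "features": ["activity widgets"]},
    ],
}
# Constructed roster: people whose current job still justifies membership.
ROSTER = {
    "Cygna Auditor Admins": {"John", "Sam", "Anna"},
    "Mail Helpdesk": {"Joan"},  # Adam has moved to another department
}


def review(plan, roster):
    """Return findings for one review pass over the delegation plan."""
    findings = []
    admins = plan["groups"].get(plan["global_admin_group"], [])
    if len(admins) > MAX_GLOBAL_ADMINS:
        findings.append(f"too many global administrators: {len(admins)}")
    for grant in plan["grants"]:
        who = grant["principal"]
        if grant["kind"] != "group":
            findings.append(f"direct grant to user {who}: use an AD group")
        elif who not in plan["groups"]:
            findings.append(f"grant to unknown group {who}")
        unknown = sorted(set(grant["features"]) - FEATURES)
        if unknown:
            findings.append(f"unknown features for {who}: {unknown}")
    # Membership that the roster no longer justifies should be removed.
    for group, members in plan["groups"].items():
        for member in sorted(set(members) - roster.get(group, set())):
            findings.append(f"{member} no longer belongs in {group}")
    return findings


if __name__ == "__main__":
    for finding in review(PLAN, ROSTER):
        print(finding)
```
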