When people think of excessive privileges, SaaS solutions are rarely on their mind. Many organizations end up with excessive numbers of highly privileged users in SaaS solutions.
In fact, the Australian Signals Directorate doesn’t even mention SaaS in their often quoted ASD Essential Eight guide. That guidance is as follows: “Users with administrative privileges for operating systems and applications are able to make significant changes to their configuration and operation, bypass critical security settings and access sensitive information.” All of these risks apply when you store and transact your data in SaaS solutions. It is important to adopt a least privilege model for ALL privileged access, which includes your SaaS footprint.
Is it possible not to have any privileged users?
In order to implement a least privilege model, both across an organisation and within an individual SaaS solution, it is important to first understand the minimum number of highly privileged users you need. It is unwise to have only a single highly privileged user in any one SaaS solution. That staff member might resign, have an accident or simply forget their access credentials, leaving the business exposed to operational and availability risks.
It is prudent to have at least two highly privileged users per SaaS solution to eliminate the above risks, and to use delegated privileged user roles for most administrative activity.
How do you end up with excessive privileged users?
Many organizations instead end up with excessive numbers of both highly privileged and privileged users in SaaS solutions containing business critical and customer sensitive data. This can occur when staff change roles or need elevated privileges for a short time, and access rights are not regularly reviewed as part of BAU operations. Another common reason for excessive privileged users is department managers or C-suite executives who hold onto these rights when they are not needed for oversight or control purposes.
Now that the decision has been made to manage the count of privileged users in SaaS, it’s worth taking a look at the major SaaS providers’ recommendations:
In addition, some SaaS solutions fix the number of highly privileged users you can have:
This is a mixed bag of options and recommendations, so it’s worth establishing a baseline.
So what are Detexian’s recommendations?
Detexian recommends, for most SaaS solutions, between two and four Highly Privileged Users per SaaS. If your organization is geographically diverse (i.e. staff live and work in different cities), then two is likely correct. If your staff live in the same city and work in the same building, it is appropriate to have more highly privileged users to reduce the availability risk.
If the SaaS solution supports privileged user roles for delegated tasks, then these should also be restricted to two to four users per role, as required.
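The two recommendations above (two to four highly privileged users per SaaS, and two to four users per delegated admin role) can be turned into a repeatable check over a role-assignment export. The following is an added example, not Detexian’s tooling and not any SaaS provider’s API: the app names, user names, role names and the mapping of roles into “highly privileged” and “delegated admin” are all constructed for illustration, and a real tenant’s roles would need to be mapped onto those two sets first.

```python
from collections import defaultdict

# Constructed sample data: a flattened role-assignment export from three
# hypothetical SaaS tenants. Every app, user and role name here is made up.
SAMPLE_ASSIGNMENTS = [
    {"app": "crm", "user": "alice", "role": "super_admin"},
    {"app": "crm", "user": "bob", "role": "super_admin"},
    {"app": "crm", "user": "carol", "role": "super_admin"},
    {"app": "crm", "user": "dave", "role": "super_admin"},
    {"app": "crm", "user": "erin", "role": "super_admin"},
    {"app": "crm", "user": "frank", "role": "super_admin"},
    {"app": "crm", "user": "grace", "role": "billing_admin"},
    {"app": "hr", "user": "alice", "role": "owner"},
    {"app": "hr", "user": "heidi", "role": "user_admin"},
    {"app": "hr", "user": "ivan", "role": "user_admin"},
    {"app": "wiki", "user": "judy", "role": "user"},
]

# Role classification is an assumption for this example: each SaaS names its
# roles differently, so map the tenant's real role names into these two sets.
HIGHLY_PRIVILEGED_ROLES = {"super_admin", "owner", "global_admin"}
DELEGATED_ADMIN_ROLES = {"billing_admin", "user_admin", "security_admin"}


def users_by_app_and_role(assignments):
    """Group distinct users per (app, role) so duplicate export rows do not inflate counts."""
    grouped = defaultdict(lambda: defaultdict(set))
    for row in assignments:
        grouped[row["app"]][row["role"]].add(row["user"])
    return grouped


def classify(count, min_count, max_count):
    """Compare a user count against the recommended band."""
    if count < min_count:
        return "too_few"
    if count > max_count:
        return "too_many"
    return "ok"


def audit_privileged_users(assignments, min_count=2, max_count=4):
    """Return (app, role, user_count, status) tuples for every privileged role.

    Highly privileged roles are aggregated per app (an app with one owner and
    one super_admin has two highly privileged users), matching the per-SaaS
    recommendation. Delegated admin roles are checked one role at a time,
    matching the per-role recommendation. An app with no highly privileged
    user in the export is reported as too_few with a count of 0: either the
    tenant really has none, or the export is incomplete, and both need a look.
    """
    findings = []
    for app, roles in sorted(users_by_app_and_role(assignments).items()):
        highly = set()
        for role, users in roles.items():
            if role in HIGHLY_PRIVILEGED_ROLES:
                highly |= users
        findings.append(
            (app, "HIGHLY_PRIVILEGED", len(highly),
             classify(len(highly), min_count, max_count))
        )
        for role in sorted(roles):
            if role in DELEGATED_ADMIN_ROLES:
                n = len(roles[role])
                findings.append((app, role, n, classify(n, min_count, max_count)))
    return findings


def exceptions_only(findings):
    """Keep only the rows an access reviewer needs to act on."""
    return [f for f in findings if f[3] != "ok"]


if __name__ == "__main__":
    for app, role, n, status in audit_privileged_users(SAMPLE_ASSIGNMENTS):
        print(f"{app:6} {role:18} {n:2d} {status}")
```

Run against the constructed export, the check flags the CRM tenant for six highly privileged users and a single billing admin, the HR tenant for a lone owner, and the wiki for having no highly privileged user on record at all, while the two HR user admins pass. Feeding `exceptions_only` into a ticketing or review workflow at a fixed cadence is what turns the recommendation into the regular BAU review the earlier section says is usually missing.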
For SaaS solutions that only support a single admin or owner account, Detexian’s best practice advice is in line with AWS guidance for the root account:
Find out how many privileged users you have in each SaaS in minutes and keep track of changes at all times. Inquire now for a free demo.