Delegated Administrative Privileges in the Cloud Solutions Provider (CSP) Program

Monday 10th January 2022

Delegated Administrative Privileges in the Cloud Solutions Provider (CSP) Program

Delegated Admin Privileges (DAP) are required by Bytes to perform specific tasks related to purchasing and provisioning software and to provide technical support to its customers within the Cloud Solutions Provider (CSP) program. DAP is granted to Bytes when the customer to partner relationship is created. This document outlines the extend of our permissions and the security and access controls we have implemented to ensure customer data is secure.

Microsoft Online Services

1. Bytes manage all Microsoft Cloud Agreements through a Microsoft provided online tool called Microsoft Partner Center which grants a limited ability to see Customer data as described in the Microsoft Customer Agreement (MCA).
2. Partner Center Users with any Agent role will have the ability to view a list of Customers’ Azure Active Directory Users
3. Partner Center Users with the Admin Agent or Helpdesk Agent will have the ability to conduct “Admin On Behalf Of” actions on customers’ Azure Active Directory (AAD) tenant. This is known as Delegated Admin Permissions (DAP).
4. DAP is the same level of AAD tenant access as a Customer User with the Global Admin role and the same restrictions to data access apply, for example:
   1. Bytes will be unable to directly view Exchange Online data
   2. Bytes will be unable to directly view SharePoint data
   3. Bytes will be unable to directly view files in OneDrive for Business
5. Office 365 offers a native Audit Logging feature, allowing Customers to interrogate the system for any changes to configuration or permissions. Where this has not already been enabled, Bytes will (at an appropriate time) automatically activate the Audit Logging feature. Bytes would strongly encourage Customers to configure configuration, access, and permission change Alerts as part of the Audit Logging functionality.
6. Customers may choose to remove Bytes DAP. This will restrict the ability of Bytes Agents’ to assist Customers in any reactive support scenario and may prevent certain products from being purchased.

Microsoft Azure

1. Bytes manage all Microsoft Cloud Agreements through a Microsoft provided online tool called Microsoft Partner Center which grants a limited ability to see Customer data as described in the Microsoft Customer Agreement (MCA).
2. Partner Center Users with the Admin Agent or Helpdesk Agent will have the ability to conduct “Admin On Behalf Of” actions in customers’ Azure Subscription(s). This is accomplished by Azure recognising all Agents as a single Foreign User Principal with the Azure Role Based Access Control (RBAC) Owner role. This is an inherited role and is the same role granted by Bytes to the first User that the Customer specifies.
3. The RBAC Owner role allows the download of most stored data types but Customers can enable native AES 256-bit encryption for all stored data and this is a practice that Bytes would strongly encourage.
4. All actions within an Azure Subscription are automatically tracked using the native Audit Logging tool. This can be used to set alerts for all suspicious activity, a practice that Bytes would strongly encourage.
5. Customers may choose to remove Bytes Foreign Principal from any of their Subscriptions. This will restrict the ability of Bytes Agents’ to assist Customers in any reactive support scenario and means that pricing will revert to RRP +3% as per the BMCA.

Access Controls

1. Bytes have adopted the Secure Application Model Framework
2. Bytes monitor the activity logs across all of our Microsoft tenants, including the one used for Microsoft Partner Center, 24/7 utilising a third party SEIM SOC solution.
3. Bytes monitor 24/7 external threats to Bytes Systems, including our Microsoft tenants, using toolsets such as Digital Shadows.
4. We regularly check the "Activity Log" in Partner Center to monitor user activities.
5. Bytes have enabled multi-factor authentication (MFA) along with conditional access policies.
6. Only limited Bytes staff may be granted the ‘Admin Agent’ role through dedicated accounts.
7. All access rights are granted on a “when needed” basis and removed at the end of the working day.
8. Passwords have been replaced with hardware tokens.
9. All Bytes staff must read and agree to the Bytes CSP Customer Data Access Control & Security Policy before admin permissions are granted.

Arm’s Length Systems

1. Most activities that can be completed on Partner Center have a corresponding API, allowing them to be completed using arm’s length tools and systems.
2. Bytes have developed a publicly facing Cloud Dashboard (CDB) allowing Customers to create quotes, change OLS license counts, and provision new Subscriptions according to Microsoft pricelists (including Microsoft). Bytes employees also use this portal as part of internal process to raise and complete Customer orders where directed.
3. The Partner Center APIs have been integrated in to CDB to allow employees to raise quotes, and process orders without any direct access to Partner Center. The APIs used for these tasks do not have any effect on Customer environments other than for generating pricing or provisioning services.

CSP Security best practices

Bytes have implemented all of the Microsoft CSP Security best practices with the exception of Microsoft Passwordless authentication. Bytes have deployed physical secure tokens which Bytes felt offered improved security over Microsoft Passwordless authentication option.

Customer Monitoring and Auditing

We encourage our customers to review and audit Azure AD sign-ins and configuration changes: Authentications of this nature are audited and available to customers through the Azure AD sign in logs, Azure AD audit logs, and the Microsoft 365 compliance center (formerly in the Exchange Admin Center). Microsoft  recently added the capability to see sign-ins by partners who have delegated admin permissions. Customers can see a filtered view of these sign-ins by navigating to the sign-in logs in the Azure AD admin portal, and adding a filter ‘Cross-tenant access type: Service provider’ on the ‘User-sign ins (non-interactive)’ tab.

Nobelium targeted attacks

The Microsoft Threat Intelligence Center (MSTIC) recently detected nation-state activity attempting to gain access to customer data and information of multiple cloud service providers, managed service provider (MSP) partners, and other IT services organizations that use delegated administrative privileges or other elevated credentials to administer customer environments. 

This situation is not the result of a security vulnerability but rather the attacker using a diverse and dynamic toolkit consisting of malware, social engineering and phishing to gain initial access, leveraging trusted relationships to gain access to downstream customers.

Nobelium is the same actor behind the SolarWinds compromise in 2020, and this latest activity shares the hallmarks of the actor’s compromise-one-to-compromise-many approach. Microsoft has notified organizations that the Microsoft Threat Intelligence Center (MSTIC) has observed being targeted or compromised by Nobelium through our nation state notification process.

Bytes have completed a thorough review of our security policies in light of the Nobelium activity.

Want to keep informed? Sign up to our Newsletter