When attaching an application to Prisma SaaS, it’s natural to want to stick to the principle of least privilege. This can be a problem because Prisma SaaS needs elevated privileges to perform important tasks, such as quarantining malicious files found during a scan.
Occasionally, somebody notices that it’s possible to attach Box to Prisma SaaS using a co-admin account. On the surface, that looks like a pretty good idea. The account isn’t a full admin, so the principle of least privilege is applied. Prisma SaaS gets attached, scanning happens, and assets are discovered and classified.
The biggest problem is that the co-admin account doesn’t scan the super admin’s Box account. Why is that a problem, you ask? Think about it for a minute. Your admins are admins in your IT organization. As such, they have elevated privileges in one or more areas. If there’s malware in their SaaS application, it has the potential to detonate with that admin user’s elevated privileges. That’s a pretty bad scenario. Not scanning that account’s assets means no visibility into an important person’s data.
I was chatting with a couple of team members, both Customer Success Engineers on the Prisma SaaS team. One expanded on my thought, “Some groups can be associated with the other admin user and we are unable to see that data too.”
That's whole groups potentially left unscanned. Again, the big problem here is a lack of visibility. In the end, that’s what Prisma SaaS is all about—providing visibility into your sanctioned SaaS applications.
Another problem with the co-admin account is that it visually looks about the same as when Prisma SaaS is running with super admin. By looking at it, you get the impression that everything is working just fine when in reality you’re lacking visibility. During the attachment process, the app logic is smart enough to present a warning, but once it’s running, it looks like any other running app.
From a timely conversation with another colleague,
“If a user account is used to install a Box app, the installation will be blocked. But if a co-admin is used the installation will be allowed but an error will be shown in the app details that full admin is not used. For apps like Box, customers can install with co-admin. We will allow them to install with co-admin but it will show a warning in the cloud apps overview page and in the cloud app details page.”
While it’s possible to attach the application using a co-admin account, a best practice would be to attach as the Super Admin instead.