
IT Head Access Control: Email & Backups

TL;DR

It’s not reasonable for a Head of IT to have *no* access to email or backup management systems. Complete exclusion creates risks and hinders effective cyber security and disaster recovery. Access should be limited based on the ‘least privilege’ principle, using strong authentication and monitoring.

Solution Guide: Controlling Access for the Head of IT

  1. Understand the Risk
    • Blocking access entirely means they can’t investigate incidents, verify backups are working, or respond to data requests.
    • It creates a single point of failure – relying on others for critical tasks.
    • Lack of visibility hinders proactive cyber security measures.
  2. Implement the Principle of Least Privilege
    Don’t give full admin access. Instead, grant only what’s needed to perform their duties.

    • Email: Grant read-only access to audit logs and reporting features. Do not grant the ability to send mail as other users (SendAs), open other users’ mailboxes (FullAccess) or modify mailbox settings directly; an incident investigation needs the audit trail, not the mailbox contents.
    • Backup Management: Allow access to monitor backup jobs, restore data (with appropriate approvals – see the Approval Workflows step below) and view reports on backup success/failure. Do not grant permissions to delete backups or change retention policies; those are the most damaging actions in a ransomware incident and should require a second person’s approval.
  3. Technical Implementation – Email Access Control (Example: Microsoft 365)
    Use Role-Based Access Control (RBAC). Exchange Online assigns management roles through role groups, and the built-in ‘View-Only Audit Logs’ role gives exactly the read-only audit access described above (per-mailbox permissions via Add-MailboxPermission cannot express this; its only rights are FullAccess, SendAs, ReadPermission and similar):

    # PowerShell example (requires the ExchangeOnlineManagement module)
    Connect-ExchangeOnline
    # A dedicated role group holding only the built-in read-only audit role
    New-RoleGroup -Name "IT Head - Audit Readers" -Roles "View-Only Audit Logs" -Members "ithead@example.com"   # placeholder address

    Keep this role group dedicated to audit reading, and keep the account out of Organization Management and the other broad admin role groups.
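    Granting the audit role is half of least privilege; the other half is checking what the account can already do. The script below is an added example written for this post, not code from the original or from Microsoft; it assumes the hypothetical account ithead@example.com, the hypothetical role group name ‘IT Head - Audit Readers’ and an admin session in the ExchangeOnlineManagement module, and uses only standard Exchange Online cmdlets (Get-RoleGroup, New-RoleGroup, Get-RoleGroupMember, Get-RecipientPermission, Get-MailboxPermission).

```powershell
# Added example (not from the original post). Requires the ExchangeOnlineManagement
# module and an account allowed to manage role groups. All names are hypothetical.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'

$headOfIt  = 'ithead@example.com'          # hypothetical Head of IT account
$groupName = 'IT Head - Audit Readers'     # hypothetical role group name

# 1. Grant: a role group holding only the built-in "View-Only Audit Logs" role.
if (-not (Get-RoleGroup -Identity $groupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $groupName -Roles 'View-Only Audit Logs' -Members $headOfIt | Out-Null
}

# 2. Verify: the account must not sit in the broad admin role groups.
$broadGroups = 'Organization Management', 'Recipient Management', 'Discovery Management'
foreach ($g in $broadGroups) {
    $members = Get-RoleGroupMember -Identity $g | Select-Object -ExpandProperty PrimarySmtpAddress
    if ($members -contains $headOfIt) {
        Write-Warning "$headOfIt is a member of '$g' - remove it to keep least privilege."
    }
}

# 3. Verify: no SendAs or FullAccess on anyone else's mailbox.
$sendAs = Get-RecipientPermission -Trustee $headOfIt -AccessRights SendAs
if ($sendAs) {
    Write-Warning "SendAs held on: $(($sendAs | ForEach-Object Identity) -join ', ')"
}

$fullAccess = Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission -User $headOfIt |
    Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited }
if ($fullAccess) {
    Write-Warning "FullAccess held on: $(($fullAccess | ForEach-Object Identity) -join ', ')"
}

# 4. Evidence for the quarterly access review: every role group the account belongs to.
Get-RoleGroup | Where-Object {
    (Get-RoleGroupMember -Identity $_.Identity |
        Select-Object -ExpandProperty PrimarySmtpAddress) -contains $headOfIt
} | Select-Object Name, Roles

Disconnect-ExchangeOnline -Confirm:$false
```

    The FullAccess check walks every mailbox, so in a large tenant run it as a scheduled job rather than interactively. Any warning it prints is a finding for the access review: the account should hold the audit role group and nothing else.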

  4. Technical Implementation – Backup Access Control (Example: Veeam)
    Veeam Backup & Replication controls console access with a fixed set of built-in roles rather than custom ones, so the Head of IT gets the narrowest built-in roles that cover the duties:

    • ‘Veeam Backup Viewer’ for read-only visibility of backups, repositories and jobs.
    • ‘Veeam Restore Operator’ for restores. Do not assign ‘Veeam Backup Administrator’, which also allows deleting backups and changing job and retention settings. Veeam does not gate individual restores behind a second approver, so enforce MFA for console logins (native from version 12) and make the approval workflow in the Approval Workflows step a documented pre-condition for any restore. Every restore session is recorded in the console’s session history and in the backup server’s Windows event log, so configure alerts for all restores initiated by this account.
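    The same assignment and check in Veeam’s own PowerShell module, as an added example for this post (not Veeam’s documentation or code). It assumes a hypothetical backup server vbr01.example.com and account CORP\ithead, and the Veeam Backup & Replication module’s role cmdlets (Get-VBRUserRole, Add-VBRUserRoleAssignment, Get-VBRUserRoleAssignment, Remove-VBRUserRoleAssignment, Get-VBRRestoreSession); the property names read from their output (User, Role.Name, CreationTime, Result) are assumptions to confirm against the cmdlet reference for your installed version.

```powershell
# Added example (not Veeam's code). Assumes Veeam Backup & Replication 12 with its
# PowerShell module installed on the backup server; server and account are hypothetical.
Import-Module Veeam.Backup.PowerShell
Connect-VBRServer -Server 'vbr01.example.com'

$headOfIt = 'CORP\ithead'

# Veeam has no custom roles: combine the two narrowest built-in roles that cover the duties.
#   'Veeam Backup Viewer'    -> read-only view of jobs, repositories and sessions
#   'Veeam Restore Operator' -> may start restores, cannot edit jobs or delete backups
# Property names on the assignment objects (User, Role.Name) are assumed.
foreach ($roleName in 'Veeam Backup Viewer', 'Veeam Restore Operator') {
    $role    = Get-VBRUserRole -Name $roleName
    $already = Get-VBRUserRoleAssignment |
        Where-Object { $_.User -eq $headOfIt -and $_.Role.Name -eq $roleName }
    if (-not $already) { Add-VBRUserRoleAssignment -Role $role -User $headOfIt }
}

# Verification: the administrator role (delete backups, change retention, edit jobs) must be absent.
$admin = Get-VBRUserRoleAssignment |
    Where-Object { $_.User -eq $headOfIt -and $_.Role.Name -eq 'Veeam Backup Administrator' }
if ($admin) {
    Write-Warning "$headOfIt holds Veeam Backup Administrator - removing to keep least privilege."
    Remove-VBRUserRoleAssignment -Role $admin.Role -User $headOfIt
}

# Review evidence: restore sessions from the last 30 days, to reconcile against approvals.
Get-VBRRestoreSession |
    Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-30) } |
    Select-Object Name, CreationTime, Result

Disconnect-VBRServer
```

    Run the verification part on a schedule: role assignments in Veeam are easy to widen during an incident and rarely tightened afterwards, and the list of restore sessions is what the approval log in the Approval Workflows step gets reconciled against.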
  5. Implement Multi-Factor Authentication (MFA)
    Crucially, always enforce MFA on accounts with access to sensitive systems like email and backup servers: a Conditional Access policy requiring MFA for Microsoft 365 administrative roles, and the console MFA setting on the Veeam backup server.

  6. Centralised Logging & Monitoring
    Log all actions performed by the Head of IT within these systems: forward the Microsoft 365 unified audit log and the backup server’s event logs to a Security Information and Event Management (SIEM) system and monitor for unusual activity.

    • Monitor login times, data access patterns, and restore requests.
    • Set up alerts for failed login attempts or unexpected changes.
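    What those alert rules look like once written down, as an added example for this post (not the original’s code and not any SIEM’s built-in rule). It runs offline on constructed records in the shape of the AuditData JSON that Search-UnifiedAuditLog returns; the account ithead@example.com, the addresses, IPs and timestamps are all made up, and in production $sample would be replaced by records pulled from the SIEM or from Search-UnifiedAuditLog -UserIds.

```powershell
# Added example: triage rules for one privileged account, run offline on constructed
# audit records. Not part of the original post; every value in $sample is hypothetical.
$watched    = 'ithead@example.com'
$officeFrom = 7     # local business hours start (07:00)
$officeTo   = 19    # local business hours end   (19:00)

# Constructed sample records in the shape of Search-UnifiedAuditLog's AuditData JSON.
# Real CreationTime values are UTC ("...Z") and must be converted with ToLocalTime()
# before an hour-of-day check; these samples are already in local time for brevity.
$sample = @'
[
 {"CreationTime":"2024-05-13T08:12:41","Operation":"UserLoggedIn","UserId":"ithead@example.com","ResultStatus":"Success","ClientIP":"203.0.113.10"},
 {"CreationTime":"2024-05-13T08:20:05","Operation":"Search-UnifiedAuditLog","UserId":"ithead@example.com","ResultStatus":"Success"},
 {"CreationTime":"2024-05-13T09:02:00","Operation":"MailItemsAccessed","UserId":"ithead@example.com","MailboxOwnerUPN":"ithead@example.com"},
 {"CreationTime":"2024-05-14T02:47:19","Operation":"UserLoggedIn","UserId":"ithead@example.com","ResultStatus":"Success","ClientIP":"198.51.100.77"},
 {"CreationTime":"2024-05-14T02:49:02","Operation":"Add-MailboxPermission","UserId":"ithead@example.com","ResultStatus":"Success","ObjectId":"ceo@example.com"},
 {"CreationTime":"2024-05-14T02:52:30","Operation":"MailItemsAccessed","UserId":"ithead@example.com","MailboxOwnerUPN":"ceo@example.com"},
 {"CreationTime":"2024-05-14T03:01:10","Operation":"UserLoginFailed","UserId":"ithead@example.com","ResultStatus":"Failed"},
 {"CreationTime":"2024-05-14T03:02:41","Operation":"UserLoginFailed","UserId":"ithead@example.com","ResultStatus":"Failed"},
 {"CreationTime":"2024-05-14T03:03:15","Operation":"UserLoginFailed","UserId":"ithead@example.com","ResultStatus":"Failed"},
 {"CreationTime":"2024-05-14T10:30:00","Operation":"UserLoggedIn","UserId":"someone.else@example.com","ResultStatus":"Success","ClientIP":"203.0.113.11"}
]
'@

function Get-PrivilegedAccountAlerts {
    param(
        [Parameter(Mandatory)][string]$Json,
        [Parameter(Mandatory)][string]$User,
        [int]$OfficeFrom = 7,
        [int]$OfficeTo = 19,
        [int]$FailureThreshold = 3,
        [int]$FailureWindowMinutes = 10
    )
    # Operations that change who may read or send as whom; a read-only audit role never needs them.
    $privilegeChanges = 'Add-MailboxPermission', 'Add-RecipientPermission', 'Set-Mailbox',
                        'Add-RoleGroupMember', 'New-ManagementRoleAssignment', 'New-InboxRule', 'Set-InboxRule'

    # @() keeps the parsed array enumerable on both Windows PowerShell 5.1 and PowerShell 7.
    $records = @($Json | ConvertFrom-Json) |
        Where-Object { $_.UserId -eq $User } |
        Sort-Object { [datetime]$_.CreationTime }

    $alerts   = [System.Collections.Generic.List[object]]::new()
    $failures = @()   # timestamps of failed logins inside the sliding window

    foreach ($r in $records) {
        $t = [datetime]$r.CreationTime
        switch ($r.Operation) {
            'UserLoggedIn' {
                if ($t.Hour -lt $OfficeFrom -or $t.Hour -ge $OfficeTo) {
                    $alerts.Add([pscustomobject]@{ Time = $t; Rule = 'OutOfHoursLogin'; Detail = "from $($r.ClientIP)" })
                }
            }
            'UserLoginFailed' {
                # keep only failures within the window, then test the threshold
                $failures = @($failures + $t | Where-Object { ($t - $_).TotalMinutes -le $FailureWindowMinutes })
                if ($failures.Count -ge $FailureThreshold) {
                    $alerts.Add([pscustomobject]@{ Time = $t; Rule = 'RepeatedLoginFailure'; Detail = "$($failures.Count) failures in $FailureWindowMinutes min" })
                    $failures = @()
                }
            }
            'MailItemsAccessed' {
                # reading someone else's mailbox is a data-access pattern the audit role does not need
                if ($r.MailboxOwnerUPN -and $r.MailboxOwnerUPN -ne $User) {
                    $alerts.Add([pscustomobject]@{ Time = $t; Rule = 'OtherMailboxRead'; Detail = "mailbox $($r.MailboxOwnerUPN)" })
                }
            }
            { $_ -in $privilegeChanges } {
                $alerts.Add([pscustomobject]@{ Time = $t; Rule = 'PrivilegeChange'; Detail = "$($r.Operation) on $($r.ObjectId)" })
            }
        }
    }
    return $alerts
}

Get-PrivilegedAccountAlerts -Json $sample -User $watched -OfficeFrom $officeFrom -OfficeTo $officeTo |
    Format-Table -AutoSize
```

    On the constructed sample this raises four alerts: the 02:47 login, the Add-MailboxPermission change, the read of the ceo@example.com mailbox and the three failed logins inside ten minutes; the daytime login, the audit-log search and the read of the account’s own mailbox are the expected behaviour of a read-only audit role and stay quiet. The same function serves the backup side once the SIEM normalises Veeam restore sessions into records with an Operation field, which is the usual way to get the ‘restore requests’ signal from this step into the same alert stream.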
  7. Regular Access Reviews
    At least quarterly, review the Head of IT’s permissions (role group membership in Microsoft 365, role assignments in Veeam) to ensure they remain appropriate.

  8. Approval Workflows (Backup Restores)
    For backup restores, implement a workflow requiring approval from another senior member of staff before any data is restored, and reconcile the approvals against the restore sessions recorded by the backup server. This adds an extra layer of security and accountability.

  9. Documentation & Training
    Document all access controls and procedures. Provide training to the Head of IT on their responsibilities and limitations.
