# SaaS Admin Hygiene and Least Privilege

One-sentence definition: Minimizing overprivileged SaaS admins and risky defaults through config baselines and reviews.

## Key Facts

- Enforce SSO/MFA for admins; break-glass accounts with tight controls.
- Role-based admin scopes (reader vs config vs billing).
- Periodic access recertifications; just-in-time elevation.
- Monitor risky shares, external links, and public objects.
- SSPM provides misconfig visibility and fixes.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Pick the missing SaaS control that prevents mass data exposure.

**Mnemonic:** “Few admins, fewer rights.”

## Mini Scenario

Q: Thousands of files shared publicly—what to add?

A: SSPM/CASB monitoring with automated unshare and alerts.

## Revision Checklist

- Name 3 admin protections.
- Define break-glass control.
- State one monitoring metric.

## Related

[[CASB and SSPM/CSPM Overview]] · [[Cloud Data Protection (SaaS, PaaS, IaaS)]] · [[Data Loss Prevention (DLP)]] · [[Data Sharing and External Collaboration Controls]] · [[Tenant Isolation and Cross-Tenant Risks]] · [[Domain 2 - Index]]