TL;DR: Hiring a Zoho consultant? Discover the secure and correct way to grant them admin access without sharing your own login. Protect your data and ensure a clear audit trail.

The $37 Mistake: Why Sharing a Zoho Super Admin Login Is a Major Security Risk

When you bring in a Zoho Partner or certified Zoho consultant to work on your Zoho platform, it’s very tempting to provide them with an existing admin account for convenience (and save $37/month if we’re talking about Zoho One apps). Please, resist this temptation at all costs. If your Zoho Partner agrees to work under your account, ask them how they intend to distinguish their actions from those of another admin in the audit trail, in case something goes awry.

Zoho does not provide us, its Partners, with any backdoors, admin-level access, or other administrative privileges for obvious security reasons. However, we need administrator privileges to work on your Zoho implementation. In many cases, customers suggest that they do not want to allocate a separate user license for this, instead offering shared access under their existing admin or even super admin account. We never agree to that practice for the following reasons:

  • Audit trail. If we work under your admin account, there’s no way to distinguish our actions from the actions of other people who also have access to this account.
  • Multi-factor authentication. It’s normal to have it; it’s scary not to. Sometimes we need to log in to the client’s platform at a moment when the “real” owner of the account has no option to provide us with the MFA code or confirm the login on their mobile device.
  • Integrations, tokens, and API connections. Due to Zoho’s system architecture, many integrations, authentication tokens, and other low-level system connections are tied to the user who created them. Therefore, all actions performed by these integrations, custom functions, and the like will be reflected in the system logs as having been performed by that user. It makes debugging and security audits really hard because there’s no way to instantly tell if some field has been changed by John Doe or by the automation that John implemented.
  • The Principle of Least Privilege, particularly for the Zoho One apps. For example, if your Zoho Partner works on Zoho CRM, Zoho Books, and Zoho Inventory, they might not need access to Zoho Social or Zoho People. In other words, grant them access only to the specific data and applications that are absolutely necessary for their scope of work.

All in all, there are no benefits in sharing a real admin’s or super admin’s password with your Zoho Partner or consultant (in the context of business automation, we can’t seriously call saving $37/mo a benefit). The security risks and inconvenience associated with “shared admin access” outweigh the minimal savings. As an added security layer, create such a user with your company’s mailbox, and set a direct, unconditional forward to your Zoho Partner’s address with storing all the inbound messages.

In the ideal world, the platform could have a special user type, such as “Implementation Administrator,” which would be allocated only by the organization’s super admin and wouldn’t occupy a “real” user seat. In reality, it likely won’t happen often because there’s no way to prevent its abuse by using the “administrator” role for non-admin purposes.

Besides the separate “implementation administrator” user, there are many ways to leverage Zoho’s vast array of security measures, especially for Zoho One apps controlled by Zoho Directory. If you have to choose between convenience and security, choose security: the convenience never pays for itself. Security does.

Administrator Access
Separate Account
Shared Super Admin Account
Audit Trail
Yes
No
Multi-Factor Authentication
Yes
No
Principle of Least Privilege
Yes
No
IP Address Restrictions
Yes
No

Note: There will be situations when your Zoho consultant will need access as a super admin. It's normal; sometimes we have to act in this capacity. In this case, share the access and simply change the password when the needed operations are completed. If your platform is brand new and doesn’t have any real data yet, it's totally fine to share the super admin password, too.

Zoho One Security: What Else Can Be Done?

As an integrated SaaS platform, Zoho One offers a good amount of the security features that both the Zoho Partner team and the client’s IT department can use easily. Zoho’s own general Security F.A.Q. is also worth reading.

Also consider reading the Best Practices to Keep Your Zoho Account Secure (Zoho Accounts Knowledge Base). 

For Zoho Forms security, review the Zoho Forms Autit procedures and the HIPAA compliance settings. It’s impossible to give a 360-degree security overview for all the Zoho One apps at once; however, even invoking the simplest security functions can have tremendous effect on the safety of your data. 

Read More