Let’s face it, computer networks are complicated and keeping them secure depends on a multitude of factors. At the core of this, however, are administrative rights that make it possible to fundamentally alter the configuration of a desktop, its installations and applications. In fact, when you’re dealing with admin rights, a slight error can result in a malicious attack on the company’s server, potentially compromising the entire network.
And frankly, users with admin rights are loose cannons -- you just don’t know when or where they are going to strike, and the results can be devastating to the company’s security infrastructure. Once a problem occurs, it often unravels into a downward spiral taking your business - and reputation - down with it.
But there are some steps that can be taken to mitigate your organization’s risk that mostly revolves around taking a “least privilege” approach, meaning end-users can perform their jobs with ease but without threatening the organization’s security. Here are 10 steps towards making “least privilege” a reality.
Step 1: Regularly Evaluate Risk
IT specializes in certain areas that standard users ignore, such as files within the Windows folder and protected parts of the registry. If these are altered without IT knowing– either accidentally or maliciously- it can make the system unstable and increases the risk of data leakage. Simply, if IT doesn’t know what applications and changes users have made or installed, then it can’t be sure that sensitive data isn’t being redirected into the hands of an unknown third party. Regular evaluation of security risks, combine with application whitelisting, are essential in providing that extra layer of defense.
Step 2: Encourage Users to Have Fewer Devices
The proliferation of personal devices into the workplace has increased complexity and costs for an enterprise. Considering how rapidly the Bring Your Own Device (BYOD) trend is taking hold, it’s impractical to eliminate personal devices in the workplace altogether. Indeed, a recent Cisco survey of 600 international IT leaders in 18 industries revealed 78% of employees use mobile devices for work. Enterprises must thus create a balance between the use of personal and mobile devices and corporate desktops. If an employee justifies the use of a device, the onus is on the enterprise to establish its compliance with company policy, with a clear strategy to determine who is responsible for support.
Step 3: Move to a Managed Environment
Lock down machines so that users can only change their desktop configurations -- not the core system. This can save enterprises time and money, as it reduces support costs and mitigates lost productivity from network downtime.
Enterprises must also consider how to transition to a managed environment, while still aligning with business objectives. Leveraging Microsoft Group Policy and Microsoft System Center are just two examples of useful ways that will enable the effective deployment of services such as patch management and software distribution.
Step 4: Improve End-User Experience
Security is often seen as too limiting for users, but by adopting a well-planned and implemented least privilege policy, enterprises can actually improve the user experience and give privileges back to those who were previously on excessive lockdown.
When users make system-level changes, they can weaken the endpoint or introduce application clashes, which can have serious consequences. Following the example of devices like the iPad and Android Smartphones, which both operate in a curated environment, organizations can catalogue a portfolio of programs and applications that are needed and supported. Doing so will help track changes to the system and further secure the core system configuration. Furthermore, granting users feedback on activities, rather than completely blocking their access, will subsequently result in fewer help desk calls and will reduce the likelihood of “privilege creep”.
Step 5: Maximize Investment in Active Directory
Most Windows organizations have Active Directory but few realize its impact on achieving centralized management and business-policy driven architecture. Why not use the facilities already built into the product to enable a more efficient and productive IT system?
That said, there are limits to what you can do in terms of control and security, so the best option is to bolster security by using products that are tightly integrated with Active Directory, particularly third party least privilege solutions that enable integration. Doing so will provide more granular control, allowing admin rights to be easily removed without adversely impacting end users and ultimately productivity.
Step 6: Improve Network Uptime
Many organizations fail to recognize the connection between excess admin privileges and lost productivity. For example, without a privilege environment, an infected machine could issue a DOS (denial of service) attack undetected by the user, causing a flood of traffic over the network and bringing routers and switches to a halt. Instead, a least privilege environment not only improves the stability of the desktop but it also improves the quality of the entire network.
Step 7: Regulatory Compliance
Demonstrating compliance can prevent regulatory fines - and a least privilege approach is at its core. Many compliance codes state, either implicitly or explicitly, that users should have the minimum amount of privileges to complete everyday tasks.
For example, PCI DSS (Payment Card Industry Data Security Standard) states that the organization must ensure that privileged user IDs are restricted to the least amount of privileges needed to perform their jobs.
Step 8: Demonstrate Due Diligence
This goes hand in hand with Step 7, and at its heart helps educate staff about safe computing. Additionally a least privilege approach helps demonstrate to customers that you’re taking all reasonable approaches to protect their information. Many organizations and public services have been publicly named and shamed for data breaches, damaging their reputations and eroding customer confidence, which in turn lowers an organization’s ROI.
Step 9: Analyze Support Costs
Simply put, secure and managed systems are cheaper to support, which in turn makes security a business enabler as opposed to an initial expense. The provision of a knowledge base and intranet will also help to reduce support incidents which impact directly on cost, and those who take a relentless incramental approach to their security will continue to see support costs reduce.
Step 10: Reduce Complexity
As we learned in Step 1, the likelihood of data leakage increases when users are able to make unauthorized and un-catalogued changes. Since systems are complex enough without the added complications that come with excess privileges, enterprises should thus simplify its security posture by replacing local administrative rights with standard user accounts.
Boiling these down to the basics, organizations should implement a security strategy tailored for its business objectives as a vital first-step in safeguarding data. Next, removing admin privileges from the majority of users will lower support costs and mitigate security threats. In order to maintain productivity, enterprises should give users flexibility to use the line of business software that they need. On certain occasions, enterprises may also identify any users who may need additional rights to install approved software. Finally, enterprises should leverage least privilege management to achieve a smart balance for an IT environment in which everyone can still be productive while at the same time remaining secure. Introducing a least privilege approach really comes down to a logical decision – do you want the best of both worlds, productivity and security?
Cross-posted from SC MarketScope