Taking the Path of Least Privilege Can Save Your Business Headaches and Money
Whether a large enterprise or an SMB, every organization experiences IT hindrances that result in support calls to the help desk. While many will be straight forward with an obvious underlying cause (such as a forgotten password), there will be some calls that leave the IT team scratching their heads, sometimes for months. How many of the following sound familiar?
- It worked yesterday, but today it doesn’t!
- I don’t know what I did, but now nothing is happening!
- It says there’s a compatibility issue!
While each call may seem to suggest a unique problem, organizations should realize there is often an underlying basis that serves as their common root – admin rights. This, I believe, is the Achilles heel for many organizations.
The Calls Keep on Coming
With little else to go on, it can be difficult for the help desk to pinpoint what exactly has happened. It’s evident a device isn’t functioning the way it should, but how it got to that state – well, that could quite literally be one of a million reasons.
Let’s consider a few common scenarios:
For instance, Linda’s laptop no longer connects to the printer in the office. After unsuccessfully trying to fix the problem herself, she calls the support desk for help. What she fails to mention, however, is that she installed a driver last night so she could connect to her home printer. Eventually, she pieces together the connection to rectify the issue−until she prints at home again.
Or, John’s computer has given him trouble for months, but he just can’t seem to sort the problem that started when he was prevented from opening an attachment. He thought he resolved the issue himself, without troubling the help desk, by downloading some software from the Internet. As IT investigates further, it’s revealed that John has made similar little tweaks to the system for months. Each new modification has inadvertently clashed with other elements, eventually causing the system to crash.
The Common Factor
I would argue that many of these problems have one common factor: users have admin rights, or at least some of them do. Take the problem with Linda−was it a printer driver issue or that she had admin rights? Or John’s scenario–his numerous computer conflicts made it difficult to pinpoint exactly which caused the final meltdown, but it was his admin rights that allowed him to tinker with the build in the first place.
Giving users control of their desktops in a corporate environment is bad news. They’ll introduce or change things that can, at best, cause compatibility issues resulting in problematic devices. At worst, they’ll cause serious security breaches, costing both money and time.
Take the Path of Least Privilege
Of course, removing admin rights completely is a problem in itself. If rights are too restrictive, users are left struggling to do everyday tasks. If you go too lenient, the consequences could bring the organization to its knees. But, admin rights do not have to exist at either extreme.
Instead, a least privilege approach takes into account security and productivity by granting users only the rights necessary to carry out their jobs. Even so, the act of curtailing rights, even moderately, nearly always results in some amount of user push back–if not managed and communicated effectively.
In fact, even when carefully implemented, the unfortunate reality remains, IT departments are often faced with employee demand for unrealistic service and autonomy levels – especially during a least privilege migration. But, there are measures that can be taken to communicate the benefits of least privilege to the organization at large, reducing friction between end users and the IT department.
- Be Transparent
Create a portfolio that outlines the services the IT department provides and what users can expect from the transition. Lay out reasonable time frames for how long it will take to receive responses on software install requests and explain the business reasons for rejecting such an ask. Your portfolio should also contain a list of authorized software and hardware.
While least privilege is quick and responsive, users will have to be prepared for a corporate environment in which everything is not on instant offer. Be honest and open regarding any delays that are due to a more careful consideration of additions to the desktop. This helps end users realize their requests are not being ignored or backed up due to inefficiencies.
- Develop a Policy on Hardware
Specifying particular brands that users are permitted to purchase helps minimize support costs related to disparate devices and compatibility issues.
- Achieve Successful Backing from Senior Management
Least privilege’s business benefits, such as reduced IT support costs, increased productivity and compliance with industry regulations or standards, including PCI DSS, HIPPA, and SOX, should be emphasized over purely security or technical gains.
- Timeliness is Key
Desktop refresh projects, such as moving to a new operating system, are often used as a vehicle to implement least privilege. Doing so also increases acceptance from end users, as an OS upgrade is almost always supported.
When a few employees tie themselves up in knots, organizations may feel a knee jerk reaction to remove all privileges for all users. But, the reality is, it’s impossible to support a completely non-standard user base, where everyone is granted administrative rights. So, if you want to protect your Achilles heel, then your security mantra needs to focus on effective management, rather than restriction, of user rights.
By rolling out a well-documented least privilege policy with proper education, users are likely to realize why it has been put in place, so the organization can properly defend against exploits, improving the company’s bottom line and protecting customer data.