The ‘insider threat’ may have been particularly topical during the past year thanks to Edward Snowden, but the problem has been there for a long time (Forrester reported a couple of years ago that around 43 per cent of data breaches are from internal sources). Giving staff excessive admin rights and privileges over their software is like handing them the keys to every door in the organisation.
For the uninitiated, ‘admin rights’ is a term that covers what computer users are allowed to do with their software. This can include changes to configuration, installing a device driver or downloading new software.
In small businesses, it may not even occur to anyone that this is an issue, while ‘admin rights’ can be a contentious issue in larger organisations that have an IT department, not least because when admin rights are withheld, users have to contact the IT team or helpdesk every time they want something fixed or changed.
So why not just give out blanket admin rights and privilege – what can really go wrong? Quite a lot. On Windows 7, over 70% of known vulnerabilities are only exploitable when the user has administrative privileges. In short, as long as there are users with excessive privilege, companies are leaving the door wide open for those vulnerabilities to be exploited every day. Devastating security breaches can stem from innocuous actions such as downloading unauthorised applications, tools or content that brings in malware.
Know Who’s Doing What?
More frightening is the fact that many organisations don’t have a clue who has got access to what: I bet if I were to quiz most businesses, they would be hard pressed to provide an accurate list. Using the building analogy again, it’s as if they’ve lost the floor-plan.
This is why I believe that there needs to be a move from implicit privilege to explicit privilege, or ‘least privilege’: in other words, providing administrator privileges only where needed. If the IT manager is now going white at the thought of managing this, I’d argue that applying privilege does not have to be onerous. Here’s what I mean:
Least Privilege In Practice
- Focus on applications, not users – even really large organisations are only using a couple of thousand apps at most and generally, the need to apply privilege only applies to a very small number of these. Plus, the privileges for an application are likely to remain fairly constant, unlike users, whose application requirements vary. Suddenly, the workload to manage privilege looks a lot less daunting.
- Stop users from automatically operating as administrators on their own desktops – that will eradicate a whole host of vulnerabilities straight away.
- Stop bypassing of logging – without this system of checks and balances, companies cannot have granular control over what is going on, let alone work out what the root cause was when something goes wrong.
- Invest in the right tools – compared to a few years ago, the current generation of privilege management tools is designed to be straightforward to apply and can automate much of the work (music to the IT department’s ears).
Least privilege is important and completely achievable. Preventing unnecessary data breaches is within the grasp of any organisation and surely prevention is better than cure.