Whether a large enterprise or an SMB, every organization experiences IT hindrances that result in support calls to the help desk. While many will be straightforward, with an obvious underlying cause (such as a forgotten password), there will be some calls that leave the IT team members scratching their heads, sometimes for months. How many of the following sound familiar?
While each call may seem to suggest a unique problem, organizations should realize there is often an underlying basis that serves as their common root—admin rights. This, I believe, is the Achilles heel for many organizations.
The Calls Keep on Coming
With little else to go on, it can be difficult for the person at the help desk to pinpoint what exactly has happened. It’s evident a device isn’t functioning the way it should, but how it got to this state—well, that could quite literally be one of a million reasons. Let’s consider a few common scenarios.
For instance, Linda’s laptop no longer connects to the printer in the office. After unsuccessfully trying to fix the problem herself, she calls the support desk for help. What she fails to mention is that last night she installed a driver so she could connect to her home printer. Eventually, she pieces together the connection and rectifies the issue—until she prints at home again. Or, John’s computer has been giving him trouble for months, but he just can’t seem to sort out the problem, which started when he was prevented from opening an attachment. He thought he had resolved the issue himself, without troubling the help desk, by downloading some software from the Internet. As IT investigates further, it’s revealed that John has been making similar little tweaks to the system for months. Each new modification has inadvertently clashed with other elements, eventually causing the system to crash.
The Common Factor
I would argue that many of these problems have one common factor: users have admin rights, or at least some of them do. Take the problem with Linda—was it a printer driver issue, or the fact that she had admin rights? Or, consider John’s scenario—his numerous computer conflicts made it difficult to pinpoint exactly which caused the final meltdown, but it was his admin rights that allowed him to tinker with the build in the first place.
Giving users control of their desktops in a corporate environment is bad news. They’ll introduce or change things that can, at best, cause compatibility issues resulting in problematic devices. At worst, they’ll cause serious security breaches, costing both money and time.
Take the Path of Least Privilege
Of course, removing admin rights completely is a problem in itself. If rights are too restrictive, users are left struggling to perform everyday tasks. If you go too lenient, the consequences could bring the organization to its knees. But, admin rights do not have to exist at either extreme.
Instead, I recommend the approach of least privilege, which takes into account security and productivity by granting users only the rights necessary to carry out their jobs. Even so, the act of curtailing rights, even moderately, nearly always results in some amount of user pushback—if not managed and communicated effectively.
In fact, even when carefully implemented, the unfortunate reality remains: IT departments are often faced with employee demand for unrealistic service and autonomy levels—especially during a least privilege migration. But, there are measures that can be taken to communicate the benefits of least privilege to the organization at large, reducing friction between end users and the IT department.
- Be Transparent. Create a portfolio that outlines the services the IT department provides and what users can expect from the transition. Lay out reasonable timeframes for how long it will take to receive responses on software install requests and explain the business reasons for rejecting such an ask. Your portfolio should also contain a list of authorized software and hardware.
While least privilege is quick and responsive, users will have to be prepared for a corporate environment in which everything is not on instant offer. Be honest and open regarding any delays that are due to a more careful consideration of additions to the desktop. This helps end users realize their requests are not being ignored or backed up due to inefficiencies.
- Develop a Policy on Hardware. Specifying particular brands that users are permitted to purchase helps minimize support costs related to disparate devices and compatibility issues.
- Achieve Successful Backing from Senior Management. Least privilege’s business benefits, such as reduced IT support costs, increased productivity and compliance with industry regulations or standards, including PCI DSS, HIPAA and SOX, should be emphasized over purely security or technical gains.
- Timeliness is Key. Desktop refresh projects, such as moving to a new operating system, are often used as a vehicle to implement least privilege. Doing so also increases acceptance from end users, as an OS upgrade is almost always supported.
When a few employees tie themselves up in knots, organizations may have a knee-jerk reaction to remove all privileges for all users. But the reality is, it’s equally impossible to support a completely non-standard user base, where everyone is granted administrative rights. So, if you want to protect your Achilles heel, your security mantra needs to focus on effective management, rather than restriction, of user rights. By rolling out a well-documented least privilege policy with proper education, users are likely to realize it has been put in place so the organization can properly defend against exploits, improving the company’s bottom line and protecting customer data.
Paul, great points. As a QSA, I can tell you that the two most challenging aspects of PCI compliance are (1) determining which of the Self-Assessment Questionnaires (SAQ) to use (they seem to keep adding more!) and (2) developing all the mandated information security and operational policies and procedures for PCI compliance. With the introduction of SAQ A-EP, the laundry list of SAQ documents keeps getting longer and more complex. Additionally, if you look at the actual PCI standards, there are literally dozens of mandated policies and procedures that must be in place for both merchants and service providers. Luckily, you can find free and cost-effective templates online for download. And don’t forget that security awareness training is also mandated, which is highly essential not just for compliance with PCI, but from an information security best practices perspective.