Managing the Social Impact of Least Privilege

Monday, December 10, 2012

Paul Kenyon


Before Windows Vista, there were several technical problems associated with using Windows without administrative privileges. But with the emergence of User Account Control (UAC) in Windows Vista, 7 and 8, some organizations have eliminated admin rights altogether.

This has left many organizations stuck believing that Windows users must have either full control of their PCs or none at all, resulting in unexpected technical problems on one side or mutiny in the ranks on the other. Given the extremity of these responses, neither really lends itself to enhancing both organizational security and productivity.

To do this, I recommend the approach of least privilege, which takes into account both security and productivity by granting users only the rights necessary to carry out their jobs. Even so, the act of curtailing rights, even moderately, nearly always results in some amount of user pushback if it is not managed and communicated effectively.

Change and Company Culture

The unfortunate reality is, at some organizations, IT departments are met with resistance at every step with employees demanding unrealistic levels of service and autonomy. This can be especially problematic as organizations migrate to a least privilege approach. But there are measures that can be taken to communicate the benefits of least privilege to the organization at large, reducing friction between end users and the IT department.

For one, create a portfolio that outlines the services the IT department provides and what users can expect from the transition. For example, lay out reasonable timeframes for how long it will take to receive responses on requests to install software, and explain the business reasons for rejecting such a request. Your portfolio should also contain a list of authorized software and hardware.

This foundation will make the move to least privilege easier for both the IT department and users.

It’s worth noting that, while a least privilege environment can still be quick and responsive, users will have to be prepared for a corporate environment in which not everything is on instant offer.

Taking this into account, it’s best to be honest and open regarding any delays that are due to a more careful consideration of additions to the desktop. This helps end users realize their requests are not being ignored or backed up due to inefficiencies.

Keep in mind, users may have to be weaned away from “fast food software,” so it’s best to make sure they know that their request may have residual effects on others that the organization must plan for.

Beyond software, it’s important to also develop a policy on hardware. Otherwise, organizations may be confronted with increased support costs related to acquiring a number of disparate devices, configurations and drivers. Specifying particular brands that users are permitted to purchase helps minimize support and compatibility issues.

Remember, all of the software and hardware which an enterprise intends to deploy needs to be thoroughly checked beforehand to ensure compatibility with all other deployed software, devices and peripherals.

Essential Management Buy-In

Backing from senior management is crucial for a successful least privilege desktop security project. To win that backing, the business benefits of least privilege, such as reduced IT support costs and increased productivity, should be emphasized over purely security or technical gains.

To do this, gather data from a pilot project in which select users are transitioned to standard user accounts. Other business benefits might include compliance with industry regulations or standards, such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA) or Sarbanes-Oxley (SOX).

Desktop refresh projects, such as moving to a new operating system, are often used as a vehicle to implement least privilege. Doing so also increases the chances of acceptance from end users, as an operating system upgrade is almost always supported.

Inevitably, there will be users and managers who believe they should be exempt from the least privilege security project, without any solid justification. It will be at this point that upper management must show their resolve and ensure no exceptions without a valid business reason.

Driving User Acceptance

If it’s difficult to share files, users find workarounds even if doing so breaks company policy, such as telling colleagues their account passwords or using removable USB drives. IT policy should be balanced so that users can do what they need without any significant barriers, and that applies equally to security.

By rolling out a well-documented least privilege policy with proper education, users are likely to realize why it has been put in place, and organizations can properly defend against breaches and malware. Employees should understand how running as a standard user can increase productivity, improve the company’s bottom line and protect customer data. Here’s an analogy that you can use to help:

In the same way traffic laws map out the acceptable road behavior, least privilege security on the desktop provides rules while enabling users to carry out their responsibilities in a timely manner without crashes or breakdowns.

In organizations where IT policy hasn’t been enforced or where users expect to have full autonomy over PCs, the transition to least privilege desktops must be carefully planned, so the IT department doesn’t face a user revolt.

Make sure to set users’ expectations accordingly – before they arrive to work one morning to find their admin privileges have been removed.

Cross-posted from Credit Union Times

