Fear of malware and other uninvited nasties sits behind many IT policies that severely restrict administrator privileges to a very select few employees. The belief that this mitigates the risk of being compromised, however, can prove to be false, as workarounds and poor practices make a company much more exposed to attacks. Meanwhile, business users silently – or not so silently – fume that they can’t run genuine applications without involving IT support, due to security restraints. In a nutshell, a balance needs to be struck between protecting company systems and keeping users working securely.
Business users need to run, install or update applications that require administrator privileges on a daily basis. A blanket ban on these privileges forces them all to call IT every time they need to carry out one of these day-to-day tasks. This frustrates users and renders them non-productive until the issue is resolved. It also increases the number of calls to – and therefore cost of – the IT help desk.
To get users up and running again, IT may temporarily grant local administrator privileges. These are often not revoked once the task has been completed. This results in ‘privilege creep,’ with an unidentified number of users in the organisation having access rights they’re not believed to have or supposed to have. With no record of who has access to what, control is lost and any permissions policy is effectively rendered null and void – which in turn expands the attack surface.
Notwithstanding that, by restricting administrator privileges, companies can end up with a false sense of security. This can even make them complacent about control and threats. Believing users can’t install anything on their machines, there may be no monitoring of the applications on them at all. This is a worry, because some malware doesn’t require administrator privileges to run, so undesirable elements could still enter the infrastructure. Initially unchecked, they can begin to do their damage.
‘All or nothing’
The ‘all or nothing’ approach that gives administrator rights to only a few individuals in the organisation creates a handful of extremely powerful accounts. With far-reaching access to the company network and its data, these are the accounts that become the target for cyber attacks which, if breached, provide attackers with the keys to the kingdom.
With such powerful privileges, IT, which should be the core of an organisation’s defence, can itself become a threat. This could be in the shape of an inexperienced IT administrator who, by virtue of their extensive access, runs a command in error that causes damage. A rogue team member could also access and exploit data that should never have been accessible to them in the first place.
Of course, there is no single solution to prevent insider threat, but very few individuals need unfettered access to everything. To protect the organisation in the best possible way, access privileges should be set at the minimum level required. This can only be achieved by being clear on who needs access to what. System administrators, application owners, database administrators and so on should have their own appropriate permission settings. In reality, however, this rarely happens.
Flexible, automated control
Setting the right level of privilege and application control strikes a balance between security and usability, effectively reduces the attack surface and keeps users productive and secure. Flexible tools that automate the management of local administrator privileges and application control can help IT departments achieve this.
For example, automated privilege access controls allow trusted applications to identify the privileges they require and create policies accordingly. They can also elevate and revoke local administrator rights as needed and ensure a ‘least privilege policy’ for administrators. Based on each IT administrator’s job role, the commands and tasks they’re able to execute is controlled – eliminating the need for unnecessary ‘one size fits all’ access.
We’ve seen that locking down administrator accounts doesn’t provide infallible protection – they could be in the hands of a rogue employee or in the throes of an attack – so it shouldn’t be assumed that whatever they are accessing is legitimate. The Thames Valley Police officer who was sentenced this month for emailing confidential information on court case witnesses and gangland shootings to his father, for example, caused a serious data breach, despite having the appropriate privileged access. Tools that proactively monitor these credentials can detect and flag up any anomalies to be swiftly addressed. They can also provide a secure, auditable mechanism for storing administrator account credentials automatically in a central repository and, for extra security, rotate them after each use.
It would be fair to assume that, when it comes to security, you can’t have too much of a good thing. Not that it should be ‘belt and braces’ all the way, but security needs to provide protection without hampering productivity. By striking a balance between security and usability, a ‘least privilege’ policy, backed up and enforced by automation can minimise the attack surface, be non-intrusive for users and free up IT resources.
Matt Middleton-Leal, Regional Director UK & Ireland at CyberArk
Image Credit: Juliannedev / Shutterstock