Do Business Users Understand the Concept of Least Privilege?
May 10, 2016 | Security and Risk | Amy Burnis
No, they don’t. They only experience the pain of inefficiency if least privilege isn’t set up appropriately to meet authorized business needs. I know this first hand. Prior to joining CyberArk, I worked in a home office for a small company based in NYC. I quickly learned how to be self-sufficient and relatively tech savvy due to limited access to our remote IT support. Eventually, that company was acquired by a large global enterprise, and I received a new laptop with a new set of headaches.
We didn’t have admin rights to our laptops. Now that I work for a cyber security company, I understand the concept of least privilege and why this is a best practice. However, at that time, I just thought it was an example of the “formality” (bureaucracy) of a large global company. It was painful at times.
A classic example – trying to jump on a webinar only to discover I no longer had the latest version of a Java update. Ugh. At that time, I worked with a global team across multiple time zones, so I spent hours each day on conference calls and participating in WebEx meetings. Taking time to contact the IT Help Desk for something I could have done quickly on my own (e.g. update Java, connect to home office printer) if I had admin rights on my laptop was the last thing I had time to do. Consider the following process to submit an IT ticket even for something “simple”:
- First you have to write the ticket. I included screen shots as needed. (That takes a few minutes.)
- Then you receive at least one automated response to confirm receipt of the request, and another email once it was assigned to someone for follow up. (Clogs up email inbox.)
- Then IT gets in touch to set up a time to address the situation. May or may not be the same day, and in any case, too late for the WebEx meeting even if I called help desk. (Frustrating!)
- Finally, you are on the phone with the Help Desk, now you have to explain the problem again – even though it was pretty well documented in email. (Timing consuming.)
- Next it takes a few minutes for IT to get remote access set up. (Timing consuming.)
- Finally they can poke around, which means you are not using your laptop/working.
The above steps were probably at least 30 minutes in total (elapsed over time) for even a quick request. I was grateful for IT help, but I just didn’t have time for all of the extra steps. Frankly, IT didn’t have time for this either. They were a small team supporting a global company.
Fast forward to 2015 when I learned about CyberArk Viewfinity. I immediately understood the concept of least privilege and application control. Love the concept of white listing, grey listing – and IT must love this too! End users may not get the concepts, but believe me they will be very happy to have access to the applications they need – when they need them – without contacting IT for simple updates. The IT Help Desk will be happy not to have to address mundane tasks that skew their performance metrics. They can spend time on other projects.
Furthermore, the IT security team will appreciate that with CyberArk Viewfinity in place, users are only able to elevate privileges for pre-approved tasks, and complementary application controls are in place to quickly identify and block any malicious applications that attempt to avoid defenses by operating without administrative privileges.
In a short 3 minute video, CyberArk’s Senior Product Marketing Manager Lauren Horaist offers recommendations on how to effectively manage local admin rights on endpoints. Watch it to learn how to strengthen security and reduce the attack surface without disrupting the authorized day-to-day tasks of business users.
Editor’s Note: CyberArk Viewfinity with enhanced protection is now CyberArk Endpoint Privilege Manager.