
Final Thoughts for Least Privilege Best Practices

“Having a central view of all system administration reduces the costs of forensic investigation and allows for a faster response to security incidents while improving the company's ability to answer tough audit questions.”

—Andras Cser, Forrester Research

You've invested in information technology and the associated infrastructure, applications, databases, and peripherals to assist your company in becoming competitive, ease administration, and satisfy reporting and compliance mandates. You've made decisions on physical servers and desktops. You've decided on what to virtualize for cost saving and improved capacity planning. You may have moved some of that infrastructure to a public, private, or hybrid cloud infrastructure. You've hired an incredible team of employees and implemented IT security solutions to keep hostile outsiders from accessing your mission-critical systems. You've passed most, if not all, of your IT audits and have certificates to prove regulatory compliance. But, are you confident that you've avoided the potential of showing up in the next Wall St Journal article on insider breaches? Have you prevented good people, trusted employees, from doing bad things, intentionally, accidentally, or indirectly?

Intent Versus Action

Insider threats are a global phenomenon. Every company in every part of the world is subject to some level of insider threat. And guess what? Insider villains are just as unidentifiable in the UK as they are in the US. They appear just as innocuous in Poughkeepsie as they do in Perth.

If you have employees with excessive privileges or access to sensitive data, then they are at risk of intentionally, accidentally, or indirectly misusing that privilege and potentially stealing, deleting, or modifying the data. There is a very fine line between intent and action, especially when excessive privileges on IT resources are involved. We've observed three types of situations where intent and action may be in question:

  1. Intentional misuse of privilege: In this circumstance, the over-privileged user has both intent and ultimate action to do harm.

    Remember “Disgruntled Dave” from Chapter 2? Now you know what to keep an eye out for and how implementing a least privilege solution can mitigate this dangerous inside threat.

  2. Accidental misuse of privilege: In this circumstance, the over-privileged user has no intent to do harm, but their actions unfortunately result in measurable damage.

    Remember “Accident Prone Annie” from Chapter 2? Now you know what to keep an eye out for and how implementing a least privilege solution can mitigate this expensive inside threat.

  3. Indirect misuse of privilege: In this circumstance, we find both intent and action at play with both an insider and a hostile outsider. The intent of the insider is to do no harm, but the action of harm is perpetrated on their behalf because their over-privileged credentials were hijacked by a hostile outsider. The outsider had intent to do harm and the harmful action is perpetrated by hijacking an unknowing over-privileged insider.

    Remember “Identity Thief Irene” from Chapter 2? Now you know what to keep an eye out for and how implementing a least privilege solution can mitigate this hidden inside threat.

We have reported on several cases already in this book where an insider has done everything from almost nuisance-level harm to the very heights of catastrophic theft in the hundreds of millions of dollars range. We will also analyze more as we delve deeper into the best practices observed. We travel frequently to visit resellers, customers, and prospects around the globe to discuss least privilege for specific business, geographic, and system-level requirements (physical, virtual, and cloud-based computing platforms). What always amazes us on these trips is the general belief that insider threats are solely a US-based issue and that employees are completely trustworthy everywhere else.

Nothing could be further from the truth. In January 2011, an article at computing.co.uk reported “ICO fines former Direct Assist employee for illegally obtaining NHS data.” We're not sure if his action was matched to his intent, but clearly the results are the same.

Insider Threats Aren't Perpetrated By the Obvious

It would be nice if every villain inside your organization walked around wearing a big sign that broadcasts “bad guy looking to do bad things,” but alas it is only in the cartoons and movies of Hollywood where you can always find the stereotypical bad guy: black top hat, curled black mustache, and sinister grin.

In real life enterprises, insiders look like you and me; just regular employees doing their job and collecting their paycheck. That's why “securing the perimeter within” is so important.

What are the boundaries within your extended enterprise (read: “the perimeter within”)?

  • Physical: This seems fairly obvious as the physical servers and desktops throughout the organization; however, if you dig a little deeper, you discover a whole lot more. Mobile devices have infiltrated the enterprise, as have supporting network devices that require individual privileged accounts to exist on the corporate network, and a proliferation of databases and directories that also contain sensitive information. When defining the perimeter within, it is important to consider anything and everything that either has privileged account designations or can contain sensitive information.
  • Virtual: Nowadays, a server or a desktop isn't always just a physical manifestation of a machine, but can be just one of multiple “virtual images” that exist on one physical machine in order to leverage the unused computing capacity within the enterprise. Don't forget to monitor the virtual sprawl that also proliferated because of this.
  • Cloud: The buzz word du jour is cloud. Whether of the public (outsourced) or private (internally managed) variety, this is just making data and applications available via the Internet. Anyone who has been in enterprise computing for longer than three years will recognize this as better marketing for concepts that have been around for decades: SaaS/PaaS/IaaS for public cloud and portal/intranet/extranet for private cloud. Either way, this unique way of managing information also brings unique security, identity management, and regulatory compliance requirements to bear.

Now that you have a better understanding of what the perimeter within looks like, we can move on to talk about the types of things insiders can do to threaten your security, compliance, and governance policies.

Preventing Security Storms

How many times have you heard the old proverb “after the storm comes the calm?” And how many times have you just accepted “storms” as part of life? From our point of view, these downpours aren't actually necessary.

We also find, from an enterprise point of view, that the best kind of storm to steer clear of is the security storm. Do we have to wait for a rough and tumble tempest that completely derails everything we're working toward? Absolutely not—we can prevent the loss of secure information and keep our businesses calm and running smoothly, thus bypassing the storm and going straight for the calm. Let us show you how.

To prevent a “storm” in your company, take a good hard look at your enterprise. Is there a measure in place to secure your sensitive information from being blasted for the world to read? Are your users all operating at the superuser level? Are you setting yourself up for a problem, or have you taken the steps to bypass any damage? The reason for this internal assessment is clear: all around us are unsettling reports of breached databases and purloined trade secrets. We're sure you've seen these intentional security storms: whether it's the Goldman code that was stolen, then sold, or the iTunes accounts that were hacked and up for sale…, both of these incidents point out how prevalent storms are in today's information security sector. But what is at the root of the problem? The answer is shocking. Many think it's hackers, thieves, and malware vulnerabilities. While those can play a role, most breaches are caused by the abuse of admin rights.

Preventing security storms in your enterprise is easy. The answer is to take away the admin rights of all individuals who don't need them. Don't let them abuse their privileges; implement and practice a least privilege management solution. Give users access to information based on what is essential to their job. This will stabilize, secure, and streamline your system, thus preventing storms and allowing you to enjoy the calm.

Every organization has its own quirks. Sometimes leadership isn't involved enough for certain projects to be successful. Other times they're too involved. And sometimes it feels like everything is just too much of a mess. This is especially true when it comes to IT security and compliance across physical, virtual, and cloud environments.

It doesn't happen often, but when a CEO gets interested in IT security, we're usually left breathless. What do we tell her? What would the CEO ask about? CIO Update recently wrote on ten security questions your CEO should ask. So we wanted to put together the five questions you might be asked about administrative privileges and what your answers should be.

Q: Do you trust our staff?

A: Yes, of course! But we don't rely on trust alone.

Q: What processes are in place to protect these privileges?

A: Approvals, mitigated privileges, and keystroke monitoring.

Q: What are we doing to protect us from honest mistakes made by our own staff?

A: Oh dear, we do hope you can say that administrative privileges have been removed from desktop users!

Q: What are we doing to protect the cloud?

A: Enforced SLAs with our cloud vendors to follow the same policies we use internally.

Q: What's next?

A: Don't forget to plug the next project for which you need support and/or funding.

Bad Habits to Kick for IT Security

Isn't it amazing how easy it is to adopt bad habits? The crazy thing is that no one is immune; they plague each and every one of us. Whether we were taught incorrect practices or are just looking for shortcuts to make our lives/jobs/situations easier, each of us yields to poor patterns at some point in our lives.

It's when we allow these habits to interfere with the mechanisms keeping our enterprises safe that they become a huge problem. Maybe you think your actions won't matter because no one knows about them, or that your exploits won't affect the sensitive information within your company's database, or maybe it's just that you're not concerned enough to switch to correct principles. Whatever your reason for allowing bad habits to fester, it's time for a wake-up call! There's no room for these patterns in today's information security world. With cases like the Goldman Sachs debacle and the Vodafone incident showing how prevalent data leaks and cyber crime are becoming, it's time to shape up. But how can you take your bad habits and turn them into peace of mind? Start by kicking these four bad behaviors and you'll be well on your way:

  1. Stop allowing your employees access to root. With this type of access, your people can access everything, including the privileges required to manipulate and share data.
  2. Don't let desktop users run as administrators. When you allow your users to run as a local admin, you are opening your enterprise to serious security issues. You may think you're saving money by allowing this instead of multiple calls to the help desk, but in reality you're risking much more than money.
  3. Stop bypassing logging. Without this system of checks and balances, you won't be able to granularly control what goes on in your company.
  4. Don't assume that because you're using UAC, you're immune to data breaches. UAC is a great tool, but doesn't fully eliminate admin rights. It leaves gaping holes in your protection plan.

If you find yourself on the path to a security breach because you're choosing to maintain bad security habits, make the decision to change today. Kick these habits and introduce peace of mind into your security plan.

Balance Security and Productivity

Almost everyone has read the children's tale about the little girl who happened upon a house in the woods and went about discovering porridge that was too hot, too cold, and just right; chairs that were too big, too small, and just right; as well as beds that were too hard, too soft, and just right. It didn't end well when the bears came home to discover the intruder, but the lesson of extremes was forever implanted in your mind. Unfortunately, this lesson hasn't seemed to stick for most enterprises when it comes to security and compliance versus productivity and user friendliness (Figure 11-1).


Figure 11-1. Balanced security

When it comes to IT security, most organizations that we have interviewed fall into one of the two extreme camps of either:

  • Security Conscientious: These organizations lock down every user under every circumstance. Specifically, they set up users without any admin rights and require a manager or help-desk technician whenever a function requires privilege. On the positive front, this strategy ensures compliance and to a large degree protects against harm, but it may also impede productivity to significantly measurable levels.
  • Productivity Conscientious: These organizations care more about productivity than they do security and tend to live by the “that can't happen to me” motto every time a new article shows up in the press for another organization's data loss. In this situation, users usually have full admin rights and trust is the only thing that protects against misuse of privilege and/or insider breaches. On the positive front, this strategy ensures very productive users, but the downside is the ever-looming threat that data loss will become a measurable impact: a question of when, not if.

Since you've continued to read this far into the book, we can only assume that you desire to achieve, or improve, your ability to satisfy both:

  • Balance Conscientious: These organizations recognize the delicate balance of security to productivity as well as compliance to user friendliness and have moved to a least privilege environment. Establishing a centralized policy engine that can monitor and control privilege authorizations at a granular level can deliver the best of both previous extreme camps just described.

Delivering balance between security and compliance with productivity and ease of governance is a least privilege imperative. Setting privilege authorization based on set roles and policies facilitates an environment wherein fine-grained entitlements can mitigate the majority of privilege misuses discussed throughout this book. Let's take a look at how a specific organization found balance through least privilege.
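As an added illustration (not code from the book or from any vendor product), here is a small Python policy engine of the kind described above: a default-deny evaluator that grants elevation only through role-scoped entitlements, gates risky operations behind a second person's approval, refuses interactive root shells outright, and records every decision. All roles, commands, and user names are constructed for the example.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional


@dataclass
class Rule:
    role: str                      # role the entitlement applies to
    pattern: str                   # glob over the elevated command
    needs_approval: bool = False   # gate risky operations behind a second person


@dataclass
class Request:
    user: str
    roles: List[str]
    command: str
    approver: Optional[str] = None  # who approved the request, if anyone


@dataclass
class Decision:
    allowed: bool
    reason: str
    needs_approval: bool = False


# Constructed policy: each role gets only the elevations its job needs,
# rather than blanket admin rights.
POLICY = [
    Rule("multimedia-staff", "mediacenter/*.exe"),
    Rule("desktop-user", "control.exe timedate.cpl"),     # one Windows function
    Rule("sysadmin", "service * restart"),
    Rule("sysadmin", "rm -rf /srv/*", needs_approval=True),
]

# Commands nobody may elevate, whatever their role: an interactive root
# shell or a root password change hands over the whole system.
ALWAYS_DENY = ["su", "su *", "sudo -i", "/bin/bash", "/bin/sh", "passwd root"]

AUDIT_LOG: List[str] = []  # every decision is recorded, allowed or not


def evaluate(req: Request, policy: List[Rule] = POLICY) -> Decision:
    """Default deny. The blanket deny list is checked first, then the
    user's roles are matched against the fine-grained entitlements."""
    if any(fnmatch(req.command, p) for p in ALWAYS_DENY):
        decision = Decision(False, "root shell or root password: always denied")
    else:
        decision = Decision(False, "no matching entitlement (default deny)")
        for rule in policy:
            if rule.role not in req.roles or not fnmatch(req.command, rule.pattern):
                continue
            # Self-approval is not approval: require a different person.
            if rule.needs_approval and req.approver in (None, req.user):
                decision = Decision(False, "approval by a second person required", True)
            else:
                decision = Decision(True, f"entitled via role {rule.role}", rule.needs_approval)
            break
    AUDIT_LOG.append(
        f"user={req.user} roles={','.join(req.roles)} cmd={req.command!r} "
        f"allowed={decision.allowed} approver={req.approver} reason={decision.reason}"
    )
    return decision


if __name__ == "__main__":
    for r in (
        Request("annie", ["desktop-user"], "service httpd restart"),
        Request("ian", ["sysadmin"], "service httpd restart"),
        Request("ian", ["sysadmin"], "rm -rf /srv/old-share"),
        Request("ian", ["sysadmin"], "rm -rf /srv/old-share", approver="sam"),
        Request("ian", ["sysadmin"], "sudo -i"),
    ):
        print(evaluate(r))
    print("\n".join(AUDIT_LOG))
```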

Case Study: University Finds Balance

The University of Winchester, located in Winchester, UK, was established in 1840. The university combines their strong heritage with innovative learning and teaching to educate over 5,900 students in 17 different departments with over 650 staff members each year. The University of Winchester promotes the importance of intellectual freedom, social justice, diversity, spirituality, individual importance, and creativity.

Ian Short, Applications Infrastructure Manager for the University of Winchester, is part of the IT management team responsible for the operation of the IT environment across the university campus. The university predominantly runs a Microsoft site. All of the back-end servers run Windows Server 2003 and 2008 within an Active Directory domain. Ian's department also supports over 1,500 Windows desktops on campus (all running Windows XP) serving over 7,000 user accounts. Many of these desktops are laptops used by remote employees in various locations. In addition, Ian and his team are responsible for 120+ applications, with a number of extra locally installed applications.

The challenge of managing user privileges in an environment full of students is complicated enough, but the dilemma only increases when you account for required applications. The team universally understood that they needed to eliminate administrator rights in order to decrease malware attacks and increase security. However, they also knew they couldn't lock down the entire network because of the 120+ applications they manage. Originally, the university used Admin Studio to deal with specific issues, but found this solution to be too time-consuming and unreliable.

“It became clear that in our environment something needed to be done,” said Ian. “We were noticing a worrying growth in security risks and so managing user access became a priority.”

Implementing a least privilege solution offers a simple, centralized approach that reduces the threat posed by malware and elevates only the privileges that are necessary. It satisfies the security requirement of restricting privileged access to a least privilege model.

“With this solution, we were able to lock down our users' access while still allowing applications to run where necessary,” Ian explained. “It's the perfect solution for our IT needs. No longer are we required to ‘punch holes’ in our security in order to complete certain tasks.”

With their least privilege solution, the University of Winchester has completely removed administrator rights among their users, while simultaneously providing adequate rights to perform the tasks that students and staff need. Some of the key uses include elevating privileges for 8 multimedia packages in their multimedia center, 24 applications on their desktops, and around half a dozen Windows functions. It also has significantly decreased the amount of time Ian and his team spend on support issues, which has significantly reduced cost, as well.

Passwords Authenticate for Least Privilege

Most of you already know that getting users to choose effective passwords is hard. This is particularly important to those of you looking to implement a least privilege solution that functions correctly, as you will need to accurately authenticate a user to know what access privileges to grant them. While new technologies for user authentication are on the way, they aren't here just yet.

There are several options today for improving user passwords, but they all have issues. Requiring users to choose strong passwords often leads to them writing them down on a yellow sticky pad so they can remember them. Password rotation is a standard defense against password-cracking attacks, but a recent Microsoft study suggests password rotation just causes people to choose easier-to-remember phrases as passwords. Biometrics are expensive and far from foolproof. Two-factor authentication should be the norm, but is perceived as expensive and inconvenient. Even if implemented, it's still susceptible to social engineering and phishing attacks.

So there are no easy answers to ensure a user is who they say they are. As with all security decisions, you need to weigh the costs of a solution versus the risks, but practically we recommend three things:

  1. Enforce strong passwords, but make it easier for people to create them. You can provide guidance about better ways to create strong but memorable passwords or suggest the use of passphrases rather than passwords. Finally, you could publish links to password strength testers like Microsoft's so people aren't surprised at the moment of truth when asked to input their new strong password.
  2. For more secure situations, like systems administrators who may be able to access critical corporate systems, go with two-factor authentication; it's the current gold standard.
  3. Finally, recognize that authentication will never be perfect. So implement least privilege at all levels to limit exposure. Not every user needs to be an admin on their desktop and not every system admin needs to access all systems with all commands.

Implement Least Privilege Now Not Later

By now, you've seen the value of implementing a least privilege solution to establish boundaries instead of creating the proverbial security walls. This will facilitate not only a balance between security and productivity, but also assist with real-time governance changes across the ever-changing extended enterprise. Before we close the book, we'd like to offer a few key steps to success.


Figure 11-2. Least Privilege in the Enterprise.

Steps To Success

  1. Set Security as a Corporate Goal: Enterprises may have trouble maintaining security because everyone is too busy trying to reach other goals. If you have problems maintaining security in your company, consider adding security as a goal for every level of management.
  2. Provide or Enlist in Training as Required: For security to work, everyone needs to know the basic rules. Once they know the rules, it doesn't hurt to prompt them to follow those rules.
  3. Ensure All Managers Understand Security: It is especially important that all members of management understand the risks associated with unsecured systems. Otherwise, management choices may unwittingly jeopardize the company's reputation, proprietary information, and financial results.
  4. Communicate to Management Clearly: Too often, system administrators complain to their terminals instead of their supervisors. Other times, system administrators find that complaining to their supervisors is remarkably like complaining to their terminals.

    If you are a manager, make sure that your people have access to your time and attention. When security issues come up, it is important to pay attention. The first line of defense for your network is strong communication with the people behind your machines.

    If you are a system administrator, try to ensure that talking to your immediate manager fixes the problems you see from potential or realized misuse of privileges. If it doesn't, you should be confident enough to reach higher in the management chain to alert for action.

  5. Delineate Cross-Organizational Security Support: If your company has a security group and a system administration group, the organization needs to clearly define their roles and responsibilities. For example, are the system administrators responsible for configuring the systems? Is the security group responsible for reporting non-compliance? If no one is officially responsible, nothing will get done. And accountability for resulting problems will many times be shouldered by the non-offending party.

Weighing In

By now, you've figured out that we believe least privilege is a crucial component of IT environment security. Without it, over-privileged users can access (and abuse) sensitive resources and mission-critical information. Without it, under-privileged users can be so locked down that they are ineffective at doing their jobs without some level of help-desk or management support to get past admin credential requirements. Protecting your data from insiders and their accidental, intentional, or indirect misuse of privileges is paramount to the success of your company's IT strategy. Let's hear what our experts think about that.

Secure Sam:

Governing an IT environment takes very granular attention to a lot of moving parts. It gets complicated, but having a well-defined plan mitigates most of the chaos that can come with sensitive data. As you know by now, least privilege is a necessity within that security plan. There are benefits that come from limiting access to mission-critical resources. We've talked about them throughout the book, but they're the driving reason that least privilege is in effect. To be able to centrally and efficiently manage a network of desktops, servers, and databases is paramount to the security of those devices. It's equally as important to prevent the risk of insiders destroying the delicate balance of a secured network, in addition to being compliant to federally mandated regulations regarding the protection of sensitive information. All these benefits are the result of least privilege, and are easily obtained by allowing employees access to only those resources they are entitled to based on their job descriptions.

Least Privilege Lucy:

As humans, it's very easy to fall into grooves. Some of these are good, and some of these are bad, but it's natural for us to create behavioral patterns. This is true in the IT world, as well; however, most of the habits formed tend to err on the side of bad. As an IT manager, it's a huge risk to allow people to run free among the resources I am responsible for. Even if people are the most trustworthy employees, accidents happen and inadvertent things come up. Privileges are misused, whether it's accidentally or intentionally, on a regular basis, and corporate security is too steep a price to be paid. Bad habits should not have a place in an IT environment, and least privilege is the way to counteract that. Users that don't need to run as administrators shouldn't, employees should never have access to the root password, and all activity should be closely monitored. The way to keep an enterprise secure is through least privilege.

Compliance Carl:

The best thing about compliance is this: by implementing it, most security infractions are mitigated. Earlier in the chapter, we discussed security storms. These can be prevented if compliance is a priority in your enterprise. If an organization takes the time to plan and execute a security plan that preemptively allows for the avoidance of breaches of secured data, that company is in a much better place as far as security tempests go. The best way to get compliant fast is to implement a least privilege solution. By now, you're aware of what that is. By now, you understand how crucial it is to the protection of your mission-critical information. Letting users have full access to data they don't necessarily need is both irresponsible and in direct violation of regulations provided to protect your enterprise's greatest asset. It's easier than it seems, and such a principle makes logical sense. Give users access to information based on what is essential to their job. This will stabilize, secure, and streamline your system, and make your enterprise a compliant environment.
