It seems we should start with the great elephant in the living room: user rights. I have done work in literally hundreds of organizations, from 50 nodes out to 550,000 nodes, in the last 14 years. The arguments both in favor of and against varying degrees of user rights are consistent. They are also crap.
For each case where a user is screaming that they need administrative rights for something and the use is legitimate, there are twenty who just want the rights because they have always had them. We as administrators know this to be true but don't want to have the political battle. It is easier to grant exceptions and rights.
Paradoxically, the number of security technologies we deploy that are bizarrely draconian and don't really address the issue is quite large. Many instances of NAC, DLP and HIPS are like this. We lock down the things that don't matter and leave the barn door open.
Individual users of data resources are like people voting for speed limits in the neighborhood they live in. They want everyone else to obey the rules, but somehow each user feels they are the exception, the one that "knows better" and will be OK if they speed. This is identical to the logic of installing iTunes or Angry Birds on a work PC.
We as the managers of the information kingdom have been guilty of not toeing the line again and again on our own security policies. In virtually every case I have ever seen, in small companies and large, we are making exceptions to every policy for squeaky-wheel users before the ink is dry on the new policy. I am sure all of us have seen the virus outbreak or the penetration that "just got in somehow," and after an expensive and disruptive cleanup we still do not tighten up the policies, as it is a political hotbed and a difficult piece of administration.
An aggravating factor is the disappearance of the gateway. There are tens of millions of smartphones out there with tethering or similar; if we make things too tough, everyone has their own private internet access point. If we, as IT security, make things too difficult for users to do what each user considers reasonable, they will hack around us. Android and Apple have made it all so easy.
We are in the brave new year 2011. The soft cost of a breach can be enough to end a company. We have all seen it happen.
We must start treating our IT resources with the respect we give our buildings. No sane facilities administrator would throw open the doors on Super Bowl Sunday for the employees to have a party. We trust them because they are our employees, right? No facilities administrator would want to be cleaning the guacamole off the ceiling.
We do not need to be the hated PC Nazis to be secure, but we do need to stop kidding ourselves. Using technology like application whitelisting or VDI we can strike a balance: allow users to install only certified apps, or allow installs on the host PC but not inside the VDI session or the ACE (VMware ACE) virtual machine that holds the corporate desktop.
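As an added example (not code from the original post), this is how the "certified apps only" allowlist described above can be built with AppLocker's PowerShell cmdlets on a Windows 7 Enterprise / Server 2008 R2 or later machine. The reference directory, the tested installer path and the rule name prefix are assumed placeholders; everything else is the standard AppLocker module.

```powershell
# Added example: an AppLocker allowlist of "certified" applications.
# Assumes an elevated PowerShell session on a domain member and that the
# Application Identity service (AppIDSvc) is running, which AppLocker
# requires in order to enforce anything. Paths are illustrative placeholders.
Import-Module AppLocker

# 1. Inventory the executables on a clean reference build. These are the
#    apps the organisation has decided to certify.
$reference = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe

# 2. Turn the inventory into rules. Publisher rules survive patching (they
#    match the signer's certificate, product name and version); -Optimize
#    collapses rules that share a publisher. Unsigned binaries get hash
#    rules, which must be regenerated whenever that binary changes.
$policy = New-AppLockerPolicy -FileInformation $reference `
    -RuleType Publisher, Hash -User Everyone -Optimize `
    -RuleNamePrefix 'Certified'

# 3. Dry-run the policy against what users actually try to install before
#    enforcing it. Every Denied result here is a help-desk call on day one.
#    (The installer path is a constructed example.)
Test-AppLockerPolicy -PolicyObject $policy `
    -Path 'C:\Users\Public\Downloads\iTunesSetup.exe' -User Everyone |
    Format-Table -Property FilePath, PolicyDecision, MatchingRule

# 4. Apply. -Merge adds these rules to the existing local policy instead of
#    replacing it, so rules that keep Windows itself and Administrators
#    working are preserved. Use -Ldap to target a GPO instead of this host.
Set-AppLockerPolicy -PolicyObject $policy -Merge

# 5. Confirm what is actually in effect on this machine.
Get-AppLockerPolicy -Effective -Xml
```

Two caveats a practitioner would check before enforcing: the effective policy must already contain rules allowing %WINDIR% and %PROGRAMFILES% for Everyone and everything for Administrators (the AppLocker default rules), otherwise enforcement locks out the operating system; and the rule collection should run in AuditOnly enforcement mode via Group Policy for a few weeks, with the AppLocker event log reviewed, before switching to Enforce.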
The problem with user rights is that it is not about rights at all. It is about users feeling comfortable with the way we have made them secure. It is a neat balancing act, but a very achievable one if we have the vision and focus to do it.
This leads to the next topic: how we are killing ourselves by applying old processes to new products and information systems, and how we are the root of our own issues. But that is for next time.
There is one other alternative. If it becomes necessary to grant the user a certain amount of rights, the workaround is parallel networks and platforms. One laptop or desktop for work and a small slate or tablet for internet access is a reasonable expense when weighed in a quantitative risk analysis of a breach.
Well, that is the big question. Many IT enterprises have this fundamental issue. Do they give local admin rights to their employees? This ultimately is a decision for exec management. I am sure there is a direct correlation to the helpdesk and security incident costs when users have local admin rights. Overall, this is a culture change that will need to take place for the user community in a corporate enterprise to embrace. If you take a look into academia, they will "scream" if local access control is taken away. They believe they have the academic freedom to own their own intellectual property on a computer. The bottom line is what the cost is of users having local admin rights to their computers.