If you were to tell your organisation’s IT team that you plan to revoke their admin privileges, chances are you’d be met with howls of protest. They’d argue the privileges are necessary for them to undertake their roles and removing them would be akin to confiscating their laptops or mobile phones.
Revoking admin privileges might be restrictive, but it’s a logical step when you consider the current security threat landscape. They are increasingly being acquired and used by cyber criminals to move laterally through IT infrastructures to steal data and install malware.
Interestingly, the strategy is nominated as one of the Australian Cyber Security Centre’s Essential Eight security recommendations and is widely viewed as being one of the most important things an organisation can do to protect itself against cyberattacks.
Managing any organisation involves making decisions and compromises and managing its security posture is no different.
It’s clear that today’s threat landscape is very different from that of even a year ago. At the same time, technology has evolved and makes implementing security controls far easier than ever before.
The world of work has also changed. With remote and hybrid working now a standard feature within most organisations, the approach being taken when it comes to IT security has had to shift.
Previously, when someone needed escalated privileges to do something, it was discussed around a table and then discussed again a week later when they were revoked. Now, privileges are often given in isolation through one-to-one transactions. This can lead to an identity creep and increasing security gaps each time those increased privileges are left in place.
Even when companies go to the trouble of listing applications, application creep begins immediately if local admin is given to individuals. Whenever an employee needs a new app to do something, they download it. It then becomes a natural progression for apps to grow, unmanaged and invisible to the organisation.
In some cases, the problem doesn’t begin and end with elevated privileges. An employee might leave an organisation and their profile, still with privileges, can be compromised without the IT team even being aware. This is a situation that cybercriminals are happy to exploit.
Life without admin privileges
While there will be good reasons why some staff will sometimes need to have their admin privileges it should not be an ongoing state. The minute they can change the environment without a structure, process, or audit trail, control over it is lost.
An effective approach is automate end-user device and application security and management across the board using a tool such as Devicie’s cloud-native platform. In short, this means moving to a future state.
Enabling employees to have ready access to the applications they need via such a portal removes the need for anyone to have local admin privileges. Auditing access with Devicie is also automated so it is easy for staff to adhere to policy and exceptions are discovered and handled quickly.
Like any security control, having the right structure and process and following it consistently, and managing exceptions, is vital. The minute you take away rigid structure and people can do whatever they want, mismanagement becomes a self-fulfilling prophecy.
Automation also takes away repetitive manual tasks and ensures they are executed consistently andwithout error. Building automation into privilege access management means there can be more tightly controlled access management platforms that don’t rely on humans.
Exceptions will exist
Naturally, there will be a range of exceptions, from a support engineer on a customer site over a weekend who needs to diagnose their network, to engineers wanting to innovate with new or experimental apps.
However, when you dig into it, these circumstances aren’t that unique, and it’s possible to apply security policies to exceptions with an automated process to ensure everyone follows it. This enables an engineer to break policy for a legitimate business reason, but the IT security chief to also sleep soundly at night.
With the threat landscape continuing to evolve at a rapid rate, removal of admin privileges is a step that serves to significantly improve security defences. Some resistance might be encountered, but the greater good should prevail.
Craig Somerville is the managing director and CEO of cyber security solutions company Somerville.