Challenging mindsets on admin privileges

According to the International Data Corporation (IDC), 70 per cent of security threats originate from user endpoints. And, according to industry reports 82 per cent of data breaches in 2021 involved human error. 

Be it from stolen credentials, misuse, outdated applications, software vulnerabilities, or phishing—these attacks are preventable. 

Mitigating risk and strengthening business security is always a topic that dominates the cybersecurity conversation.  

What doesn't seem to dominate the cybersecurity conversation is the need to remove admin privileges—despite being an ACSC Essential Eight recommendation. 

When contributing to an online industry forum recently, I mentioned that we had changed our company security policy to remove local admin privileges from all employees, including the engineers. This sparked an animated discussion about why this is impossible, how it restricts people’s ability to do their jobs and the mighty inconvenience of it all. 

So, I saw value in explaining why, as an IT Service Provider, it was important for us to remove local admin privileges from everyone and why every organisation should now put this security control on their agenda.  

In this blog, I share how we implemented removing admin privileges in a way that was, and continues to be, positive for everyone. 

A shift in mindset

The first and most important step to successfully removing local admin privileges is getting everyone talking about it with an open mind. 

From a security perspective, restricting local admin is a top ACSC Essential Eight control and widely viewed as being one of the most important things an organisation can do to protect itself against vicious cyber-attacks. 

Running any business involves making decisions and compromises, and managing your security posture is no different. As a service provider that is part of the supply chain for hundreds of schools and businesses, we are constantly assessing the risks and trying to make the best decisions for both security and productivity. 

If you take cybersecurity risk out of the equation, many people would say, “Who cares about local admin privileges?” Allowing trusted individuals to have increased rights makes it easy for them to do their work. However, today’s threat landscape is very different from even a year ago, and technology has evolved to make implementing this control far easier than it ever has been.  

It no longer makes sense to take the risk. 

Invisible identity

Apart from the fact that end users are now the largest and most successful attack vector for cybercriminals, our distributed workforce means local admin is now less visible. 

Previously, when someone needed escalated privilege to do something, it was discussed around a table and then discussed again a week later to revoke it. Now, privileges are often given in isolation via many one-to-one transactions. This leads to an identity creep and increasing security gap each time it is left in place. 

Even when companies go to the trouble of allow-listing applications, application creep begins immediately if local admin is given to individuals. Whenever an employee needs a new app to do something, they download it. It becomes a natural progression for apps to grow, and become unmanaged and invisible to the organisation. 

Sometimes the problem isn’t even just elevated privileges. An employee might leave an organisation and their profile, still with privileges, can be compromised without the organisation even knowing. These are all angles that cybercriminals are happy to exploit. 

From want to need 

At Somerville, we have always been very conscious of security, and we utilise a password management system to enable securely managed access to customer platforms. However, like many organisations, until recently our engineers still had local admin on their machines, arguing it was necessary to do their job. 

This year, with the increase in end-user attacks, including ransomware, we decided it was no longer something we could tolerate. 

''The risk had become unacceptable to me as a business owner and removing admin privileges moved from a want to a need. I could either make it happen with everyone kicking and screaming or do it collaboratively. I chose the latter". 

Managing exceptions with structure and automation

There are many good reasons why our employees sometimes need to have their administrative privileges elevated, and if we understand those scenarios and have a consistent process to manage it, the risk is acceptable. However, the minute employees can change the environment without a structure, process or audit trail, we lose control over it—and this is no longer acceptable or compliant. 

One of the foundations that made it possible to remove local admin was maturing and automating our end-user device and application security and management across the board with Devicie’s cloud-native platform.  

In short, we moved to future state. 

Enabling employees to have ready access to the applications they need via the portal removed the need for anyone to have local admin. Identifying and setting controls for every exception was also critical. 

Then we automated the controls on Devicie, so it has been easy for everyone to follow the policy. Like any security control, having the right structure and process and following it consistently, without exception, has been important to our success. The minute you take away rigid structure, people can do whatever they want and mismanagement becomes a self-fulfilling prophecy. 

The benefit of any automation is taking away repetitive manual tasks and executing them consistently, without error. Building automation into privilege access management means we have a more tightly controlled access management platform, that doesn’t rely on humans. 

Mindset moving in both directions

The reality is that we all needed to move our mindset a little bit. I needed to understand more about the needs of my engineers. There are times when we need to break the policy so they can get their jobs done effectively, but we built a process that enables us to do that safely in a way that is both visible and auditable. They also had to move a bit. Our engineers have all now lost admin privileges on their machines, except when they need it. 

Of course, there is a myriad of exceptions, from a support engineer on a customer site over a weekend who needs to diagnose their network, to engineers wanting to innovate with new or experimental apps. However, when you dig into it, they aren’t that unique, and we now apply security policies to all our exceptions with an automated process to ensure everyone follows it. This enables an engineer to break policy for a legitimate business reason, and I can sleep knowing it is both audited and rectified automatically. 

The most common question I get asked about this issue is how I overcame the resistance. The truth is, removing admin privileges from everyone was more a meeting of the minds than a battle won by anyone. Together, we understood the threat landscape has changed, listened to everyone’s point of view, and automated a policy that was workable for everyone. This is what we must do to protect our business and our customers. 

It might not be quite as convenient for the engineers as it was before, but with everything structured and automated, that is a marginal call. True inconvenience is when ransomware hits and bank accounts are drained or data is held hostage because someone’s privileged access has been infiltrated and leveraged by criminals. 

Every organisation that cares about their team, their bottom line and their customers should revisit their local admin access controls.  

Remove them. Like many things in life, the hardest step is deciding it is time to solve the problem.  

The solution is no longer the challenge. 

Craig Somerville is the Founder and Managing Director of Somerville – a leading hybrid IT and multi-cloud solution provider in Australia. With more than 35 years of experience in IT, Craig is a member of the IT Industry Hall of Fame and is an active member of the channel and the Australian partner community. Somerville partners with Devicie as part of their vision to bring reliable, intuitive and responsive technology solutions to market.