Guest author: Craig Somerville, Managing Director, Somerville Group
When contributing to an online industry forum recently, I mentioned that we had changed our company security policy to remove local admin privileges from all employees, including the engineers. It sparked an animated discussion about why this is impossible, how it restricts people’s ability to do their jobs and the mighty inconvenience of it all.
So, I saw value in explaining why, as an IT Service Provider, it was important for us to remove local admin privileges from everyone and why every organisation should now put this security control on their agenda. Importantly, I also wanted to share how we implemented it in a way that is positive for everyone.
A shift in mindset
The first and most important step to successfully removing local admin privileges is getting everyone to talk about it with an open mind.
From a security perspective, restricting local admin is a top ACSC Essential Eight control and is widely viewed as being one of the most important things an organisation can do to protect itself against vicious cyber attacks.
Running any business involves making decisions and compromises, and managing your security posture is no different. As a service provider that is part of the supply chain for hundreds of schools and businesses, we are constantly assessing the risks and trying to make the best decisions for both security and productivity.
If you take cybersecurity risk out of the equation, many people would say, “Who cares about local admin privileges?” Allowing trusted individuals to have increased rights makes it easy for them to do their work. However, today’s threat landscape is very different from even a year ago, and technology has evolved to make implementing this control far easier than it ever has been. It no longer makes sense to take the risk.
Apart from the fact that end users are now the largest and most successful attack vector for cyber criminals, our distributed workforce means local admin is now less visible.
Previously, when someone needed escalated privilege to do something, it was discussed around a table and then discussed again a week later to revoke it. Now, privileges are often granted in isolation via many one-to-one transactions. This leads to identity creep and a growing security gap each time a privilege is left in place.
Even when companies go to the trouble of allow-listing applications, application creep begins immediately if local admin is given to individuals. Whenever an employee needs a new app to do something, they download it. It becomes a natural progression for apps to grow, and become unmanaged and invisible to the organisation.
Sometimes the problem isn’t even just elevated privileges. An employee might leave an organisation and their profile, still with privileges, can be compromised without the organisation even knowing. These are all angles that cyber criminals are happy to exploit.
From want to need
At Somerville, we have always been very conscious of security, and we utilise a password management system to enable securely managed access to customer platforms. However, like many organisations, until recently our engineers still had local admin on their machines, arguing it was necessary to do their job.
This year, with the increase in end-user attacks, including ransomware, we decided it was no longer something we could tolerate.
The risk had become unacceptable to me as a business owner and removing admin privileges moved from a want to a need. I could either make it happen with everyone kicking and screaming or do it collaboratively. I chose the latter.
Managing exceptions with structure and automation
There are many good reasons why our employees sometimes need to have their administrative privilege elevated, and if we understand those scenarios and have a consistent process to manage it, the risk is acceptable. However, the minute employees can change the environment without a structure, process or audit trail, we lose control over it – and this is no longer acceptable or compliant.
One of the foundations that made it possible to remove local admin was maturing and automating our end-user device and application security and management across the board with Devicie’s cloud-native platform. In short, we moved to future state.
Enabling employees to have ready access to the applications they need via the portal removed the need for anyone to have local admin. Identifying and setting controls for every exception was also critical.
Then we automated the controls on Devicie, so it has been easy for everyone to follow the policy. Like any security control, having the right structure and process and following it consistently, without exception, has been important to our success. The minute you take away rigid structure, people can do whatever they want and mismanagement becomes a self-fulfilling prophecy.
The benefit of any automation is taking away repetitive manual tasks and executing them consistently, without error. Building automation into privileged access management means we have a more tightly controlled access management platform that doesn’t rely on humans.
Mindset moving in both directions
The reality is that we all needed to move our mindset a little bit. I needed to understand more about the needs of my engineers. There are times when we need to break the policy so they can get their jobs done effectively, but we built a process that enables us to do that safely in a way that is both visible and auditable. They also had to move a bit. Our engineers have all now lost admin privileges on their machines, except when they need it.
Of course, there are a myriad of exceptions, from a support engineer on a customer site over a weekend who needs to diagnose their network, to engineers wanting to innovate with new or experimental apps. However, when you dig into it, they aren’t that unique, and we now apply security policies to all our exceptions with an automated process to ensure everyone follows it. This enables an engineer to break policy for a legitimate business reason, and I can sleep knowing it is both audited and rectified automatically.
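One way to make that exception process visible and self-rectifying on a Windows endpoint is a scheduled audit of the local Administrators group against an allow-list. This is an added example, not Somerville’s or Devicie’s code; it assumes PowerShell 5.1 or later with the built-in LocalAccounts module, a scheduled task running as SYSTEM, and the allow-list names and the `LocalAdminAudit` event source are constructed placeholders.

```powershell
# Added example: report (and optionally remove) local Administrators group drift.
# Assumptions: PowerShell 5.1+, Microsoft.PowerShell.LocalAccounts module,
# run as SYSTEM or a local administrator. Allow-list entries are constructed.
param(
    [string[]]$AllowedMembers = @('Administrator', 'CONTOSO\Domain Admins'),  # constructed
    [switch]$Remediate   # without this switch the script only reports
)

$groupName = 'Administrators'
$members = Get-LocalGroupMember -Group $groupName

# Get-LocalGroupMember returns "COMPUTER\user" for local principals and
# "DOMAIN\user" for directory principals; compare local ones by bare name
# so a single allow-list works on every machine.
$drift = foreach ($m in $members) {
    $name = $m.Name
    if ($m.PrincipalSource -eq 'Local') { $name = $name.Split('\')[-1] }
    if ($AllowedMembers -notcontains $name) { $m }
}

if (-not $drift) {
    Write-Output "No unexpected members in $groupName on $env:COMPUTERNAME."
    return
}

foreach ($m in $drift) {
    $msg = "Unexpected $groupName member on $env:COMPUTERNAME: $($m.Name) " +
           "($($m.ObjectClass), source=$($m.PrincipalSource))"
    Write-Warning $msg

    # Record an audit event so the exception is visible centrally whether or
    # not it is removed. 'LocalAdminAudit' is an assumed event source that
    # must be registered once with New-EventLog before this works.
    if ([System.Diagnostics.EventLog]::SourceExists('LocalAdminAudit')) {
        Write-EventLog -LogName Application -Source 'LocalAdminAudit' `
            -EntryType Warning -EventId 1001 -Message $msg
    }

    if ($Remediate) {
        # Pass the principal object itself; this works for local, domain and
        # Azure AD members alike.
        Remove-LocalGroupMember -Group $groupName -Member $m
        Write-Output "Removed $($m.Name) from $groupName."
    }
}
```

Run it without `-Remediate` first to see what the allow-list would strip; the event log entries give the audit trail that makes a time-boxed exception reviewable after the fact.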
The most common question I get asked about this issue is how I overcame the resistance. The truth is, removing admin privileges from everyone was more a meeting of the minds than a battle won by anyone. Together, we understood the threat landscape has changed, listened to everyone’s point of view, and automated a policy that was workable for everyone. This is what we must do to protect our business and our customers.
It might not be quite as convenient for the engineers as it was before, but with everything structured and automated, that is a marginal call. True inconvenience is when ransomware hits and bank accounts are drained or data is held hostage, because someone’s privileged access has been infiltrated and leveraged by criminals.
Every organisation that cares about their team, their bottom line and their customers should revisit their local admin access controls. Remove them. Like many things in life, the hardest step is deciding it is time to solve the problem. The solution is no longer the challenge.
Craig Somerville is the Founder and Managing Director of Somerville – a leading hybrid IT and multi-cloud solution provider in Australia. With more than 35 years’ experience in IT, Craig is a member of the IT Industry Hall of Fame and is an active member of the channel and the Australian partner community. Somerville partners with Devicie as part of its vision of bringing reliable, intuitive and responsive technology solutions to market.