Privilege Management I'm from New England. And, in New England, summers means a lots of road trips to the beaches, the Berkshires, or a trip into Boston for a ballgame. During my last road trip, I started thinking of how for IT security teams, least privilege management is a lot like tending to long roads. On any road trip, there are three things: your passengers in a vehicle, a long road, and all of the scenery (and potential hazards) you spot and avoid along the way. In this analogy, think of your end users as passengers in a vehicle, and your end users’ day to day tasks simply as driving a car down a long country road, heading from point A to point B. You have end users that on a daily basis simply need to get from here…to there: they need to run, update, and install apps; they may have configuration rights to programs, or in general, need the ability to do something that requires admin rights to do so. Rather than have to repeatedly grant them access EVERY…SINGLE…TIME, it’s easier to just give them these rights. In other words, the daily routine is part of their daily commute, and they need permission to drive it. Security, on the other hand, is like a vehicle. As IT security, you’ve put your users in a nice, safe car with some high-tech features that you hope will ensure a smooth ride on this road. The problem is, there are new hazards popping up all the time. So, what do IT security teams need in order to ensure a smooth daily operation and safe travels for our end users? We build bridges, we install more and more ‘latest and greatest’ technology, we put up netting to block falling rocks, and the list goes on and on. Essentially, we’re installing bigger tires, higher suspension, and a roll bar to make our users safer on their road. But aren’t we just masking the real issue? Most problems occur when our users attempt to go ‘off-road’ or perform tasks outside of their day-to-day responsibilities. Most of the preventive measures we take to keep users safe are only relevant if those users have ‘off-road’ admin rights. It isn’t a bigger, badder truck we need, although I do love big trucks. Instead, we need a smoother road. After all, it’s much easier to monitor traffic on a nice paved straight-away then worrying about a bunch of users navigating the cliff side. This is what we mean when we talk about the benefits of implementing least privilege, the concept of starting with a limited set of end-user permissions and rights and building up from there. I completely understand concerns around impacting productivity and making sure users can do their job. This is the key to making sure your organization is both protected and productive. Getting from nothing to functional is where BeyondTrust can help. BeyondTrust PowerBroker for Windows and PowerBroker Mac are endpoint least privilege solutions that can track what users do, how they behave and have a policy ready to go before you move to this security model. This tracking continues forever more so you can quickly respond to new requests. With BeyondTrust endpoint privilege management solutions, you can:
  • Grant privileges to applications and tasks – not users – without providing administrator credentials
  • Leverage vulnerability data from Retina and other solutions for a complete picture of privileged application and asset security
  • Blacklist hacking tools, whitelist approved applications, and greylist applications based on rules to keep systems safe
  • Lockdown enterprise credentials, including shared accounts, user accounts, and service accounts
  • Analyze privileged password, user, and account behavior, and assign event threat levels based on the user, asset, and application launching
In IT security and in life, sometimes it’s ok to let people take an off-ramp. With BeyondTrust solutions, you get the flexibility to customize rules without compromising access. We’re here to help you map the correct roads for a smooth ride! To learn more about how our solutions can help, download our latest white paper, “The CISO’s Guide to Managing Risk for Privileged Access & Credentials in Windows Environments.”