Excessive 'privilege' is still a gaping security hole

So what are the barriers to companies dealing with this better?

Many feel they are left with little option other than to give admin rights. The security systems we have to work within Windows, Linux, Unix and Mac OS X give us two options primarily: standard user and super user (root or administrator). When you exceed the capabilities of the standard user we are only left with giving them admin rights to keep them productive.

IT is there to help our employees be more productive. A secure environment is currently seen as being one in which productivity is impacted by the coarse level at which we can apply user rights. Many companies have invested time and effort in tooling and processes to help them manage the excess privilege, from direct controls through to user training and assessment. User rights management is ingrained in many organisations and it's hard to let go.

What do you think needs to change?

Quite simply, we need to stop trying to manage the problem and start eliminating it. At the base level, it isn't the user that needs the additional rights/privileges, it's the applications and processes they are running. We need to move away from thinking about user privilege and move toward managing application privilege, allowing us to move to a place where privilege is explicit, not implicit as it is with admin rights. That would remove a wide variety of vulnerabilities straight away.

So what kind of practical processes could companies look at adopting – can you share some best practice suggestions?

Privilege management becomes more digestible when you think more in terms of applications, rather than users. Even in big organisations, there are probably only a couple of thousand apps and the need to apply privilege to these probably only applies to a small number. The privileges around that application are likely to be fairly constant, whereas privilege around users – who change jobs or leave the company – is more fluid.

The principle of Least Privilege, as first stated by Jerome Saltzer in 1974 ("Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job."), gives us an approach that we can actually deliver on today. By starting with a standard user, adopting the approach of application privilege (the least privilege necessary for the application or process to run productively) and looking to assign the ability to run privileged applications explicitly, we reach control through empowerment.

Without plugging any of your own software, how can tools help companies manage privilege better?

The complexity of our IT environments only seems to be increasing, but within that we do see very important technologies that can help us manage privilege better. Single-sign-on allows us to have a consistent single identity across many applications within our working environment. Technologies that allow you to use a single identity across multiple operating system platforms further reduce the number of identities we need to operate and manage.

This reduction in the number of identities in the environment aids in the most important aspect that tooling can deliver: visibility. The more clear the visibility we have across our environments, the better the decisions we can make to move them forward, to make them more secure while still giving our customers (our users) the facilities they need to be productive. We cannot lose sight of the objective of the technology: it's not there for its own sake, it's there to help deliver productivity.

How might this fit into an overall security and IT risk management strategy?

Privilege management is one element of having a solid security strategy. Vulnerability management is another (hackers use vulnerability and privilege to exploit company networks) and good configuration management is also vital.

These all contribute to building a solid foundation on which to construct your broader technology services and security. There's no point investing in lots of technology tools to manage security if you haven't got the foundations right. Companies need a solid base of the right policies and processes, together with different security tools (there is no silver bullet) that don't just deal with security problems as they arise, but help to prevent them happening in the first place.

  • Brian Chappell is Director of Technical Services for BeyondTrust in EMEA and APAC