Excessive 'privilege' is still a gaping security hole

So what are the barriers to companies dealing with this better?

Many feel they are left with little option other than to give admin rights. The security systems we have to work within Windows, Linux, Unix and Mac OS X give us two options primarily: standard user and super user (root or administrator). When you exceed the capabilities of the standard user we are only left with giving them admin rights to keep them productive.

IT is there to help our employees be more productive. A secure environment is currently seen as being one in which productivity is impacted by the coarse level at which we can apply user rights. Many companies have invested time and effort in tooling and processes to help them manage the excess privilege, from direct controls through to user training and assessment. User rights management is ingrained in many organisations and it's hard to let go.

What do you think needs to change?

Quite simply, we need to stop trying to manage the problem and start eliminating it. At the base level, it isn't the user that needs the additional rights/privileges, it's the applications and processes they are running. We need to move away from thinking about user privilege and move toward managing application privilege, allowing us to move to a place where privilege is explicit, not implicit as it is with admin rights. That would remove a wide variety of vulnerabilities straight away.

So what kind of practical processes could companies look at adopting – can you share some best practice suggestions?

Privilege management becomes more digestible when you think more in terms of applications, rather than users. Even in big organisations, there are probably only a couple of thousand apps and the need to apply privilege to these probably only applies to a small number. The privileges around that application are likely to be fairly constant, whereas privilege around users – who change jobs or leave the company – is more fluid.

The principle of Least Privilege, as first stated by Jerome Saltzer in 1974 ("Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job."), gives us an approach that we can actually deliver on today. By starting with a standard user, adopting the approach of application privilege (the least privilege necessary for the application or process to run productively) and looking to assign the ability to run privileged applications explicitly, we reach control through empowerment.

Without plugging any of your own software, how can tools help companies manage privilege better?

The complexity of our IT environments only seems to be increasing, but within that we do see very important technologies that can help us manage privilege better. Single sign-on allows us to have a consistent single identity across many applications within our working environment. Technologies that allow you to use a single identity across multiple operating system platforms further reduce the number of identities we need to operate and manage.

This reduction in the number of identities in the environment aids in the most important aspect that tooling can deliver: visibility. The clearer the visibility we have across our environments, the better the decisions we can make to move them forward, to make them more secure while still giving our customers (our users) the facilities they need to be productive. We cannot lose sight of the objective of the technology: it's not there for its own sake, it's there to help deliver productivity.

How might this fit into an overall security and IT risk management strategy?

Privilege management is one element of having a solid security strategy. Vulnerability management is another (hackers use vulnerability and privilege to exploit company networks) and good configuration management is also vital.

These all contribute to building a solid foundation on which to construct your broader technology services and security. There's no point investing in lots of technology tools to manage security if you haven't got the foundations right. Companies need a solid base of the right policies and processes, together with different security tools (there is no silver bullet) that don't just deal with security problems as they arise, but help to prevent them happening in the first place.

  • Brian Chappell is Director of Technical Services for BeyondTrust in EMEA and APAC