This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.
It’s been a busy year in the cyber security arena so far, and it doesn’t look like the pace will be slowing down. From hacking schemes like Heartbleed to significant data breaches at P.F. Chang’s and the Montana Health Department, criminals are stepping up their game. But as organizations adapt their security strategies in kind, there is one key stakeholder who often goes unnoticed: the end user.
Most of the next-generation attacks we see today have external origins, but they are often exacerbated by people within the organization, particularly users with administrative privileges. This is because once malware makes its way to an endpoint it doesn’t just seek admin privileges, it requires them to embed itself in IT systems and propagate across machines, causing destruction across the entire organization.
While full removal of admin rights seems to be the obvious solution, it introduces significant implications for end user productivity. Users often require admin rights to do their jobs, even for the simplest tasks, like downloading software or connecting to a printer. For IT organizations in particular, restricting admin rights presents users with a major roadblock to effectively (and happily) completing their tasks.
So, organizations are faced with a seemingly impossible trade-off: should security be optimized at the expense of the user?
Let’s say that security is top priority, as it is for most enterprises, and the organization decides to restrict admin privileges on their systems. Getting pushback from frustrated users is to be expected, but it also impacts the IT department. When users’ rights are removed and they’re forced to go through formal processes for application or software downloads, it places greater burden on the help desk, which then has to deal with explaining these processes and supporting the users throughout. Adding to this is the financial burden of those unnecessary service desk visits.
Organizations should strive to find a middle ground, a way to administer control over their systems while at the same time providing users with flexibility in their roles, and a positive working experience for everyone involved. Let’s look at a couple of ways this can be achieved.
Least privilege management
Instead of full removal, a least privilege environment can be established where users’ rights to download applications or make changes to corporate machines are limited to those necessary for the scope of their job. This means that privileges are assigned to applications instead of users, and elevated only when needed. With least privilege, employees can log into systems as a standard user instead of an admin user, which prevents attackers from gaining access to privileged accounts and makes it more difficult for malware to take control.
This not only yields security improvements, it also drives user empowerment by giving employees the freedom to install applications and manage application updates as needed. At the same time, IT should see a reduction in service requests and incidents, freeing up resources to allocate to bigger, more strategic projects.
A least privilege environment will be especially empowering for tech-savvy Gen-Yers, those who have grown up in the Internet era and are accustomed to (and even expect) access to what they want, when they want it. By providing them with autonomy over how they manage their systems, organizations will be better able to embrace and cater to this new breed of user.
A big part of user empowerment is making users – especially those who might be less informed than the resident techies – feel as though they’re tuned in to IT’s processes, providing them with education around the limitations of their downloads and what next steps might be required.
User Account Control (UAC) is the standard pop-up feature on most Windows machines that was traditionally responsible for doing just this. But fixed messages filled with technical jargon do more harm than good, especially when they result in repeated calls from confused users to the IT help desk or, worse still, the user clicking Continue on a piece of malware.
By thinking from a user’s perspective about how those messages are presented, organizations can create more customized messaging that feels truly human, rather than an automated response. These messages might offer, for instance, multi-lingual support and corporate branding. And with localization, reasoning and help desk integration, all in terms that are easy to understand, users are not only provided with a better sense of what they need to do next, but a heightened user experience.
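The two prerequisites described above, users signing in as standard users rather than admins and UAC still standing between them and elevation, can be checked on an endpoint. The following PowerShell audit is an added example written for this article, not code from Network World or any vendor product; it assumes Windows 10/Server 2016 or later (for Get-LocalGroupMember) and reads the standard UAC policy values under HKLM.

```powershell
# Added example: audit a Windows endpoint's least-privilege posture.
# Assumes Windows 10/Server 2016+ and the Microsoft.PowerShell.LocalAccounts module.
function Test-LeastPrivilegePosture {
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = Get-ItemProperty -Path $uacKey
    $findings = @()

    # UAC must be on at all; EnableLUA = 0 disables it and every prompt with it.
    if ($uac.EnableLUA -ne 1) {
        $findings += 'UAC disabled (EnableLUA <> 1): malware on an admin account elevates silently.'
    }

    # Admin accounts: 0 means elevate with no prompt at all (the weakest setting).
    if ($uac.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'Admin elevation without prompt (ConsentPromptBehaviorAdmin = 0).'
    }

    # Standard users: 0 = auto-deny elevation requests, 1 or 3 = prompt for credentials.
    # Both are compatible with least privilege; just report which one is in force.
    $userPrompt = if ($uac.ConsentPromptBehaviorUser -eq 0) { 'auto-deny' } else { 'credential prompt' }

    # Who is actually a local administrator? Every ordinary user account here is a
    # candidate for demotion to a standard user with per-application elevation.
    $admins = Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
    $userAdmins = @($admins | Where-Object { $_.ObjectClass -eq 'User' })
    if ($userAdmins.Count -gt 1) {
        $findings += "$($userAdmins.Count) user accounts hold local admin rights."
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        StandardUserPrompt = $userPrompt
        LocalAdmins        = $admins
        Findings           = $findings
    }
}

# Usage: run elevated (reading the policy key and group membership needs it).
Test-LeastPrivilegePosture | Format-List
```

The Findings list is empty on a machine where UAC is on, admins are prompted, and only the built-in Administrator account remains in the local group; anything else is a starting point for the per-application elevation policy the article describes.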
At the heart of any organization is its employees. To attract and retain talent means organizations must transform their working environment to reflect a user-first mentality, rather than one that is IT-led. By taking a more flexible approach to privileges, organizations can harness the abilities of their more tech-savvy employees that demand greater access and power.
And with a more personalized approach to their messaging, they can improve end user education among their less technical workforce. Perhaps most important is that neither of these methods has to come at the expense of security – in fact, they enhance it in the best way possible, by transforming its practice into a more productive, positive, and empowering experience.
This story, "Restoring user freedom in the security-first enterprise" was originally published by Network World.