IT security is at greater risk from the bad habits of system administrators than from bad guys actually hacking into infrastructure warns Centrify Asia-Pacific Regional Director Matt Ramsay.
Mr. Ramsay calls for a fresh look at the core problems bedevilling our enterprise security. “Do we only need to guard against the bad guys trying to hack our infrastructure?” he asks. “Or do we need to defend ourselves from the bad habits of the good guys who manage that infrastructure?
“The bad guys are a given: Their hack attempts are driven by every motivation from greed to ego. But the bad habits of the good guys – your beloved systems administrators – are another matter.”
Mr. Ramsay said the problem of privilege affects System Administrators for both Windows and Unix-style enterprise infrastructure. “On the Windows side, many administrators find it difficult to allocate and maintain finely grained user privileges with standard tools such as Group Policies,” he said
“As a result, admins get into the bad habit of only deploying coarse-grained privileges in practice. This creates the situation where sites are either overly permissive, and thus insecure, or so restrictive that users are annoyed by the need to petition IT to make even a tiny change.
“The same problem exists in Unix-like environments. The result is that Unix administrators employ the same bad habit of coarse-grained privilege allocation.
“In addition, Unix sites frequently resort to the unsecure practice of shared accounts to deal with the lack of sophistication of enterprise-grade Unix privilege management.”
Mr. Ramsay said some of the problems arising from coarse-grained privilege allocation include:
- A permissive setup means than any disgruntled users may have Domain Admin rights
- When an over-privileged user leaves your organisation, the IT department may have no idea what to turn off – if they even know that a risk exists.
- An overly restrictive setup is onerous and expensive for administrators – who are forced to deal with many petty requests – and annoying for the user
- Frustrated users may find alternate ways of getting things done – that is, circumventing security or finding a grey area such as a SaaS portal to sidestep IT altogether.
Mr. Ramsay said the balance between restrictive and permissive access is called “Least Privilege” – and can be implemented with easy-to-use tools that can quickly configure and maintain fine-grained security policies. “Security tools need to work more like plumbing than rocket science – they should be affordable and predictable with modest training requirements,” he said.
“At the moment, expecting a well maintained Least Privilege outcome from the goulash of Group Policies, sudoer files and resulting policy outputs is as silly as suggesting that programming in Assembly will deliver high quality ERP software ‘if you just try hard enough!’
“Admins need the tools to visualise what has occurred and when so they can easily answer questions like: ‘why does John have backup rights on those machines?’ and ‘how did that come about?
‘Rather than rely on guru-like admins with super-awareness, we need the tools to grant and manage fine-grained rights that are as simple to use as adding computers and users to appropriate groups.”
Matt Ramsay is Regional Director APAC for Centrify Corporation, which delivers integrated software solutions that centrally control, secure and audit access to cross-platform systems and applications by leveraging an infrastructure you already own — Active Directory. For more information, visit http://www.centrify.com
This release is based on a blog by Matt Ramsay which is published at http://www>.firstpointglobal
For media assistance, call John Harris on 0414 789 995 or email firstname.lastname@example.org.
- Today’s IT security needs tools not gurus How to secure the enterprise with Least Privilege By Centrify Asia-Pacific Regional Director Matt Ramsay It’s time we took a fresh look at the core problems bedevilling our enter...
- Avoiding pitfalls on the productivity path to the Cloud Are you thinking of moving to Google Apps or Office 365? Or do you already use Dropbox, Box, Webex, Salesforce or one of the many Cloud services now on offer? Or do you want to kno...
- Simple but strong: Why IdM (done right) is a no-brainer For the latest proof that passwords are passé, just look at the 4Chan nude celebrity photo uproar. Allegedly hacked from online storage services such as iCloud, intimate photos of...
- The Upside of Heartbleed The Heartbleed bug has generated a lot of catastrophic commentary and reverberating repercussions since it was publicly disclosed on April 7. ‘Catastrophic’ is the rig...