This article outlines 10 logical reasons why every organization should develop a policy of least privilege.
Reason 1: Minimize risk
In a business environment you really need security decisions to be made by IT, governed by business requirements, when it comes to the desktop. Many users don’t understand the implications of configuration changes, such as files within the Windows folder and protected parts of the registry. If these are altered – either accidentally or maliciously, it can make the system unstable and increases the risk of data leakage.
Simply, if IT doesn’t know what applications and changes users have made or installed, then they can’t be sure that sensitive data isn’t being redirected into the hands of an unknown third party.
Reason 2: Improve end-user experience
Security is often seen as preventing users from doing something, but that doesn’t have to be the case. Instead, by adopting a well planned and implemented least privilege policy, you can actually improve the user experience.
Following the example of devices like the iPad and Android Smartphones, which operate in a curated environment, organisations can catalogue a portfolio of programs and applications that are needed, and can be supported. Doing so will help track changes to the system and keep the core system configuration secure.
When users make system-level changes, they can weaken the endpoint or introduce application clashes which can have serious consequences. It also makes it harder to support the enterprise as, if a problem does crop up, IT often get a nasty surprise.
Reason 3: Move to a managed environment
By locking down machines, so that users can only change their desktop configuration and not the core system, you can save time and money – by reducing support costs, lost productivity from network downtime, and the expense of data breach management.
However, to make sure that this facilitates and not hinders the enterprise, thought needs to be given to how the environment will be managed moving forwards. Software distribution, and patch management, at the simplest level could be through Group Policy Software Installation or perhaps System Centre Configuration Manager.
Reason 4: Reduce support costs
It’s a fact that secure and managed systems are cheaper to support. This turns security from an initial expense into an enabler.
Reason 5: Encourage users to have fewer devices
More devices introduce complexity resulting in higher costs. Unfortunately, users needs don’t always match business needs so proper justification for using a device – especially if it’s personally owned, must be demonstrated. If you offer a company car you wouldn’t expect to supply a VW Golf for the week and a Porsche for the weekends!
Even if it makes the employee’s life easier - if it’s going to be too expensive for IT to support, then it’s impractical and needs to be deterred. Where a device is to be allowed then it must comply with company policy and a clear strategy of who is responsible for support developed.