This article outlines 10 logical reasons why every organization should develop a policy of least privilege.
Reason 1: Minimize risk
In a business environment you really need security decisions to be made by IT, governed by business requirements, when it comes to the desktop. Many users don’t understand the implications of configuration changes, such as files within the Windows folder and protected parts of the registry. If these are altered – either accidentally or maliciously, it can make the system unstable and increases the risk of data leakage.
Simply, if IT doesn’t know what applications and changes users have made or installed, then they can’t be sure that sensitive data isn’t being redirected into the hands of an unknown third party.
Reason 2: Improve end-user experience
Security is often seen as preventing users from doing something, but that doesn’t have to be the case. Instead, by adopting a well planned and implemented least privilege policy, you can actually improve the user experience.
Following the example of devices like the iPad and Android Smartphones, which operate in a curated environment, organisations can catalogue a portfolio of programs and applications that are needed, and can be supported. Doing so will help track changes to the system and keep the core system configuration secure.
When users make system-level changes, they can weaken the endpoint or introduce application clashes which can have serious consequences. It also makes it harder to support the enterprise as, if a problem does crop up, IT often get a nasty surprise.
Reason 3: Move to a managed environment
By locking down machines, so that users can only change their desktop configuration and not the core system, you can save time and money – by reducing support costs, lost productivity from network downtime, and the expense of data breach management.
However, to make sure that this facilitates and not hinders the enterprise, thought needs to be given to how the environment will be managed moving forwards. Software distribution, and patch management, at the simplest level could be through Group Policy Software Installation or perhaps System Centre Configuration Manager.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.