by Dwain Kinghorn, SageCreek Partners
Numerous standards define how desktops should be configured in regulated industries, among them PCI DSS, HIPAA, and FDCC. These standards embody best practices developed over many years of experience, and at their core a number of those practices exist to protect the security and integrity of the information that these desktop systems access.
Many organizations do not have to comply with these standards and are not subject to tight regulation. However, all organizations hold business-confidential information such as customer lists, internal product plans, and competitive intelligence.
While not all of this information is as sensitive as credit card numbers, personal health information, or financial data, all proprietary organizational data is an asset. The standards and best practices defined for regulated industries therefore contain principles that apply to just about any corporate computing environment.
One key principle that appears in a variety of these standards is the principle of least privilege. The Wikipedia article on "Principle of Least Privilege" states:
“When applied to users, the terms least user access or least-privileged user account (LUA) are also used, referring to the concept that all users at all times should run with as few privileges as possible, and also launch applications with as few privileges as possible…The principle of least privilege is widely recognized as an important design consideration in enhancing the protection of data and functionality from faults (fault tolerance) and malicious behavior (computer security).” See http://en.wikipedia.org/wiki/Principle_of_least_privilege
Removing local administrative rights from end users is a fundamental part of applying least privilege to the desktop. Organizations of all sizes have more secure and stable desktops when users do not hold local administrative rights. Malware that runs in the context of a standard user cannot install kernel drivers, modify system files, or write to machine-wide configuration such as HKEY_LOCAL_MACHINE, so systems are less vulnerable to malware and less prone to inappropriate configuration changes when users are not administrators.
Experience has shown that just about every organization will run into problems when removing administrator rights from end users. Some applications simply do not run as a standard user. Certain tasks, such as installing approved software, become more difficult, and others, such as adding new hardware, no longer complete without the user being stopped by a User Account Control (UAC) prompt for credentials they no longer have. To reach an environment in which no user, including remote and mobile users, needs administrator rights on their system, an organization needs an effective privilege management solution that elevates only the specific applications and tasks that require it.
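Before rights can be removed they have to be found: on most estates the local Administrators group has accumulated individual users, help-desk accounts, and groups that nobody remembers adding. As an added example that is not part of the original article, the following PowerShell script audits the local Administrators group on a Windows 10 or later desktop against an approved list and, when run with -Remove, strips everything else. The approved-list entries (the CONTOSO groups) are placeholders for illustration, not names from the article, and the script uses the group's well-known SID rather than the name so that it also works on localized Windows installs.

```powershell
# Added example, not code from the original article. Audits the local
# Administrators group against an approved list and optionally removes
# unapproved members. Requires Windows 10 / Server 2016 or later
# (Microsoft.PowerShell.LocalAccounts module) and an elevated session
# for the -Remove path.
param(
    [switch]$Remove   # without this switch the script only reports
)

# Accounts and groups that are allowed to hold local admin rights.
# These entries are assumptions for illustration; replace with your own.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account (ideally disabled or LAPS-managed)
    "CONTOSO\Domain Admins",             # hypothetical domain group
    "CONTOSO\Desktop-Support"            # hypothetical help-desk group
)

function Test-SessionElevated {
    # True when the current token is a member of the Administrators role,
    # i.e. the user accepted a UAC prompt or UAC is off for this account.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UnapprovedLocalAdmins {
    param([string[]]$Approved = $ApprovedAdmins)
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators; using it
    # avoids depending on the English group name.
    $adminGroup = Get-LocalGroup -SID "S-1-5-32-544"
    Get-LocalGroupMember -Group $adminGroup |
        Where-Object { $Approved -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

$unapproved = @(Get-UnapprovedLocalAdmins)

if ($unapproved.Count -eq 0) {
    Write-Output "Local Administrators group matches the approved list."
    return
}

Write-Output "Accounts with local admin rights that are not on the approved list:"
$unapproved | Format-Table -AutoSize

if ($Remove) {
    if (-not (Test-SessionElevated)) {
        Write-Warning "Not running elevated; Remove-LocalGroupMember will fail. Re-run from an elevated session."
        return
    }
    foreach ($member in $unapproved) {
        # -Confirm prompts per account; add -WhatIf to preview without changing anything.
        Remove-LocalGroupMember -Group "S-1-5-32-544" -Member $member.Name -Confirm
    }
}
```

Run it without arguments first across a pilot group of machines and collect the output centrally; the report is what tells you which users and applications will break once rights are removed, which is exactly the list a privilege management rollout has to work through.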
A good privilege management solution lets an organization adhere to the principle of least privilege while keeping users productive, and provides a more robust and secure computing environment as a result. The principle of least privilege is a clear example of how a requirement written for regulated industries applies to just about any organization.