Rethinking endpoint management in the post-BYOD workplace
Article by ThycoticCentrify international enablement director, Simon Hughes.
Endpoint protection has a reputation for “admin rights being ripped away” from end-users. This is both unfair – given that it is based on what have often been crude solutions and/or poor implementations in the past – and frankly dangerous in the current, post bring your own device (BYOD) workplace.
No one in a professional cybersecurity role needs a lecture on the dangers posed from bad actors on the internet and from unfortunate or malicious activity within an organisation. Whether by accident or design, employees of any organisation can endanger the enterprise’s intellectual property, business continuity or public image.
For IT functions in general, however, the standard operating model is historically one of enablement. Systems users at all levels are given access to the tools and technologies required to keep business processes working. But the flipside to enabling staff is what can worry the cybersecurity professional, and balancing enablement with the twin aims of data protection and breach prevention is a tough call.
Confining exploits to users’ devices
Endpoint Privilege Management (EPM) – as a central element complementing traditional endpoint security solutions in a defence-in-depth strategy – can keep exploits confined to users’ devices and control employee access to sensitive applications.
By creating an environment of least privilege, users that need super-user or administrator-level permissions to systems or applications can have their access privileges carefully elevated only when and where necessary. Employees can happily do their jobs as a standard user and, in doing so, mitigate massive amounts of risk.
Instead of a carte blanche approach, access to systems and applications can be controlled on a case-by-case basis. Fine granularity is possible, like if or when requests for access should be limited to specific file types, or via particular protocols, or come from or be directed via specific routes.
Initial deployment in “listening” mode
Like any sophisticated solution, the deployment strategy of EPM software is constantly evolving. Organisations generally start by deploying agents to endpoint systems in “listening” mode. The software is not there to block applications from running but simply watching and recording what applications users are running.
The major plus, even over short timeframes, is the qualitative data gathered during the initial roll-out. This allows administration rights for users to be removed very early on in the deployment process, rapidly generating value in the form of protection and governance adherence.
What usually becomes apparent in the first few weeks of deployment is that the privilege standard required for most users is precisely that: standard, not administrator. Windows, Mac OS, Android and iPhone client accounts get created at this level by default, and most users never need to elevate their privileges at all.
Even after blanket privileges have been withdrawn, an EPM solution should provide the ability to elevate access rights on demand. This allows users to run with administrative privileges for short period of times, for example, subject to additional controls. This should be part of a bigger picture of other security provisions and be as scalable and elastic as the rest of the IT setup.
Solutions must be realistic and responsive
The key thing to be learned from deployments at over 14,000 leading organisations around the globe, is that solutions must be realistic and responsive, changing and adapting as quickly as today’s business processes. At no stage should anyone attempt to rewind the clock to when IT departments locked down a ‘standard desktop’ and disallowed BYOD across the board.
Far from having “admin rights being ripped away”, the reality for most end-users is not having to worry about complex password policies, increased convenience accessing applications and cloud-based services, and less cyber stress when doing their jobs.