Comment: The Hard Cost of Misunderstanding Least Privilege

Boundaries, not walls, say John Mutch and Brian Anderson

To understand the cost of apathy in relation to breaches and least privilege, we must first understand that how we manage risk impacts human behavior. If we box people in by removing all privileges, then they will feel suffocated and likely rebel or withhold. If we give too many privileges, people will either feel scared of screwing up and breaking something, or take full advantage of their privileges and abuse the system. The key is to give them what they need, when they need it; only then will they feel safe enough to do their job well.

Regardless, it’s just a matter of time before apathy leads human nature to cause measurable harm to your security, compliance and productivity.

Let’s face it – organizations cannot simply build walls to protect vital information anymore. However, in the process of adapting to this new virtual collaborative environment comes the enormous challenge of ensuring that privileged access to critical information is not misused. Walls that may have worked a decade ago are now practically irrelevant as users seek ways around, over, or under these obstructions because it interferes with their duties.

So, as we move forward in this evolving era, it’s important to develop an awareness of how to protect our resources – whatever they may be – using boundaries to guide us, not walls. The fact is that corporations today are no longer information silos to be protected like a castle from the Middle Ages; they have instead evolved into information eco-systems with fluid dynamic points of information exchange. Recognize this, and then the ‘boundaries versus walls’ metaphor begins to make sense.

Walls are built to keep things inside or outside of a specific perimeter. In information security terms, that means setting electronic boundaries around IT resources so that only select people may access them.

Boundaries, on the other hand, are built to guide things along a specific path to ensure proper use of a specific perimeter. In information security terms, that means setting the electronic authorizations so that specific people can do specific things under specific circumstances.

Having well-defined awareness of boundaries enables end users and applications to communicate freely within an IT environment without worry of intentional, accidental or indirect misuse of privilege. Boundaries allow a more productive and compliant dialogue to take place between users and the IT department and proactively deter attempts at misuse. If boundaries are respected, then IT remains in control of security, compliance and productivity, and has the authority to take proactive steps to protect the enterprise.

It may surprise you to hear, however, that the best group inside your organization to identify the insiders – and the different boundaries they require – is your human resources (HR) department. HR provides you with not only each employee and sub-contractor’s current status level, but their role and authority levels as well.

Because of this, the interface between the IT department and HR must also be solidified in order to avoid the misuse of privilege and prevent data breaches by insiders. Both organizations need to come together to understand that ‘rank’ and ‘privilege’ are two completely separate concepts.

In nearly every organization there is a boss and a subordinate. The bigger the organization, the more layers of management there are likely to be found. Ranks define the hierarchy of this reporting and decision making structure. Authorization – or privilege – on the other hand, is not just about who has access, but also what the user does once they have leveraged that access. It doesn’t matter whether the system is physical or a virtual server, a desktop, database, application or cloud, the principle remains the same.

All too often rank is confused with privilege, and those higher up in the organizational pecking order are automatically given more IT privilege; usually an excess amount of privilege for their rank because the thought of fine-grained entitlements has not been considered. Fine-grained entitlements are simply calibrating the levels of authorization for a specific computing environment to a specific setting based on policy or role.

For example, application and privilege controls can provide HR visibility into how businesses and individuals access and manage applications. With HR and IT in concert on privileged user parameters and administrative rights, policy enforcement can become more distributed and effective.

The challenge of managing insiders gets a bit difficult when migrating to cloud computing. While you can control the hiring practices of your own organization, what about those you are outsourcing to? What are the IT employee hiring protocols or security checks employed by your cloud provider? The lack of visibility into the hiring standards and practices for cloud employees, as well as provider processes and procedures, makes preventing data theft a potential nightmare. Depending on the level of access granted, a malicious outside-insider may be able to harvest your organization’s confidential data or even gain control of the entire infrastructure with little or no risk of detection.

Demanding visibility into cloud suppliers’ technology and processes to ensure the appropriate level of administrative privileges is a first and essential step businesses today must take before considering migrating to the cloud.

Security is an on-going, collaborative process. Constant review of both policy and technology is necessary to safeguard corporate networks. And although you can never eliminate risk completely, when you improve relations between HR and IT, so that policy and technology go hand in hand, an organization’s security becomes a great deal tighter.

Adapted from Preventing Good People From Doing Bad Things: Implementing Least Privilege, published by Apress Oct 2011.


John Mutch has been an operating executive and investor in the technology industry for over 25 years and has a long, sustained track record of creating shareholder value through both activities. Prior to joining BeyondTrust as chief executive officer in 2008, Mutch was a founder and managing partner of MV Advisors, a strategic block investment firm that provides focused investment and strategic guidance to small and mid-cap technology companies. Prior to founding MV Advisors, he was appointed by a US bankruptcy court to the board of directors of Peregrine Systems in March 2003. He assisted that company in a bankruptcy work out proceeding and was named president and CEO in July of 2003. Mutch ran Peregrine Systems, operating the company under an SEC consent decree, restating five years of operating results and successfully restructuring the company, culminating in a sale to Hewlett Packard for $425 million in December of 2005. Mutch holds a master's in business administration from the University of Chicago and a bachelor of science degree from Cornell University, where he serves on the advisory board for the undergraduate school of business.

Brian Anderson has more than 25 years of global enterprise software and security industry experience. He has a track record for award-winning branding and product launches, as well as inbound and outbound marketing models to low-touch, scalable, measurable, and predictable results. Anderson is a frequent industry spokesperson and a published author. Since 2009, he has served as chief marketing officer at BeyondTrust, where he is responsible for all aspects of corporate brand development, as well as lead and demand generation to increase awareness and interest in all customer and investor segments. Prior to BeyondTrust, Anderson served as a serially successful CMO for several venture-funded companies and senior executive at publicly traded companies. He received his bachelor of science degree in computer science from the University of New Orleans.
