Least-Privilege Technology Still Swimming Upstream, But Making Progress

Fundamental shift in endpoint security might be easier with rollout of Windows 7, experts say
The third inhibitor -- culture -- may be an even more difficult nut to crack. Analysts and other observers say that many users simply like the idea of having administrative rights on their PCs, and they don't like the idea of their machines being "locked down" to prevent the downloading of applications and data.

"I think the idea of least-privilege is just swimming too hard against the trend of consumerization of endpoints," says Andrew Braunberg, a security analyst at Current Analysis. "There are too many endpoints that are not under that level of IT control. People want to buy their own Mac, or access email through their own smartphone. And there are too many visitors, guests, and so forth on the network."

McCarley agrees that the idea of "lockdown" -- the forced standardization of PCs across large groups of users -- has fallen out of favor in today's Web-enabled world. But IT professionals should be wary of equating least-privilege with lockdown, he says.

"One of the capabilities we have in Privilege Manager is the ability to grant full admin rights to a user who is very vocal -- say, a CEO or another top manager -- and doesn't like the idea of being locked down," McCarley says. "You can give him all those rights, and then monitor what he really does with them. Then, eventually, you can just provide access to those specific applications or tasks, and restrict everything else. You can create a safe environment where a power user can do everything they need to do, without opening up the flood gates to everything."

Can least-privilege overcome all of these inhibitors? McCarley argues that, between them, BeyondTrust and Microsoft have largely solved the technology problem. Mogull believes that with the rollout of Windows 7, the complexity problem will also be significantly alleviated.

But least-privilege still faces a cultural problem -- users resist the notion that any of their rights are being taken away. The U.S. federal government is attacking this problem with the implementation of the Federal Desktop Core Configuration (FDCC) mandate, which essentially forces users to implement the least-privilege concept to increase security in a frequently targeted data environment.

"I think this is one of those cases where the federal government is actually leading the industry," McCarley says. "As the FDCC takes hold, and government agencies see that they can have least-privilege without giving up functionality, the picture will become clearer. And other industries may look over and see that they can do it, too."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Editors' Choice
Kelly Jackson Higgins 2, Editor-in-Chief, Dark Reading