Rethinking endpoint management in a post-BYOD workplace
No one in a professional cybersecurity role needs a lecture on the dangers posed both from “out there” bad actors on the internet and from unfortunate, malicious activity internally within an organisation. Whether by accident or design, employees of any company can endanger the enterprise’s intellectual property, business continuity, or public image. Protection and prevention go hand in hand as parts of the rattle-bag of cybersecurity tools deployed in most companies today.
For IT functions in general, the standard operating model has become one of enablement: giving stakeholders at all levels access to the tools and technologies required to keep the business processes working. But the flip side of enabling staff is what can worry the cybersecurity professional, so balancing enablement with the twin aims of protection and prevention is a tough call.
Over the last few weeks, we’ve focused on the solutions offered by Thycotic, an established leader in smart technologies used to help the enterprise exist in what can be a threatening digital environment. It’s the end-user interacting with the internet and local subnets where the quiet war between black- and white-hatted experts takes place, and endpoint security methods are something of a specialty for the US-headquartered company.
Thycotic’s endpoint privilege management system sits between two extremes: at one end, nailing down every endpoint so that it is unusable; at the other, granting unfettered use of the entire IT stack. After hearing about the company’s approach and having read Joseph Carson’s “Definitive Guide to Endpoint Privilege Management”, we spoke to Simon Hughes, the company’s International Sales Engineering and Enablement Director, for some broader context and discussion. He acknowledges that, when poorly done, endpoint protection has a reputation among end-users for “admin rights being ripped away”.
However, Thycotic Privilege Manager creates an environment of least privilege for users, with applications that need super-user or administrator-level permissions carefully elevated when and where necessary. Hughes describes end-users, therefore, as able to “happily do their job as a standard user and mitigate massive amounts of risk.” Instead of a carte blanche given to elevated users, applications can be examined on a case-by-case basis, and the need for each to be elevated — and by whom — is assessed.
Further granularity is available too: an application’s access can be limited to specific file types, to particular protocols, or to requests that arrive from or are directed via specific routes.
As with any software worth its salt, the value of the Thycotic Privilege Manager platform lies in the research and deployment strategy behind it. Hughes noted that “historically, the favourite option has been to deploy the agent, but just in listening mode […it’s] not there to start blocking applications from running or really doing anything other than watching and listening and recording what applications users are running.” But the problem here, and what Thycotic hopes to solve, is twofold: throwing the switch to “live” can take a long time, and with compliance requirements hanging over the business, a long time is too long.
The Thycotic approach gives the ability to elevate actions on demand, allowing right-click-type activities immediately but run with administrative privileges. “But we’re only going to do that for a very short period of time, and we can still apply controls around that,” Hughes says.
The major plus, even over short timeframes, is the qualitative data gathered during the initial roll-out. Administration rights for users are removed very early in the deployment process, giving value, much more quickly, in the form of protection and governance adherence.
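The deployment pattern described above (an agent in listening mode that only records which applications ask for admin rights, followed by enforcement with per-application, per-user and per-file-type elevation that expires after a short window) can be modelled as a small policy engine. The Python below is an added illustration written for this article; it is not Thycotic’s code and does not describe the Privilege Manager agent or API. The event fields, the rule shape, the decision names and the launch events in `demo()` are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from fnmatch import fnmatch
from typing import Dict, List, Optional, Tuple


class Mode(Enum):
    LISTEN = "listen"    # record what users run; never block or elevate
    ENFORCE = "enforce"  # standard user by default; elevate only by rule


class Decision(Enum):
    RECORDED_ONLY = "recorded-only"  # listen mode: logged, launch untouched
    RUN_STANDARD = "run-standard"    # no admin requested: run as the user
    ELEVATED = "elevated"            # a rule matched: short-lived admin grant
    DENIED = "denied"                # admin requested but no rule: refuse


@dataclass(frozen=True)
class LaunchEvent:                  # assumed shape of an agent event
    user: str
    exe: str                        # full path of the launched executable
    wants_admin: bool               # did the launch ask for admin/root?
    target_file: Optional[str]      # file handed to the app, if any
    ts: datetime


@dataclass(frozen=True)
class ElevationRule:                # assumed shape of an elevation policy
    exe_glob: str                   # which executable the rule covers
    users: frozenset                # who may trigger the elevation
    file_globs: Tuple[str, ...]     # restrict to file types; () means any
    ttl: timedelta                  # how long the elevated grant lives

    def matches(self, ev: LaunchEvent) -> bool:
        if not fnmatch(ev.exe, self.exe_glob) or ev.user not in self.users:
            return False
        if not self.file_globs:
            return True
        return ev.target_file is not None and any(
            fnmatch(ev.target_file, g) for g in self.file_globs)


class PrivilegeEngine:
    def __init__(self, mode: Mode, rules: List[ElevationRule] = ()):
        self.mode = mode
        self.rules = list(rules)
        self.inventory: Dict[str, Dict[str, int]] = {}   # exe -> run/admin counts
        self.grants: List[Tuple[str, str, datetime]] = []  # (user, exe, expiry)

    def _record(self, ev: LaunchEvent) -> None:
        entry = self.inventory.setdefault(ev.exe, {"runs": 0, "admin": 0})
        entry["runs"] += 1
        entry["admin"] += int(ev.wants_admin)

    def handle(self, ev: LaunchEvent) -> Decision:
        self._record(ev)  # both modes keep the audit inventory
        if self.mode is Mode.LISTEN:
            return Decision.RECORDED_ONLY
        if not ev.wants_admin:
            return Decision.RUN_STANDARD
        for rule in self.rules:
            if rule.matches(ev):
                # Time-boxed grant: admin rights lapse after the rule's TTL.
                self.grants.append((ev.user, ev.exe, ev.ts + rule.ttl))
                return Decision.ELEVATED
        return Decision.DENIED

    def active_grants(self, now: datetime) -> List[Tuple[str, str, datetime]]:
        self.grants = [g for g in self.grants if g[2] > now]
        return list(self.grants)

    def admin_hotspots(self) -> List[str]:
        # Executables that asked for admin during listening: rule candidates.
        return sorted(e for e, c in self.inventory.items() if c["admin"] > 0)


def demo() -> Dict[str, object]:
    t0 = datetime(2020, 1, 1, 9, 0)
    installer, editor = "C:/Tools/installer.exe", "C:/Apps/editor.exe"
    # Constructed listen-phase events standing in for a week of agent logs.
    listener = PrivilegeEngine(Mode.LISTEN)
    for user, exe, admin in [("alice", installer, True), ("bob", editor, False),
                             ("carol", editor, False), ("alice", installer, True)]:
        listener.handle(LaunchEvent(user, exe, admin, None, t0))
    # Turn the listening results into one narrow, time-boxed rule and enforce.
    rules = [ElevationRule(installer, frozenset({"alice"}), ("*.msi",),
                           timedelta(minutes=10))]
    enforcer = PrivilegeEngine(Mode.ENFORCE, rules)
    d1 = enforcer.handle(LaunchEvent("bob", editor, False, "notes.txt", t0))
    d2 = enforcer.handle(LaunchEvent("alice", installer, True, "D:/pkg/app.msi", t0))
    d3 = enforcer.handle(LaunchEvent("bob", installer, True, "D:/pkg/app.msi", t0))
    d4 = enforcer.handle(LaunchEvent("alice", installer, True, "D:/pkg/tool.exe", t0))
    return {
        "hotspots": listener.admin_hotspots(),
        "decisions": [d.value for d in (d1, d2, d3, d4)],
        "grants_in_window": len(enforcer.active_grants(t0 + timedelta(minutes=5))),
        "grants_after_ttl": len(enforcer.active_grants(t0 + timedelta(minutes=11))),
    }


if __name__ == "__main__":
    print(demo())
```

The listening phase costs nothing in user friction but produces the list of executables that actually request admin rights; the enforcing phase then defaults everyone to a standard user and elevates only the executable, user and file type a rule names, for a window that expires on its own. Narrowing the file glob to `*.msi` is what turns “alice may run the installer” into “alice may run the installer on a package”, which is the granularity the article describes.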
What becomes apparent in the first few weeks of deploying Privilege Manager is that the privilege “standard” for most users is precisely that: standard, not administrator. Both Windows and macOS client accounts are created at this level by default, and most users never need to elevate their privileges at all.
Simon was happy to state that the EPM from Thycotic doesn’t work on every device under the sun (although it does run on *nix, iOS, Android, Microsoft and Apple clients). Older BYOD Android devices running legacy OSes, for example, will need to be replaced. The cost of a replacement program for those users’ devices needs to be factored into the overall security budget planning — and that’s a process Thycotic wants to be in on early.
Likewise, EPM should only be part of a bigger picture of other security provisions and be as scalable and elastic as the rest of the ideal IT setup. The Thycotic difference is that all its solutions are realistic and responsive, changing and adapting as quickly as today’s business processes. Plus, they don’t attempt to rewind the clock to when IT departments locked down a ‘standard desktop’ and disallowed BYOD across the board.
If the Thycotic approach appeals to you, we recommend reading Joseph Carson’s “Definitive Guide to Endpoint Privilege Management” (we spoke to Joe a few weeks back on Tech Wire Asia), and you can trial Privilege Manager for your own organisation.