When talking about computer security, we must look at it from at least two angles. The first perspective comes from the "end user", the person who comes to work and calls IT with computer problems. The second comes from your IT team, the ones responsible for fixing problems.
Ok, the user does not always call IT with problems, but it sure does seem like it sometimes. Typically, your users are logging in, checking emails, browsing the Internet, and performing a job function. We put measures in place to educate these users about phishing scams, virus detection, and the wealth of security threats we face today. Unfortunately, these do not always work. Worse yet, sometimes these breaches affect more than a single user. I have heard stories of entire networks being brought down by a mere end user clicking “I love you.zip”. These are the days we, IT administrators, fear.
Usually when a breach happens, we scramble to get things fixed, figure out what was corrupted and hope that nothing was compromised. This may not be the case for everyone, but it is a familiar concept that we’ve heard about before. If things go poorly, someone may be going home without a job. The reality of this situation is that users, almost always, have too much power.
For those of us in IT, we understand the risks, but it is nearly impossible to put the situation into terms our users can comprehend. So, let’s imagine that we are standing in front of a building. This building has many floors, and on each floor it has offices with locks on the doors. The user is given a "key" (login), and that gives them access to the "building" (machine). Unfortunately, that key also opens a LOT of offices, on all of the floors. When IT finds a vulnerability (the user is in a room they are not supposed to be in), IT has to change the lock. This continues to happen until all the vulnerabilities have been addressed. Then, the cleaning crew (OS updates) comes through and damages a few locks. The cycle repeats, and we end up with a reactive security system.
This is what we face every day, constantly fixing loopholes and reacting to threats. By this point, I am expecting a few people to be shouting at their screen, “This does not happen with *NIX systems!” It is hard to disagree: *NIX systems are typically designed with security in mind, relying on a “deny all” primary function. Problems can occur, but they are usually rare. However, our end users are not using *NIX systems. The end user usually has a machine that has a “key” with too much access to the “building”.
Building upon the best security practices of *NIX systems, Centrify has a product called Direct Authorize for Windows. We take the “deny all” approach and grant permissions explicitly. I will not claim that your environment will be perfect and free of security threats and viruses. However, I can tell you that you will not regret taking a proactive approach to security rather than a reactive one.
While I only talked about an end user approach and using Direct Authorize for Windows, our product expands far beyond this realm. I would love to talk with you about using “Roles and Rights” to go above and beyond traditional security. We can apply these concepts to every facet of your environment. Email firstname.lastname@example.org to learn more about our proactive approach to security.