Almost every weekend in the United States, you can find a CosPlay convention going on somewhere. For the un-initiated, CosPlay is short for Costume Play. In its simplest form, it is people dressing up as their favorite fictional character and hanging out with other CosPlayers. The costumes cover everything from video game characters, SciFi Heroes (and Villains), Comic Book characters, and even Disney characters. It seems like the costumes are only limited by the imaginations of the CosPlayers.
Many of you have seen the Special Interest stories on the news showing some of the more elaborate and detailed costumes. Some of the CosPlayers will work on their costumes for 6 months or longer to make sure they get the look that they want. I have even seen a reality show about some die-hard CosPlayers that follows their preparations from one convention to another.
The primary characteristic that sets the die-hards apart from the casual participants is the passion that they have for their costumes and character. They will often spend a lot of time and money on a single costume just to earn the admiration and respect of others. For CosPlayers, there is nothing more satisfying than to have strangers come up and ask to have their picture taken with you, or ask someone says.. that’s amazing.. how did you do that, and yes maybe even win a Best Costume award.
In my role as a Senior Consultant, I get to visit a lot of customers. I see companies falling into the same two general categories when it comes to addressing user privileges on their servers.
Some companies are casual participants in that they really do not see privilege management as all that important. On the Unix side, they either share the ROOT password or grant a limited number of users the ability to SU to ROOT. On the Windows side, they will limit the users who are granted Domain Admin privileges and only grant local Administrator privileges to those who can justify the need. But therein lies the issue.
We have been conditioned over the years to accept that as an adequate solution. Many times, it takes an IT Audit delivering a finding or a incident with serious financial implications to get us seriously thinking about privilege management.
Some companies are completely on-board with ensuring that users are granted the least privileges necessary to perform their jobs. Those companies will dedicate both time and money to addressing privilege management. Sometimes, this includes installing and configuring Centrify’s Standard or Enterprise Server Suite. This allows companies to defines roles and commands at a very granular level to ensure users only have the privileges that they truly need to do their job.
Do SQL Administrators really need local Administrator access on the SQL server to do their job? No, but they may need the ability to run the SQL Management Studio with higher privileges. Does an Oracle Developer need to be able to SU to ROOT with the Root password? In the past, yes that was the approach. But what they really needed was a way to run some commands with elevated privileges.
When we grant a user local Administrator rights on a Windows server, or give them ROOT access on Unix, more often than not we are granting them more privileges than they really need. Anytime that happens, we are empowering them and putting our companies at risk.
Perhaps, it is a result of some of the high profile and very public data breaches that have occurred, but I am seeing an increase in the number of companies that are embracing the concept of least privilege access. Whatever the reason, nothing bad can come from limiting user privileges. In the end, your company is the big winner, since users are able to perform their job function but we have limited their ability to perform other – unauthorized actions. Maybe one day, you will have the opportunity to share your “privilege access” success story when someone says, "that’s amazing.. how did you do that?"