itSMF Bulletin July 2023 | Page 14

Managing exceptions


While the default position should be to tighten user permissions over time, some user types may be treated as exceptions, or may ask for more flexibility on that basis. Whether that flexibility is approved comes down to a discussion of risk appetite against efficiency.


Software developers and engineers, for example, often retain a highly flexible policy set, in recognition of their technical skill and existing ways of working. They are often accustomed to choosing their own tools and to installing things on their machines for test or production purposes. They also often need to change configurations to test how the code they have produced interacts with these various tools and settings. As such, developers are among the groups most resistant to the removal of administrative rights. Our advice is to put them in the high-flex user group, where they effectively do not lose rights, but where everything they do is collected, audited and logged, so that anything malicious they inadvertently interact with will show up and they will be alerted to it.

Business leaders, particularly executives, may also consider their need for administrative and uncontrolled access to be in the same category. However, this should be treated with caution. Leaders are often the ultimate target for threat actors. They are often working on sensitive documents, such as business strategy, competitor analysis, product roadmaps and planning roadmaps. These are very tempting targets for internal and external threats. A more prudent approach to handling these users would be to enforce rigid policies on systems where sensitive documents are handled.


Given the proliferation of attacks today, it is desirable to have executives on the most secure desktops, with the most secure settings. Promoting the secure nature of the setup may also convince leaders of the benefits of being under the most stringent policies with the least flexibility. As a CIO or CISO, you want leaders to know they are on a very secure machine: that they cannot install anything, cannot change any settings, and that if they want to do anything they need some form of interaction with the service desk, and that this is to keep the business's most critical information assets secure. This is already in practice in some organisations, where executives even have their own dedicated IT service desk that is accustomed to providing assistance on workstations where sensitive information may be visible or routinely encountered when troubleshooting an issue.

Guided assistance


Of course, it is up to the individual organisation to define the boundaries for each group.