Preventing Good People From Doing Bad Things: Implementing Least Privilege

Front Cover
Apress, Oct 17, 2011 - Business & Economics - 220 pages

In today’s turbulent technological environment, it’s becoming increasingly crucial for companies to know about the principle of least privilege. These organizations often have the best security software money can buy, with equally developed policies with which to execute them, but they fail to take into account the weakest link in their implementation: human nature. Despite all other efforts, people can sway from what they should be doing.

Preventing Good People from doing Bad Things drives that concept home to business executives, auditors, and IT professionals alike. Instead of going through the step-by-step process of implementation, the book points out the implications of allowing users to run with unlimited administrator rights, discusses the technology and supplementation of Microsoft’s Group Policy, and dives into the different environments least privilege affects, such as Unix and Linux servers, and databases.  

Readers will learn ways to protect virtual environments, how to secure multi-tenancy for the cloud, information about least privilege for applications, and how compliance enters the picture. The book also discusses the cost advantages of preventing good people from doing bad things. Each of the chapters emphasizes the need auditors, business executives, and IT professionals all have for least privilege, and discuss in detail the tensions and solutions it takes to implement this principle. Each chapter includes data from technology analysts including Forrester, Gartner, IDC, and Burton, along with analyst and industry expert quotations.

What you’ll learn Why unlimited administration rights are a bad thing Why least privileges is a good solution Effective implementation of least privileges Least privileges on Unix and Linux servers Issues with Microsoft's Group Policy Who this book is for

The audience is segmented into three separate categories, all of which are clearly addressed and weighed-in on in each chapter: the auditor, the businessman, and the IT professional.

Auditor

The first segment are the information technology security auditors. They are the ones responsible for the analysis of technical, physical, and administrative controls in the organization(s) whose security is in question. Their work includes the auditing of data center personnel, computer equipment, all policies and procedures, physical and environmental controls, and back-up procedures. Because their jobs so heavily rely on established protocols for the protection of sensitive information, this segment of the market will find this book a must-read. Their main concern is making sure the companies they are inspecting are in compliance with regulations and are taking the appropriate measures to secure their information and the users accessing them. They will learn how least privilege is the only way to fully satisfy government security regulations, and it will give them necessary and cutting-edge information on how to correctly perform their jobs.

Businessperson

The second segment are the businesspeople. They are the ones who run the companies requiring least privilege. These individuals are driven by the bottom line, and are ultimately concerned with spending and returns on investment. While they may be interested in security and realize its importance, the motivation behind any decisions is saving the company money. They need this book because it will clearly outline the financial benefits of implementing least privilege. It will explain that, from a business point of view, least privilege is the only way to eliminate the misuse of privilege and avoid the extensive costs of security breaches, expensive audits, help desk costs, and costly hours of IT troubleshooting. They will read it and use it as a reference as they prepare financially for a more secure IT environment.

IT Professional

The third and final segment are the IT professionals. They are the ones who appreciate security for security’s sake. They understand the implications of a noncompliant environment. They are on the forefront of the company’s information environment. They manage users and those users’ privileges. They download applications, grant privileges to users, process information, store information, program, install software, perform data management, network machines, and manage the networks they create. They need and will read this book because it will expand their understanding of the concept of least privilege and apply it to the environment in which they work. They will learn how to supplement Group Policy to attain least privilege, how to protect their environments, and how to carry security throughout their enterprise. This book will teach them new ways to look at the principle of least privilege, and it will educate them with the information necessary to receive executive and financial backing to the projects that will secure their network.

Table of Contents The Only IT Constant is Change Misuse of Privilege is the New Corporate Landmine Business Executives, Technologisst and Auditors Need Least Privilege Supplementing Group Policy on Windows Desktops Servers Are the Primary Target for Insiders and Hackers Alike Protecting Virtual Environments from Hypervisor Sabotage Secure Multi-Tenancy for Private, Public and Hybrid Clouds Applications, Databases, and Desktop Data Need Least Privilege, Too Security Does Not Equal Compliance The Hard and Soft Cost of Apathy Final Thoughts for Least Privilege Best Practices
 

What people are saying - Write a review

We haven't found any reviews in the usual places.

Contents

The Only IT Constant Is Change
1
Misuse of Privilege Is the New Corporate Landmine
22
Business Executives Technologists and Auditors Need Least Privilege
41
Supplementing Group Policy on Windows Desktops
61
Servers Are the Primary Target for Insiders and Hackers Alike
79
Protecting Virtual Environments from Hypervisor Sabotage
97
Secure MultiTenancy for Private Public and Hybrid Clouds
112
Applications Databases and Desktop Data Need Least Privilege Too
127
Security Does Not Equal Compliance
141
The Hard and Soft Cost of Apathy
163
Final Thoughts for Least Privilege Best Practices
176
Works Cited
191
Index
198
Cover
206
Copyright

Other editions - View all

Common terms and phrases

About the author (2011)

Brian Anderson brings more than 25 years of global enterprise software and security industry experience to BeyondTrust, where he will be responsible for all aspects of corporate brand development, lead and demand generation to increase awareness and interest in all customer and investor segments. In addition, he will be responsible for building a VAR channel to expand distribution for BeyondTrust products globally. Prior to BeyondTrust, Anderson served as a serially successful chief marketing officer for several venture-funded companies. At Siderean Software, his branding efforts garnered rave reviews and numerous awards, including “innovator” status in the Gartner Magic Quadrant. At Avamar Technologies, his leadership resulted in a huge revenue increase and numerous awards. Avamar was subsequently acquired by EMC. Prior to Avamar, Anderson was director of marketing at IBM’s Tivoli Security and Storage, a role he inherited after successful building industry leader Access360’s brand and sales pipeline through successful positioning for a sale to IBM. Anderson also served as chief marketing officer of HNC Software, which experienced tremendous growth during his tenure and was successfully acquired by Fair Isaac in 2002. Anderson served for seven years prior to HNC at FileNet Corporation, culminating in his role as vice president of worldwide corporate marketing. At FileNet, Anderson built a tremendous global channel organization that ultimately represented almost 50 percent of the company’s revenue. He received his bachelor of science degree in computer science from the University of New Orleans.

John Mutch has been an operating executive and investor in the technology industry for over 25 years and has a long, sustained track record of creating shareholder value through both activities. Prior to joining BeyondTrust as chief executive officer in 2008, Mutch was a founder and managing partner of MV Advisors, LLC, a strategic block investment firm which provides focused investment and strategic guidance to small and mid-cap technology companies. Prior to founding MV Advisors, Mutch was appointed by a U.S. bankruptcy court to the board of directors of Peregrine Systems in March 2003. He assisted that company in a bankruptcy work out proceeding and was named president and CEO in July of 2003. Mutch ran Peregrine Systems, operating the company under an SEC consent decree, restating five years of operating results and successfully restructuring the company, culminating in a sale to Hewlett Packard for $425 million in December of 2005. Prior to running Peregrine, Mutch served as president, CEO and a director of HNC Software, an enterprise analytics software provider. Under his leadership, the company nearly doubled revenue and successfully spun out Retek in an IPO which returned more than $2.5 billion to shareholders. HNC Software was sold to Fair Isaac Corporation in August of 2002 for $825 million. Prior to HNC Software, Mutch spent seven years at Microsoft Corporation in a variety of executive sales and marketing positions. He previously served on the boards of Edgar Online (NASDAQ: EDGR), Aspyra (Amex: APY), Overland Storage (NASDAQ: OVRL) and Brio Software.

Mutch currently serves on the board of Adaptec Inc. (Nasdaq: ADPT) as a director designee of Steel Partners and the board of Agilysys (Nasdaq: AGYS) as a director designee of Ramius Capital. He holds a master's in business administration from the University of Chicago and a bachelor of science degree from Cornell University, where he serves on the advisory board for the undergraduate school of business.

Bibliographic information