Believe it or not, CLA-OIT does not seek out ways to annoy you. Restricting what a faculty or staff member can do is never a great way to get ahead in higher ed. Although recent projects like the Google migration may have been difficult transitions for some, it is the new security rules that have pushed many people too far, and it is getting increasingly common for tech staff to be compared to the police or even the TSA.
First, a Little Background
The Regents recently passed a new Securing Private Data Policy that applies to everyone at the University. This policy is resulting in many changes to how CLA-OIT provides services. We are doing our best to minimize restrictions and shield our users from the technical details, but there are a few things that will affect you directly. Today, I'll talk about the concept of "least privilege."
Until recently, CLA-OIT had an unwritten tradition of providing the most privileges to our users. You had almost unlimited privileges and the ability to install software or make any change at will. This practice is almost unheard of in the corporate world where the user experience is much more regimented. Such a restrictive environment is not considered acceptable in higher ed--but, lucky for me, it is my job to change that.
Many of us today understand that the Internet can be a dangerous place, full of identity thieves and other criminals. Since you have an interest in protecting yourself, and the University is required by law to protect certain information from exposure, the concept of "safe computing" should be on all of our minds even if most of us are not security experts.
One of the most important strategies to safeguard our data is the concept of "least privilege." What this means is that each of us should use only the minimum of access rights to accomplish our day-to-day activities. Obviously, everyone should be able to access the web, send and receive email, print, and use the applications necessary to do their jobs--it would be silly to restrict these activities. But when browsing the web or sending email, we don't need the ability to install new software or set up a printer. These elevated privileges should be separated from our daily activities.
For many people, this isn't usually a problem. However, for those accustomed to maintaining their own computers and doing what they want whenever they want, least privilege is a frustrating problem.
What's the Worst that Could Happen?
It is easiest to operate a computer with full privileges or what is called "admin access." Until recently, out of the box, each computer automatically gave the user admin access and very few people ever changed this. In fact, many programs required it and a technician's standard practice was to turn it on.
Let's apply this "admin access" to your home. Logging into your computer with full administrative privileges is like coming home, unlocking your front door, and instead of locking it behind you, you unlock every other door, window, cabinet, and car in your entire house. Convenient, yes. Safe, no.
With all the advertisements on the web today, there is a very good chance that one or more will be hiding malicious software. In effect, simply browsing the web is the same as inviting criminals over to your house every day--imagine if you had unlocked each door, window, and vehicle when you got home! And on your computer, if you are logged in with full administrative privileges, you have exposed yourself just the same. Unless you disconnect your computer from the Internet altogether, you cannot prevent exposure to this stuff.
But I Haven't Been Hurt Yet!
Are you sure? A cyber-criminal's goal is to break in, steal what they can, unlock a backdoor so they can get back in later, and do it all without you knowing they were there. How sure are you that your computers are safe?
A few practices like firewalls and anti-virus software may help protect you a little, but many otherwise-important strategies like using a strong password, encrypting your hard drive, and using a cable lock on your laptop will not mitigate the risks of using admin access. Bars on your windows don't help if they are unlocked.
Implementation in CLA
Least privilege is not only a good idea, it is part of University policy now. It is my job to both implement the policy and also keep CLA's faculty and staff happy with our services. Thus, we do not outright prohibit admin access; we just manage it.
This is how we are doing it:
* Everyone gets a standard user account for basic day-to-day activities.
* Anyone who needs elevated privileges will get them. The safer option will be a so-called "run as" account, but we can also provide full admin access if necessary.
* We have a form for documenting the request, identifying the reason, and managing the changes to your account.
* We "eat our own dog food" here in CLA-OIT. Security rules apply to all technicians and other staff in CLA-OIT--myself included. Techs use a "run-as" account to do their support duties, but they use a standard user account for everything else. If they can do it, everyone else can, too.
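As an added illustration of the standard-account plus "run as" pattern described above (example script written for this post, not a CLA-OIT tool), the PowerShell below checks whether the session you are working in is elevated, checks whether your everyday account is a member of the local Administrators group, and then launches a single administrative task through a UAC prompt, where the separate run-as account's credentials are entered. The account name `DOMAIN\username-adm` and the use of Print Management as the sample task are assumptions for the example.

```powershell
# Added example (not CLA-OIT's own tooling). Assumes Windows with UAC enabled
# and PowerShell 5.1 or later (for Get-LocalGroupMember).

function Test-IsElevated {
    # True only when the current process token carries the Administrators role,
    # i.e. the session was started elevated rather than merely by an admin user.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-IsLocalAdminMember {
    param([string]$UserName = $env:USERNAME)
    # Group membership of the everyday account, independent of elevation.
    # A standard user account should return $false here.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    return [bool]($members | Where-Object { $_.Name -like "*\$UserName" })
}

function Start-AdminTask {
    param(
        [Parameter(Mandatory)] [string]$FilePath,
        [string[]]$ArgumentList = @()
    )
    # -Verb RunAs asks UAC to elevate just this one process. From a standard
    # account, UAC shows a credential prompt; that is where the separate
    # run-as account (e.g. DOMAIN\username-adm, an assumed name) is typed.
    # The daily-use session itself stays a standard user.
    Start-Process -FilePath $FilePath -ArgumentList $ArgumentList -Verb RunAs
}

# Report on the session used for email and web browsing.
if (Test-IsElevated) {
    Write-Warning 'This session is elevated. Use a standard account for day-to-day work.'
} elseif (Test-IsLocalAdminMember) {
    Write-Warning "$env:USERNAME is in local Administrators; a run-as account would be safer."
} else {
    Write-Output 'Standard, non-elevated session: appropriate for daily activities.'
}

# One elevated task (assumed example: Print Management) under the run-as account.
Start-AdminTask -FilePath 'mmc.exe' -ArgumentList 'printmanagement.msc'
```

The point of the split is visible in the two warnings: the first fires when the whole session runs with admin rights (the "every door unlocked" case), the second when the everyday account could be elevated at any time even though it currently is not. With a true standard account neither fires, and only the single `Start-AdminTask` call ever carries administrative rights.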
The concept of least privilege has nothing to do with trusting or not trusting our users. Anyone, no matter how smart, trustworthy, or skilled in Internet security, is just as vulnerable as everyone else on the web. In fact, it is the smart ones who limit their exposure and browse with the most restricted access.
I hope you can understand the importance of practicing safe computing and the reasoning behind least privilege. I also hope you believe me that it is not our intention to waste your time or make your job harder. If you'd like to know more or discuss this further, talk to your technician or send me an email.
For those interested, here are the specific clauses in the policy that relate to least privilege:
* Access to an account with administrative level privileges for desktop/laptops must only be provided to a user when an account with a lower level of access is not sufficient for conduct of University business. Such administrative access must be approved annually in writing by the unit supervisor (and documentation retained) due to the increased risk level.
* A separate standard user level account must be used for daily tasks such as email and web surfing. Use of the administrative level account must be limited to those actions which require administrative access.