Least Privilege Security for Windows 7, Vista and XP

User acceptance

Users are more likely to accept Least Privilege Security on the desktop if they understand how changes to their PC can help the company as a whole. Therefore it's important to make sure you not only communicate how their computing experience will change and improve, but also explain the benefits for the company.

Well-designed security is a business enabler. Just as seatbelts and good brakes in a car allow us to drive faster, Least Privilege Security on the desktop, as part of a defense-in-depth strategy, allows users to fulfill their responsibilities without being exposed to unnecessary risks, and maintains performance and reliability, thereby allowing tasks to be completed as quickly as possible. Information and systems security is in the interests of the company, ensuring it can remain competitive and survive an economic downturn.

Least Privilege Security terminology

If you need to justify the reasons for implementing Least Privilege Security, avoid using language such as lockdown and restricted privileges. Such terms don't go down well with users, and create the feeling that draconian controls are being put in place.

If users can no longer perform a particular task on their PC, be ready to provide some justification. An example might be the inability to change the system time. Explain that the time zone can still be changed while travelling, but the system time must match that of the servers at head office in order to log on to the network successfully. You could also add that this reduces the number of logon-related calls to the help desk. Ultimately, in a modern system, there shouldn't be any need for users to change the system time. If time synchronization is not working correctly on your network, it's likely to manifest itself in other ways, such as logon failures. You should therefore check that time synchronization is in order before removing users' ability to change the time and date.
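The pre-removal check described above, written out as an added example (it is not from the book): it reports the Windows Time service's sync source and last successful sync, then shows which accounts currently hold the two separate user rights involved, "Change the system time" and "Change the time zone". It assumes Windows Vista or later (`w32tm /query` and `SeTimeZonePrivilege` do not exist on XP) and an elevated PowerShell session; the temp file name is constructed for the example.

```powershell
# Added example (not from the book): before removing users' right to change the
# system time, confirm time synchronization is healthy and see who holds the
# two rights involved. Assumes Vista or later and an elevated session.

# 1. Time synchronization status: which source the PC syncs from and when it
#    last succeeded. A "Local CMOS Clock" source or a stale sync is a red flag.
$status = w32tm /query /status 2>&1
$status | Where-Object { $_ -match '^(Source|Last Successful Sync Time|Stratum)' }

# 2. Export the local security policy and read the two user rights from the
#    [Privilege Rights] section. SeSystemtimePrivilege = "Change the system time",
#    SeTimeZonePrivilege = "Change the time zone"; travelling users only need the
#    latter, which can stay while the former is removed.
$inf = Join-Path $env:TEMP 'lsp-export.inf'   # constructed temp file name
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+Privilege)\s*=\s*(.*)$') {
        $rights[$matches[1]] = $matches[2] -split ','
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

foreach ($priv in 'SeSystemtimePrivilege', 'SeTimeZonePrivilege') {
    $holders = $rights[$priv]
    if (-not $holders) { $holders = @('(nobody)') }
    # Translate SIDs (written as *S-1-5-32-545 etc.) into account names where possible
    $names = foreach ($h in $holders) {
        $s = $h.Trim()
        if ($s.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($s.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $s }
        } else { $s }
    }
    "{0}: {1}" -f $priv, ($names -join ', ')
}

# Interpretation: if BUILTIN\Users appears under SeSystemtimePrivilege, standard
# users can still set the clock. Remove that right via Local Security Policy or
# Group Policy only after step 1 shows a healthy domain time source.
```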

If you decide to implement a parent project such as a desktop refresh, you should try to avoid mentioning Least Privilege Security directly. Following are some more examples of how you can sell Least Privilege Security to users:

  • A faster and more reliable PC: Least Privilege Security will help keep your PC running at optimal levels throughout its lifetime, thus helping you improve productivity.
  • Regulatory compliance: The company is required to run secured desktop and notebook computers for all employees due to regulatory constraints. Though not all companies are subject to regulatory compliance, this is one of the most important justifications for implementing Least Privilege Security on the desktop. Your company will not be able to operate legally in the marketplace if you cannot prove to auditors that your systems are secure according to regulatory requirements. All the major regulatory doctrines require Least Privilege Security on the desktop.

If your company is not subject to regulatory compliance:

  • Best practices: Regulatory requirements are based on best practices, which are developed to secure and minimize operational problems with IT equipment. While our company is not subject to regulatory compliance, we adhere to regulations as a best practice, which helps customers gain greater confidence in our business.
  • PC total cost of ownership (TCO): The cost of maintaining and supporting each desktop and notebook PC on the network counts for a considerable percentage of IT costs. Least Privilege Security is proven to reduce total cost of ownership and improve return on investment.
  • Financial savings: The financial savings reaped from Least Privilege Security on the desktop will be invested in other areas of IT, to help improve services and contribute to the success of the company.
  • Network security: Every desktop and notebook PC that connects to the corporate network is part of that network and cannot be completely isolated. Therefore, PCs must be secured using a defense-in-depth strategy that includes Least Privilege Security. Due to the complex nature of viruses and malware, one PC can infect all other devices connected to the same network, including servers that store valuable business data. Remote users can also infect the corporate network with malware. Comprehensive, layered protection is necessary because some viruses can cause complete data loss, and such an event could prove potentially devastating for the company.

    Viruses can also cause denial-of-service attacks on the network, meaning that if your PC becomes infected, it can attack servers, PCs, and other network devices, slowing the entire network down or even disrupting service completely. Such downtime is embarrassing and costly for the company. Viruses can also be spread if you connect to the corporate network using your notebook from a remote location.

  • Software Licensing: US and European law state that the company must hold a valid license for all software installed on company-owned computers. This means you cannot install your own software on company computers, even if you have a valid license. Least Privilege Security on the desktop helps us enforce software licensing. Additionally, free software downloaded from untrusted sources on the Internet poses a security risk, as these free programs can contain viruses and can conflict with line-of-business applications, thereby rendering systems unstable. Such software is also unsupported by the IT department.
  • Competitive advantage: Least Privilege Security on the desktop helps improve service and free up IT resources, helping the company remain competitive.
  • Downtime is expensive: Least Privilege Security is proven to help prevent viruses, malware, illegal software, and unwanted configuration changes that create problems for employees and often result in expensive downtime.
  • Improved service from IT: Least Privilege Security on the desktop helps IT maintain standardized desktop configurations across the enterprise. This in turn makes it easier for the help desk to resolve queries.

Justifying the decision to implement Least Privilege Security

Users may also appreciate understanding how and why the decision to implement Least Privilege Security was taken. Again, if you are implementing Least Privilege as part of another project, offering this information directly may not be necessary, but it should be available if need be.

As no security mechanism alone can prove completely effective, the company considered the various options and came to the conclusion that Least Privilege Security on the desktop was one of the most effective security measures when used as part of a defense-in-depth strategy.

IT has designed desktop images with Least Privilege Security so that systems can be managed with confidence, giving employees flexibility and security at the same time. Users will be empowered to work as productively as possible, benefiting the company as a whole.