Too many staff have privileged work accounts for no good reason, reckon IT bods

all too often the data you need, but aren't authorised to have is something very trivial (my company locks down FX rates because the guy who set it up didn't think) or is something that can easily be worked out - I can't see company set up in our ERP - but have table access in dev to see the same and it only shows things like company code currency and hierarchy which are public information anyway!

We have everything locked down. You only get access to what you need. Occasionally people will need additional access. The owner of the affected data gives their okay and access to the data is added to that user's rights.

It works just fine. Even as IT administrators, we don't have admin privileges on our standard accounts and we only have access to IT related areas or to projects in other departments that we are working on.

We could give ourselves access, but we don't.

Also, since GDPR, giving the users access to more data than they need is a problem and our DPO is very strict about ensuring people don't get access to sensitive information that they don't need access to.

Sounds like an ad hominem attack to me. It really doesn't matter what this company sells; it matters whether they're right.

Quite frankly, the percentage of people with too much access that they found is an average. From experience I can tell you that some companies are much closer to 100%...

As for your statement that "locking everything down is rarely a good idea", that's simply misguided. Access should be based on "default deny", not on some expectation.

Regarding your complaint about "systems are so locked down that you really struggle to do your job", you may be surprised that such an approach is not considered to be secure.

Security has three requirements: Confidentiality, Intergrity, and Availabliity. If you can't get to the stuff you truly need to get to it cannot be considered secure.

Unfortunately, and you are right in this, too many people think that full security means locking everything and throwing away the key.

Oh, how I wish companies would require everyone (including the brass!) to take basic cyber security training. Just an hour or to convey the basic principles would put an end to a lot of the issues.

Since I know people that got their own laptops for work to avoid having to use portable apps to be able to do anything at all, this was a few years ago mind you, before Windows 10, I can say is a bit of both.

There is both people without enough access and people with too much access.

"What I am trying to say is, rather than trying to lock down everything and contrain your employees into narrowly defined processes of what management thinks is their job; hire competent people, give them all the access they ask for, and trust them to use that access appropriately. That is how you get work done."

So which bit did Morrissons get wrong? It was the trust bit, I suppose?

The threat is NOT from the employee, but from whomever is controlling the interactions between the employee's computer and the rest of your network.

In a world of company-issued laptops that we are encouraged to take home, that's the real threat.

Try reworking the balance of costs with that in mind.

We just went through this with each department head.

We actually listed out all of the access the users in that department had, checked what was actually necessary and put that into roles, as opposed to individual users within a department having differing access.

Apart from 2 overseen access groups in one department, the roll-out went smoothly with no complaints. A few users received more rights than before, many had rights taken away (E.g. had moved departments and still had access to the old departments data, which they shouldn't).

Re: You just never know who is watching you!

Our managers need to review and sign a sheet annually which details the access rights their staff have.

They also have to ensure their staff are trained annually in data protection and record keeping.

If they fail to do either of these they are destined for a disciplinary within 3 months if not rectified.

Access permissions are audited annually at random within the organisation and several times managers have been caught out as staff have left, moved etc and the list hasn't been updated.

Jumping through hoops for access

There should be three levels of access:

1) no access

2) permanent access

3) "on-demand" access

For #3 you have an automated procedure set up where access can be requested to something you've already been approved for on a time-limited basis. You input that you need the access starting Wednesday at 9AM until the following Monday at 5PM, and why you need the access, and the system enables it for you without human intervention, and automatically disables it at the specified cutoff time.

That prevents people from having permanent access to something they only occasionally need, and maintains logs so you can you go back and see who is requesting access, what they say it is for, and so on. Maybe you have 50 people who might need access to sensitive HR data at one time or another, but only 5 who need that access at all times, so you limit the scope for potential breaches and if something happens it is easier to figure out.

This would also help for phishing type schemes as someone having to put in a reason to enable access to something might make them think a bit more about that email they received and become suspicious enough to start asking questions first.

Re: Employ people you trust, trust people you employ

And the person who you trust clicks a booby-trapped email and their excessive access lets the destruction spread.

Then you start to wonder whether open access was a good idea. Experience is a dear teacher. Do you really want to learn lessons like that the expensive way?

Re: Employ people you trust, trust people you employ

My experience with git repos is that there is a culture in many developers of "give the world access", even to those individuals who have no legitimate reason to access the repo in question. It's a battle I'm currently fighting, that I do not need access to the git repos. My boss agrees with me. But devs repeatedly try and give me access in an effort to make me do their job for them. All because I "might need" access to the repo.

Re: Employ people you trust, trust people you employ

DPA , GDPR and SOX are very clear that trust is not a defensible plank of security provision.

You have to prove people have the minimum amount of access to fulfil their role and that access to sensitive data is logged where possible.

I am so glad I no longer have responsibility for granting access because so few companies understand that it is a business problem.

Now if the business finds this restrictive then they need to get on board and define what access they need. Most businesses if asked could not tell you what access they need to their data.

After SOX I started an annual review of roles and had a lot of push back taking rights off users until the CFO realised they were eligible to share a cell with BUBBA if it went wrong. From then on I just supplied the data and finance did the restricting, for those feeling the pain can I recommend this option?

Data and access are a business problem administered by IT. Not an IT problem, we can help fix it if you want.

Re: Opportunity Cost of lockouts

I think you're describing a situation where people who should be on a project team aren't. Lax security isn't a solution to non-security problems.

Re: The sub-header: ever seen a Trello board...

"At a previous organisation Trello was rolled out by means of an unexpected mass-emailing from an external organisation inviting one to follow a URL and log in at an external website with one's company credentials."

How not to do that - and anything else.

You've reminded me of a former boss I had when I was a day to day sysadmin.

Near direct quote from said manager of sysadmins:

"If you give me an account on the servers, you get written up. If you give me root to the servers, you're fired."

The manager pointed out, they were the manager, not the sysadmin. They also didn't have the training to be safe as a sysadmin. One of the two best managers I've ever had.

I currently need access to a particular server at work for HPC. As I am the only authorized user of this computer, and I only need it for HPC, and it does not need access to the rest of the work network, I suggested that that server be disconnected from the work network, so that I don't need to perform achingly slow TFA to do some work on it.

While things need to be locked down, we also have to think imaginatively about how to allow effective working while maintaining security. It doesn't matter if this particular machine gets pwned. There's no sensitive data on it, and it can be wiped and reimaged in less than an hour. It's better to put the firewall between it and the rest of the network than slow my access down. (An ideal solution would be to put the machine under my desk at home, but amazingly that wasn't an option.)

So don't do it then. Let them admin their own devices. Just make sure that it is clearly documented that they are responsible for the admin of that device not you. Many engineers are experienced and capable people who don't need their hands held when operating a computer. There's no need to jump on the bandwagon of "all users are idiots, we must lock away all the sharp and pointy objects so they don't hurt anyone".

They ALL run their devices with local admin, the trouble I'm having trying to roll this back to least privilege is driving me insane!

That may be the least privilege that they need.

Explain to someone sufficiently senior to be on the hook when the shit hits the fan that they are on said hook and that it's their problem, not yours.

You have a marketing department that doesn't have access (probably inducing access they really shouldn't have) to names and addresses of customers and a lot of other contacts?