Ask any organization whether it grants users local admin rights on their machines, and the response is likely to be mixed. Knowing the damage it can cause, some may respond in horror, a reaction that is often based on previous experience. Others will simply say that IT policy has always reserved admin rights for the Service Desk. Some organizations, however, have yet to address the issue, and some are unaware of the risks and consequences, not just from a security perspective but also from a Software Asset Management point of view.
WHAT CAN A USER DO?
The short answer is pretty much anything. Users with full access rights to their machines can:
- Install anything, including software
- Edit the source code for installed, licensed software
- Delete system files
- Delete network files (with network admin rights)
- Copy sensitive data
- Copy and share software
- Breach organizational security policies
The ability to install anything, including software, is a massive threat to Software Asset Management and poses significant risk to the business. I’ll dig deeper into this later. But first, I’d like you to think about how admin rights enable users to edit the source code of installed, licensable software. Users can, for example, modify how software performs certain actions or add new features. Editing licensable software is a clear breach of terms and conditions and will be flagged in the event of a vendor audit.
Admin rights enable users to delete files on their machine, including system files, user accounts, and even the operating system. The consequences: machine crashes and a subsequent call to the service desk. Network admin rights enable users to delete network files, possibly removing business-critical data, resulting in problems for the organization and time needed to recover backups.
Copying and sharing data, including software files, raises security and compliance issues. Data protection laws safeguard vendors and their IPR, making it illegal to copy or share proprietary information. We’ve all heard stories about disgruntled employees whose admin rights have enabled them to steal valuable data and sell it on. Copying and sharing software files with other users will result in a compliance breach.
Users with admin rights pose a threat to IT Security. Admin accounts permit users to traverse firewalls and remove anti-virus software, basically exposing machines to viruses and cyber attacks. Such a security breach could spread rapidly through an organization’s network, impacting other machines, servers, and services.
HOW CAN SOFTWARE ASSET MANAGEMENT HELP?
As users with admin rights can install anything on their machines, rights management is not just a security issue; it is also a Software Asset Management and compliance challenge. With administrator rights, users don’t need to contact the SAM team or use their organization’s self-service portal to request software. They can bypass routines and download the packages they need from any source that will provide them. The security risk is high, as such software is likely to include viruses, malware, or Trojans. And if nothing else, it is illegal to use software without a valid license. Vendors who discover instances of their software downloaded from an unauthorized torrent are likely to impose hefty fines, and the offending organization runs the risk of harming its brand.
So, if the stakes are so high, why do organizations grant admin rights to users at all? I believe that organizations want to empower their users to be productive. Have you ever found yourself in the situation where you’re trying to download an application and you can’t, because your machine refuses to install it due to your lack of permissions? Well, it’s nothing short of extremely frustrating. In some cases, it may even cause you to fail to deliver, which is potentially damaging to your business. The good news for organizations is that a solution exists, one that will keep everyone happy: it enables organizations to restrict admin rights, provide users with the access they want, maintain compliance, and reduce risk.
Snow’s Automation Platform enables organizations to automate processes like the granting of local administrator rights. The platform can put a request process in place to, for example, manage the granting of access rights for a given user for a certain period, and then revert the user back to normal settings. Like the way users request software, hardware, and cloud services, Snow’s Automation Platform includes request functionality for access permissions. The process is self-service and relies on automated messaging that is a fundamental feature of the platform, reducing the number of e-mails that typically hop between different teams, users, and approvers in a manual process. This in turn reduces the time it takes for the process to complete, minimizes downtime in productivity, and improves user satisfaction.
In Snow Automation Platform, automated workflows are constructed with out-of-the-box functionality. The process to grant elevated access rights might require several inputs from users, such as their reasons for requesting local administrator rights, start and end dates, and optionally an approval person. The request details are forwarded to the approver, who, if not specified by the user, may be automatically retrieved from the Active Directory. The approved request automatically grants local administrator rights to the user, with instructions on what, if anything, they need to do next. Optionally, the workflow could create and close a Service Desk ticket to centrally provide information on all tasks completed within the IT environment.
Using Snow Automation Platform and Snow License Manager, the organization can closely monitor the user’s activity during the period that they have admin rights to ensure they are not abusing the privilege. Regular reports and spot checks in Snow License Manager can be carried out to ensure that no unapproved or harmful software has been installed on the device.
Permissions are reverted automatically at the end of the period by Snow Automation Platform. Automating workflows removes manual errors from processes, accelerates messaging and approvals, and improves user satisfaction, all while remaining secure and compliant.
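
The time-boxed grant and automatic revert described above can also be checked independently on the endpoint. The following is an added example, not Snow's code or part of Snow Automation Platform: it compares the local Administrators group against a list of approved grants and reports members with no active approval window. The grant records, account names and baseline list are constructed placeholders.

```powershell
# Added example (not Snow's code): find local admins without an active, approved grant.
function Get-AdminMembersToRevoke {
    param(
        [string[]]$CurrentMembers,          # names as returned by Get-LocalGroupMember
        [object[]]$Grants,                  # approved requests: User, Start, End
        [string[]]$Baseline,                # accounts that are always allowed
        [datetime]$Now = (Get-Date)
    )
    foreach ($member in $CurrentMembers) {
        if ($Baseline -contains $member) { continue }
        # A grant counts only if the current time falls inside its approved window.
        $active = $Grants | Where-Object {
            $_.User -eq $member -and $_.Start -le $Now -and $Now -lt $_.End
        }
        if (-not $active) { $member }       # never approved, not yet started, or expired
    }
}

# Constructed sample data: one active grant, one expired grant, one member never approved.
$now      = [datetime]'2024-05-10T09:00:00'
$baseline = @('PC01\Administrator', 'EXAMPLE\Domain Admins')
$grants   = @(
    [pscustomobject]@{ User = 'EXAMPLE\alice'; Start = [datetime]'2024-05-09'; End = [datetime]'2024-05-12' }
    [pscustomobject]@{ User = 'EXAMPLE\bob';   Start = [datetime]'2024-05-01'; End = [datetime]'2024-05-03' }
)
$members  = @('PC01\Administrator', 'EXAMPLE\Domain Admins',
              'EXAMPLE\alice', 'EXAMPLE\bob', 'EXAMPLE\carol')

# Reports EXAMPLE\bob (grant expired) and EXAMPLE\carol (no grant on record).
Get-AdminMembersToRevoke -CurrentMembers $members -Grants $grants -Baseline $baseline -Now $now

# On a real Windows machine, feed in live membership and preview the revert.
# 'Administrators' is the English group name; localized systems use a different name.
if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
    $live = (Get-LocalGroupMember -Group 'Administrators').Name
    Get-AdminMembersToRevoke -CurrentMembers $live -Grants $grants -Baseline $baseline |
        ForEach-Object { Remove-LocalGroupMember -Group 'Administrators' -Member $_ -WhatIf }
}
```

The `-WhatIf` switch only previews the removal; drop it once the baseline list has been reviewed for the environment.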
SAVING TIME & MONEY
Automating workflows satisfies everyone’s needs. In my scenario, users get the correct admin rights to carry out their tasks, management is content that a valid business justification has been provided, and the SAM team knows to check the user’s device in Snow for any unapproved software installs. Building the process in Automation Platform takes a few minutes, but once established, it can be used by everyone in the organization, with potentially massive time, cost, and labor savings.