Preventing Good People From Doing Bad Things
Authors: John Mutch and Brian Anderson
As the number of known security breaches seemingly rises exponentially with every passing day, business managers and the general public are becoming increasingly aware of a fact that has been very well known to IT professionals for quite some time now: the majority of breaches are caused by insiders (i.e. employees).
Whether they do so intentionally or not it’s beside the point – what’s important is that they are able to. So how can an organization stop that from happening?
About the authors
Brian Anderson is the CMO at BeyondTrust. Prior to that, he served as a CMO for several venture-funded companies and was director of marketing at IBM’s Tivoli Security and Storage.
John Mutch is CEO at BeyondTrust. He served as CEO with a number of software companies and has spent seven years at Microsoft in a variety of executive sales and marketing positions.
Inside the book
History has proven that when it comes to keeping computer networks and data safe, the weakest link is often the human component. It has also proven that when it comes to security, most executives want it tight, but that it doesn’t interfere with productivity.
Add to this the fact that human nature all but guarantees that people will do what’s easier for them and ignore the consequences on their actions until they actually come to pass, and you have a recipe for a security disaster.
IT professionals have been saying for a long time that implementing stricter identity management and the principle of least privilege is the answer to that particular problem. Simply put, don’t give employees enough rope to hand themselves or others with it. So how do you go about doing this?
Picking up this book is a good start. In it, you will be introduced to three types of insider “villains” and “heroes”; the unique requirements of physical and virtual platforms, applications and cloud computing environments; compliance and governance requirements; and best practices.
Each chapter ends with a “weighing in” on that particular subject from the perspective of three insider “heroes” (Secure Sam, Least Privilege Lucy and Compliance Carl), functioning as a very helpful summary.
The authors say that apart from being read cover to cover, the book can also be picked up for its specific chapters. While that might be partly true for some of the chapters such as the one about supplementing group policy on Windows Desktops and those that explain how to implement least privilege when it comes to accessing and mucking around servers and virtualized environments, the book reads so much better as a whole.
The book’s strong point is definitely a heavy inclusion of actual real-world examples and case studies. Add to this information and insight from a variety of sources – media outlets, think tanks, security experts, surveys and researches – and you have a clearly painted picture of what the failure of implementation of the least privilege principle can result in.
This book isn’t a simple and straightforward how-to guide for implementing the least privilege principle, and some IT people might be put off by that. In truth, I think this would be a better read for the decision makers, who might finally understand what the IT department has to deal with on a day-to-day basis and realize that they might be worth listening to when they insist on an idea.