BeyondTrust privilege management solution provides solid support for managing internal security
Ian Short is Applications Infrastructure Manager for the University of Winchester, a 175-year-old university that, in 2014, was ranked among the top 20 universities in England for overall satisfaction in the National Student Survey 2014. Ian is part of the IT management team responsible for the smooth running of the campus, including a strong emphasis on security and, within that, managing any vulnerabilities inadvertently caused by staff and students. Here, Ian describes why and how they have implemented privilege management from BeyondTrust as part of the university’s security strategy.
“Our security policy is very much prevention rather than cure: we have to protect and support around 1500 Windows desktops, across approximately 8000 students, around 1000 members of staff across 16 different departments and over 160 applications. As well as running Windows on the desktops, we also have Windows back-end servers running in an Active Directory environment.
We are quite fortunate in that we have not had any security breaches, but there is no room for complacency. For instance, the network is set up so that both staff and students cannot just connect their own devices to back end systems and access is limited to the Internet (since much of the content that students require is available online anyway, this does not limit what they are able to do). Staff have very clear guidelines about protecting any data they take off site.
Several years ago, we identified the fact that managing user privileges was a simple and effective way to make our security more robust. Privilege management is about eliminating unnecessary rights – for example, administrator rights – to minimise the risk of malware attacks. It is well known that in any IT environment, users can be the often inadvertent cause of allowing the spread of malware within an organisation, so removing that element of human error immediately mitigates a whole class of security risks.
However, we knew that we could not lock down the entire network, because that would limit the flexibility that some of our users require. For instance, some staff – typically very knowledgeable and IT-savvy – need their privileges to be elevated so that they can install and manage applications themselves.
Also, while we could see the need to manage privilege, there was a concern about ensuring it did not create further additional administration workload. We wanted an approach that would automate the privilege management process as much as possible, while retaining the flexibility we require. After a thorough investigation of the marketplace, we implemented privilege management software from BeyondTrust called PowerBroker for Windows Desktops and Servers, a centralised solution that uses a ‘least privilege’ model. It has proved a perfect fit for our needs.
Since we took that step, we have completely removed automatic administrator rights among our users, while simultaneously providing adequate rights to perform the tasks that students and staff need. Some of the key uses include elevating privileges for staff using multimedia packages in our multimedia centre, 30 applications on their desktops, and around half a dozen Windows functions.
The net result is that no longer do we need to ‘punch holes’ in our security in order to complete certain tasks. The added bonus is decreased time spent dealing with user support issues, meaning that the team can spend more time on other activities.”
With the help of least privilege management from BeyondTrust, the University of Winchester has consistent, robust security policies campus-wide, balancing the need to give staff flexibility when it is needed, without impacting on security or creating additional workload for the IT department.