The Principle of Least Privilege is an IT security basic. Unfortunately, its implementation is often left out from organizations. The principle of least privilege states that an individual should only have as much access as needed in order to perform their job. Preventing Good People From Doing Bad Things – Implementing Least Privilege by John Mutch and Brian Anderson discusses least privilege for an organization and all the surrounding issues.
The book takes an explanatory role. It addresses three audiences: auditors, business people, and IT professionals. It explains the difference between access, authentication, and authorization. One theme that is often brought up is that rank should not equal privilege. Just because somebody came in at the VP level doesn’t mean they get local admin rights. Preventing Good People from Doing Bad Things promotes the concept of Privileged Identity Management and Super User Privileged access Management/Shared Account Password Management. Successfully implementing least privilege requires teaming up with the human resources department to keep track of who has left an organization or what their job description entails so their privileges can be updated accordingly. A human resources management system might be able to assist and automate this task for an organization.
The book is very credible. It cites recent reports and statistics to help make its case (from page 29):
Gartner also estimated managed desktops, or users who run without admin rights, produce on average a $1,237 savings per desktop and reduced the amount of IT labor for technical support by 24%.
It also has timely examples and cites the recession as a time with mass lay-offs which creates armies of vengeful ex-employees or a financial incentive for employees to sell customer info.
Preventing Good People includes these chapters over 189 pages:
- The Only IT Constant Is Change
- Misuse of Privilege Is the New Corporate Landmine
- Business Executives, Technologists, and Auditors Need Least Privilege
- Supplementing Group Policy on Windows Desktops
- Servers Are the Primary target for Insiders and Hackers Alike
- Protecting Virtual Environments from Hypervisor Sabotage
- Secure Multi-Tenancy for Private, Public, and Hybrid Clouds
- Applications, Databases, and Desktop Data Need Least Privilege, Too
- Security Does Not Equal Compliance
- The Hard and Soft Cost of Apathy
- Final Thoughts for Least Privilege Best Practices
The authors explain that the book is meant to be read cover-to-cover but each chapter is self-contained so you can skip around if desired and I found this to be true. The chapters are broken up every few paragraphs and I found this to make for very disconnected reading and some chapters seemed really disjointed when topics would change when it felt like they were just about to drive home a point. The first chapter really felt like it had a hard time gaining traction since it kept changing topics, the rest of the chapters at least had a consistent thread to them.
One way that the book uses to explain the importance of least privilege involves using these characters at the ends of chapters:
- Secure Sam
- Least Privilege Lucy
- Compliance Carl
- Disgruntled Dave
- Accident Prone Annie
- Identity Thief Irene
and perspectives of others around the corporation like the CEO, CSO, Tech Support, Development, Admin Assistant, VP of Marketing, IT, CIO, systems administrator.
To me, those characters were very annoying. Not once did I reflect and think “I’m glad I read that section.” The authors, with ties to BeyondTrust.com, apparently use these characters often as seen here in this blog post that explains why they’re against open-source software, also explained in the book.
So, was the whole book just a big advertisement for BeyondTrust? No, the book was very fair and neutral. It pushed for a Privileged Identity Management system without giving a sales pitch. I have attended a webinar about their product before and it had the same strongly opinionated stance as the book.
Do I recommend the book? That depends. If you’re an IT Professional with an inclination towards security elements and you’re familiar with the principle of least privilege, I would pass over this book unless you’re trying to make a business case for implementing it in your organization. The book will serve well for that purpose because of its stats and recent examples. If you’re a business user or exec, this book might be more speaking your language and help you get caught up on thinking through least privilege.
You can find Preventing Good People From Doing Bad Things at Amazon and more information at its entry on the publisher’s website.