Behind the scenes: Endpoint protection in the cloud
The cloud has certainly been a game-changer, driving innovation and growth. Companies that adopted cloud services experienced a 20.7% average improvement in time to market, an 18.8% average increase in process efficiency, and a 15% reduction in IT spending. Together, these benefits led to a 19.6% increase in company growth.
These savings and benefits, among many others, are driving 90% of companies to have some portion of their portfolio in the cloud by the end of the year. Yet, when it comes to security technologies, the transition seems to be slower. Within the Privileged Access Management (PAM) space, in particular, Gartner predicts only 30% of deployments will be in the cloud by the end of this year. Though this shift may be a bit lagging on the security side, it is clearly the wave of the future.
When a large consumer products enterprise with an aggressive cloud-first strategy came to Delinea looking for a cloud solution to secure their endpoints, we jumped at the opportunity.
Wanted: a cloud solution to protect tens of thousands of endpoints
Like most of our customers, this retail giant was seeking to improve its security posture by removing administrative privileges from more than 40,000 endpoints. The reason is simple. When logged in as an admin, every application running has unlimited access to that computer. If malicious code gets executed from a program or browsing to a site automatically downloads something malicious, that application also gains unlimited access.
So, managing privileged accounts, which includes local admin and root accounts, is a necessary element of a successful cybersecurity strategy – especially on endpoints. Does this endpoint problem sound familiar?
Unlike the bulk of our customers (though we see an increasing number) this large organization was seeking a cloud-based solution first and foremost—executing on their corporate-wide cloud-first strategy. Why the emphasis on a cloud-first strategy? Global enterprises with customers around the world, like this one, benefit greatly from the assurance of georedundancy found with a cloud PAM solution provided as a scalable service. Cloud is also synonymous with high availability which means 99.9% uptime. In addition, they required a solution with the ability to scale easily to match the growth of their privileged accounts, applications, and users, without losing control or slowing down other resources.
This last point is critical. In the competitive world of consumer products, the productivity of business users is paramount. No level of business disruption or slow-down is acceptable—even if it comes at the expense of security. When companies remove local administrative privileges from business users without considering the downstream impact, there is great potential for end-user disruption. Suddenly unable to download applications, run programs, install printers or make other system changes, users can become confused, frustrated, and unproductive. Those frustrations are going to land squarely on the plate of the IT desktop and support team.
Application control works behind the scenes to enable the applications users need to do their jobs without requiring local admin rights
For this reason, application control was a key part of their evaluation. Application control works behind the scenes to enable the applications users to need to do their jobs without requiring local admin rights. For most tasks, users experience no change and there is no impact on the help desk. This type of control prevents programs, not on approved lists from running and provides users attempting to run them with a message box to ask for approval. This is also customized to explain why an application or program was denied and what users need to do to justify their request.
The team chose to take a 3-stage approach to roll out Privilege Manager to better ensure minimal impact to business users. First, they began by monitoring and taking an audit of endpoints being used. Second, they entered “teaching mode” during which time they defined and built policies based on their analysis of their initial audits. Finally, the automated allowing and denying end-user devices and ensured unknown applications have an automated path towards approval.
Ease-of-use for their help desk team was also an important factor in choosing the right solution. This staged rollout allows this team to become familiar with Privilege Manager as well as respond to requests easily using an intuitive interface. As more applications are reviewed and added to global application control policies there will be less need for the help desk to respond to user requests.
Successfully implementing a least privilege security model and controlling rights on endpoints can seem like a daunting task. But it doesn’t need to be difficult, not even for an organization managing hundreds of thousands of endpoints. Scalable across hundreds of thousands of machines – Privilege Manager has easily installed so large enterprise organizations, like the one in this article, can complete installation on all endpoints without causing disruption. Privilege Manager automatically removes admin rights from domain and non-domain managed endpoints, including hidden or hard-coded credentials. Machines in large deployments can simultaneously communicate with Privilege Manager, check policies and execute application control 24/7, and manage through a single, streamlined dashboard.
Privilege Manager makes it possible for companies to implement least privilege policies and protect endpoints in large, diverse deployments, and manage them more effectively than ever before.
Related reading: Cloud Security Best Practices Checklist
Implementing Least Privilege shouldn't be hard