How to Secure your Workforce from Compromise and Attack
Jeff Carpenter discusses the challenges of securing workforce users—employees, contractors, and part-timers—who often have local admin rights on their PCs. He explains how this access creates security risks, as privilege has moved to the edge, allowing attackers to exploit these users. He outlines four key challenges: lack of visibility, credential sprawl, orphaned/stale users, and audit readiness, and explains how to protect your workforce from compromise and attack.
Hello, I'm Jeff Carpenter from Delinea, and may the workforce be with you. Now, all jokes aside, let's talk about how the modern organization can secure their workforce users from compromise and attack. Now when we talk about workforce, what are we talking about? We're talking about employees, part-time employees, contractors, people who are accessing information and working every day on their PCs.
Right now, the challenge is that when these PCs are deployed, many of them still have local admin rights. In fact, most organizations still deploy PCs with local admin rights. And for good reason, right? They want to keep their employees productive. If somebody wants to download software, change a browser, or store their credentials in their browser, things like that, they can do that.
But the challenge is that privilege has moved to the edge. Privilege, meaning the things that users can do, right? It used to be you had admins and you had employees, right? But now employees are managing SaaS applications, business applications, and they're doing so through their PCs, their laptops that have local admin rights.
And that's a challenge because the bad guys can come in there, compromise a single user, single account, or credential, install software on that PC that can then work through the organization, move laterally, escalate until they find something they really like, and then you've got a serious attack, potentially a ransomware attack, something like that.
But the challenge is how do we keep the workforce user productive and happy, but still allow them to do their job? And this is where the challenge of the modern workforce user comes in because there's really four different challenges that we like to outline. And the first is visibility. Now in most organizations they'll tell you, okay, hey, it's great.
We would love to do this, love to take away local admin rights from some of those users that are acting essentially as admins for their departments, for, you know, for SaaS applications and things. But there is not a lot of visibility here. We don't know who they are, in other words.
So, the first step here is visibility. The first challenge. The second is sprawl, of course. So, sprawl, meaning users, what do they do? You know, employees, they move to other departments, they move to other divisions, they leave an organization, sometimes they come back. So, you have that challenge there of just credential sprawl.
Sprawl in general of, you know, so this user has access to a SaaS application. They're able to create other users for their department, but now they go to another department, and they still have that access there.
Another situation here is what we call orphaned or stale users, very similar to this situation here with the sprawl, in that users move to another department and these rights still stay in place and they're still, hey, you know, call that person up. You know, they can still create an account for us, but they shouldn't have that access. And that leaves organizations very vulnerable. And finally, being able to pass an audit, report out on this, and have a good idea where your local admins are, and that you're making sure that you're instilling best practices here.
Making sure you're not exposing too much stuff to the internet, that users can't download malicious payloads, software, et cetera, that they're using multi-factor authentication if they indeed are an admin, and all that stuff's in place. So, what Delinea does in this situation to solve these challenges is, first, for visibility and discovery.
We're looking across all the organization there, from your cloud apps to your on-prem apps, even to the endpoint. And we're able to discern what is going on in this laptop, whether local admin rights are still in place there today, whether that user should have those rights, what we can do best there to manage those things.
And for the credential sprawl, we're able to make sure that even at the local level, we can make sure that users' credentials are vaulted, that they don't have standing privileges, meaning they can't get to something all the time. They'll just, with one click, be able to check out, so their productivity is not inhibited, but check out that credential.
It starts a session that can be monitored and audited, making sure that this sprawl is kept in check here. And then finally, for orphaned accounts, you'd be surprised how many organizations do a scan of the privilege down at the local level and find that there are tremendous numbers of users that have left the organization that still have access to SaaS applications.
You want to make sure that we lock down those workstations and those users and take away that access even if they move to another department. That is documented and it's well known. And then finally you want to be able to make sure that you pass an audit with flying colors.
That when your audit team comes in and they say, give us a picture of all your privilege within your organization, that you can say even at the local level there, that we're making sure that we take away things that could potentially cause an organization, our organization, to be a victim of ransomware.
If an admin at this level here gets compromised, they would not be able to have any access beyond what this admin has. So, you're containing that blast radius. So, this is how we address the evil empire. May the workforce be with you. For more information, check out delinea.com.