Balancing Security and User Experience: Implementing the Principle of Least Privilege at WWT
Challenge
World Wide Technology (WWT) aims to continuously enhance their information security posture and adhere to state and federal regulations. In the latest endeavor, the IT End User Computing (EUC) team implemented tools and controls to attain level 3 of the Department of Defense's (DoD) Cybersecurity Maturity Model Certification (CMMC).
One of the primary challenges the IT EUC team encountered was implementing the principle of least privilege on endpoints. WWT employees had access to an extensive software catalog, but because users held local administrative rights, not every software request was routed through IT for review before the software was downloaded and installed. Unvetted software installed with administrative rights posed a risk of compromising the endpoint, so the IT EUC team implemented the controls and procedures needed to mitigate it.
Solution
To comply with the principle of least privilege and achieve CMMC compliance for federal customers, the IT End User Computing (EUC) team selected BeyondTrust's Privilege Management tool to streamline the privilege management process. While several methods exist to implement least privilege, the most restrictive approach involves central management of all applications and configurations. Although this approach is highly secure, it can significantly impact the end-user experience and requires an impractical staffing level. Therefore, the EUC team aimed to balance security and compliance with the end-user experience without overburdening the team's capacity.
The work began with an audit of all software in the environment, followed by a risk assessment that answered two questions for each application: Can this software be allowed in the environment at all? And if so, can it be allowed for everyone, or does it require a business justification? Based on the findings, rules were created in BeyondTrust's Privilege Management tool to block software that was not necessary for end-user productivity and to allow software with a valid business justification. Doing this work up front significantly reduced the number of IT support tickets about blocked applications once the rules were deployed.
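The audit step described above can be scripted on each Windows endpoint. The following is an added example written for this page, not WWT's or BeyondTrust's code: it inventories installed applications from the registry uninstall keys, records who currently holds local Administrators membership, and classifies each application against a constructed allow-list. The allow-list entries and the three decision categories (Allow, Justify, Block) are illustrative assumptions that mirror the two questions in the text; a real deployment would read the list from a central source and feed the output into the rule-building exercise.

```powershell
# Added example (not the page's or BeyondTrust's code): endpoint software and
# local-admin audit feeding a least-privilege rule review.
# Run in an elevated Windows PowerShell 5.1 session.

# Constructed allow-list (assumption): wildcard pattern -> decision.
# 'Allow'   = whitelisted for everyone
# 'Justify' = permitted only with a business justification
# Anything that matches no pattern is reported as 'Block'.
$AllowList = [ordered]@{
    'Microsoft Office*' = 'Allow'
    'Google Chrome'     = 'Allow'
    'Wireshark*'        = 'Justify'
    'Python *'          = 'Justify'
}

function Get-InstalledSoftware {
    # Machine-wide 64-bit and 32-bit installs plus per-user installs.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate -Unique
}

function Get-SoftwareDecision {
    param([Parameter(Mandatory)][string]$DisplayName)
    foreach ($pattern in $AllowList.Keys) {
        if ($DisplayName -like $pattern) { return $AllowList[$pattern] }
    }
    return 'Block'
}

# Local Administrators membership: domain users and groups are listed
# alongside local accounts, which is what the rights-reduction effort targets.
$admins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource

$report = Get-InstalledSoftware | ForEach-Object {
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Name      = $_.DisplayName
        Version   = $_.DisplayVersion
        Publisher = $_.Publisher
        Decision  = Get-SoftwareDecision -DisplayName $_.DisplayName
    }
}

$report | Sort-Object Decision, Name | Format-Table -AutoSize
$report | Export-Csv -Path "$env:COMPUTERNAME-software-audit.csv" -NoTypeInformation
$admins | Export-Csv -Path "$env:COMPUTERNAME-local-admins.csv" -NoTypeInformation
```

Collecting the two CSV files from a sample of machines per department gives the raw material for the risk assessment: the 'Block' rows are candidates for block rules, the 'Justify' rows need an owner and a justification before an allow rule is written, and the local-admin list shows how many users still need their rights removed.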
The roll-out to end-users was conducted department by department, starting with the least technically complex department (Operations) and ending with the IT department. For each deployment group, communication was extensive: the change was socialized VP to VP, and weekly office hours were hosted to address questions and concerns. Listening sessions were also held with the most technical user groups to prepare for their unique configurations. The process took 11 months, with one group deployed per week, and reached over 12,000 workstations.
Conclusion
WWT's IT End User Computing (EUC) team successfully implemented the principle of least privilege within the environment, creating almost 100 application rules that let the business use over 2000 applications with the correct privileges. This significantly reduced the risk of compromise from unmanaged software and elevated rights and met the Cybersecurity Maturity Model Certification (CMMC) requirements. The number of WWT workstation users holding administrative privileges was reduced from all 8000+ users to 1700, with the goal of continuing to reduce the number of employees with full administrative rights over time. The solution limits the actions that can be performed on a workstation, preventing unauthorized changes and reducing the attack surface available to an attacker.
A positive outcome of this project was the engagement from all parties involved. The results were remarkable despite the challenges of revoking administrative privileges on end-user workstations. By providing a platform for end-users to voice their concerns and collaboratively addressing them, a sense of partnership and investment in the project was fostered among all team members. This project's success demonstrates that by adhering to WWT's Core Values and empowering end-users, even the most challenging projects can be accomplished and appreciated by both IT and end-users.
Key technologies utilized:
- BeyondTrust Privilege Management
- WorkspaceOne for agent deployment
- Microsoft Teams for end-user communication
- Moveworks for end-user communication
This case study was written with assistance from generative AI.