Shyam Senthilnathan
January 25 · 5 min read
Developers work with a variety of tools and often experiment with several at once. They need to upgrade their OS, change settings to replicate bugs, downgrade or update software, and even build their own tools. Most of these actions require programmers to have local admin rights or root access on their systems.
While developers can work better with administrative access on their workstations, security teams need to lock down admin privileges for a secure environment. This creates a lot of back-and-forth arguments between the teams.
Security heads simply cannot allow installations of quick utilities without considering whether they compromise security. Even though developers are tech-savvy, they aren't immune to phishing attacks or to being targeted by malware. Government institutes and other regulated sectors are forced to control the freedom developers would normally like to have.
Admin access to development tools, though a necessity, introduces a security risk, as malware can drop into critical production systems with something as simple as a website visit. A few cases highlight how easily software tools are compromised:
Build pipelines handle continuous integration, delivery, and deployment on a regular basis. They help handle version control and automate the rapid development process for services and applications. More often than not, this requires software that can manage and organize the pipeline. A few leading tools in the CI/CD domain are Jenkins, GitLab, and Kubernetes (K8s), used widely by several organizations.
These tools in some way provide privileged access to the user or developer who may need it for a particular task. This access is the point of attack that cybercriminals target. Getting their hands on the production environment not only undermines CI/CD security but also paves the way to full, unrestricted admin access through lateral movement. This turns build pipelines into high-value targets.
IDEs allow developers to quickly code applications, with multiple utilities manually configured and integrated as part of the setup process. With IDE workbenches offering different utilities through extensions etc., new developers can easily get up to speed on a team's tools and workflows.
In recent times, malware has evolved to target the supply chain and is distributed through open source software. Popular package repositories like npm and PyPI top the list for containing malware. But this doesn't mean that less popular open source repositories are free of malware.
Last year, malicious actors manipulated a popular IDE, Visual Studio Code. The VS Code Extensions Marketplace was targeted to increase the chances of developers installing malicious extensions into their development environment, which would then infiltrate their systems.
While regulated industries are forced to revoke admin rights from programmers, other organizations do it for the sake of better endpoint security. From a corporate licensing compliance perspective, it is still better to have a gate than not. Making developers jump through awkward and complex hoops, however, wastes their time and demoralizes them.
Eliminating admin access altogether locks developers out of performing basic job responsibilities and causes frustration. Developers even go to the extent of quitting if they are unable to perform their tasks efficiently. Finding common ground boils down to balancing the scales between security and developer productivity.
Controls put in by IT administrators to stop devs from having local admin are often bypassed by developers with sound technical ability.
Experienced and determined engineers will always find a way around controls if you do not give them some flexibility to accomplish their tasks. The worst thing that could happen is that you'll end up with shadow IT in your system. Flexibility, however, must be granted according to business needs and must be in line with security best practices.
This could mean different things for different organizations. While a small organization may prefer to grant admin rights to its developers while monitoring all their access activity, a large enterprise may have to fully revoke admin rights and provision access on demand.
While the use-cases between companies vary, the crux of the problem remains the same – difficulty in granting admin rights in accordance with company policies while not affecting your engineers' day-to-day tasks.
Keeping both parties (the IT security team and DevOps) satisfied requires defining granular policies that are specific to an organization's requirements. The most common use cases surrounding developer admin access are:
Endpoint privilege management (EPM) solutions come in handy here: they let you tackle multiple scenarios by controlling admin access through policies. With an EPM solution, the system administrator or the security person in charge defines centralized control policies for developers in the organization.
This can be done comprehensively, allowing certain users to access certain applications on certain computers. Developers can also be given the option of self-service admin rights for when their requirements are not covered by a control policy or they wish to install a new application.
Securden EPM has all the capabilities that organizations would need to control admin access to development tools in the way that suits them. An overview of what you could achieve with Securden EPM:
Securden EPM lets you secure endpoints across the organization and prevent malware while keeping user productivity high. Whether your organization is fully self-hosted on-premises, hosted completely on the cloud, or has a hybrid environment, Securden Endpoint Privilege Manager can cater to its needs.
Try it out for yourself now with a 30-day free trial!