Many large companies have IT policies where even low-level IT employees have privileges such as remote access to any company computer (often automatic, able to override user denial, or even silent), or administrative access to any company computer. Basically, these are policies where IT employees have relatively centralized and loosely limited access, even to computers that they may not physically have access to.

This seemingly opens a fair number of vulnerabilities, potentially allowing a single compromised IT computer to do a lot of damage or steal a great deal of data, something that is not merely theoretical; e.g. KnowBe4 recently hired a North Korean hacker to their IT team with predictable consequences (but how many such cases never make the news or are not caught?). However, as mentioned, these are fairly widespread practices.

Is this strategy the best cybersecurity practice? Or are there better ways of doing it?

  • 3
    The title and the body of the question seem to contradict. The title asks about the risk of centralized IT access policies. But your body contains only examples for insecure policies by giving users privileges they don't actually need. Such insecure policies can be configured no matter if centralized IT or not. Similar less broad privileges can be achieved with centralized IT by automatically deriving privileges from organizational structures maintained by HR and others, i.e. department, team, roles, ... Commented Oct 18, 2024 at 22:46
  • 1
    @SteffenUllrich - I'm specifically asking about "common centralized IT security policies," and I mention which specific ones I mean in the question. I mention "centralized" because it's presumably more of a risk for someone to have certain kinds of access to a larger number of computers than to a small number, or without physical presence versus requiring it. Commented Oct 18, 2024 at 22:48
  • 2
    So you are asking if it is possible to configure more user-specific privileges than give all users the same broad privileges? Sure, this is possible - but of course it must be known which users require which privileges in the first place. This has nothing to do with centralized or not. "I mention "centralized" because it's presumably more of a risk" - this is what I mean with title and body contradicting: title asks if this is a risk yet then you simply presume that this is the case and base this on your own specific example. Commented Oct 18, 2024 at 22:58
