- Flash Installer/Updater
- Apple iTunes
- Google Chrome
- Adobe Acrobat Updater
- Blackberry Desktop Manager
- Citrix GoToMeeting
- Cisco WebEx
- HP Universal Printer Driver
- VLC Media Player
- Adobe AIR.
The common solution to this software checkmate, available since Windows Vista and Windows 7, is to allow privilege escalation on demand through User Account Control (UAC), but this too comes at a price: admins are bombarded with requests for passwords to elevate application privileges without the visibility to know whether a specific request is justified. Generation Y, meanwhile, is frustrated at even having to ask.
Migration to Windows 7 has turned out to be the important moment where organisations reassessed hardened assumptions about the way employees use and access applications, and a growing number have concluded that the rational response is to invest in least privilege management. With this design, users can request application admin privileges on a case-by-case basis after authenticating themselves in a way that offers audited admin oversight.
The user is given the privileges he or she needs and can use applications on demand with the added benefit that admins are given some visibility into which new applications are finding their way on to the ‘required’ list of the workforce. These rights can be revoked when they are no longer needed, which could be as little as minutes later.
This model overcomes the unhelpful cultural barrier that can spring up between those whose job it is to administer software and employees who might be asking for unsanctioned but potentially beneficial applications admins haven’t even heard of.
There’s no simple answer to identifying which applications might be beneficial and which will turn out to be a productivity-sapping chore. It depends on the type of organisation and the specific set of workers. Where might red lines be drawn?
In the blocked group will sit obviously malign applications (i.e. malware) or illegal or inconvenient ones (e.g. bandwidth-consuming P2P or video), but in truth the overwhelming majority will be tagged rather unhelpfully as ‘grey’, their status unknown.
A good example of this is Skype, deemed appropriate for some users and organisations but not for others required to meet regulatory constraints that an encrypted channel into and out of the organisation clearly infringes. It just depends. With application and privilege management, admins will at least have an overview of an application’s popularity inside an organisation, the better to make an informed decision.
Opportunity not threat
From the point of view of traditional, centralised IT, BYOD and consumer software are inherently difficult to assimilate. Admins are instinctively wary, and with good reason. In conventional IT, the users are the source of most problems, starting with the misuse of software. But here’s an intriguing thought: far from being negative and risky, perhaps the way Generation Y adopts new applications could have long-term benefits if a way can be found to accommodate the behaviour.