Do you know the security threat levels of the systems within your organization – and, thus, the right way to balance security and usability? With organizations returning to “normal” and ransomware getting more sophisticated, the time is now to assess the threat level of your organization’s systems and the most effective way to balance security and usability for each.
Historically, operating system and application vendors have published hardening guides containing rigid recommendations for how to keep their products secure. While such guides do have their place, their recommendations are not always 100% realistic when it comes to security threat levels. Although security is undeniably important, security has to be balanced against other factors, including perceived risks, end user experience and operational functionality.
Data Security to the Max
A friend used to say that if you really want to keep your data secure, lock it away in a safe and then put the safe at the bottom of the ocean. At that point, the data is secure--but it isn’t usable. That’s the same problem that can occur as a result of using the overzealous security recommendations put forth by vendors.
For example, you’ve probably seen examples of desktop operating systems that were hardened to the point that they became borderline unusable. Users, for example, might find themselves constantly having to enter their password, even though they just entered it a moment ago. Likewise, users may discover that they lack the basic permissions to do even simple things that would make their jobs easier. Desktop operating systems can even be hardened to the point that legitimate applications either will not run at all or are severely impaired.
So, how can an organization strike the perfect balance between keeping their desktop secure and not getting in the way of the end users being able to do their jobs? This is one of those questions that has been debated for years, and there probably isn’t an easy answer. However, by assessing its priorities and security threat levels, organizations can begin to both fine-tune and standardize device security.
Security Configuration Framework
One way in which an organization might be able to strike the appropriate balance between security and functionality is to adhere to the basic principles outlined in Microsoft’s Security Configuration Framework. Although this framework does make specific recommendations such as enabling BitLocker encryption and turning on Windows Hello, the higher-level concepts outlined by the framework can be extended to nearly any operating system. As such, an organization may be able to leverage this framework as a starting point for developing a set of security guidelines that apply to the organization as a whole. From there, the organization’s IT team can begin figuring out how best to implement those guidelines on an operating system by operating system basis.
For instance, an organization might determine that users who access sensitive information from their desktops should be using Windows Hello for authentication. Windows Hello is specific to Windows, of course, but other operating systems may have a similar feature that could be used as an alternative.
Assessing Security Threat Levels
More generally, the Microsoft Security Configuration Framework includes five different security configuration levels. These five levels were designed by Microsoft to mimic the DEFCON levels that the military uses to convey the current threat level.
Microsoft divides the security configuration levels into two distinct categories. Levels 1 through 3 apply to productivity devices, while levels 4 and 5 apply to privileged access workstations. The implication is that if a workstation is to be used for privileged access, then it is a bad idea to also use it as a casual productivity device.
- Level 1 is the lowest security level. Microsoft defines this level as Enterprise Basic Security. It represents the minimal level of security that should be applied to any device.
- Level 2 is defined as Enterprise Enhanced Security. This level is meant to be applied to devices that access at least some sensitive or confidential information. It’s similar to Level 1, except that some of the security controls are more stringent.
- Level 3 is the Enterprise High Security configuration. It’s meant to be used by organizations that have their own dedicated security teams and are at risk of targeted attacks perpetrated by sophisticated cybercriminals.
- Level 4 is designated as a Specialized Workstation. This is the first level at which a device is approved for privileged access. It is intended for use primarily by developers or by IT staff members who have been tasked with testing various systems.
- Level 5 is an Administrator Workstation. This level is for devices that carry the highest risk and therefore require the most stringent security.
Bottom Line: The Time is Now to Assess Security Threat Levels
Organizations can use these levels as a starting point to define and standardize the security applied to different devices in the organization. This will be especially important as organizations adjust to the new “normal,” with end users potentially re-entering the physical office space (for part of the time, at least) after more than a year working remotely. Indeed, this may be exactly the right time to step back and assess the security threat levels of all the organization’s systems.