By Aaron Firouz
How to Make Admins Hate Security Less
Walking the fine line between tolerable and obnoxious
Even the most forward-thinking organizations can sometimes default to outdated modalities, especially when it comes to security. Savvy ISSOs know that some security must be forfeited in the name of convenience, but modern threats require more security than most users would like.
Lots of products have made big strides in making their security more palatable for end-users: MFA only became ubiquitous when it became painless enough, passkeys are leaps ahead of OTPs or magic links for passwordless logins, and malware filtering sucked way less once it was largely handled at the perimeter rather than pegging our laptop CPUs at 95%.
But when it comes to privileged access, a lot of organizations are a decade—or more!—behind the curve. I know beleaguered colleagues who schlep around 2 or 3 laptops, 2 mobile phones, and multiple security keys for their multiple identities. Never mind their backs… think of the countless thousands of dollars wasted on unnecessary hardware.
Let’s start with the laptops. Most engineers—myself included—do 99% of their administration through a web browser (and maybe VS Code with a remote PowerShell or SSH session). Why do we need a separate laptop—usually beefier than our standard laptop—to do that work? And because of how locked-down these laptops are, we resort to less-secure methods of transferring files and data just to be able to get our job done. The Teams chat between me and my own admin account contains the keys to many castles.
If you really do need a Privileged Access Workstation (PAW), why not leverage virtualization? I don’t even mean paying hundreds for cloud VMs; just spin up a locked-down VM using Hyper-V on the local laptop. If you’re worried about a root-level exploit on the host reaching the secure VM, invert the layout: make the secure image the base OS and run the standard image as the VM, so a compromise of the everyday environment has to escape the hypervisor before it can touch the privileged one. Cheap, secure, and now your engineers don’t need to switch between physical keyboards and monitors a thousand times a day. The productivity gains are substantial.
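The inverted layout described above (hardened host as the PAW, standard image as the guest), as an added example that is not part of the original post: a PowerShell script that builds the standard-image guest on a local Hyper-V host and closes the guest-to-host data paths (file copy, clipboard and drive redirection, checkpoints) that a compromised daily-driver image could otherwise use. The VM name, switch name and file paths are placeholders.

```powershell
# Added example, not code from the original post.
# Builds the *standard* (daily-driver) image as a Hyper-V guest on a hardened
# host that acts as the PAW. Run from an elevated PowerShell on that host.
# Placeholders (assumptions): VM name, VHD/ISO paths and switch name are made up.
$VmName  = 'Standard-Daily'
$VhdPath = 'C:\VMs\Standard-Daily.vhdx'
$IsoPath = 'C:\ISO\standard-image.iso'    # your standard corporate image
$Switch  = 'External-LAN'                  # pre-created external vSwitch

# Generation 2 guest so Secure Boot and a virtual TPM are available;
# MDM/Intune compliance checks inside the guest expect both.
New-VM -Name $VmName -Generation 2 -MemoryStartupBytes 8GB `
       -NewVHDPath $VhdPath -NewVHDSizeBytes 128GB -SwitchName $Switch
Set-VMProcessor -VMName $VmName -Count 4
Set-VMMemory    -VMName $VmName -DynamicMemoryEnabled $false

# Attach the install media and boot from it the first time.
$dvd = Add-VMDvdDrive -VMName $VmName -Path $IsoPath -Passthru
Set-VMFirmware -VMName $VmName -FirstBootDevice $dvd

# Secure Boot plus a vTPM (the key protector must exist before the TPM is enabled).
Set-VMFirmware     -VMName $VmName -EnableSecureBoot On -SecureBootTemplate 'MicrosoftWindows'
Set-VMKeyProtector -VMName $VmName -NewLocalKeyProtector
Enable-VMTPM       -VMName $VmName

# Close guest-to-host data paths: no host<->guest file copy service, and no
# checkpoints of the standard image lying around on the PAW's disk.
Disable-VMIntegrationService -VMName $VmName -Name 'Guest Service Interface'
Set-VM -VMName $VmName -AutomaticCheckpointsEnabled $false -CheckpointType Disabled

# Enhanced Session Mode is what carries clipboard and drive redirection through
# VMConnect; turning it off host-wide leaves only a basic console session.
Set-VMHost -EnableEnhancedSessionMode $false

# Keep the guest from spoofing MACs or acting as DHCP/router on the shared NIC.
Set-VMNetworkAdapter -VMName $VmName -MacAddressSpoofing Off -DhcpGuard On -RouterGuard On

Start-VM -Name $VmName
```

The guest still needs its own MDM enrollment, patching and endpoint protection like any other standard endpoint; the script only sets the boundary between it and the PAW host.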
What about mobile devices? Admittedly, I don’t have a snappy answer for this one. I just hate carrying two phones.
But unless your users consent to enrolling their personal devices with your MDM, letting them access company resources on personal devices is a massive security risk. And good luck convincing them to let your Big Brother MDM watch them scroll TikTok and Facebook. The irony is not lost on me.
Finally, I’ve argued for years that separating standard and privileged accounts is largely unnecessary. Every modern IdP has numerous mechanisms available to control access, authorization, auditing, and privilege escalation. If you already require PIM (Privileged Identity Management) and/or PAM (Privileged Access Management), why do admins need to use a separate “admin” account only to then activate their admin privileges? This may have been necessary in the early days of Active Directory, when security group membership dictated access and permissions, but even on-premises PIM/PAM solutions made this approach obsolete a decade ago.
To be clear: this criticism is not a blanket indictment of these practices. There are always edge cases where these additional layers of security are absolutely necessary. But if you’re more than three levels removed from the nuclear football, chances are good that you’re wasting a lot of money and energy on unnecessary security designs.
Aaron Firouz
Chief Architect
Hekima Business Solutions