Leonid Shtilman has nearly 20 years of experience founding and running leading-edge security software companies. Currently, he leads Viewfinity, which provides privilege management and application control for desktops, laptops and servers.
Identity Week recently spoke with Mr. Shtilman about how organizations can effectively implement a least privilege management solution, and got his insight into new and emerging security threats in IT.
1. Today it seems like a common practice for some organizations to allow normal users to run as administrators. So, how did we get here? How did this insecure practice become so commonplace?
With the release of Windows 7, this is not as much of a common practice as it had been previously. The Windows 7 desktop refresh has prompted most organizations to re-assess their approach to PC lockdown. We ran a survey that indicated a 456% jump in demand to implement privilege management software for companies planning to migrate to Windows 7. The data further shows that 63% of survey respondents deem it critical to manage administrative privileges for end users to ensure security and reduce vulnerability. The key element here is that companies recognize the fundamental layer of protection that is achieved by removing administrator rights, and with that, they want the transition to least privilege to be as non-disruptive to user productivity as possible. That’s the business value gained by using a solution like Viewfinity Privilege Management. The principle of least privilege is enforced, and when done properly, most users are not aware their environment has changed in that regard.
2. How can organizations balance the convenience of users being able to access and run all the systems and applications they need to be productive, with the organization’s need to avoid downtime and protect sensitive data?
A project to transition to least privilege, done properly, requires upfront analysis to determine user needs and to prepare the environment. A privilege management solution should provide an end-to-end best practice approach that helps enterprises identify needs based on actual user activity, which then balances the rigidity of locking down endpoints with the needs of user customization. It provides security and operations professionals with a method for securing the endpoint by elevating privileges at the application level, or for desktop functions, rather than providing total administrative privileges. Systems are less at risk without sacrificing user productivity or increasing support call volume, thereby offering a cost-effective approach to providing secure and productive desktop computing environments.
3. From your experience in IT security, today what threats are organizations least prepared to handle and why?
Organizations are not fully prepared to mitigate advanced security threats, i.e. threats which are not yet covered by antivirus. One of the most popular ways to infiltrate servers is to exploit administrative rights on laptops and, through that path, get into a position that allows for an attack on the vital part of the enterprise infrastructure. A growing and highly regarded opinion among IT professionals is that controlling rights on personal computers and servers is a crucial part of any security solution. Adhering to the principle of least privilege is in the best interest of all companies, whether in the commercial sector, healthcare, within government agencies, etc.
4. When it comes to IT security, what’s the most common mistake you’ve seen among IT professionals?
Having an unbalanced approach when planning the risk mitigation of internal versus external threats is something we hear about quite a bit from both prospects and customers. And it’s an underlying theme that we often read about when security breaches are publicized. While external threats have most traditionally been covered by firewall and antivirus, the internal threats and the breaches brought on by advanced persistent threats now mandate several layers of protection. Among them: implementation of the least privilege principle on desktops and servers, secure password stores, and other systems and platforms that are vulnerable to security risks.
5. What new IT security threat do you see on the horizon and how can IT groups protect their organizations from it?
There is no magic solution and, for now, it appears to be a permanent war between “good guys” and “bad guys”. One cannot propose any bulletproof solution, but rather, in order to minimize damages, organizations must take a best practice approach whereby implementing all layers of protection is necessary. Post-breach damage control is a must in this equation as well, so in addition to the proactive, protective measures that can be taken, IT security professionals should enhance “post attack” readiness by using tools for localization and termination of damages.
Leonid Shtilman is Chief Executive Officer of Viewfinity. Prior to Viewfinity, Mr. Shtilman served as Senior Vice President of CA Inc., which acquired XOsoft, a company that Mr. Shtilman founded in 1999 and where he served as President and Chief Executive Officer. After leading XOsoft through a restructuring and repositioning in 2001, the company placed among the top emerging companies in the disaster recovery/business continuity software industry, exceeding 2,500 customers and receiving multiple product excellence awards. Under his vision and leadership, Mr. Shtilman brought the company to its successful acquisition by CA.
Prior to XOsoft, Mr. Shtilman founded Identify Software and C3D Inc. He also served in various positions at NASA, MIT and Princeton University, and was a tenured professor at Tel Aviv University and The City University of New York. Mr. Shtilman holds multiple patents and two Ph.D.s: Mathematics (Israeli Technion) and Mechanical Engineering (Tel Aviv University).