Blog / Using User Permissions Properly
Who gets which user permissions can be a thorny issue.
When it comes to cybersecurity, giving employees the appropriate user permissions is essential. While the specific technical issues can be complicated, the overall idea of user permissions is pretty simple; different types of users are given different degrees of access to different systems according to their job requirements. This is especially true in the modern world, as just about any action you take on a computer requires some form of permission these days. For a bit of historical context, let’s look at how computer security and user permissions have evolved over the past century.
User Permissions Through History
In the early days of computing (we’re talking 1930s and ’40s WW2 era punched card machines here), the relatively high cost of computers meant they were really only accessible to the military and major research institutions. Because they were highly specialized, rare, and so large they’d take up an entire room, security could be achieved through purely physical means. All it took was to limit who could actually access the thing and keeps its design and data out of enemy hands. Ensuring that only the people who had permission to use these machines was fairly straightforward.
There were plenty of changes to computing over the intervening decades, such as the switch from punch cards to microchips and a radical reduction in size, but despite these advancements the relative costs kept computers relegated to institutional use as memory and storage were still enormously expensive. It wasn’t until the 1980s that computers reached the general public, becoming increasingly commonplace first in business, then later in people’s homes. However, wireless communications were virtually non-existent, so securing computers was still a real-world endeavour, such as locking office doors and building access points, but also locking away the cassettes, floppy disks, and later the compact discs that software was distributed on back then.
Let’s fast forward again, this time to the modern day. Again, the intervening decades included enormous advances in computer technology, but this time they led to memory and storage orders of magnitudes cheaper than before, a massive explosion in CPU speeds, and of course, wi-fi and the internet. Nowadays computer security, now called cybersecurity, is managed with tools like Bitlocker and multi-factor authentication, which ultimately brings us to the issue of modern day user permissions.
That’s not to say user permissions are a new development, though. Indeed, the point here is that they’ve been around since the beginnings of computing; it’s just that limiting who can use a computer and to what extent used to be managed with locks, log sheets, and security guards, rather than user names and passwords.
Administrative vs. employee user permissions
Insofar as modern computing goes, there are primarily two types of user permissions; administrative, and employee. Many organizations will delineate different levels of each, such as admin and super admin permissions for managers and CEOs, and different employee-level permissions for departments like accounting, sales, and marketing. The specific actions each permission set enables will change from organization to organization and even software to software, but in general administrative permissions are required for high-level items like installing software and on- or offboarding users, while employee permissions relate to things like editing files, viewing their time sheets, and updating tasks they’ve been assigned. Depending on the software, there may be a third, middle-level, for management access, though these are often just a bundle of “low-level” administrative permissions.
There is one other issue to address, and that’s sharing administrative access with employees. This often happens in smaller organizations looking to cut costs by using a single software license for multiple users, but happens at every level of business for a variety of reasons. Whether employees should be granted administrative permissions is a different question, the answer to which is, generally speaking, no, and for good reasons.
- Firstly, administrative access isn’t required for most of what computers are used for. Staff don’t need such high-level access to check email, and shouldn’t even need to install software at all. Even if they have permission to, doing so is still IT’s job and they’re the ones who need the administrative install permission.
- Often the reason people ask for administrative access is just to get around an annoying behavior, usually security-related, they don’t experience at home, which doesn’t have the same security concerns. Make certain administrative access is truly required by the personnel requesting it.
- Secondly, PCI-DSS and PIPA both have rules regarding how administrative access to is managed. PCI-DSS, for example, requires that users have the minimum level of access needed to perform their job. PIPA doesn’t have any specific rules regarding admin access, but does require you to follow any contractual, legal, or regulatory requirements, such as PCI-DSS, that apply.
At the end of the day, handing out administrative user permissions is necessary but can be dangerous in the wrong hands. They should be restricted to those that need it, and that need has to stem from an official responsibility of their job. Remember that most times the computers in question are the property and responsibility of the organization, not their users, and your cybersecurity standards need to reflect that.
For today’s quote I’ll turn to Hamlet: “To be, or not to be, that is the question: Whether ’tis nobler in the mind to suffer the slings and arrows of outrageous fortune, Or to take arms against a sea of troubles And by opposing end them.”
If you’d like help establishing and configuring new user permission standards for your organization, contact a TRINUS cybersecurity technician to get yourself some stress-free IT.
Be kind to each other, courtesy your friendly neighbourhood cyber-man.