Q&A: Setting the Proper Security Rights (Case Study)
Security administrators walk a fine line when they manage security rights. They need to make sure users can do what they need to do to get their jobs done, but not permit them to do more than is necessary. Finding the right permission level was the challenge watchmaker Movado Group faced: giving users admin rights was dangerous, but shutting off all rights was too disruptive.
We learned more about Movado's dilemma and solution from Steve Welgoss, desktop services manager for Movado.
Enterprise Strategies: Tell us about Movado Group and the security problem you faced.
Steve Welgoss: Movado Group is a premier watchmaker. We design, manufacture, and distribute watches for nine brands recognized around the world. We have headquarters in New Jersey and Switzerland and have multiple sales and distribution offices around the world. Movado Group employs over 1,300 people.
The focus and drive of our organization is to always implement best practices to proactively protect and preserve the prestige of our organization. In our workforce there are over 1,100 endpoints -- about 60 percent are desktops and 40 percent are laptops. These Windows-based endpoints run, on average, more than 30 applications; a few are custom apps. About 10 percent of the staff is mobile, and another 30 percent works in our retail stores.
Our IT team was facing a daily influx of support calls to the help desk about PC performance and reliability issues, from adware/spyware, toolbars being installed that came with pop-ups, the changing of system settings that caused performance degradation, and -- in some cases -- the total failure of applications as well as other debilitating user-caused circumstances.
We had to eliminate these errors and better secure our endpoints, so we removed administrator rights as a whole. In doing so, we found that employees needed administrator rights to install and/or execute certain applications, execute certain system functions, or do something simple such as install printers.
That doesn't sound like a satisfactory solution.
No, it wasn't. Employees had to wait for IT support to make a desk-side visit to fix the problem, which negatively impacted productivity as well as being costly and time consuming.
The IT group knew locking down endpoints was the right thing to do because we needed to be able to manage and control the desktop environment more efficiently, but a wholesale removal of rights wasn't the answer.
What products and/or services did you consider to solve this problem?
We began by looking at managing privileges through group policy and soon realized that wasn't the best solution for us. Through a Google search we came across Viewfinity and immediately liked the lighter footprint they offered due to the hosted infrastructure model.
What criteria did you use to evaluate these solutions and what criteria were most important in making your final selection?
Certainly cost played a big factor, which is why we initially tried working privilege policies using Group Policy, but we didn't have the comfort level we needed and it didn't provide the overall view we needed. We liked the Viewfinity management console because it provided the most accurate overall view of what was happening, and we liked the hosted solution. Because of that, Viewfinity separated themselves immediately. It was the single most important decision factor; everything else required a heavier footprint into our existing infrastructure.
For the most part, it was a level playing field, but the separating factors were the deciding factors, namely the management console providing the overall view and the hosted platform.
What solution did you finally choose, and how did you make your decision?
We rolled out Viewfinity as a part of VMware's View VDI so they could apply privileges to virtual desktop images operating in persistent and non-persistent pool models.
We are committed to adhering to the best practice of operating a least privileges environment and Viewfinity allows us to do this without disrupting user productivity.
Overall research took about 90 days or so looking at all options available and third-party vendors. Once we were past the research stage and homed in on Viewfinity, the hosted platform function was a test platform. The evaluation lasted for about 60 days, and we ran the product through a complete test environment and tested the full functionality of the product.
Tell us about your project and your implementation.
We didn't turn the full product on from the start. We ran our environment in audit mode for the first 30 days using the Viewfinity Privilege Management solution. It identified what applications were being used and any other tasks requiring administrative privileges that we weren't aware of. This allowed us to proactively establish policies to take care of user needs right away.
We assigned a senior software engineer as the deployment lead, and working with him were two technical counterparts in Europe and the Far East. The lead software engineer built the deployment schedule with them. Three additional help desk staff were assigned to the project, but everything was automated -- we just had them on hand in the event that we needed backup assistance.
Overall, the manpower allocated was one full-time senior software engineer who was the project lead, with two quarter-time and three half-time help desk staff on reserve. Deployment was purposely designed as a geographically based staggered rollout and ran the project out 30 days. Initially, we tested the solution on the IT department for 2-3 weeks so we could iron out any glitches, then followed with a full rollout to North America. After passing stress testing, we replicated and rolled out globally.
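The audit-before-enforce step described above starts with knowing who actually holds local administrator rights on each endpoint. As an added example that is not part of the interview and is not Viewfinity's or Movado's own tooling, the following read-only PowerShell script inventories the local Administrators group on a Windows endpoint and flags principals that are not on an approved list. It assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later, Windows PowerShell 5.1); the approved-principal list and the EXAMPLE domain name are constructed placeholders.

```powershell
# Added example (not Movado's or Viewfinity's code): inventory local administrator
# membership on this endpoint before any least-privilege policy is enforced.
# Requires the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1).

# Constructed placeholder list of principals allowed to keep local admin rights.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local administrator
    "EXAMPLE\Desktop Support"            # hypothetical IT support group
)

function Get-LocalAdminAudit {
    param(
        [string[]]$Approved = $ApprovedAdmins
    )
    # Enumerate every user and group in the local Administrators group.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    foreach ($m in $members) {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $m.Name                       # e.g. DOMAIN\user or COMPUTER\user
            Class    = $m.ObjectClass                # User or Group
            Source   = $m.PrincipalSource            # Local, ActiveDirectory, MicrosoftAccount
            Approved = ($Approved -contains $m.Name)
        }
    }
}

# Audit only: report the findings, do not change group membership here.
$report = Get-LocalAdminAudit
$report | Format-Table -AutoSize

# Keep the unapproved entries for review; removal is a separate, approved change.
$report | Where-Object { -not $_.Approved } |
    Export-Csv -Path "$env:TEMP\local-admin-audit-$env:COMPUTERNAME.csv" -NoTypeInformation
```

Run the script with elevated rights once per endpoint (or push it through your existing management tooling) and collect the CSV files centrally. The point of keeping it audit-only is the same one the interview makes: the list of unexpected administrators, and the applications and tasks those users rely on, is what lets you write policies for real needs before rights are pulled, rather than discovering the printer installs and Java updates through help desk calls afterwards.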
Now that implementation is complete, how are you monitoring the system?
Policies and permissions are now controlled from a centralized standpoint, so we have eliminated the high volume of support calls. Viewfinity allows us to go in and remove privileges en masse because we were able to predefine policies to fit actual user needs based on applications and tasks needing admin rights.
We are now much more efficient in dealing with these previously troublesome areas. Viewfinity Privilege Management does what it is intended to do: it strips privileges but gives us a flexible way to manage them. Rolling out Viewfinity helped us to control unproductive downtime and predict potential problem areas.
Have you any estimate of your return on investment?
The savings on time and cost are unquestioned. We had a decline in IT support calls -- that speaks volumes on its own. Within a month of rolling out Viewfinity, we had completely eradicated nuisance calls. Take two major sites in the U.S. There are about 250 employees at each, plus two IT help desk employees assigned to each site. At that ratio, being able to cut down on calls has a big impact on the overall productivity of the Movado workforce.
The realization as a whole is that the investment in Viewfinity Privilege Management will pay for itself in areas of our company following best practices and automating compliance regulations. The benefits have been realized by both our end users and IT staff. When they were all local administrators, it was a Catch-22. They needed to be self-reliant to handle issues such as printer installs and Java updates, but by providing widespread administrative rights, IT had to pay attention, otherwise end users would install the Google toolbar and other troublesome applications and add-ons.
With Viewfinity Privilege Management, end users can still run updates and install printers but the system is streamlined and controlled from the backend. We allow them to do things they need to do, but block the activities known to lead to problems. Our end users don't necessarily know why it's running better, but they are happy it is, and they still maintain the independence and control they require being in a regional office.