Endpoint privilege management pilot program is underway
The University of Utah will soon change how computer administrator privileges are assigned for university-owned and -managed Mac and Windows computers, as well as command-line permissions. UIT has purchased a BeyondTrust endpoint privilege management (EPM) solution and in the coming months will work with local IT administrators to install EPM packages on qualifying computers across the institution.
With EPM, users have elevated rights to install, update, and/or remove a set of trusted software applications (e.g., Zoom and Google Chrome). For standard users, the current process requires the assistance of local IT support staff, often in the form of remote access. EPM follows the principle of least privilege (PoLP), the practice of limiting access only to resources required to perform routine, authorized activities.
“The EPM program strikes a balance between usability and security,” said Dave Packham, associate director for Identity & Access Management (IAM) in the U’s Information Security Office (ISO). “We want members of the U community to have a reasonable level of control over the tools they need to do their jobs, but not unrestricted administrative rights. Too many privileges, even for users who are extremely conscientious, put critical university data and systems in jeopardy. The policy-based controls of EPM will give users some autonomy without exposing the university to unnecessary risk.”
Led by the IAM team and supported by the Office of the President, EPM is part of a broader university-wide effort to establish a unified set of security tools and better manage the use of privileged credentials in the U’s computing environments.
A pilot program for the EPM tool, which is expected to include 12 groups, started on March 8. The pilot captures information about the most-used applications on U-managed devices with software agents. The collected data will allow the ISO to write security policies that grant elevated privileges to a set of approved applications. The list of applications will vary based on use cases of individual departments, colleges, and organizations.
Packham said participants in the EPM pilot program should experience little disruption. After the software agent is installed, users may notice a new icon in the menu bar or, on Windows devices, the system tray/notification area in the taskbar. EPM-related prompts will occasionally appear when trying to perform an action that requires elevated administrator privileges. The administrative rights for some applications may be elevated without generating any user prompts.
Aside from the benefit of users having more control over commonly used applications and administrator-level commands, the hope is that EPM will lessen the burden on UIT Help Desk, ITS Service Desk, and local IT support staff.
“We expect that EPM will be especially useful to remote workers who otherwise depend on computer support staff to remotely access their devices and update these applications,” Packham said.
Following the pilot program, the IAM team will deploy EPM in coordination with local IT staff to all university-owned and -managed devices at a date to be determined.
Node 4