A case for 'least privilege' solutions to the insider threat
For years now it's been widely understood that the greatest threat to information security comes from inside the corporation. You have to constantly be on the lookout for all the usual suspects: workers with an ax to grind, employees who have given their notice, contractors on their way out, etc. Luckily, you don't have to worry too much about trusted executives or the vast majority of the workforce satisfied in their jobs. Right?
The fact that you do have to worry about the "good guys" is the premise of a new book, Preventing Good People from Doing Bad Things: Implementing Least Privilege by John Mutch and Brian Anderson, chief executives at BeyondTrust. The authors obviously have an interest in promoting their company's offerings, but the book looks broadly at the problem of excessive privileged access in the IT environment and ways to address it.
"If you have employees with excessive privileges or access to sensitive data, then they are at risk of intentionally, accidentally, or indirectly misusing that privilege and potentially stealing, deleting, or modifying the data," the authors write. "There is a very fine line between intent and action, especially when excessive privileges on IT resources are involved."
Privileged accounts are pervasive, problematic and too often misused, the authors argue in this 188-page book. Drawing from case studies, analysts, auditors, business and IT experts, they warn against privilege-related behaviors that they say exacerbate security risks, including giving employees access to root passwords, allowing desktop users to run as administrators, and bypassing logging.
The book makes a case for deploying "least privilege" technologies to rein in the insider threat, particularly as it pertains to "good guys." Mutch and Anderson maintain that the individuals who need least privilege are the business executives, technologists and auditors. These individuals end up with excessive privilege largely because of the tendency to confuse rank with privilege.
"Trusted insiders tend to want to collapse rank and privilege into one concept, which inherently is why good people get triggered to do bad things," they write. Assuming that higher rank brings greater knowledge can lead to complacency.
The authors devote one chapter to implementing least privilege in the server environment, which they say is the target of 92 percent of attacks. "In a secure and compliant server environment, end users are not entitled to the root password or even superuser status because organizations can no longer tolerate the security risks posed by intentional, accidental, or indirect misuse of privileges." At the same time, system administrators need privileged access to servers, and too often they share root passwords and manage policy creation and change manually. With a server-based least privilege solution, they can delegate privileges without revealing root passwords, and privileged access is recorded.
I found the book insightful and easy to read, although it contains some filler that could have been edited out (such as tongue-in-cheek Top Ten lists of "reasons to care about who has privileged access to your IT" and "reasons good people do bad things without least privilege"). The narrative is also chopped up by the use of three fictional "unsung IT heroes"--Secure Sam, Least Privilege Lucy and Compliance Carl--who "weigh in" at the end of each chapter. It would have been a smoother read if the authors had just summarized each chapter's lessons in their own voice. And if real people were quoted weighing in, that would have been even better. But these are just two small gripes about a book that is otherwise very manageable and offers interesting perspectives on the matter of privileged access. - Caron



