A community college in Texas found a tool that enabled it to fend off viruses while coming into compliance, reports Greg Masters.
When a laptop came into his office with a record 893 viruses, John Colville had seen enough.
The instructional technology director for Kilgore College (KC) and his IT staff were already experiencing a high number of virus attacks and malware, partly due to the fact that most of the college's staff and faculty had administrator rights. Complicating the situation, the community college – located in Kilgore, Texas, with another satellite campus in Longview, Texas – was moving toward taking more online credit card payments, driving a need for payment card industry compliance.
"When a machine was inundated with viruses and malware, our common course of action was to reimage and completely rebuild the machine, leaving the staff member without a machine for up to several days," says Colville. Plus, it would cost the staff hours in operating expenses.
It was time to find a cure and his IT staff got on the case. The first step involved reviewing and deciding on the solutions necessary to address the problems the institution was facing. Colville and System Engineer Luke Saintignan took charge of testing out a number of possible solutions and selecting the best one.
They chose an agent-based solution from Viewfinity that can be implemented through the Waltham, Mass.-based company's SaaS/cloud platform, via on-premise servers as a private cloud, or as an extension to Group Policy. This flexibility allows policies to be managed through the standard Group Policy Management tools, says Leonid Shtilman, Viewfinity's CEO.
"Through the use of automated policy settings, companies control end-user and privileged user rights for applications and systems which require elevated permissions," he says. "Our granular-level control enables companies to create policies based on segregation of duties for configurable, logical groupings: departments, applications, end-users, connectivity status, time of day and more."
The tool elevates administrative rights for certain processes or applications, rather than at the user account level, he explains. When permissions are raised, the elevation is performed directly within the security token of the specific user process. The application or process is started using the current user credentials as opposed to using credentials of another account.
These functions were just what Colville and his team at KC were looking for. "We chose Viewfinity because of its ability to support off-campus laptops, especially during the summer months when staff works remotely and the fact that policies are always active regardless of connectivity status," he says.
The deployment went very well. The IT staff decided to start its deployment with the biggest power user: the college's president. After he threw everything at Colville's team, they moved down the line to the VPs, deans, and eventually to nearly seven thousand students.
With the move to a least privilege environment and with the help of Viewfinity, Colville says his team has been able to better protect strict data from unauthorized users through elevated privileges. Users are given only those rights needed to perform their daily job functions and cannot access data to which they are not authorized.
Moving to a least privilege environment also enabled the IT admins to reduce faculty downtime and achieve PCI compliance. Additionally, says Colville, certain Texas administrative codes that cover state agencies and institutions of higher education have strict data protection policies. By locking down PCs and using Viewfinity to manage privileges, he was able to better adhere to the state codes, as well as PCI compliance.
"The tool is different because of our technology and automated approach to successfully implementing and managing a least privilege environment," says Viewfinity's Shtilman.
The offering's server-model architecture provides extensive auditing and reporting, which is critical for compliance validation, he says. "Our architecture supports telecommuting workers who are not members of Active Directory domain, including connections via the public internet."
Viewfinity manages multi-domain clients from a single management console, supporting multiple AD domains or Forests. The product collects events which require administrative rights, such as applications and administrative actions, from thousands of endpoints, and automatically creates policies to support these events.
One thing that made the deployment at KC go smoothly was the real-time policy propagation, says Colville. "This is critical, as all end-users need to be able to work without productivity being impeded."
The Viewfinity Privilege Management software is easy to manage and operate, he adds. "The implementation of Viewfinity has far exceeded our expectations because Kilgore College has been able to better adhere to Texas Administrative Codes and PCI compliance with locking down PCs and using Viewfinity to manage privileges."
Seeing as how the tool has lightened the workload of the college's IT team, reduced faculty downtime and achieved PCI compliance, the goal now is to expand the implementation and deploy Viewfinity Privilege Management to new desktops and devices.
Kilgore College, like other higher education institutions, is always facing threats of unwanted virus and malware attacks, says Colville. "Every day there is a new virus or malware created to infiltrate networks. With the implementation of Viewfinity Privilege Management, the threat of these attacks has been greatly reduced because our end-users are running without administrator rights."
Shtilman adds that Viewfinity software updates can be pushed out in several ways: using the Auto Agent update process that is built into the Viewfinity console, via the Viewfinity Software Delivery feature, through native GPO software delivery, or via any third-party software delivery solution, such as Microsoft System Center Configuration Manager.
In regard to policy propagation, all policies are applied in real time and do not require users to cycle through the logon process. Viewfinity doesn't require desktops to be part of the domain or to be attached to the corporate network in order for privilege elevation policies to be delivered. As soon as the PC connects to the internet, Viewfinity delivers the policies and rules established by the IT administrator. Once delivered, all policies continue to be enforced even while working offline.
Additionally, KC's IT team has been able to continue to use all of the fundamental tools and applications in which it invested because it is able to grant privileges to its custom college program and other programs that require administrator rights.
"Everything is working fine," says Colville.