Managing least privileges from the Cloud
While Douglas County (Colorado) Libraries is a county governmental agency, we make every attempt to adhere to best practices set forth by federal agencies, one of which is the U.S. Government Configuration Baseline (USGCB). Formerly known as the Federal Desktop Core Configuration (FDCC), USGCB continues to be one of the most successful governmental IT programs aimed at helping to increase security, reduce costs and accelerate the adoption of new government technologies, while creating a more managed desktop environment. The driving force behind these mandates is the principle of creating a “least privileges” environment.
We've taken the proactive step even further and have secured our environment by operating in a least privileges environment. All of our users are restricted users, with no local administrative rights to their machines. While this better secures our desktop environment, it presents its own set of desktop management challenges.
For example, software deployments and upgrades usually require administrative rights on the endpoint to complete. We were fortunate to work with Viewfinity, which provided us with a very seamless and secure solution via its Privilege Management feature. This provides us with a method for securing our endpoints by elevating privileges at the application level, or for desktop functions, rather than providing total administrative privileges.
This solution means our systems are less at risk without sacrificing user productivity or increasing support call volume, thereby offering us a cost effective approach to providing a secure and productive desktop computing environment.
Scope of the initiative
Our first step involved upgrading Microsoft Office 2003 to Microsoft Office 2010. Using Viewfinity's software distribution, we upgraded more than 200 computers in one-tenth of the time it had taken us previously. This substantially reduced our normal upgrade time -- a project that typically took us six to seven weeks took less than a day. We created a customized setup file that allowed Office to install completely silently and then pushed this out to all the computers to install silently. Thus, no interaction was required physically at the computer location, or with the end-user. If we had done it manually, it would probably have taken hundreds or thousands of person-hours to visit each computer and complete the installation.
We also had the installation of the Microsoft BPOS software suite. This was very similar to the Office installation, except that this had five programs that had to be installed in a specific order. We were able to install these to hundreds of locked down computers, again saving a lot of on-site installation, and using the Cloud-based solution to control the elevated permissions.
Another major project was our Integrated Library System application that runs our entire organization. We had to upgrade the entire system to a new version, which required an upgrade of the client on the staff computers, as well. We were able to use the Cloud solution to set up distribution tasks to upgrade each branch after closing. This was a large task, but we were able to upgrade the clients of the entire district in just two hours. Since our IT staff did not have to spend time upgrading the clients, we were able to complete the back-end Server OS, DB and Applications upgrades the next morning in a record four hours and were back up-and-running 100 percent.
Business value from the Cloud
Using the Viewfinity Cloud-based solution has saved Douglas County Libraries significant time and money on IT administrative tasks, as well as ensuring that user productivity is not hindered. As an IT organization, we have succeeded with the age-old struggle to create the appropriate balance between a secure and productive user management environment, and ensuring enough flexibility to enable user innovation and productivity. Our struggles for cost efficiencies have been aligned tightly with the critical balance needed for managing users. We are leveraging all their features in order to achieve balanced management of our IT environment.
With more than 450 desktops to support, tasks and upgrades like these required us in the past to hire temporary IT staff to augment our desktop staff. We no longer have a need for this. This directly translates to more than $18,000 in savings per upgrade project. And we’ve handled more than 10 different upgrades and deployment projects since we started the program, for an initial year rollout savings in excess of $180,000.
When other libraries in our region have attempted similar upgrades, their systems were inaccessible to the public for at least two days. Because of the time that our approach saved us, our process completed in approximately four hours and still allowed limited access to services for our customers during the process. Using a Cloud delivery platform, there was no need for us to build an in-house infrastructure; thus, there are no servers to purchase or maintain and no software to keep current, thereby reducing implementation costs dramatically.
Monique Sendze is Associate Director of Information Technology for Douglas County (Colorado) Libraries. She can be reached at: