What you should instead be doing is creating role-based groups that are only able to perform the tasks and duties needed for those roles. Don't have a help desk that's full of superadmins. Instead, create role-based groups, each able to perform a task or set of tasks, then add the appropriate members of the help desk to those tasks -- such as reset passwords, add user accounts, modify permissions on a set of file servers, and so on. But I don't want anyone in my organization, help desk or not, having all access to all resources, users, and servers.
Broad or deep, but not both
If you have to give broad permissions (full control), don't give those permissions across all objects. If you must allow someone to have access to a global set of objects, don't let those permissions be deep. I got this concept from a coworker, Laura Robinson, but it really is nothing other than least permission with some guiding boundaries.
If you have users with broad and deep permissions and they don't use those permissions absolutely all the time, limit their access to the permissions. Maybe they have to log on to a secondary account or maybe it's time-bounded by a third-party privilege manager.
Access control permissions aren't everything. Limit access for any single person to be able to "touch" a great number of computers. Each person's access should only allow them to connect to the computers they directly control. Few users need access to all computers. Few workstations need access to all other workstations. Few workstations need access to all file servers. Few file servers need to access all workstations, and few file servers need to access all other file servers.
If this is true, then don't let them. I don't care how you do this, whether it's firewalls, IPSec, access controls, or network access controls. The idea is that no single compromised account should readily lead to all access to all other computers. Instead, what I usually see is a flat network where any user can readily contact hundreds to thousands of computers.
You want to make it so that a single compromised computer or user can damage your environment in only a very limited way. In my organization, I can access a total of eight servers out of tens of thousands. There is comfort that if I do something stupid -- like get compromised by an Internet malware program -- my mistake would only lead to a very limited compromise. I get comfort out of that; so, too, does my company.
I want my attackers to get frustrated. I want them to compromise an account only to find that they can't directly break into everything else. I don't want them to move horizontally and vertically in my organization. I may not keep them away from the crown jewels of the network, but I can sure try my best to frustrate them.
With BYOD and global IDs (Google IDs, LiveIDs, OpenAuth, OpenID, and more), a perfect storm is a-coming. These global IDs will morph in ways that we will have little control over, and they'll be able to access items we, personally, never intended. Authentication hacking will likely get worse in the future, not better. If you segment your environment correctly, you'll be able to better withstand these compromises.
This story, "RSA token attack obscures deeper security flaws," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.