Thursday, February 16, 2006

Safeguarding your enterprise from System Administrators

Tech Republic Blog, in "Stop Trusting System Administrators", states that:

I'm wondering if anyone else has ever wondered if you can actually stop your most senior IT superuser, your most trusted systems administrator, from being able to operate 'without restriction' in your network.

Is the answer to split the passwords for the highest level access into two, and give half to the systems administrator, and the other half to the senior internal auditor? So that neither could access the highest level account without the involvement of the other.

Why would you want to restrict your systems administrator at all?

Because they have children, wives, and a hundred other ways of being 'turned' by someone who wants to do that badly enough. But wouldn't the audit trails reveal any wrong doing by the system administrator?

Not if they had sufficient access to manipulate the audit files. So all we have to do is prevent the systems administrator from being able to touch the audit files? Yes. How do you do that if they have full access?

Don't give them full access - create an account that does everything they need EXCEPT the ability to touch the audit files, and give them that.

Call it the Systems Administrator Operations account. Then take the true Systems Administrator access and split the password between the Administrator and the Auditor.

The Auditor won't be using that for their day to day work (they'll have an Audit account), so in fact the Administrator and the Auditor shouldn't need to do the two key trick very often at all.

Would this work, has anyone tried it? Are there ten thousand system administrators out there who would take this as an attack on their integrity?

Should we nevertheless rise above our stung pride and start thinking seriously about accountability?
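The quoted post proposes splitting the privileged password in two. As an added example for this page (not code from the Tech Republic post or its author), the Python below contrasts the literal split the post describes with two-party XOR secret sharing, which gives the same "neither can act alone" property without either holder learning half of the real password: one share is random, the other is the password XORed with it, and only the combination recovers anything. The sample password is constructed.

```python
import secrets


def naive_halves(password: str) -> tuple[str, str]:
    """Split a password into two literal halves, as the quoted post suggests.
    Each holder learns a real fragment of the password outright."""
    mid = len(password) // 2
    return password[:mid], password[mid:]


def split_secret(secret: bytes) -> tuple[bytes, bytes]:
    """Two-party XOR secret sharing.

    share_a is uniformly random; share_b is secret XOR share_a. Either share
    on its own is indistinguishable from random bytes, so neither the
    administrator nor the auditor learns anything about the password until
    both shares are brought together (the "two key" ceremony)."""
    share_a = secrets.token_bytes(len(secret))
    share_b = bytes(s ^ a for s, a in zip(secret, share_a))
    return share_a, share_b


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Reconstruct the secret. Both shares are required and must match in length."""
    if len(share_a) != len(share_b):
        raise ValueError("shares do not belong together")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def leaks_fragment(half: str, password: str) -> bool:
    """True if a holder's piece is literally a substring of the real password."""
    return half in password


if __name__ == "__main__":
    # Constructed sample credential, not a real one.
    pw = "constructed-break-glass-password"
    a, b = naive_halves(pw)
    print("naive halves are real fragments:", leaks_fragment(a, pw), leaks_fragment(b, pw))
    sa, sb = split_secret(pw.encode())
    print("XOR shares recombine correctly:", combine_shares(sa, sb).decode() == pw)
```

Storing the two shares with the administrator and the auditor respectively gives the post's dual control; a rotated password simply means a fresh `split_secret` call and a fresh pair of shares.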

One commenter replied that this "two key" approach would not work and offers this:

There's an alternative, though: configure all systems on the network to send system and user log data to a given reserved IP address. Don't have a computer at that address: have one outside the network's address range that uses a utility such as snort to "listen" for traffic directed at that address and log it.

This creates an "anonymous" logging server. You can give that server a root password (since it would best be implemented with a unixy OS, I'll not play silly buggers with euphemisms for "root") that is not in the sysadmin's possession, and let the auditor manage that system. Voila, you have accountability without destroying the effectiveness of your sysadmin.
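The commenter's design above, as an added example that is not part of the original post or its comments: the core of that "anonymous" collector is a passive listener that keeps only datagrams addressed to the reserved address nobody answers on, so the sysadmin has no host to log into. The Python below, written for this page, shows that filtering plus RFC 3164 style PRI parsing on constructed IPv4/UDP packets rather than a live capture; in a real deployment the bytes would come from snort or a raw socket on the auditor's machine. The sink address 10.99.99.99, the source hosts and the log lines are all constructed.

```python
import ipaddress
import re
import struct

SINK_IP = "10.99.99.99"   # constructed: reserved address with no host behind it
SYSLOG_PORT = 514
PROTO_UDP = 17
PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)


def build_packet(src_ip: str, dst_ip: str, dst_port: int, payload: bytes,
                 proto: int = PROTO_UDP) -> bytes:
    """Assemble a minimal IPv4 + UDP datagram (checksums left zero) for the demo."""
    udp = struct.pack("!HHHH", 40000, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64,
                     proto, 0, ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    return ip + udp


def parse_syslog_packet(packet: bytes, sink_ip: str, port: int = SYSLOG_PORT):
    """Return a log record if the packet is UDP syslog addressed to the sink, else None."""
    if len(packet) < 28:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != PROTO_UDP:
        return None
    # Only traffic aimed at the unassigned sink address is of interest.
    if str(ipaddress.ip_address(dst)) != sink_ip:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    _, dport, udp_len, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dport != port:
        return None
    payload = packet[ihl + 8: ihl + udp_len]
    facility = severity = None
    msg = payload
    m = PRI_RE.match(payload)
    if m:
        pri = int(m.group(1))          # PRI = facility * 8 + severity
        facility, severity = pri >> 3, pri & 7
        msg = m.group(2)
    return {"src": str(ipaddress.ip_address(src)), "facility": facility,
            "severity": severity, "msg": msg.decode("utf-8", "replace")}


def collect(packets, sink_ip: str = SINK_IP):
    """Filter a batch of captured datagrams down to syslog records for the sink."""
    return [r for r in (parse_syslog_packet(p, sink_ip) for p in packets) if r]


# Constructed capture: one real syslog datagram for the sink, one to another host, one TCP.
SAMPLE_PACKETS = [
    build_packet("10.0.0.5", SINK_IP, SYSLOG_PORT,
                 b"<134>Feb 16 06:12:00 web01 sshd[412]: Accepted publickey for ops from 10.0.0.7"),
    build_packet("10.0.0.5", "10.0.0.1", SYSLOG_PORT, b"<134>not for the sink"),
    build_packet("10.0.0.6", SINK_IP, SYSLOG_PORT, b"<134>wrong protocol", proto=6),
]

if __name__ == "__main__":
    for rec in collect(SAMPLE_PACKETS):
        print(rec)
```

Because the collector never sends anything and owns no address on the network, the only way to alter its records is to reach the auditor's box itself, which is exactly the access the design withholds from the sysadmin.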

Another commenter agreed with the "two key" system:

There is a clear principle in security that you do not give any one person all of the keys to the kingdom, unless he owns the kingdom.

This "separation of duties" and another important principle, that of "least privilege" go a long way to preventing intrusions and abuse by "authorized" users in the system.

In the enterprise, the duties should be shared by the senior system admin, and the chief security officer. No one person should be wearing both hats for some of the reasons listed in the blog. The norm, unfortunately, is that once you are "in" the network or system there is nothing to stop any insider from accessing anything that he wishes to, unless the organization is lucky enough to have a security savvy administrator.

Finally, here's what I added as a comment to this blog post:

I agree totally with the blog.

I worked, sad to say, briefly as a management trainee at Steak n Shake hamburger restaurant.

A policy was that the store manager had to take someone with her when she took vault deposits of cash to the bank.

Did they not trust their own managers? No, not that. It was: they simply did not trust Human Nature, and they wanted a policy to protect both managers from accusations of theft and the company from theft.

One day, the manager went to the bank without me. Then she left on vacation. The next day, a large amount of money was missing. The assistant managers said, "Someone must have left the vault open slightly, in a hurry, and some customer must have somehow got into the office, saw the vault open, and took the cash."

Yeah, right. I'm now dealing with getting fired by a manager, and the company experienced "massive inventory losses" this past year. I know what really has been going on, and I'm typing a letter to the president today.

This is an illustration of the principle of "two keys" as the blog proclaims.

posted by vaspersthegrate
on February 16, 6:12 AM

Most security breaches are inside jobs, disgruntled or thieving employees. IT department heads must not be given a clean slate of freedom from suspicion.

The higher you rise in an organization, the less trustworthy you are (ironic, but true: think Enron), and the more temptations you encounter.

carrie said...

yes. when i worked in banking we would say that double custody was to prevent temptation, implication, and accusation. or something along those lines. it's for everyone's benefit.

steven edward streight said...

Carrie: wonderful term, that "double custody".