In business environments, the days, months and years go by and we assume everything related to IT is in check. Your administrators go about their days putting out fires and working on new projects. You've got your own management-level stuff to deal with that keeps you busy and often out of touch. Everything seems hunky-dory. Or is it?
Do you really know how your IT administrators are spending their time and what they're getting into? Everyone knows that administrators have the keys to the kingdom. How do you know they're not abusing their privileges? We hear about IT administrator incidents quite often. Having been an administrator myself, I understand what's involved. Furthermore, I work with tons of IT administrators and I've never come across a bad apple. Most people are, indeed, trustworthy. That said, I suspect there's more dubious activity going on inside many networks than we imagine.
There are long-standing information security principles to deal with this very issue. The concept of separation of duties creates a checks-and-balances system to help ensure that no one person does everything. There's also the business need-to-know standard, which states that if you have no business accessing a system then, well, you shouldn't have access. I'll bet you can find many scenarios in your environment where you should implement one or both of those standards. You could do it for data backups, user provisioning, network maintenance and even employee monitoring.
But do you need to? Probably not. In fact, such controls often create more problems than they solve, especially if there's no good business reasoning behind them.
Your best bet is to hire the right person in the first place and keep things in check by staying in touch with your IT staff (it's this second part of the equation that many managers overlook). For one thing, you can never assume that, just because your IT personnel passed background checks, have good references and seem like decent people, they don't have their own issues. It's part of being human. And it's your responsibility as their manager to oversee their actions. For instance, some managers run periodic and/or random background checks to ensure their employees' "status" has not changed. Not a bad idea. Others stay in touch with their employees on Facebook, Twitter and related sites. What a great way to see what's going on in the person's life and hear what they really think.
Perhaps the best thing to do is include your IT administrators in the scope of employee monitoring. This is something that you as a manager, or someone in HR, should be responsible for. Unfortunately, it's usually the IT administrators who do it, which is a bad idea for many reasons, especially given the fact that they control some or all of the monitoring system (specific triggers and filters, log files, user access and more). And that sort of taints the evidence if you know what I mean.
The sixth law in Microsoft's Immutable Laws of Security states that "A computer is only as secure as the administrator is trustworthy." Never lose sight of this fact. I'm not advocating any sort of Big Brother situation that doesn't give administrators the benefit of the doubt. You just have to be smart about things and practice the old adage of trust but verify.
Kevin Beaver is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security on Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at email@example.com.
This was first published in December 2009