Contributor:
John E Dunn
August 12th, 2013

Whose job is it to watch the Admins?

Are administrators privileged network deities, or just a type of ordinary network user much the same as anyone else? Years into an age where IT security has become a mainstream topic, this remains the sort of polarizing question that can provoke one of two reactions: shock or relief.

Those in the ‘shock’ camp will probably have grown up used to the traditional divide in which there were only two types of network being: the queen bees at the center of a chaotic and uncertain network, who needed absolute power and were called ‘network admins’. Everyone else was mortal and had to make do with a support number stating the hours of service. In too many organizations, the power of admins was seen not so much as natural as necessary, a benign dictatorship of those ‘in the know’.

This model persists, especially in smaller organizations, but it is obsolete because, quite simply, it creates unquantifiable risk. For anyone who agrees with this analysis, the realization that admins are just a specialized type of user is more likely to elicit the second response… that of relief.

The arguments that justify the second world view are myriad. Privilege management for users is a cornerstone of good IT governance: an essential mechanism for making the actions of each and every employee visible, regardless of job role. Everyone is a risk, and handing out unaccountable rights to any network user is dangerous because it creates a single point of failure. Privilege management introduces accountability, which benefits everyone, admins included.

Organizations that ignore such principles risk adding their names to the long and dark catalogue of anecdotes: unhappy admins running amok on networks for one reason or another, or a simple error that turned into a botched configuration change with embarrassing consequences.

So much for the theory… but what about making privilege management work on a practical level?

The basic mechanism of control for all network users remains the old-fashioned login: for standard users it grants access to applications and data, and for admins it grants access to the datacenter servers where those resources are located.

Introducing privilege management such as that offered by Avecto’s Defendpoint into this setup allows admins to be granted on-demand elevation of rights to a server, as well as verified elevation where access is best authorized by a second admin. This adds a layer of authentication for mission-critical resources – those on which the organization depends – and creates an audit trail of every access through the Enterprise Reporting Pack.

Server access can then be divided very strictly by responsibility, so that in the heat of the ‘admin moment’ individuals aren’t tempted to stray onto servers in ways that might have unintended consequences. All server access is visible through comprehensive dashboards.
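The three controls described above (on-demand elevation that expires, verified elevation where a second admin must authorize access to a mission-critical server, and a responsibility boundary that keeps admins off servers they do not own) can be modelled as a small privilege broker. The example below is added here for illustration and is not Defendpoint or Avecto code; the server names, admin names, team mapping and 30-minute grant lifetime are constructed assumptions. Every decision, including refusals, is appended to an audit list so that the trail exists regardless of outcome.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed server inventory (hypothetical names): the team responsible for
# each server and whether a second admin must verify access to it.
SERVERS = {
    "db-prod-01":  {"team": "dba",    "mission_critical": True},
    "web-prod-01": {"team": "web",    "mission_critical": True},
    "build-01":    {"team": "devops", "mission_critical": False},
}
# Constructed admin -> team mapping; this is the responsibility boundary.
ADMINS = {"alice": "dba", "bob": "dba", "carol": "web", "dave": "devops"}
GRANT_TTL = timedelta(minutes=30)  # elevated rights expire; nothing is standing


@dataclass
class Grant:
    admin: str
    server: str
    reason: str
    approved_by: Optional[str] = None      # second admin, for mission-critical servers
    expires_at: Optional[datetime] = None  # unset until the grant is active

    def is_active(self, now: datetime) -> bool:
        return self.expires_at is not None and now < self.expires_at


class PrivilegeBroker:
    def __init__(self) -> None:
        self.grants: list = []
        self.audit: list = []  # append-only trail; every decision lands here

    def _log(self, now: datetime, event: str, **fields) -> None:
        self.audit.append({"ts": now.isoformat(), "event": event, **fields})

    def request(self, admin: str, server: str, reason: str, now: datetime) -> Grant:
        """On-demand elevation: refused outside the admin's own responsibility,
        active at once for ordinary servers, held pending for critical ones."""
        if admin not in ADMINS or server not in SERVERS:
            self._log(now, "denied", admin=admin, server=server, why="unknown")
            raise PermissionError("unknown admin or server")
        if ADMINS[admin] != SERVERS[server]["team"]:
            self._log(now, "denied", admin=admin, server=server, why="outside responsibility")
            raise PermissionError(f"{admin} is not responsible for {server}")
        grant = Grant(admin, server, reason)
        self.grants.append(grant)
        if SERVERS[server]["mission_critical"]:
            self._log(now, "pending", admin=admin, server=server, reason=reason)
        else:
            grant.expires_at = now + GRANT_TTL
            self._log(now, "granted", admin=admin, server=server, reason=reason,
                      expires=grant.expires_at.isoformat())
        return grant

    def approve(self, grant: Grant, approver: str, now: datetime) -> None:
        """Verified elevation: a different admin from the responsible team authorizes."""
        if approver == grant.admin:
            self._log(now, "denied", admin=grant.admin, server=grant.server, why="self-approval")
            raise PermissionError("requester may not approve their own elevation")
        if ADMINS.get(approver) != SERVERS[grant.server]["team"]:
            self._log(now, "denied", admin=grant.admin, server=grant.server,
                      approver=approver, why="approver outside responsibility")
            raise PermissionError(f"{approver} may not approve access to {grant.server}")
        grant.approved_by = approver
        grant.expires_at = now + GRANT_TTL
        self._log(now, "approved", admin=grant.admin, server=grant.server,
                  approver=approver, expires=grant.expires_at.isoformat())

    def can_access(self, admin: str, server: str, now: datetime) -> bool:
        """The login gate: only an unexpired grant for this exact server counts."""
        return any(g.admin == admin and g.server == server and g.is_active(now)
                   for g in self.grants)


def run_demo() -> dict:
    """Walk the scenarios from the text and return the broker for inspection."""
    t0 = datetime(2013, 8, 12, 9, 0, tzinfo=timezone.utc)
    broker = PrivilegeBroker()
    broker.request("dave", "build-01", "rotate build cache", t0)           # immediate grant
    g = broker.request("alice", "db-prod-01", "apply index migration", t0)  # held pending
    for approver in ("alice", "bob"):   # self-approval refused, peer approval accepted
        try:
            broker.approve(g, approver, t0 + timedelta(minutes=5))
        except PermissionError:
            pass
    try:
        broker.request("carol", "db-prod-01", "just checking", t0)        # wrong team
    except PermissionError:
        pass
    return {"broker": broker, "t0": t0, "later": t0 + GRANT_TTL + timedelta(minutes=1)}


if __name__ == "__main__":
    for entry in run_demo()["broker"].audit:
        print(entry)
```

Running the demo prints five audit entries: an immediate grant for the build server, a pending request for the production database, a refused self-approval, the peer approval that activates the grant, and a refusal for the admin from the wrong team. The point of `can_access` taking a timestamp is that elevation is a window, not a state: once the grant lapses the login gate closes again without anyone having to remember to revoke it.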

The old world of the admin worked satisfactorily at a time when organizations were still working out how IT was going to be used in their business model. These days, IT is more likely to be the business model, and the risk calculation has been turned on its head. Admins, users, applications and data are the four corners of a secure network, and they are all equal. This is how grown-up organizations work.
