Slashdot Mirror


Sys-Admins Reading the Bosses Mail?

PetManimal writes "Computerworld has an article about IT staff who have access to corner-office email. Systems administrators, database administrators, storage administrators and higher-level IT super users are the types who may access sensitive executive information; one source quoted in the article says that in a company with 1,500 employees, there might typically be five to 10 administrators who have this access. As for how many abuse these privileges, it's hard to tell, but rogue admins out for workplace revenge or personal gain can wreak havoc: '... Experts agree that the severity of these occurrences generally makes them more harmful than external attacks. One of the biggest obstacles to eliminating unauthorized access is determining how many people have it. Access lists are particularly difficult to formulate in both mature companies, where the number and power of administrators have expanded over periods of years, and small companies, where rapid growth leads to undocumented tangles of administrators who are able to maintain their access because nobody has time to assess their status.'"

7 of 398 comments

  1. It is all part of the job by cyanics · · Score: 5, Insightful

    Would you be upset if your allergist (doctor) had access to your blood work? No. It is his job. Trust is a huge component of system administration, and any company, or corporation, who doesn't understand that the administrator has the keys to the system, needs to take a better look at their corporate layout.

    Admins have access to everything. Or at least they should have access to virtually everything. Because who would you call if it was broken? Certainly not the corner office.

    Trust is necessary. You have to trust your admins. And if you have an admin that leaves under suspicious or grievous circumstances, you protect your corporation's ass with a dismissal agreement.

    1. Re:It is all part of the job by Orange+Crush · · Score: 5, Insightful

      They still do not need access to the text of the email. Sorry, but there are quite a number of methods by which the admin could track down an errant email or such without knowing its contents.

      That depends on who you work for/with. My boss likes to ask for things like:

      "Can you print me a copy of that e-mail I sent about our new sales strategy a few months ago? I think I deleted it."

      "Do you remember who you sent it to?"

      "No."

      "Do you remember the date you sent it?"

      "Oh, a while ago."

      "What was it about?"

      "Sales."

      So anyway, when you work for people who routinely ask you questions that are about as specific as: "Hey, can you find me the thing I wrote about something just the other day?" it's helpful to be able to do fulltext searches and keep blunt throwable objects out of arm's reach.

  2. Dog bites man. I by wwest4 · · Score: 5, Insightful

    If you don't have a chain of trust in your IT department you're fucked... even if you do spend bank on "secure internal IT infrastructure."

    The rest of the article is all over the place. There's some mention of rogue admins reading executive e-mail rolled into boilerplate security talk about how X% of security risks are insider threats, and then it finishes up with a vaguely related sales pitch for RSA products, owned by... yep, EMC. The guys providing ComputerWorld with ad revenue on that sidebar.

    Hopefully those scared VPs will hire consultants and purchase EMC products to "secure" their infrastructure from "rogue admins" who are probably reading their e-mail RIGHT NOW.

  3. Re:there is no procedural or technical solution by Anonymous Coward · · Score: 5, Insightful

    If you do not trust your staff, you have other problems.

    In my consulting work I have worked with systems containing sensitive information. Outside the workplace and outside the context of my particular role the information was of no interest to me.

  4. This is normal and necessary by compunut · · Score: 5, Insightful

    At least in small business, and probably in all business, it is completely necessary for upper IT staff to have complete access to everything. I've lost count of how many times upper level management has come to me with the 'I forgot my password, can you get my stuff back?' request. This is a normal occurrence. If we take away the privileges of IT to access upper management data, then upper management is very likely to lose that data.

    As an anecdote, one of my customers (I am an IT consultant) lost the password to the video surveillance system. They immediately came to me, and were shocked and annoyed when I said 'Sorry, I wasn't involved in the installation of that system and was never informed of the passwords.' In the end, we found that a user had written down the password at one point and were able to get back in that way!

    The point really should be that companies better find upper IT staff that they can TRUST! If they can't trust their IT staff, they have big problems.

  5. Re:Clearance Control by petes_PoV · · Score: 5, Insightful

    The biggest problem with this is the way lazy execs just reply to all for every comment they make. If a request for info is sent out to (say) 20 people, it's very possible that all 20 recipients will get all the traffic on this subject - whether it's "sorry I don't know" or "don't bother, we're closing that location" or anything in between.

    You can't back security into an organisation. Either the individuals are prepared to put up with the extra work it needs, or they aren't. Without some effort from everyone, your level of security drops to that of the weakest link (usually the boss).

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons

  6. Re:Clearance Control by chris_mahan · · Score: 5, Insightful

    Who keeps the systems where your private key is stored?
    On your desktop machine? Who keeps your desktop machine?
    On your USB? a) Are you violating a policy for using a USB device? and b) When the USB is plugged in, it's part of the machine (see above)

    If it's passphrase encrypted, are you 100% sure that there isn't a software keylogger on your machine?

    Trust me, you can't hide anything from competent sysadmins.

    The only way to make sure you control your machine is to install it, secure it, and manage it yourself, but then you've become the sysadmin.

    And it may very well be that the company won't allow anyone but an experienced and trusted sysadmin to plug such a machine into the corporate network (for good reason I might add).

    So you might as well get used to the idea that sysadmins have access to everything on the network.

    [puts on sysadmin hat]
    And that is how it should be anyway if you want the network to even start down the path of better security.

    --

    "Piter, too, is dead."