The IT Department as Corporate Snoop?
coondoggie writes with a link to a NetworkWorld article about the dangers of IT department snoops. A study released today is likely to exacerbate the trend of failing trust in employees; it shows that one in three IT employees poke through systems and prod at confidential information while on the job. The survey was done by a firm specializing in password security, so some salt might be required for this particular article. "The survey found that more than one-third of IT professionals admit they could still access their company's network once they'd left their current job, with no one to stop them. More than 200 IT professionals participated in the survey with many revealing that although it wasn't corporate policy to allow IT workers to access systems after termination, still almost 25% of respondents knew of another IT staff member who still had access to sensitive networks even though they'd left the company long ago."
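The survey's headline finding is access that outlives employment. One defensive control is a recurring audit that joins the directory's account export against HR's termination list. The script below is an added example, not code from the article or the survey firm; the account records, owners and dates are constructed, and the field names (`enabled`, `last_logon`, `privileged`, `owner`) are assumptions standing in for whatever a real directory or IAM export provides. It also catches the case the survey does not spell out: a service account whose named owner has left.

```python
"""Audit for accounts that outlive their owner's employment.

Added example. Inputs are constructed: an HR termination list and an
account export with last-logon timestamps and a named owner per account.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional

# Constructed sample data (not from the article): username -> termination date.
TERMINATIONS: Dict[str, date] = {
    "jdoe": date(2007, 3, 2),
    "asmith": date(2007, 1, 15),
}

# Constructed account export. 'owner' is the person accountable for the
# account; for personal accounts it is the user themselves.
ACCOUNTS = [
    {"user": "jdoe", "owner": "jdoe", "enabled": True,
     "last_logon": datetime(2007, 4, 10, 9, 3), "privileged": True},
    {"user": "asmith", "owner": "asmith", "enabled": False,
     "last_logon": datetime(2007, 1, 14, 17, 30), "privileged": True},
    {"user": "bwong", "owner": "bwong", "enabled": True,
     "last_logon": datetime(2007, 4, 11, 8, 0), "privileged": False},
    # Service account whose owner (jdoe) has left: easy to forget at offboarding.
    {"user": "svc_backup", "owner": "jdoe", "enabled": True,
     "last_logon": None, "privileged": True},
]


@dataclass
class Finding:
    user: str
    severity: str
    reason: str


def audit_orphaned_access(accounts, terminations: Dict[str, date]) -> List[Finding]:
    """Flag accounts still enabled, or used, after their owner's termination."""
    findings: List[Finding] = []
    for acct in accounts:
        term: Optional[date] = terminations.get(acct["owner"])
        if term is None:
            continue  # owner is still employed (or unknown to HR; not handled here)

        if acct["enabled"]:
            severity = "high" if acct["privileged"] else "medium"
            what = "account" if acct["user"] == acct["owner"] else f"account owned by {acct['owner']}"
            findings.append(Finding(acct["user"], severity,
                                    f"{what} still enabled; owner terminated {term.isoformat()}"))

        last = acct["last_logon"]
        if last is not None and last.date() > term:
            # Use after termination is the strongest signal: someone used the credential.
            findings.append(Finding(acct["user"], "critical",
                                    f"logon at {last.isoformat()} after termination {term.isoformat()}"))
    return findings


if __name__ == "__main__":
    for f in audit_orphaned_access(ACCOUNTS, TERMINATIONS):
        print(f"[{f.severity.upper():8}] {f.user}: {f.reason}")
```

The join key is the account's owner rather than its username, so a leaver's service accounts surface alongside their personal login; the "critical" finding (a logon dated after termination) is the one that should go straight to incident response rather than to a cleanup queue.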
Like in government (cough cough cough), powers should be divided amongst a number of people i.e. hardware admins, web server admins, database admins, 'maintenance admins', et cetera. But for the majority of places this could easily be too many people. Of course, this is pretty impractical too, and I for one know most admins don't like having obstacles; but after all that's the root of the problem at hand.
More than any other reason, this is why your IT team should be well paid and why duties should be segregated.
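The comments above argue for dividing admin powers among several people. The check below is an added example of how that division can be verified from a role-assignment export; it is not code from the article or the commenters, and the role names, the list of "toxic" role pairs and the assignments are all constructed. It flags two things: one account holding a pair of roles that lets it both act and erase the record of acting, and roles with only one holder (no second person to review or cover).

```python
"""Segregation-of-duties check over a role-assignment export.

Added example with constructed roles and assignments.
"""
from typing import Dict, List, Set, Tuple

# Constructed: pairs of roles that one person should not hold together.
TOXIC_PAIRS: List[Tuple[str, str]] = [
    ("server_admin", "audit_log_admin"),      # can act on servers and clear the audit trail
    ("db_admin", "payroll_app_admin"),        # can change salary data and edit it at the DB layer
    ("firewall_admin", "web_server_admin"),   # can expose a server and open the path to it
]

# Constructed: user -> set of roles, as an IAM or directory export might list them.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"server_admin", "audit_log_admin"},
    "bob": {"server_admin", "db_admin"},
    "carol": {"web_server_admin", "payroll_app_admin"},
    "dave": {"firewall_admin"},
}


def sod_violations(assignments: Dict[str, Set[str]],
                   toxic_pairs: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (user, role_a, role_b) for every toxic pair held by a single account."""
    hits = []
    for user, roles in sorted(assignments.items()):
        for a, b in toxic_pairs:
            if a in roles and b in roles:
                hits.append((user, a, b))
    return hits


def single_holder_roles(assignments: Dict[str, Set[str]]) -> Dict[str, str]:
    """Return role -> user for roles that exactly one account holds."""
    holders: Dict[str, List[str]] = {}
    for user, roles in assignments.items():
        for role in roles:
            holders.setdefault(role, []).append(user)
    return {role: users[0] for role, users in holders.items() if len(users) == 1}


if __name__ == "__main__":
    for user, a, b in sod_violations(ASSIGNMENTS, TOXIC_PAIRS):
        print(f"SoD violation: {user} holds both {a} and {b}")
    for role, user in sorted(single_holder_roles(ASSIGNMENTS).items()):
        print(f"Single holder: {role} is held only by {user}")
```

In a small shop the single-holder list will be long, which is the practical objection the first comment raises; the toxic-pair list is the part worth enforcing even when full separation is out of reach, because it targets the combinations that remove accountability rather than merely concentrating work.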
And also "trustworthiness" really has to be high on your priority list of job-qualifications for IT people. I always tell people, if you can't trust your IT people, you're in trouble.
You might ask why. "Why can't you put security in place that prevents your IT people from accessing the information you don't want them to see?" Well, I'll answer that with another question: who will put that security in place? Inevitably, there will have to be people who put security in place, and whoever that is could leave back-doors for themselves. There will be people who maintain the systems and security, people with powerful logins and passwords, and those people can override your security.
And ultimately, there are accidents. At one company, we had a common spam database for the whole company (years ago). Every piece of spam went into the same place. While looking for false positives in order to see whether the filter needed adjusting, you'd see every e-mail that had a swear word in it. If someone wrote about "f*%king", it was in the spam filter. Every mention of "penis" went in the spam filter. A lot of it was spam, but there was plenty of employee e-mail going around, talking about things they probably didn't want anyone to see.
Also, there were plenty of times where someone invited me to look at their desktop or e-mail in order to help them with something. Like, "hey, can you help me find this e-mail I'm looking for?" I say "yeah," and the e-mail up on the screen is an e-mail about having an affair and an Excel file containing everyone's salaries. It happens!
My point is, even if your IT personnel are honest, they'll probably see sensitive information somehow, even if by accident. Trustworthiness is an important trait. My advice: If you're hiring IT people, it might be good to hire the person you'd feel most comfortable telling all your dirty secrets. If you're just another employee, don't keep any information on your work computer or pass information through your work systems unless you'd be comfortable with your IT people seeing it. If you must send information from work that you don't want your IT people to see, use a Gmail account, and don't leave your browser open while you're away from your computer.
I do not deploy Linux. Ever.
Curiously, Microsoft AD has no such ability. Password policies are set domain wide and there are no exceptions for anyone even with a GPO, a well known limitation of AD.
Let me correct your statement. You have "never seen an AD deployment where GPOs were making exceptions..."