Educause Security Discussion mailing list archives
Re: SYSADM and Security
From: Alan Amesbury <amesbury () OITSEC UMN EDU>
Date: Wed, 3 Jan 2007 17:47:42 -0600
Mark Staples wrote:
> I've been wondering what other institutions are doing about system accounts (i.e. sysadm with PeopleSoft) that have full administrative access and can be used by any DBA, which then impacts effective monitoring and accountability. I'm being told that there is no way around the regular use of these types of accounts and I need to accept the risk and trust our DBAs. While I "believe" what I'm being told, I'd like to find out what other institutions are doing to address the use of system accounts.

This problem is not unique. Separation of privileges; rotation of duties; and periodic, random auditing are arguably the best mitigators, in addition to whatever purely technological fix you implement. While you may not trust everyone, you're going to have to trust *someone* at some point, and the first two items have the effect of forcing collusion between people. The latter item, particularly when performed by a disinterested third party, can also be a very effective check against a number of problems. Yes, there's a cost. Whether it's worth it depends on what you're protecting.

--
Alan Amesbury
OIT Security and Assurance
University of Minnesota