Educause Security Discussion mailing list archives

Re: SYSADM and Security


From: Alan Amesbury <amesbury () OITSEC UMN EDU>
Date: Wed, 3 Jan 2007 17:47:42 -0600

Mark Staples wrote:

> I've been wondering what other institutions are doing about system
> accounts (i.e. sysadm with PeopleSoft) that have full administrative
> access and can be used by any DBA, which then impacts effective
> monitoring and accountability.
>
> I'm being told that there is no way around the regular use of these
> types of accounts and I need to accept the risk and trust our DBAs.
> While I "believe" what I'm being told, I'd like to find out what other
> institutions are doing to address the use of system accounts.

This problem is not unique.  Separation of privileges; rotation of
duties; and periodic, random auditing are arguably the best mitigators,
in addition to whatever purely technological fix you implement.  While
you may not trust everyone, you're going to have to trust *someone* at
some point, and the first two items have the effect of forcing collusion
between people.  The latter item, particularly when performed by a
disinterested third party, can also be a very effective check against a
number of problems.

Yes, there's a cost.  Whether it's worth it depends on what you're
protecting.


--
Alan Amesbury
OIT Security and Assurance
University of Minnesota
