Educause Security Discussion mailing list archives

Re: Multiple of Single User Accounts


From: Michael Fertig <m.fertig () LSC EDU>
Date: Wed, 21 Oct 2009 16:33:16 -0500

We keep separate accounts for employees that are students and students
that are also employees.

We do not permit student accounts to log on to employee workstations or
to access employee servers and applications.

We also limit the workstations that student employees may access to
those associated with their specific employee duties.

It also helps to have separate accounts from the standpoint of policy
issues; suppose a student employee was dismissed as an employee yet
still attended classes, for example.

It becomes much easier to unwind the permissions and access when the
identity is separate.

We are not under any illusions that this is in any way, shape, or form
"more secure" than any other approach, but it is helpful from an
administrative standpoint.

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark Borrie
Sent: Wednesday, October 21, 2009 4:11 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Multiple of Single User Accounts

 

We keep separate accounts for staff, students and external users. One of
the prime reasons is the difficulty in mapping identities when the
source information is quite different. Keeping the account different has
allowed us to maintain separation of roles (duties) in a much more
devolved way.

Another issue that is rarely mentioned in this debate is the need to
protect some credentials more than others. A situation has recently come
to light here where a privileged user here exposed their credentials to
key infrastructure while accessing student systems. The exposure was
obscure (and certainly unintentional) but exists nonetheless. Keeping
accounts separate helps mitigate that accidental exposure of
credentials.

Mark

Daniel Bennett wrote: 

What do you do when you have students who are also employees or vice
versa?  Do you create two unique network and e-mail accounts for them or
do they use a single account?

 

Daniel Bennett

IT Security Analyst

Pennsylvania College of Technology

One College Ave

Williamsport PA, 17701

570.329.4989

 





-- 
Mark Borrie
Information Security Manager,
Information Technology Services, University of Otago,
Dunedin, N.Z.
Ph +64 3 479-8395, Fax +64 3 479-5080
