Educause Security Discussion mailing list archives
Re: Multiple of Single User Accounts
From: Michael Fertig <m.fertig () LSC EDU>
Date: Wed, 21 Oct 2009 16:33:16 -0500
We keep separate accounts for employees that are students and students that are also employees. We do not permit student accounts to logon to employee workstations or to access employee servers and applications. We also limit the workstations that student employees may access to those associated with their specific employee duties. It also helps to have separate accounts from the standpoint of policy issues; suppose a student employee was dismissed as an employee yet still attended classes, for example. It becomes much easier to un-wind the permissions and access when the identity is separate. We are not under any illusions that this is in any way, shape, or form "more secure" than any other approach, but it is helpful from an administrative standpoint. From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark Borrie Sent: Wednesday, October 21, 2009 4:11 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Multiple of Single User Accounts We keep separate accounts for staff, students and external users. One of the prime reasons is the difficulty in mapping identities when the source information is quite different. Keeping the account different has allowed us to maintain separation of roles (duties) in a much more devolved way. Another issue that is rarely mentioned in this debate is the need to protect some credentials more than others. A situation has recently come to light here where a privileged user here exposed their credentials to key infrastructure while accessing student systems. The exposure was obscure (and certainly unintentional) but exists none the less. Keeping accounts separate helps mitigate that accidental exposure of credentials. Mark Daniel Bennett wrote: What do you do when you have students who are also employees or vice versa? Do you create two unique network and e-mail accounts for them or do they use a single account? Daniel Bennett IT Security Analyst Pennsylvania College of Technology One College Ave Williamsport PA, 17701 570.329.4989 -- Mark Borrie Information Security Manager, Information Technology Services, University of Otago, Dunedin, N.Z. Ph +64 3 479-8395, Fax +64 3 479-5080
Current thread:
- Re: Multiple of Single User Accounts, (continued)
- Re: Multiple of Single User Accounts Daniel Bennett (Oct 21)
- Re: Multiple of Single User Accounts Eric Case (Oct 21)
- Re: Multiple of Single User Accounts Flynn, Gerald (Oct 21)
- Re: Multiple of Single User Accounts Gregg, Christopher S. (Oct 21)
- Re: Multiple of Single User Accounts Roger Safian (Oct 21)
- Re: Multiple of Single User Accounts Barrera, Connie (Oct 21)
- Re: Multiple of Single User Accounts Morrow Long (Oct 21)
- Re: Multiple of Single User Accounts Stanclift, Michael (Oct 21)
- Re: Multiple of Single User Accounts Mark Borrie (Oct 21)
- Re: Multiple of Single User Accounts Gregg, Christopher S. (Oct 21)
- Re: Multiple of Single User Accounts Michael Fertig (Oct 21)
- Re: Multiple of Single User Accounts Eric Case (Oct 21)
- Re: Multiple of Single User Accounts Flynn, Gerald (Oct 22)
- Re: Multiple of Single User Accounts Flynn, Gerald (Oct 22)
- Re: Multiple of Single User Accounts Flynn, Gerald (Oct 22)
- Re: Multiple of Single User Accounts Stanclift, Michael (Oct 22)
- Re: Multiple of Single User Accounts Basgen, Brian (Oct 22)
- Re: Multiple of Single User Accounts Jesse Thompson (Oct 22)