oxburger asked:

Sysadmin Data Access

Greetings everyone,

I work for a small business as their system administrator.  Until recently, the GM was not aware that the sysadmin has access to all data within the network.

At previous places I've worked, sysadmins also had (or could grant themselves) unlimited access to data within the organization.

I would like to put my GM's mind at ease, but the only reasons for unrestricted data access that I can come up with are 1) as a recovery agent 2) troubleshooting purposes 3) that's the way it is.

Does anyone have any additional reasons that I should tell my GM about why sysadmins have unrestricted data access?

I appreciate your time.

Andrew

Security

Last Comment: oxburger, 8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
biscuit3

SOLUTION
webwyzsystems

SOLUTION
Roachy1979

oxburger

ASKER
I respectfully disagree.  Just because a sysadmin doesn't explicitly have access to data, they typically can grant themselves access.  In my mind, therefore, they have access to all data, whether explicit or implicit.





Roachy1979

So - what you are saying is that if you were IT Manager for an organisation, you would have no problem with your employees (Sysadmins) having access to confidential personnel, salary and other information about yourself with no form of audit or accountability?  To my mind that information should only be known to the people you directly report to and the people they report to - and of course the individuals within a finance team who are responsible for paying you...

There's a world of difference between having permissions to grant yourself access and having an audit trail and just having blanket permissions to do with as you see fit to the data on the network...

Ignorance is in many cases bliss.  Personally I have no desire to have that degree of information on a network.  By denying myself permissions and imposing an auditing policy I have also taken steps to remove the human temptation to find out, when that temptation arises...
oxburger

ASKER
What I am saying is, sysadmins (or DBAs, Exchange Admins, etc.) already have access or can grant themselves access to sensitive data.  If a sysadmin wanted to be malicious, then auditing, denying himself/herself access, intrusion detection, etc. are useless because those can be edited or deleted by said sysadmins.

If we wanted the data, we can get it.  That is the bottom line.

Final note:  Our HR people called their consulting firm, and were told that it is typical for upper IT staff to have (or be able to grant themselves) access to sensitive company data.







 


