oxburger

asked on

Sysadmin Data Access

Greetings everyone,

I work for a small business as their system administrator.  Until recently, the GM was not aware that the sysadmin has access to all data within the network.

At previous places I've worked with, sysadmins also had (or could grant themselves) unlimited access to data within the organization.

I would like to put my GM's mind at ease, but the only reasons for unrestricted data access that I can come up with are 1) as a recovery agent 2) troubleshooting purposes 3) that's the way it is.

Does anyone have any additional reasons what I should tell my GM about why sysadmins have unrestricted data access?

I appreciate your time.

Andrew

ASKER CERTIFIED SOLUTION
biscuit3
oxburger

ASKER

I respectfully disagree.  Just because a sysadmin doesn't explicitly have access to data, they typically can grant themselves access.  In my mind therefore, they have access to all data whether explicit or implicit.





So - what you are saying is that if you were IT Manager for an organisation, you would have no problem with your employees (Sysadmins) having access to confidential personnel, salary and other information about yourself with no form of audit or accountability?  To my mind that information should only be known to the people you directly report to and the people they report to -and of course the individuals within a finance team who are responsible for paying you.....

There's a world of difference between having permissions to grant yourself access and having an audit trail and just having blanket permissions to do with as you see fit to the data on the network.....

Ignorance is in many cases bliss.  Personally I have no desire to have that degree of information on a network.  By denying myself permissions and imposing an auditing policy I have also taken steps to remove the human temptation to find out, when that temptation arises...

What I am saying is, sysadmins (or DBAs, Exchange Admins, etc.) already have access or can grant themselves access to sensitive data.  If a sysadmin wanted to be malicious then auditing, denying himself/herself access, intrusion detection, etc. is useless because those can be edited or deleted by said sysadmins.

If we wanted the data, we can get it.  That is the bottom line.

Final note:  Our HR people called their consulting firm, and were told that it is typical for upper IT staff to have (or can grant themselves) access to sensitive company data.