Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: SYSADM and Security
From: Alan Amesbury <amesbury () OITSEC UMN EDU>
Date: Wed, 3 Jan 2007 17:47:42 -0600

Mark Staples wrote:

I've been wondering what other institutions are doing about system
accounts (i.e. sysadm with PeopleSoft) that have full administrative
access and can be used by any DBA, which then impacts effective
monitoring and accountability.

I'm being told that there is no way around the regular use of these
type of accounts and I need to accept the risk and trust our DBAs.
While I "believe" what I'm being told, I'd like to find out what other
institutions are doing to address the use of system accounts.

This problem is not unique.  Separation of privileges; rotation of
duties; and periodic, random auditing are arguably the best mitigators,
in addition to whatever purely technological fix you implement.  While
you may not trust everyone, you're going to have to trust *someone* at
some point, and the first two items have the effect of forcing collusion
between people.  The latter item, particularly when performed by a
disinterested third party, can also be a very effective check against a
number of problems.

Yes, there's a cost.  Whether it's worth it depends on what you're
protecting.


--
Alan Amesbury
OIT Security and Assurance
University of Minnesota

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault