Educause Security Discussion
mailing list archives
Re: SYSADM and Security
From: Alan Amesbury <amesbury () OITSEC UMN EDU>
Date: Wed, 3 Jan 2007 17:47:42 -0600
Mark Staples wrote:
I've been wondering what other institutions are doing about system
accounts (i.e. sysadm with PeopleSoft) that have full administrative
access and can be used by any DBA, which then impacts effective
monitoring and accountability.
I'm being told that there is no way around the regular use of these
type of accounts and I need to accept the risk and trust our DBAs.
While I "believe" what I'm being told, I'd like to find out what other
institutions are doing to address the use of system accounts.
This problem is not unique. Separation of privileges; rotation of
duties; and periodic, random auditing are arguably the best mitigators,
in addition to whatever purely technological fix you implement. While
you may not trust everyone, you're going to have to trust *someone* at
some point, and the first two items have the effect of forcing collusion
between people. The latter item, particularly when performed by a
disinterested third party, can also be a very effective check against a
number of problems.
Yes, there's a cost. Whether it's worth it depends on what you're
OIT Security and Assurance
University of Minnesota