Sys-Admins Reading the Bosses Mail? 398
PetManimal writes "Computerworld has an article about IT staff who have access to corner-office email. Systems administrators, database administrators, storage administrators and higher level IT super users are the types who may access sensitive executive information; one source quoted in the article says that in a company with 1,500 employees, there might typically be five to 10 administrators who have this access. As for how many abuse these priviledges, it's hard to tell, but rogue admins out for workplace revenge or personal gain can wreak havoc: '... Experts agree that the severity of these occurrences generally makes them more harmful than external attacks. One of the biggest obstacles to eliminating unauthorized access is determining how many people have it. Access lists are particularly difficult to formulate in both mature companies, where the number and power of administrators have expanded over periods of years, and small companies, where rapid growth leads to undocumented tangles of administrators who are able to maintain their access because nobody has time to assess their status.'"
Clearance Control (Score:5, Insightful)
Passing on encryption (Score:2, Insightful)
Definition of a hacker (Score:3, Insightful)
It is all part of the job (Score:5, Insightful)
Admins have access to everything. Or at least they should have access to virtually everything. Because who would you call if it was broken? certainly not the corner office.
Trust is necessary. You have to trust your admins. And if you have an admin that leaves under suspicious or grievious circumstances, you protect your corporations ass with a dismissal agreement.
Dog bites man. I (Score:5, Insightful)
The rest of the article is all over the place. There's some mention of rogue admins reading executive e-mail rolled into boilerplate security talk about how X% of security risks are insider threats, and then it finishes up with a vaguely related sales pitch for RSA products, owned by... yep, EMC. The guys providing ComputerWorld with ad revenue on that sidebar.
Hopefully those scared VPs will hire consultants and purchase EMC products to "secure" their infrastructure from "rogue admins" who are probably reading their e-mail RIGHT NOW.
Re:there is no procedural or techical solution (Score:5, Insightful)
There are, after all, fairly straightforward ways to secure data against the admins (assuming they don't actually install spyware, which is a separate subject.) There are also ways to arrange secure key recovery so that the records can be recovered if Something Happens to the exec, but no one person can do it (say, three board members and an outside law firm.)
Re:Clearance Control (Score:5, Insightful)
Re:there is no procedural or techical solution (Score:5, Insightful)
In my consulting work I have worked with systems containing sensitive information. Outside the workplace and outside the context of my particular role the information was of no interest to me.
Re:PGP mainstream? (Score:3, Insightful)
Re:there is no procedural or techical solution (Score:5, Insightful)
The DMV does it (every once in a while some bozo is fired from the state DMV for looking up minor celebrities information), I am sure many other less involved database systems can too.
a pragmatic solution (Score:2, Insightful)
big deal (Score:2, Insightful)
If you don't trust your Sysadmin(s)... (Score:3, Insightful)
...Then the battle is already lost. You may as well close up shop and go home.
Which is not to say there aren't unscrupulous people out there who will abuse positions of trust, but this is a HR issue, not a technical/security one (and is most certainly not one limited to the IT department).
I have access.. (Score:2, Insightful)
This is normal and necessary (Score:5, Insightful)
As an anecdote, one of my customers (I am an IT consultant) lost the password to the video surveillance system. They immediately came to me, and were shocked and annoyed when I said 'Sorry, I wasn't involved in the installation of that system and was never informed of the passwords.' In the end, we found that a user had written down the password at one point and were able to get back in that way!
The point really should be that companies better find upper IT staff that they can TRUST! If they can't trust their IT staff, they have big problems.
How about informants for organized crime? (Score:1, Insightful)
would do anything to have one or two admins in any network so they can glean
information for their benefits? hmm?
Re:Dog bites man. I (Score:3, Insightful)
Computrerworld is nota very highly regarded magazine. It's a freebie they shove down your throat. only middled managers actually put ant value into that rag's words. All this article does is fester distrust of the IT department from managers that have not a clue.
your IT admins can bury your company and wield far more power than the executive staff combined does. Yet compared to all other departments IT get's the lowest pay.
One admin with all they keys can easily take down anyone in the company in scandal, legal, whatever. When I worked corperate I had the keys to send emails as any of the executives, Presidents and VP's. I could have placed "evidence" on any of their laptops and done them in.
IT people typically have the "hero" attitude and do not do such things even in the face of being screwed. WE like to help and do good things for the network and PC's so the risk is low... but I know o some ticking time bombs that will go off eventually if those companies management does no tpull their heads out of their rear.
Re:there is no procedural or techical solution (Score:2, Insightful)
The solution is regularly teaching business ethics to students. Perhaps even make it mandatory to earn a degree. Certainly mandatory for a graduate degree.
The suggestion that a mandatory degree and ethics classes will solve the problem is laughable. Many examples of why this is so exist: Citigroup, Enron, Worldcom... to name a few. Do they teach business ethics in MBA or CPA programs? Of course they do. Did it help? No.
And then of course... (Score:5, Insightful)
There are ways to run a business that limit the amount of information that has to be classified so that it can be relayed verbally or by sneakernet. Like not defrauding your workers or business associates is a good start, followed by not raking in huge undeserved stock options and bonuses, not downsizing and outsourcing just because it is the latest fad, and in general being competent to the point that the only people who care what's in your email are the rarer criminal element and not every damn single employee.
Ahh, driftnet on the switch monitor port. Never has there been such an artistically odd juxtaposition of shoes, porn, corporate logos, and vacation photos.
Re:It is all part of the job (Score:3, Insightful)
Sorry, but here are quite a number of methods by which the admin could track down an errant email or such without knowing its contents.
Its like passwords, your argument has been used before by people who defend systems in which the password is retrievable. The only way for me to know a user's password in my systems is if I set it myself or they tell me. There is not a method to recover them. The same can be done for the text and such of the mail.
One thing that would solve this... (Score:4, Insightful)
Re:Clearance Control (Score:5, Insightful)
You can't back security into an organisation. Either the individuals are prepared to put up with the extra work it needs, or they aren't. Without some effort from everyone, your level of security drops to that of the weakest link (usually the boss)
Re:Clearance Control (Score:3, Insightful)
Re:It is all part of the job (Score:2, Insightful)
I guess it is a problem with assumption. Corners assume communication is privileged, and private. Well, it isn't. It's like using a megaphone to talk through the wall to the office next door. Yeah, no one outside your office might hear you, but you don't know how many people are in the next office listening.
Corners can't assume that email is private. It doesn't work that way.
I am a Sysadmin (Score:2, Insightful)
We are not regular employees. We aren't the boss. We occupy a grey area, because we control everything.
My system has millions of dollars flowing through it. You trust me with that, but have a problem with reading an email?
I am a Sysadmin. Trust me or not. Me reading your email is the least of your problems should you choose not to trust me.
Re:It is all part of the job (Score:4, Insightful)
Except that assigning a new password and "destroying" the old one is a perfectly acceptable solution. So there is no need for anyone to be able to recover the old one. Destroying a document is not an acceptable solution -- if my boss needs me to recover a document, I need to be able to do it, whether it is by interacting with the application, searching through cache data, or scouring the individual hard disk sectors.
Ultimately it does come down to trust (or greater monitoring), but you can't remove the fundamental ability of IT to be able to access all corporate data in some manner if you expect them to provide comprehensive support to the organization.
Re:It is all part of the job (Score:5, Insightful)
That depends on who you work for/with. My boss likes to ask for things like:
"Can you print me a copy of that e-mail I sent about our new sales strategy a few months ago? I think I deleted it."
"Do you remember who you sent it to?
"No."
"Do you remember the date you sent it?"
"Oh, a while ago."
"What was it about?"
"Sales."
So anyway, when you work for people who routinely ask you questions that are about as specific as: "Hey, can you find me the thing I wrote about something just the other day?" it's helpful to be able to do fulltext searches and keep blunt throwable objects out of arm's reach.
Re:It is all part of the job (Score:4, Insightful)
Yeah, people don't get what's going. In the first place, e-mail isn't a secure form of communication. It's usually transmitted unencrypted, and often your authentication to your e-mail server isn't encrypted. Whoever is running your e-mail server, whether it's your ISP or Google, can read your e-mail if they really want, and mostly you're relying on them to be disinterested in the matters you're sending back and forth. People should understand this.
However, the second component here is that, if you can't trust your IT staff, you are in big trouble. The reason is this: even if you put security measures in place to restrict IT access to e-mail messages, your IT staff is going to have to put that in place. If you can't trust the person who institutes your security, you won't know for sure whether they left themselves a back-door in. Basically, you're trying to lock people out of a system that they've set up themselves, and they know the system better than you do (or you probably wouldn't have hired them).
So the best solution-- the only solution-- is to hire IT people you can trust. When you hand over control of your network to someone, imagine it being like handing over keys to a storage room with all your information in it, with only their integrity to keep them from browsing through it.
As an aside: you should also be careful about the communications you have through your office e-mail. Even well-intentioned trustworthy support personnel might stumble across it while fixing problems or troubleshooting. Take it from a guy who's accidentally stumbled across e-mail from an executive's mistress before. I was just browsing trough our spam filter to look for false positives, and there it was. I wasn't looking for it, wish I hadn't seen it, and didn't want to know, but there it was. So as a rule, if you have personal information you wouldn't feel comfortable telling your IT people (like that you're having an affair and doing coke on weekends), don't talk about it in your work e-mail account.
Re:Clearance Control (Score:5, Insightful)
And this is what is really wrong with IT now. In 100-200 years maybe when the industry starts to get alittle mature things will change, but currently the one or two computer guys have access to everything school of thought is really what's wrong with the entire industry. I'll consider this industry to be growing up when any small business could hire/fire/transfer admins with complete confidence that the new guy has complete access and the old guy has zero access without carrying home backups or enough info to successfully compete with the company. We just aren't there, yet. I know that I'm trust worthy, but I wouldn't trust any other IT person. I wouldn't trust Bill Gates or Linus to be left with ulitmate unchecked power over all my machines. Why would I want a setup where just 1 guy may or may not have complete control/access to the small network? Of course you need to define "small business." If you are talking about 10 networked computers and one temp. computer contracter guy that comes in to set things up or do windows up dates every 3 months or so, then your reasoning makes sense, but is still off. That computer guy no matter how trusted shouldn't have complete control over the network. What happens when that trusted computer guy is killed by a drunk driver, and then you have to hire a new guy?
Re:there is no procedural or techical solution (Score:3, Insightful)
Funny but... (Score:3, Insightful)
But, well paid employees in a job that doesn't suck aren't typically motivated to do immoral stuff. I get paid well, I'm respected, my hours are decent, etc. I have no reason to be disgruntled and do bad stuff. On the other hand, I can say I'm a fairly ethical person (saying otherwise would be false modesty). The idea is to have good employees, and keep them happy.
Now, if I was some guy paid below what I deserve, in a high stress job that sucks, risking to be outsourced and all, with management making every second of your life miserable and such, poor workplace politics and the old backstabbing between co-workers, then yeah, I wouldn't be surprised when something bad happens... It's old news, disgruntled ppl will sometimes do that kind of stuff.
Re:Clearance Control (Score:3, Insightful)
Here, there's also an "if sysadmins get run over" domain admin account detailed in an envelope in the company safe (with appropriate precautions to make tampering evident).
Use of that password and account will light up every sysadmins pager / mobile and is logged as critical in all monitoring kit. So there's the means to ensure business continuity, but a massive lart ready for anyone who abuses their access to that envelope.
You still need to read the network docs and know wtf you're doing, but the solution works for us.
Re:big deal (Score:3, Insightful)
You just haven't found anything worth caring about yet. Wait till you find out that all of the people who are at the same level in the org chart as you are make $20K more a year than you, and they all come to you all the time to get things done because none of them know what they're doing. Or that the person reporting to you makes $30K more. Or that the company subsidizes the CEO's political fundraisers (worse if it's for a political party you strongly oppose).
Keep looking, you'll find something.
Re:Clearance Control (Score:2, Insightful)
Re:Clearance Control (Score:5, Insightful)
On your desktop machine? Who keeps your desktop machine?
On your USB? a) Are you violating a policy for using a USB device? and b) When then USB is plugged-in, it's part of the machine (see above)
If it's passphrase encrypted, are you 100% sure that there isn't a software keylogger on your machine?
Trust me, you can't hide anything from competent sysadmins.
The only way to make sure you control your machine is to install it, secure it, and manage it yourself, but then you've become the sysadmin.
And it may very well be that the company won't allow anyone but an experienced and trusted sysadmin to plug such a machine into the corporate network (for good reason I might add).
So you might as well get used to the idea that sysadmins have access to everything on the network.
[puts on sysadmin hat]
Ad that is how it should be anyway if you want the network to even start down the path of better security.
postcard (Score:5, Insightful)
ie it could be read during transmission buy the post-office worker (sys-admin)....
just a gentle reminder.
Re:It is all part of the job (Score:3, Insightful)
But in that scenario, IT can still get access to the encrypted data if they really want to. They can install a key logger and a tool that records your screen contents at intervals. Face it, you have to trust everyone who's able to install software on your computer.
So while encryption may be able to reduce the number of IT staff who can read your e-mail--maybe the server admins can't read it now, only malicious desktop admins--you won't ever reduce the number to 0.
It's a real pain in the ass, it requires lots of training, increases the risk of data loss, and it still doesn't actually prevent IT from being able to read your data. That's why nobody does it.
Re:It is all part of the job (Score:3, Insightful)
Ultimately you do have to trust the IT department not to go to the vault together and decrypt everything over the weekend. They have to be able to decrypt things without the user, that's just a fundamental requirement for data preservation. You can put all the auditing and supervision on the process you like, but you can never escape the requirement unless you're willing to lose all data when an employee is killed in a car accident.
Re:Clearance Control (Score:5, Insightful)
The question isn't whether to trust, but under what conditions? Accountants and bookeepers often have checks, balances, licenses and bonding. CxOs have major positions of repsonsibilty with the salaries to match, and now they have Sarbanes-Oxley too. Physical security folks are often bonded, polygraphed, drug tested, etc.
So which of these are most applicable to IT? Do we have checks, balances, licensing, bonding, major positions of responsibility with the salaries to match? Do we have polygraphs or drug tests? Do we have laws like SOX that put us in the hot seat if things go wrong?
I'm not sugesting we should do any particular one of these things, but as IT continues to mature, and IT is seen, as it should be, as a single point of failure that could cause damage up to, and including, the complete collapse of the company, we're going to need to proffesionalize our practices to the point much greater than the blind faith that often exists today.
TW
(note: I know IT has a major role in SOX compliance, but we're not held responsible unless the company in question builds that into the system. Many companies aren't, at least not to the extent they should. If SOX causes more shops to know exactly who has access to email, and exactly how to go about making sure they're responsible and holding them accountable then, well, problem solved. I personally don't think SOX alone is enough.)
Re:Bullshit (Score:3, Insightful)
In your example (which boils down to two man working, essentially) you have increased the cost of support - is it worth paying? That depends - what are you relying on to enforce it (procedural or technical measures, a combination of these)? What are you protecting?
There is also the rather tricky problem of defining who the owner is. If you have a data area with multiple people accessing it how do you put in sensible processes to manage this, and to recover the data when Fred fubars the spreadsheet. How do you audit use of the data (and do you even bother)?
There are ways to cope with all of this, but a blanket "you lose your password, you lose your information (unless you put into action this very expensive process)" isn't a panacea.
Finally - you say "all data in business can be reproduced, at the cost of time and effort". The first part, generally, isn't true. The "cost time and effort" also is misleading - sure, there will be problems where pouring money at them will get you better answers, but the business can't afford it (and it wouldn't be the first business that went down because they had an inappropriate security policy). It's a paradox, I suppose - important data is the only sort you can't afford to recover, because if it wasn't important you wouldn't need to.
Re:Trained Professionals (Score:3, Insightful)
I don't suppose you use voice-over-IP phones? I bet it would be trivial to set up auto-transcript on our CEO's phone IP...
Duh, Breaking news at 11! (Score:2, Insightful)
You don't bitch about plumber having access your basement
I can bitch about HR too - they have the most private information about employees (I saw HR files
Re:Clearance Control (Score:3, Insightful)
You simply cannot run a network effectively if you do not have full access to it. Somebody at some level has to be entrusted with this. The check/balance on this has to come from some kind of background check that would leave a resonable amount of certainty in the trustworthiness of the potential sysadmin.
As Peter Parker's Uncle told him: "With great power comes great responsibility". A sysadmin should be trusted with that power in order to be as effective as possible but should also have to live up to the responsibility as well.
Flavor of the week. (Score:3, Insightful)
Think about it. A group of highly paid MBAs sit in a room and come up with an IT solution you are supposed to implement.
It really doesn't matter whether or not their solution is workable. You MUST embrace it.
If you do not embrace it, you will always be remembered as the "difficult one".
And really, the stupider the idea is, the faster it will go away and be forgotten. It is kind of like evolution, good ideas live and bad ideas die.
In the end, the managers will not remember the solution, or the problem. All they will remember is whether or not you were a "team player" or the "difficult one". Just always agree and do your best to implement. When it dies, let it die quietly. No funeral. No wake. Just let it go.
Re:Clearance Control (Score:2, Insightful)
It's fascinating how this particular piece of right-wing propaganda has become gospel through sheer repetition. When you add up the cumulative value of roads, schools, firehouses, ports and other government-sponsored projects it is most defintely NOT a net drain on the economy. Quite the contrary - it drives the economy.
Re:Clearance Control (Score:3, Insightful)
If the company is huge, it's hard to audit all the systems to ensure no backdoors - especially that local admins have years of experience with said systems, often with custom modifications auditors will have no idea about. If the company is small, it's very expensive to employ a reliable external contractor who will implement security properly (and won't side with the admin instead of the boss, "overlooking" some backdoor). It may be easier in a new company where a system is created from scratch and a different crew is in charge of creating it, than the crew that will maintain it, but still there's nothing that stops an admin from installing an exploit instead of a patch on the mailserver and only regular, unexpected (and very expensive) audits can detect it.
About the best way I know how such situation can be handled is to have dedicated, loyal employees and care for them.
I didn't read my boss' mail. He was a nice guy and it would be rude, and I wouldn't do rude things to a nice guy.
Options and bonuses for boss are sometimes good (Score:4, Insightful)
While I agree that there have been terrible abuses here, I also recognize that sometimes these options and bonuses are appropriate but that is not always readily apparent. First there is the agent problem. The boss is sometimes merely an agent of the owner(s), how do you make sure he acts in a manner that improves the owners situation rather than his own? Options are one way. This also works up and down the ranks, for bosses and workers. The other area where a big seemingly undeserved bonus is appropriate is for the founder(s) who lost interest/investment income by spending his/her saving to start a business, lost salary income as he/she worked for no salary or a partial salary in the early days of the business, who risked their financially security and reputation to pursing a dream, etc. If they get a couple of big bonuses to repay and compensate for the preceding once the company becomes established, IMHO that is fair. I've seen small companies get bought out, and I've seen employees complain that they got a far smaller bonus than the founder they worked side by side with. What these employees failed to realize is that they took little risk, and that their boss made personal sacrifices so that their payroll checks were there on schedule.
Is the above a typical scenario? I have no idea, but I have seen it a couple of times. I believe it happens often enough to warrant mentioning among the stream of expected "bosses are evil and all profit should go to those doing the work" follow ups. Like many topics, things are far more complicated than they seem.
Re:Clearance Control (Score:1, Insightful)
Re:Clueless in the corner office (Score:3, Insightful)
Los Angeles Bar Association: "Lawyers are not required to encrypt e-mail containing confidential client communications because e-mail poses no greater risk of interception and disclosure than regular mail, phones or faxes."
http://www.netlawtools.com/security/emailsecurity
The American National Bar Association takes a similar stance, but the above link does warn that if an unencrypted email is intercepted, the lawyer may be held legally liable.
While it certainly should be necessary for important legal, medical, and other confidential information to be encrypted, it doesn't appear that the Bar association is quite as far ahead of the game as one would hope.
Re:Bullshit (Score:3, Insightful)
That's a perfect strategy for security if you completely disregard human behavior. If you set the stakes so high for forgetting your password, you end up with people either using ridiculously simple passwords (so they remember) or writing their passwords on post-it notes underneath their keyboard. Congratulations, now your system is less secure.
Who me? Never. (Score:1, Insightful)
Re:Clearance Control (Score:3, Insightful)
We do this in a lot of places too, and I think there are perfectly good reasons for it, including security. (eg. If my account ever gets hacked, someone probably still needs to know a much more secure password if they want to give the account more access.) Another is just plain robustness. It's harder for me to accidentally break things when I don't have access to them.
At least as importantly, though, I think it helps the users actually trust us more easily. Most of our users realise that we don't automatically have access to their documents, for instance. They also know from experience that we'll tend to ask them if we ever need to give ourselves access. Another example is with watching (and controlling) their desktops, usually for tech support. We could quite easily configure things to be able to connect at any time, but instead we make sure that whenever we do it, they first get a prompt which asks them if they'll give permission. Obviously it doesn't mean we can't do things without them knowing, but having policies about that sort of thing which people understand really makes it easier to work with the other people in the organisation.