Sys-Admins Reading the Bosses Mail?

PetManimal writes "Computerworld has an article about IT staff who have access to corner-office email. Systems administrators, database administrators, storage administrators and higher level IT super users are the types who may access sensitive executive information; one source quoted in the article says that in a company with 1,500 employees, there might typically be five to 10 administrators who have this access. As for how many abuse these priviledges, it's hard to tell, but rogue admins out for workplace revenge or personal gain can wreak havoc: '... Experts agree that the severity of these occurrences generally makes them more harmful than external attacks. One of the biggest obstacles to eliminating unauthorized access is determining how many people have it. Access lists are particularly difficult to formulate in both mature companies, where the number and power of administrators have expanded over periods of years, and small companies, where rapid growth leads to undocumented tangles of administrators who are able to maintain their access because nobody has time to assess their status.'"

there is no procedural or techical solution

[maynard]

Whoever has access to sensitive company information is a threat to the company. It doesn't matter if they are a sysadmin or an executive. Limiting access may help, but at a certain point someone must know these details within a firm. And sysadmins cannot do their jobs without full access to the systems they support.

The solution is regularly teaching business ethics to students. Perhaps even make it mandatory to earn a degree. Certainly mandatory for a graduate degree.

Clueless in the corner office

[overshoot]

The same executives wouldn't keep sensitive paper documents in an unlocked drawer, though.

I realize it's a business problem when the CxO doesn't have a clue about encryption, but who's going to demand he get some education?

FWIW, the legal profession actually has directives from the Bar Associations on when it's even permitted to use e-mail, and if so when encryption is required. Sometimes it's nice to actually have authority over you.

Re:Clearance Control

[Coffee Warlord]

There's no reason why a company, new, mature, huge, or small shouldn't be able to institute a similar policy in terms of access.

Frankly, I say it's a nightmare for a small company when a big boss reads shit like this, freaks out, and all of a sudden you have to spend the next week trying to implement some goofy policy that will either be totally ignored, or tossed aside when it becomes a hassle. For larger companies, yes, internal security is no laughing matter. For small companies, when there's one, maybe 2 admins running the show, it's a wasted expense. They don't need intricate security policies. They need nothing more than, "Okay, I can access everything, everyone else can access their own shit. Done."

Re:Clearance Control

[paranode]

Clearances are expensive and time-consuming, many companies cannot afford to do it unless it is a stipulation of their contract (eg defense contractors). And you can also bet that it will cut your available workforce significantly.

TRUST.

[DRAGONWEEZEL]

How very true. I have to say that if you don't trust your employees, they can't do their job. If they can't do their job, how are their supervisors going to do supervisory work? etc etc.

From a CEO's perspective you trust that your subordinates do their job, so that their subordinates are able to do their job all the way down to janitorial staff. Granted your level of trust declines proportionally to the level of visibility, but if the janitorial staff fails to take out the garbage for a week...

Re:Clearance Control

[Lehk228]

User controlled DRM is not a problem at all, in fact it is a very powerfulsecurity tool. the problem is when you have to turn over the keys to your kingdom to microsoft, apple, the RIAA, etc.

Fucking Computerworld fear-mongering!

[Robber Baron]

No shit Sherlock! Did you figure that out all by yourself?!? Of course I can read their e-mail! I'm a sysadmin and I set up the frigging mail system in the first place! Duh!
What they fail to grasp is I don't have time to be going through their shit!
Conversely PHBs don't have time to learn how to admin mail systems, which is what they'd have to do in order to keep me out.

Here's a novel concept: Why don't you simply try hiring people who are trustworthy?

Re:This is normal and necessary

[snarlydwarf]

I have complete access to read (and even modify! w00t! that could be fun!) email for some 15,000 people.

Unlogged.

Do I?

Hell, no.

It would be nice to pretend it is all about ethics, but let's be realistic: it is really about "why would I -care- what they are jabbering about?" These are people who complain about getting "unbearable amounts of spam" when they get a total of a half dozen emails a day...

Sorry: nethack, dinking around on forums and mailing lists, listening to music... all of them are much more important than the sort of nonsense people send in mail. I really don't care what people mail each other, how many porn sites they visit or whatever it is they actually do online as long as they leave me alone.

It isnt ethics: it is pure and simple apathy about them.

Re:It is all part of the job

[eodmightier]

Our HR person has access to my SSN and all sorts of private information. OH NOES!!

Our accounting person has handled personal bank information for my direct deposit information. OH NOES!!

Lets make everyone who does anything get licensed by the state. That is what we need. More state licensing.

Re:there is no procedural or techical solution

[peragrin]

Funny I have just that setup at home. I have an encrypted disk image(Yes I run OSX that's why this works and is easy for any idiot to implement)

as I was saying, I have an ecrypted disk image, which stores my sensitive files. Tax file documents, and other such documents. Also on that image are the data files, and configuration files for an application. The data files are encrypted by the application, so that I can have my passwords secured(twice).

When i double click on the app it tries to load it's configuration but the files aren't on the volume as it's not mounted. OS X tries to auto mount the encrypted disk image only to stop to require a password. The image decrypts and mounts allowing the App to finish loading. Another password in the app and I can access my password. Total access time 20 seconds. Knowing my passwords are protected by two different passwords with two different types of encryption. Priceless.

How to keep secrets secret

[Anonymous Coward]

Here's what I just helped a small corp do: Setup proper data encryption with key-recovery.

The layout is simple, the CEO/CIO/CFO and any other data that's subject to Sar-Box is encrypted using a key where the PW is only known to the individual who's responsible for that data. The only difference involves the CEO/President key that is the master, with all others being derived from it as s/he is supposed to have total access.

The key-recovery solution requires 5 key shares, 3 of which are must be from the Board along with 2 independent holders. What this means is that they need 3 board members and the two outside agents to recover any data that's encrypted should the CEO/President be incapacitated, otherwise, the CEO/President can reencrypt the data with the key of the replacement Senior Exec without involving the board directly as that's within the CEO's authority as designated by the Board.

Does this work? Well it was a bitch to setup and get everyone up to speed but it certainly seems to be working as designed and implemented.

Malicious... or just plain crazy?

[fractalus]

At one small company I once worked at, my Windows box popped up a strange notice one day that someone else was using my IP. Since my IP was fixed (so that I could access various IP-restricted network devices) this immediately raised some red flags. We began looking for the culprit; something must've tipped off the hacker because we found ourselves locked out of our mail server. Since access to the mail server was only permitted from inside our network, we shut off our net access, hoping to block the hacker while we got back into our server.

We tracked the hacker down. It turned out it was another admin, who had gone some kind of crazy. He had three NICs in his desktop box all configured to impersonate different machines, he had re-routed the boss's email through his mailbox (and some clients' mail too), and had all kinds of other things going on. And he had sat there the whole time we were trying to ID the hacker, pretending nothing was going on, all the while trying to stay ahead of us. Strangest thing I ever saw.

Yes, he was fired. He really didn't seem to know why he'd done it (none of it made rational sense) and he'd really put his family in a bind. I think he was sick, but I'm not a psychiatrist.

two man rule

[thanasakis]

There are methodologies that can ensure that certain types of actions cannot be done without two admins working together. Can this be done for the action of reading someone elses email? If it was possible, they would have to conspire to read the bosses email. Anyone has any good links?

Re:Clearance Control

[Maximum Prophet]

Welcome to small business. Most usually have one or two key players that, if they die, the business dies with them. Usually, this is the founder, but not always. Sometimes, the president/founder/Grand Poobah doesn't realize who this key player is, and he fires that key player only to see his business fail, because he was too egotistical and arogant to notice that the company revolved around someone else.

Many small businesses have several key player that would severly hurt the company if they left. I was working at a small database company many moons ago, and was offers a consulting gig in a far off state at twice my current salary and I jumped at the chance. I had no clue that there was a million dollar contract riding on the project I was working on. Once the customer heard I was leaving, the contract evaporated. If they had only let me know that what I was doing really mattered, I might have stayed. (at a higher rate)

Bullshit

[Overzeetop]

In small business, there is (noramlly) no need for high security beacuse you can't Really Fuck Things Up (TM) like you can in big business where there are billions at stake.

In big business, the data should be secure. Period. You lose your password, you lose your information - it's that simple. Oh, sure, you can^Wmust have a contingency plan (the three board members and an outside law firm) if somebody gets hit by a bus, but it really should be a hard process to implement retrieval. Would that embarrass the forgetee? Hell yes; that's the point.

If you're in charge of IT you should _want_ there to be no way for you (or any single individual other than the owner) to retrieve that data. And you should have that policy in writing, with buy in from the top.

The key here is that losing data is not an excuse for lax scurity. All data in business can be reproduced, at the cost of time and effort (=$$). It's a simple cost of doing secure business, and an incentive for executives to be midful of their responsibilties. Don't worry, they get paid enough to figure out how to commit a password to memory. If your executives don't believe that such security is necessary, then they either really don't need security (cough*bullshit*cough) or they shouldn't be making these kinds of decisions (cough*McDonaldsManager*cough).

Re:Clearance Control

[Dun Malg]

A friend in the Government once told me that after the Pollard spy scandal the Government rethought the way it handled clearances. So now there is a discreet pool of clearances. There's no reason why a company, new, mature, huge, or small shouldn't be able to institute a similar policy in terms of access.

As a holder of a TS clearance and former military intelligence goon, I can tell you that there are PLENTY of reasons why a private company shouldn't implement a similar policy. The primary problem is that it introduces a huge amount of bureaucratic "friction" to anything you do. By my estimate, I spent about 20% of my time as an analyst dealing with the various forms of "hoop jumping" required to get anything done with heavily classified and compartmentalized information. For example, I might want to ask a guy specializing in "compartment A" stuff about something, but if the material I'm working with contains "compartment B" intel, I have to try to either a) try to recompile the material to omit "B" intel while still making sense (tedious, takes time, might not even be possible); or b) get him signed off with "B" clearance (takes even longer, might not even be possible). Since the government is already produces nothing tangible and operates as a net drain on the economy anyway, this massive waste is just more of the same. In a corporate environment, though, a government-style security policy would be a monstrous drain on productivity and, in turn, profitability.

Re:Clearance Control

[1stpreacher]

I equate many of these positions to the janitor (and sometimes I've felt like a janitor) while he may not get paid much, and may not get much respect ... He's one of the few guys that has keys to the WHOLE building... You just have to trust some people. Or don't hire them...

Re:Funny but...

[Kelbear]

http://en.wikipedia.org/wiki/Efficiency_wage_hypot hesis [wikipedia.org]

Reading the parent's post made me recall this footnote from my economics classes. It's a theory that when you pay your employees well(i.e, better than the average competitor), you'll find advantages in that employee's performance. If you're in a good job and know you're being treated like you're a good employee, the theory is that this serves to discourage you from being a bad employee since you're risking the loss of a good thing.

There's other reasons involved in this theory too though. If your compensation is that of a good employee, you're expected to be worthy of it, and your conscience may urge you to live up to such expectations.

Of course, there's diminishing returns from doing this, but the point is...

If an employee is important enough to possibly damage a company with negligence or malice, maybe that employee should be treated a little better to encourage them to put more effort in to avoid such things from happening. Economically, the additional compensation should reflect the chance of the damage times the cost of the damage if it were to occur, but it's not something easily measured.

EU member states called on to encrypt e-mail

[SgtChaireBourne]

e-Mail per se has the same level of security as a postcard. Any company rellying on the mail being kept secret are just complete idiots.
As you point out, the only solution is to keep the data safe. In case of e-Mail, any critically confident information should be PGP/GPG crypted,

That makes it safe not only on the server, but in transit as well which may be more of a benefit.

Interestingly, this very topic came up recently and you might find the following interesting:

" 29. Urges the Commission and Member States to devise appropriate measures to promote, develop and manufacture European encryption technology and software and above all to support projects aimed at developing user-friendly open-source encryption software;

30. Calls on the Commission and Member States to promote software projects whose source text is made public (open-source software), as this is the only way of guaranteeing that no backdoors are built into programmes;

31. Calls on the Commission to lay down a standard for the level of security of e-mail software packages, placing those packages whose source code has not been made public in the "least reliable" category;

32. Calls on the European institutions and the public administrations of the Member States systematically to encrypt e-mails, so that ultimately encryption becomes the norm; ..."

European Parliament resolution on the existence of a global system for the interception of private and commercial communications (ECHELON interception system) (2001/2098(INI)) [eu.int]

(my emphasis above)
That's an EC resolution - a finished decision. We've known about the problem for years and years, we've had the solution at hand since PGP/GPG, and even the politicians have caught on: EU member states are called on to use encryption for e-mail, not only use software which can be independently code audited. Now, why aren't we following it yet?

Re:Clearance Control

[timeOday]

You have to turst people somewhat, but you can encrypt your stuff.

But to be adopted, any such solution would have to protect the bosses' email from peons while still allowing convenient access to the peons' email by the bosses. Companies don't want email to be private, what they want is to control who can read whose mail. And of course the government is above all of them, making requirements that even the bosses' emails are archived and subject to subponea later on. In fact, President Bush stated [washingtonpost.com] in an interview just yesterday that he never uses email, because it leaves a permanent record:

"In a CNBC interview with Maria Bartiromo, Bush was asked a question on many of our minds: 'I'm curious, have you ever Googled anybody? Do you use Google?'

"According to CNBC's unofficial transcript, he replied: 'Occasionally... 'I tend not to email or -- not only tend not to email, I don't email, because of the different record requests that can happen to a president. I don't want to receive emails because, you know, there's no telling what somebody's email may -- it would show up as, you know, a part of some kind of a story, and I wouldn't be able to say, `Well, I didn't read the email.' `But I sent it to your address, how can you say you didn't?' So, in other words, I'm very cautious about emailing.'"

Re:Clearance Control

[gwayne]

Haha...that reminds me of a print shop I used to run. I was a part-time employee and college student, but I did all the quoting, typesetting, pre-press and some of the press work. The owner sold out to some guy who decided he needed a full-time office manager, and since I was only part-time, he hired some bimbo who didn't know dick about printing to run the place. I put up with her trying to tell me how to do my job for a few weeks. Then one day I needed $10 out of petty cash for supplies to finish a printing job. She refused to let me have it, so I quit right there on the spot. The next day the pressman quit. Less than a month later the business closed.

BWAHAHAHAHAHAHAH! F*CKERZ!

Re:Clearance Control

[thethibs]

Janitors have the keys to the whole building, but none of the file cabinets.

And, yes, the analogy is a good one. Read the rest of this thread; do the Dilbertian attitudes presented make you feel warm and fuzzy about the loyalty and trustworthiness of the avarage sysadmin? Sysadmins should have enough access to maintain the systems, but not enough to modify their own personnel files or read their boss' mail (at least not without leaving a trail).

Achieving this is not rocket science with a modern system. Hell, it's never been rocket science; Banyan Vines had the required features fifteen years ago. Compartmentalization is baseline security.