
IT's Double Standard

When it comes to trust and security, IT pros don't always practice what they preach

1:15 PM -- IT people love to complain about their end users. They tell funny stories about boneheaded employees who leave their passwords stuck to their computers. They grit their teeth when users click on email attachments from strangers. End users, they say, are too damn trusting, not to mention forgetful.

Up until now, I've always felt that this righteous indignation was justified. I mean, IT people are smart about security, and they don't trust anybody, right? But this week, I wrote a story that burst my bubble. (See IT's Roving Eyes.)

It started out innocently enough. I wanted to know how often IT people "peek" at sensitive documents, just because they can. I figured maybe it was like having the key to someone's diary: You know you're not supposed to look, but it's there, and you just can't help yourself.

What I found out was that many IT people not only snoop as a guilty pleasure, but they feel it's their right to do so. Now, I'm not talking about reading files as part of a security audit or as an end-user monitoring technique. I'm talking about looking at personal emails, and sensitive payroll and personnel information that nobody outside of human resources is authorized to see.

Let's put aside the whole question of ethics -- and it's a big one -- and just look at this practice from a business perspective. Across the security industry, companies are being browbeaten and reviled for exposing personal data to strangers. A few companies have literally been put out of business by the SEC for exposing insider information to unauthorized users.

Yet anybody in the IT department who has the right access codes can access any data, at any time? Because the IT department is trusted. Sheesh, and they say users are too trusting.

And it's not just IT access policies that create risk. Even security technologies themselves leave gaping holes for "trusted" IT people to crawl through. For example, most tools for monitoring end-user behavior offer a whitelist feature that enables IT people to exempt themselves from online surveillance. In fact, most IT security tools assume that the people who are operating the tools are to be trusted. And even if you did want to install a tool to investigate IT's behavior, how would you install it without the knowledge and help of IT?

Now, I'm not saying that most IT people can't be trusted. The fact is, this iffy situation has existed for decades, and there have been very few documented cases of IT staffers committing crimes. (See Ex-UBS Sys Admin Found Guilty.) But in this day and age, when security auditors swarm, and companies are forced to report the theft of every laptop, shouldn't there be more stringent methods of restricting access in a large IT department so that staffers can see only the systems and documents they are authorized to see?
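The two gaps the column describes, blanket access for the IT group and a monitoring "whitelist" that lets operators exempt themselves, are both checkable from data an organization already has. The following is an added example, not code from the column or from any product it mentions; the share path, group names, account names and the shape of the monitoring policy are all constructed assumptions. It reviews a payroll share's ACL against the groups actually authorized to see it, and reports any monitoring exemption that covers a privileged account.

```python
"""
Access-review helper for two "trusted IT" checks:
  1. who can read a sensitive share without being in an authorized group
  2. which monitoring exemptions cover privileged accounts

All data below is constructed for illustration. Resource names, group
names, account names and the policy layout are assumptions, not any
real directory export or monitoring product's format.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    resource: str
    principal: str      # a user account or a group name
    access: str         # "read" or "write"


# Constructed group membership (stands in for a directory export).
GROUP_MEMBERS = {
    "HR-Payroll": {"alice", "bob"},
    "Domain-Admins": {"carol", "dave"},
    "Helpdesk": {"erin"},
}

# Constructed ACL for a payroll share. Only HR-Payroll is supposed to see it.
PAYROLL_SHARE = r"\\files\payroll"
PAYROLL_ACL = [
    AclEntry(PAYROLL_SHARE, "HR-Payroll", "read"),
    AclEntry(PAYROLL_SHARE, "Domain-Admins", "read"),   # the "trusted IT" hole
    AclEntry(PAYROLL_SHARE, "erin", "read"),            # a stray direct grant
]

# Which groups are authorized for which resource (constructed policy).
AUTHORIZED = {PAYROLL_SHARE: {"HR-Payroll"}}

# Constructed monitoring-tool policy with an exemption ("whitelist") list
# that removes accounts from activity logging.
MONITORING_POLICY = {
    "log_user_activity": True,
    "exempt_users": ["carol", "svc-backup"],
}


def expand_principal(principal, group_members):
    """Resolve a group name to its member accounts; a user resolves to itself."""
    return set(group_members.get(principal, {principal}))


def find_unauthorized_access(acl, authorized, group_members=GROUP_MEMBERS):
    """Return {resource: {user, ...}} for every account that can reach a
    resource without belonging to any group authorized for it."""
    findings = {}
    for entry in acl:
        allowed = set()
        for group in authorized.get(entry.resource, set()):
            allowed |= group_members.get(group, {group})
        for user in expand_principal(entry.principal, group_members):
            if user not in allowed:
                findings.setdefault(entry.resource, set()).add(user)
    return findings


def find_privileged_exemptions(policy, group_members=GROUP_MEMBERS,
                               privileged_groups=("Domain-Admins",)):
    """Return exempted accounts that hold privileged group membership, sorted.
    A tool that lets its own operators opt out of logging yields no evidence
    about exactly the people with the most access."""
    privileged = set()
    for group in privileged_groups:
        privileged |= group_members.get(group, set())
    return sorted(set(policy.get("exempt_users", [])) & privileged)


if __name__ == "__main__":
    for resource, users in find_unauthorized_access(PAYROLL_ACL, AUTHORIZED).items():
        print(f"{resource}: unauthorized read access for {sorted(users)}")
    print("privileged accounts exempt from monitoring:",
          find_privileged_exemptions(MONITORING_POLICY))
```

Run against the constructed data, the first check reports carol, dave and erin on the payroll share (the admins through their group, erin through a direct grant), and the second flags carol as a privileged account the monitoring tool has been told to ignore. In practice the inputs would come from an ACL dump and the tool's exported policy, and the report would go to someone outside the IT group that administers both.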

IT people may be exceptionally skilled and knowledgeable, but they're still people. In each bunch, you're going to find a few bad ones. If we're going to close all of the potential vulnerabilities in enterprise systems, we should take a hard look at the access controls used by the "trusted" people who operate them. Otherwise, we're behaving just as naively as the users we're always complaining about.

Note: Your responses are invited! But please don't send email -- post your feedback to the Dark Reading message board.

— Tim Wilson, Site Editor, Dark Reading
