Network admins with too much control a common problem

'Keys to the kingdom' are often the center of IT strife

The issue isn't just control over passwords, but also over documentation relating to configurations and changes. Often in situations such as this, "requests for access, passwords and documentation are frequently taken as hostile acts by those that have been holding the keys to the kingdom," he added. "In my experience I have encountered this type of situation on more then one occasion," he said. In one incident, a mainframe systems programmer had to be fired for changing access rights because he disapproved of others' activities on the system, Michael said. In another case, the individual resigned when he "realized that the pressure to follow processes and procedures was not going to go away despite the protesting," Michael said.

These practices persist due to lack of resources and prioritization, said Richard Gorman, CEO of Vormetric, a vendor of database security and encryption products. "For many organizations, security is not a mission-critical priority until it has been breached," Gorman said. As a result, it is not unusual to find many companies handing over control of entire networks and systems to one individual. "There is no valid technical reason to do this," and it is something that can always be avoided. Nonetheless, it is "surprisingly common."

Especially in smaller and medium-sized companies, control is vested in a single individual in order to more cost-efficiently troubleshoot problems and take care of daily administrative tasks such as resetting passwords, said Raj Rajamani, product manager at Solidcore Systems, a vendor of change management products.

"If you have one person serve as an administrator, then have another person audit the administrator, and have yet another person audit the auditor, you get into a costly and time-consuming cycle of inefficiency," he said. Tools are available to do this sort of auditing, but often the process can be more of an impediment than a benefit, he said.

"Single points of failure are always bad," said John Pescatore, an analyst with Gartner. "There should never be one person who is the only person who knows the configuration or the password." Companies need to make sure there are at least two if not three people who share the knowledge of network configurations and server configurations. "As a minimum, require it to be documented and stored somewhere if personnel limitations say you can't have personnel with overlap," Pescatore said.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about Gartner

Show Comments