I love being a security architect, because I’m always right.  For well over 10 years, I have been trying to convince IT managers to secure their administrators better.  It makes no sense to go to enormous lengths to secure end users if the people who can do the real damage, the network and system administrators, are left to their own devices.  But often they are: I often see shared generic passwords, poor-quality passwords (or even passwords left on the factory default setting!), and passwords never changed (even when administrators leave).  But many IT managers seem to have a blind spot for their administrators and can’t understand why they can’t be trusted.

I am very grateful, therefore, to Edward Snowden, the NSA contractor and sysadmin who collected and published a huge number of highly sensitive and embarrassing documents.  I hope that IT managers in the future will be more receptive to my concerns.

One reason why little has been done about system administrators in the past is that it is actually very difficult to enforce good practices, or indeed any practices, on them.  They’re privileged, and that makes them difficult to control.  But there is now an identifiable class of security tools that can be used to control them.

About a year ago, I set up a Privileged Identity Management (PIM) service for a large client based on the Cyber Ark product set.  Cyber Ark is one of the well established products in this space, but it’s not the only one.  Cyber Ark works by taking control of the administrator passwords.  It changes them periodically, and after use, so administrators cannot treat them as their own property and cannot write them down or give them away.  Instead, administrators log in to a portal to get passwords.  I now believe that a PIM service should be a critical part of all organisations’ security infrastructures.
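To make the check-out/rotate-after-use idea concrete, here is a small model of a privileged-password vault written for this post; it is not Cyber Ark’s code or API, and the account and admin names are made up. It shows the three properties described above: a password is only handed out to a named admin through the vault, it is rotated the moment it is checked back in, and every account an admin ever touched is rotated when that admin leaves.

```python
"""Toy privileged-password vault: check-out, rotate-after-use, audit, offboarding."""
import secrets
import string
from dataclasses import dataclass, field

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def generate_password(length: int = 24) -> str:
    """Random password from a CSPRNG; no admin ever chooses or reuses one."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Vault:
    accounts: dict = field(default_factory=dict)     # account -> current password
    checked_out: dict = field(default_factory=dict)  # account -> admin holding it
    audit: list = field(default_factory=list)        # (event, account, admin)

    def enrol(self, account: str) -> None:
        """Vault takes ownership: the factory/default password is replaced at once."""
        self.accounts[account] = generate_password()
        self.audit.append(("enrol", account, None))

    def checkout(self, admin: str, account: str) -> str:
        """Hand the current password to one named admin; no sharing while it is out."""
        if account in self.checked_out:
            raise PermissionError(f"{account} already checked out by {self.checked_out[account]}")
        self.checked_out[account] = admin
        self.audit.append(("checkout", account, admin))
        return self.accounts[account]

    def checkin(self, admin: str, account: str) -> None:
        """Return the account and rotate, so a written-down password is worthless."""
        if self.checked_out.get(account) != admin:
            raise PermissionError(f"{admin} does not hold {account}")
        del self.checked_out[account]
        self.accounts[account] = generate_password()
        self.audit.append(("checkin", account, admin))

    def offboard(self, admin: str) -> int:
        """Leaver process: rotate every account this admin ever checked out."""
        touched = {acc for ev, acc, who in self.audit if ev == "checkout" and who == admin}
        for account in touched:
            self.checked_out.pop(account, None)
            self.accounts[account] = generate_password()
            self.audit.append(("offboard-rotate", account, admin))
        return len(touched)

    def verify(self, account: str, password: str) -> bool:
        """What the target system would check; constant-time compare."""
        return secrets.compare_digest(self.accounts[account], password)
```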

One thing I learned about PIM systems – they make a significant difference to how administrators do their work.  They’re supposed to, of course.  But you will need to work closely with your sysadmin teams to ensure a smooth transition.