Watching the Watchers…Redux
Keeping an eye on those in power has always been a staple of relatively open governments and well-organized IT shops. Let’s focus on the latter, given that a discussion of the former could easily lead to rants. Visit EFF for more info on THAT area.
Keeping an eye on IT people with greater privilege levels has always been a challenge. Obviously, this could extend to NON-IT staff as well (Enron, anyone?), but in the information security division, we’re often dealing with abuse of privileges related to something or someone in IT. I really see four distinct levels of privilege monitoring that need to be considered:
- The System Level: This is the realm of SysAdmins, who actually manage systems and make changes to them. Often, these teams will have Administrator or Root privileges to groups of platforms.
- The Application Level: This level pertains to the DBAs and Developers of the world, who may have some degree of control over systems by extension of their control over the critical apps *running* on the system.
- The Network-Infrastructure Level: This level relates to the network “plumbing”, or pieces and parts that hold the environment together. Network admins fall into this category.
- The Backbone or Service Provider Level: Plumbing on a “macro” scale.
Most of us, in our organizations, tend to focus on the first three levels. We’re all using the traditional mechanisms to accomplish this, too – tools like “su” and “sudo” for *nix systems, UAC and “RunAs” for recent Windows varieties, and logs, logs, logs. Applications and network device OSs have their own mechanisms, too, most of them similar in nature to “su” and “sudo”.
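The “logs, logs, logs” part only watches anyone if somebody reads them. As an added example (not from the original post), here is a small reviewer for the sudo lines that Debian-style systems write to auth.log: it keeps the full audit trail per user and pulls out the two things a watcher cares about most, denied attempts and interactive root shells (which hide whatever is run inside them). The sample log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample auth.log lines in the format sudo writes via syslog.
SAMPLE_LOG = """\
Mar  3 09:12:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 09:15:44 web01 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 09:16:02 web01 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 09:20:10 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar  3 09:31:00 web01 sudo:    carol : TTY=pts/2 ; PWD=/srv/app ; USER=postgres ; COMMAND=/usr/bin/psql
"""

# A successful sudo line has no "reason" field; failures carry one before TTY=.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Commands that give an interactive shell, after which sudo logs nothing further.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/bash", "/bin/su"}


def parse_sudo(log_text):
    """Return one dict per sudo line; 'reason' is empty when the command was allowed."""
    events = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["reason"] = (ev["reason"] or "").strip()
            events.append(ev)
    return events


def review(events):
    """Split the routine audit trail from the entries a reviewer should look at."""
    findings = []
    for ev in events:
        if ev["reason"]:
            findings.append(("denied", ev["user"], ev["reason"], ev["cmd"]))
        elif ev["target"] == "root" and ev["cmd"].split()[0] in SHELLS:
            findings.append(("root-shell", ev["user"], "shell escape; later commands not logged", ev["cmd"]))
    per_user = Counter(ev["user"] for ev in events)  # activity count per admin
    return findings, per_user


if __name__ == "__main__":
    found, counts = review(parse_sudo(SAMPLE_LOG))
    for f in found:
        print(f)
    print(dict(counts))
```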
What about the backbone level, though? What can we do to exert “control” over what passes through? We’ve certainly got end-to-end encryption, but that may not be practical for everything. Simply monitoring Web browsing habits can reveal a lot about us, and much of this traffic is totally open. Recently, this very issue came up in Europe, as reported by BBC News. With all the talk about Cloud Computing, and sending more data and transactions outside our traditional IT infrastructures, we should all be concerned with what access people have to our private and sensitive data, habits, etc. Another issue: how do I know for certain that my private data is deleted after I request that it be removed from some Web site/service? All good questions. There are good and bad aspects of “watching” – for example, I don’t particularly care for my government spying on me (especially in the name of “anti-terrorism”. Sheesh.) But keeping an eye on those who are in positions of trust and authority? All for it.