Who’s Auditing The Auditor?
This is all good and wonderful but, hold on, there are a couple of glaring issues. First of all, who controls the controller? The writer talks at length about logging the activity of the super user; but remember, the super user has access to all these logs. You got it, he can delete logs, he can suspend logging, he can even put his hands in the access control system and change the log management. Therefore, if a “super user” wants to cause havoc, there’s really very little you can do to stop him.
Access control is of extreme importance to prevent mistakes and stop unauthorized access; but, aside from those two measures, does barely anything to stop high level crooks who are hell-bent on causing havoc.
When you reach that stage, if your organization permits it, you’ll need ‘double keys’ ~ access to certain things can only happen when 2 people are logged on. For example with 2 different passwords, known by 2 different users, both of whom clearly understand that if one learns the other’s password, his (or her) job is over, there is no mercy.
The other grave issue is that while this is great for large organizations, small organizations don’t (or can’t afford to) have this luxury. Very often, the one same person wears multiple hats, i.e., there’s only one administrator cum super-user and he/she is the IT god. So, expecting to exercise any (let alone optimal) control on this person is, in my opinion, purely wishful thinking.
In almost everything else, though, I concur with the writer, and certainly, I agree with the idea of roles. True, it’s not new but it’s the only one that makes sense. You’re not allowed to access salary data because your name is Joe but because your job title is HR Director!
Still, the point remains, in smaller companies, how do you deal with higher-ups pulling rank and accessing more than they need and/or should have privy to? In addition, for the logging review; a good log management system costs upwards of $20,000 for a small company.
Typically, small companies are already stretched when they need to spend more than $2000 on a firewall, and now, here we are, asking them to dish out $20,000 (or more) for a log management system?
For as much as I’m convinced this is even more useful than a firewall, the sad fact remains that the market needs to come down quite a bit before these devices will become more ubiquitous. Until that happens, I really don’t see any small/medium company spending that amount of money unless some strong regulation compels them to do so.