[LINK] No more human sysadmins??
Robert Brockway
robert at timetraveller.org
Fri Aug 9 17:41:40 AEST 2013
On Fri, 9 Aug 2013, Bernard Robertson-Dunn wrote:
> Sysadmins can only get at data that is viewable with "common" programs
> e.g. data in files with .txt .docx .wri type extensions.
>
> If the data are held in an application and can only be accessed via that
> application, then sysadmins can't get at the data - they need
> application level access.

The sysadmin responsible for managing the application will have privileged
access. The sysadmin responsible for the operating system can likely
access the application data outside of the security model imposed by the
application. This may mean direct database access or accessing files on
the filesystem. This access is often not audited and even if it is, the
sysadmin is often quite capable of hiding their tracks well. Sysadmins
with access to the backup system can grab the data from there.

There are approaches that can be taken to limit this sort of behaviour but
they generally take a level of effort and discipline I've rarely seen in
organisations.

> It is quite possible and relatively easy to arrange access such that
> sysadmins can't see or copy data and people who can see and change data
> can't do things to the system.

I don't agree that it is easy at all. Siloing can be used to restrict
access but it tends to be an expensive and cumbersome approach - so much
so that most organisations don't use it at all, even many that should.

Cheers,
Rob
--
Email: robert at timetraveller.org Linux counter ID #16440
IRC: Solver (OFTC & Freenode)
Web: http://www.pracops.com
Director, Software in the Public Interest (http://spi-inc.org/)
Information is a gas