The NSA is Worried About its Sysadmins. But isn’t Everyone?

October 20, 2017

Plans to reduce admin numbers by 90% have probably been misunderstood

A year ago, few beyond the realms of computer security, politics and journalism had even heard of the US National Security Agency (NSA), let alone could explain what it did. Then the Edward Snowden affair happened, and overnight one of the world’s most secretive organizations turned into one whose every action and statement has been pored over with huge fascination.

Even so, when NSA director General Keith Alexander turned up at the International Conference on Cybersecurity in New York on 8 August to speak at a roundtable discussion, he probably didn’t think he was going to say much that hadn’t already been said in recent weeks.

Then he mentioned plans to reduce the number of NSA IT system administrators by a dramatic-sounding 90 percent, and people’s ears pricked up. Edward Snowden was a system administrator, of course, one of around 1,000 employed by the Agency itself, or indirectly through consultancy firms. Was this a way of saying that sysadmins at the NSA had too much power and getting rid of them would reduce the risk of another embarrassing breach?

There is nothing new in IT departments wanting to reduce costs and management overhead by cutting headcount, but there seems to have been an assumption that reducing the number of sysadmins is the same as chopping headcount. This is a misunderstanding, but one that reveals some fascinating misconceptions about the job done by sysadmins and the nature of security management.

There was a time when admins were basically men and women flitting from screen to screen and chair to chair, but those days are fast disappearing. Since a wave of security threats turned IT provision on its head, admins have come to be seen as roles, not heads.

From a security perspective the number of sysadmins is barely half the story; it’s the power they have and how it’s managed (or not managed) that is the real measurement. Put another way, for the NSA or any other organization to fire 90 percent of its sysadmins as if this on its own improves security would be an empty strategy. It’s the privileges and oversight of sysadmins that define an organization’s security posture, not their number. Even one unmanaged sysadmin with unaccountable and unmanaged access is too many, something underlined by Snowden’s sudden defection.

It’s a concept that is second nature to anyone working with privilege management because in this model everyone is a user, regardless of the words on their business card. Some users need access at a specific moment to specific resources, but this is granted with careful oversight and the support of audited reports. If that resource is sensitive, then access is kept to the minimum required for the task.

It’s an idea touched on in previous blogs, “Whose job is it to watch the admins?” and “How a single rogue admin humbled Switzerland’s intelligence agency”. There are numerous precedents for the Snowden affair.

This idea of privilege management is now mainstream enough to be considered industry best practice in many quarters, which brings us back to General Alexander’s plans. The nature of the NSA means we will never be able to study them in detail, but it is much more likely that he was referring to a rationalization of roles than a simple reduction in numbers. He also mentioned using pairs of admins to approve certain actions. Regardless, from an executive standpoint General Alexander is absolutely right to take the issue seriously, and you’d assume every CEO will now give it similar attention.

John Dunn
