The NSA is Worried About its Sysadmins. But isn’t Everyone?

October 20, 2017


Plans to reduce admin numbers by 90% have probably been misunderstood

A year ago, few beyond the realms of computer security, politics and journalism had even heard of the US National Security Agency (NSA), let alone could explain what it did. Then the Edward Snowden affair happened, and overnight one of the world’s most secretive organizations turned into one which has had its every action and statement pored over with huge fascination.

Even so, when NSA director General Keith Alexander turned up at the International Conference on Cybersecurity in New York on 8 August to speak at a roundtable discussion, he probably didn’t think he was going to say much that hadn’t already been said in recent weeks.

Then he mentioned plans to reduce the number of NSA IT system administrators by a dramatic-sounding 90 percent, and people’s ears pricked up. Edward Snowden was a system administrator, of course, one of around 1,000 employed by the Agency itself, or indirectly through consultancy firms. Was this a way of saying that sysadmins at the NSA had too much power and getting rid of them would reduce the risk of another embarrassing breach?

There is nothing new in IT departments wanting to reduce costs and management overhead by cutting headcount, but there seems to have been an assumption that reducing the number of sysadmins is the same as chopping headcount. This is a misunderstanding, but one that reveals some fascinating misconceptions about the job done by sysadmins and the nature of security management.

There was a time when admins were basically men and women flitting from screen to screen and chair to chair, but those days are fast disappearing. Since a wave of security threats turned IT provision on its head, admins have come to be seen as roles, not heads.

From a security perspective, the number of sysadmins is barely half the story; it’s the power they have and how it’s managed (or not managed) that is the real measurement. Put another way, for the NSA or any other organization to fire 90 percent of its sysadmins as if this on its own improves security would be an empty strategy. It’s the privileges and oversight of sysadmins that define an organization’s security posture, not their number. Even one unmanaged sysadmin with unaccountable and unmanaged access is too many, something underlined by Snowden’s sudden defection.

It’s a concept that is second nature to anyone working with privilege management, because in this model everyone is a user regardless of the words on their business card. Some users need access at a specific moment to specific resources, but this is granted with careful oversight and the support of audited reports. If that resource is sensitive, then access is kept to the minimum required for the task.

It’s an idea touched on in previous blogs, “Whose job is it to watch the admins?” and “How a single rogue admin humbled Switzerland’s intelligence agency”. There are numerous precedents for the Snowden affair.

This idea of privilege management is now mainstream enough to be considered industry best practice in many quarters, which brings us back to General Alexander’s plans. The nature of the NSA means we will never be able to study them in detail, but it is much more likely that he was referring to a rationalization of roles than a simple reduction in numbers. He also mentioned using pairs of admins to approve certain actions. Regardless, from an executive standpoint General Alexander is absolutely right to take the issue seriously, and you’d assume every CEO will now give it similar attention.

John Dunn
