Plans to reduce admin numbers by 90% have probably been misunderstood

A year ago, few beyond the realms of computer security, politics and journalism had even heard of the US National Security Agency (NSA) let alone could explain what it did. Then the Edward Snowden affair happened and suddenly one of the world’s most secretive organizations overnight turned into one which has had its every action and statement pored over with huge fascination.

Even so, when NSA director General Keith Alexander turned up at the International Conference on Cybersecurity in New York on 8 August to speak at a roundtable discussion, he probably didn’t think he was going to say much that hadn’t already been said in recent weeks.

Then he mentioned plans to reduce the number of NSA IT system administrators by a dramatic-sounding 90 percent, and people’s ears pricked up. Edward Snowden was a system administrator, of course, one of around 1,000 employed by the Agency itself, or indirectly through consultancy firms. Was this a way of saying that sysadmins at the NSA had too much power and getting rid of them would reduce the risk of another embarrassing breach?

There is nothing new in IT departments wanting to reduce costs and management overhead by cutting headcount but there seems to have been an assumption that reducing the number of sysadmins is the same as chopping headcount. This is a misunderstanding; but one that reveals some fascinating misconceptions about the job done by sysadmins and the nature of security management.

There was a time when admins were basically men and women flitting from screen to screen and chair to chair but those days are fast disappearing. Since a wave of security threats turned IT provision on its head, admins have come to be seen as roles not heads.

From a security perspective the number of sysadmins is barely half the story; it’s the power they have and how it’s managed (or not managed) that is the real measurement. Put another way, for the NSA or any other organization to fire 90 percent of its sysadmins as if this on its own improves security would be an empty strategy. It’s the privileges and oversight of sysadmins that defines an organization’s security posture, not their number. Even one unmanaged sysadmin with unaccountable and unmanaged access is too many, something underlined by Snowden’s sudden defection.

It’s a concept that is second nature to anyone working with privilege management because in this model everyone is a user regardless of the words on their business card. Some users need access at a specific moment to specific resources but this is granted with careful oversight and the support of audited reports. If that resource is sensitive then access is kept to a minimum required for the task.

It’s an idea touched on in previous blogs, Whose job is it to watch the admins? And also in How a single rogue admin humbled Switzerland’s intelligence agency. There are numerous precedents for the Snowden affair.

This idea is of privilege management is now mainstream enough to be considered industry best practice in many quarters, which brings us back to General Alexander’s plans. The nature of the NSA means we will never be able to study them in detail but it is much more likely that he was referring to a rationalization of roles than a simple reduction in numbers. He also mentioned using pairs of admins to approve certain actions. Regardless, from an executive standpoint General Alexander is absolutely right to take the issue seriously and you’d assume every CEO will now give it similar attention.