Principle of Least Privilege and SysAdmin

I am often fascinated, or should I say disgruntled, by the lack of emphasis on the principle of least privilege (POLP). Don’t get me wrong, who wouldn’t want to be a SYSADMIN? Ask me that question, and I’ll answer immediately. The answer will always be YES! And that’s a “YES” with a smile.

Let’s be serious, would you give your child and your child’s friends access to your bank account? I certainly wouldn’t. And it’s not because I don’t want my child to have access to some cash – I don’t want her to have unrestricted access to my account.

Instead of adhering to the principle of least privilege, database administrators, developers, and business users alike are routinely handed the sysadmin server-level role.

I understand that even in this day and age we are still humans, we are not perfect, and we are prone to make the simplest of mistakes. However, it is time to hold ourselves accountable for those mistakes and adopt changes, such as POLP, to help rid us of those behaviors.

What is the principle of least privilege (POLP)?

The principle of least privilege (POLP) states that users, accounts, and computing processes should have minimal access to only those resources required to perform routine, legitimate activities.

I know, I know. Everyone knows this, blah blah blah. But really, how many of us practice POLP?

We have all been there: we inherit a system where everyone is a sysadmin. It may be tempting to revoke the sysadmin permission right away; however, proceed with caution and do your due diligence first. Ask your peers and your manager why those accounts are sysadmins, document their responses, and propose alternative roles that will satisfy the application’s or users’ “routine, legitimate activities.”
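A concrete version of that due-diligence step for SQL Server, as an added example that is not part of the original post: it first inventories who currently holds sysadmin, then moves one hypothetical login, [app_reporting], to read-only access on a hypothetical database [SalesDB] before dropping it from sysadmin. Both names are assumptions; the script must itself be run by a sysadmin.

```sql
-- Step 1: inventory current sysadmin members so each one can be questioned and
-- documented before anything is revoked.
SELECT  sp.name        AS login_name,
        sp.type_desc   AS login_type,   -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP ...
        sp.is_disabled,
        sp.create_date
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r  ON r.principal_id  = rm.role_principal_id
JOIN    sys.server_principals   AS sp ON sp.principal_id = rm.member_principal_id
WHERE   r.name = N'sysadmin'
ORDER BY sp.name;

-- Step 2: for the hypothetical reporting login [app_reporting], whose documented
-- routine activity is read-only queries in the hypothetical [SalesDB], grant the
-- narrow rights FIRST so the application never loses access during the change.
USE SalesDB;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'app_reporting')
    CREATE USER [app_reporting] FOR LOGIN [app_reporting];
ALTER ROLE db_datareader ADD MEMBER [app_reporting];

-- Step 3: only now remove the broad server-level role and verify the result.
-- (The built-in [sa] login cannot be dropped from sysadmin; disable it instead.)
ALTER SERVER ROLE sysadmin DROP MEMBER [app_reporting];
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'app_reporting') AS still_sysadmin;
```

IS_SRVROLEMEMBER returns 1 while the login is still a member and 0 once it has been removed, so the final SELECT is the check to record alongside the documented justification.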


1 comment

  1. James, April 1, 2018 at 7:09 pm

    I definitely shared your experiences. This is nothing new, but sysadmins and DBAs today are frequently neglecting POLP. Managers need to do more auditing of the systems and not wait for an auditing firm to tell them the obvious.
