Businesses Are Over-granting Privilege and Failing to Limit Sys-admin Access

System administrators often need wide-ranging access to systems and devices to do their jobs, but systems are not the same as data. Many individuals working in IT departments are in fact in relatively junior roles, and they may often be contractors from third parties. Access to confidential data should be just as limited for them as it is for “normal” users.

However, this is often not the case. Many acting under privilege have access to far more data than they need to do their job. The vast majority of organisations admit this happens at least occasionally; for around 20% it is a regular practice.

Not surprisingly, the situation is worse where there has been no proactive attempt to limit the data that those acting under privilege have access to. However, even those that do take such measures admit that system administrators have access to more data than they need to do their jobs. This is not that surprising, as most tools that enable such controls are neither powerful enough nor sufficiently easy to use.

In one area, such controls are absolutely paramount. With the move to cloud computing and the shared IT infrastructure that this involves, cloud service providers must guarantee that their system administrators will be able to access only the systems they need to and not confidential customer data.

The full research behind this and a free copy of Quocirca’s report – 'Conquering the sys-admin challenge' – are available online.

 
