Friday, July 25, 2008

So ... Am I? Maybe I Am!

Now, a lot of people who work for small businesses called me an idiot for this.

And you know what? Maybe they are right :-)

When I was a sole sysadmin for a small ISP, I didn't share my passwords with management either. They never asked ... but that is not the point. I would not have passed "a bus test", which is "will a business still run if a sysadmin is hit by a bus" [or "goes rogue", by whatever definition of "rogue"].

Keeping all this in mind, will you accept it if your bank closes its doors until they can figure out what the password is on their database? Didn't think so ...

So, my point was that, in my opinion, it is an unacceptable risk for all but the smallest organizations to have one person who has the power to control access to critical systems AND to place no controls (neither monitoring, auditing nor preventive) on his activity.

AND that is why, back in my ISP days, one day a boss came to me with an old ragged notebook and said "write down the passwords here." I did. The notebook went back into his pocket (and then, presumably, into some more "secure storage," like the back of his closet at home or something :-))

Dr Anton Chuvakin