The ethics and morals of operations – how much access is *too* much?

A discussion in 2016 on Twitter & in /r/sysadmin made me pose this question: “How much access do you consider is too much? Is there such a thing as too much access? How much access is actually needed to do our jobs?” Not only that, but a few situations recently have given rise to the fact that a number of admins think that just because they have the ability to do something, it means they can.

This is totally not the case.

I was (for a fair while there!) on the board of SAGE-AU, which has now formed into ITPA. The same Code of Ethics applies to this new organisation and while I’m not currently a member, I still try and uphold these ethics because of the level of access, power and responsibility I (as a system administrator) hold over systems that are so crucial to my organisation.

I’m very much of the opinion that you access only what you need to access to do your job. No more. This should be pretty straight-forward, but apparently it’s not. It comes down to professionalism. You have special access rights to be able to do your job – not to satisfy your curiosity. If a user requests you to do something on their computer, access their computer. If they are having issues with some files, access the files (provided they’ve said you can). Don’t look at things you’re not supposed, don’t go prying into things that you have no work-related reasons to be looking into.

There’s also the implied responsibility that while you may have access to do things you’re not supposed to, you don’t do it. This includes giving yourself more access than you should (such as unfiltered internet access), modifying things you shouldn’t (such as log files to hide when you’ve done something you weren’t supposed to) or accessing files simply because you can (such as copying video files or images from users directories). The examples I’ve given above – I’ve seen in action in other admins. What makes it worse, these were senior admins who should know better. As a younger admin, seeing this behaviour, it was almost condoned. Seen as normal. I now know that this behaviour isn’t. It’s not something we, as system administrator (or any IT professional with high levels of access) should be doing. Ever.

When admins abuse their power this way, they’re not only jumping over the line of acceptable behaviour, but they’re showing to younger admins who may be looking up to them for professional guidance that this is acceptable. There’s also the issue that abuses like this can be audited – if you have any type of security logging in place, it’s simple for someone else to see what’s been done. But is anyone actually paying attention? It’s a “Quis custodiet ipsos custodes?” moment – Who guards the guards?

There are definitely methods out there to limit this kind of access. There’s a reason that least privilege is what’s pushed hard for these days – you only have access to what you absolutely need access to, in order to your job. However that gets murky when you have a sysadmin who has access to absolutely *everything*.

The other side of this is what happens when people get caught doing this. In some cases, it’s a sackable offence. For others, it can even be criminal – but that comes down to what’s been done, who’s done it and (most importantly) why.

So, a few questions to pose that I would like as many people as possible to answer – feel free to reply in comments, hit me up on Twitter, flick me an email, anything. Just be aware that any answers you send through may be collated into a “This is what sysadmins think” post (but with your responses given full attribution to you unless you request to be anonymous):

  • Where do you, personally as a sysadmin, draw the line?
  • Who guards the guards where you are? Is there anything in place?
  • What methods do you use, or know of, to limit unauthorised access from admins?
  • What happens when admins abuse their power? Do you have any horror stories you can share?

It makes for an interesting discussion, especially between SMB/one-man-band admins and large organisation admins. I’m really interested to see the outcome and will hopefully get some good information to either expand this post or make a new one!

Leave a Reply