What does access really mean? How do you define "access"? What "access" do you need?

These are questions that I hear every day from folks looking to gain access to my SolarWinds servers. They know I have the information they need to do their job. I do want to assist as much as possible, but I have to consider the possible ramifications of my actions. Below are a few things I contemplate before I give them access:

Authenticate

  • Who are they?
  • What is their job function?
  • Why do they need the access?
  • What happens if they do not receive the access they are requesting?
  • What is my mission within the company?

These are all questions I consider, but how do I authenticate them and their access to my system in ways I can track and monitor? I am not concerned about any malicious intent, but a fat finger here or there and I am getting calls late at night. My purpose here is to analyze the risk of granting the access to the individual's credentials.

Comprehensive

  • I need to be able to validate their request for access to my system through the levels of organizational structure and policy. Again, more questions? Yes.
  • Where are they located?
  • What information do they need from which set of devices?
  • What services shall I expect them to receive?
  • What services do they expect to receive?

Credentials

In my industry, it is all about having the proper credentials to gain access. If you do not have the right level of credentials, you are not getting access to anything, not even the workspace. Again, more questions.

  • Do you have an administrator-level account?
  • Which admin accounts do you have?
  • What do you currently have administrative access to?
  • I check which Active Directory groups their administrative account belongs to in order to validate their request.

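The Active Directory group check above, as an added example that is not part of the original post: the script looks up the requester's administrative account, lists the AD groups it is a member of, compares them against an allow-list of groups that justify a given level of SolarWinds access, and writes the decision to a log so the grant can be tracked later. The group names, the role names, the account name and the log path are all hypothetical placeholders; the only real dependencies are the `Get-ADUser` and `Get-ADPrincipalGroupMembership` cmdlets from the ActiveDirectory (RSAT) module.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# (RSAT) is installed. Group names, role names, account names and the log path
# below are hypothetical placeholders.
Import-Module ActiveDirectory

# Hypothetical mapping: AD group -> the SolarWinds access it justifies.
$ApprovedGroups = @{
    'SW-Orion-ReadOnly' = 'Read-only Orion web console'
    'SW-Orion-NodeMgmt' = 'Manage nodes for own site only'
    'SW-Orion-Admins'   = 'Full Orion administration'
}

function Test-AccessRequest {
    param(
        [Parameter(Mandatory)] [string] $AdminAccount,   # e.g. 'jdoe-adm' (placeholder)
        [Parameter(Mandatory)] [string] $RequestedRole,  # one of the values in $ApprovedGroups
        [string] $LogPath = 'C:\AccessReviews\requests.log'  # placeholder path
    )

    if (-not ($ApprovedGroups.Values -contains $RequestedRole)) {
        throw "Unknown role '$RequestedRole'; request must name a defined access level."
    }

    # Fail closed: a disabled or missing account cannot be validated at all.
    $user = Get-ADUser -Identity $AdminAccount -Properties Enabled, Department -ErrorAction Stop
    if (-not $user.Enabled) {
        throw "Account '$AdminAccount' is disabled; request cannot be validated."
    }

    # Direct group memberships of the administrative account.
    $memberOf = Get-ADPrincipalGroupMembership -Identity $AdminAccount |
                Select-Object -ExpandProperty Name

    # Approved groups the requester already holds, and what each one justifies.
    $held      = @($ApprovedGroups.Keys | Where-Object { $memberOf -contains $_ })
    $justifies = @($held | ForEach-Object { $ApprovedGroups[$_] })

    # Approve only when an existing group already justifies the requested level;
    # anything else goes back through the organizational approval chain.
    $decision = if ($justifies -contains $RequestedRole) { 'APPROVE' } else { 'ESCALATE' }

    # Record the decision so the grant can be tracked and audited later.
    $entry = [pscustomobject]@{
        Timestamp     = (Get-Date).ToString('o')
        Account       = $AdminAccount
        Department    = $user.Department
        RequestedRole = $RequestedRole
        HeldGroups    = ($held -join ';')
        Decision      = $decision
    }
    $entry | ConvertTo-Json -Compress | Add-Content -Path $LogPath
    return $entry
}

# Usage (placeholder account name):
# Test-AccessRequest -AdminAccount 'jdoe-adm' -RequestedRole 'Manage nodes for own site only'
```

The script deliberately returns ESCALATE rather than denying outright when no held group matches, because in the author's process the answer to an unjustified request is more questions up the organizational chain, not a silent refusal; the JSON log line is the "track and monitor" record mentioned earlier.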
Exercising

Although it may seem like I have run a marathon at this point with the amount of consideration I've given to access, I am only exercising the proper due diligence to conform to organizational policies and procedures. We grant the minimal level of access to prevent security breaches and perform oversight of activity to prevent loss and corruption. It also prevents those 2 a.m. phone calls.

Secure

  • How does anyone do their job?
  • How does work get done?
  • Sounds like you are the only one doing the job?
  • Hoarder?

Systems/Services

Well, I am happy to tell you that people get all the access they need to perform their functions very well. They even write back and ask to get more functionality out of SolarWinds, in which case I turn to you fellow THWACKers from time to time for assistance. Expanded participation from my users and engineers helps my team develop SolarWinds for them and their specific needs. We are able to provide expanded services, system health, and availability for the entire IT infrastructure. The ability to forecast and provide preventive maintenance to the systems allows the network engineers, system developers, and end users worldwide to enjoy more uptime and less downtime.

Comment
  • CourtesyIT, I find this to be very accurate. My challenge, however, isn't with SolarWinds access as much as SAP access company-wide. Access is audited frequently by our internal SAP support staff, then again by our VAR, and again by SAP itself, then it has to pass the corporate internal challenge audit. We often find users do have more access than they need and yet still somehow not enough access to perform at the highest efficiency. We are a small company, so there are many that wear many hats. This causes access issues for the auditors since they don't want certain people in, say, accounting opening a period, so it falls on IT to accomplish it. This also has its issues, because by giving an analyst in accounting the access to open the periods, we can help make the company as a whole more efficient. However, now it slows us down, but the auditors are happy.

    I believe access has to be different in smaller organizations to truly allow automation and efficiency. Otherwise you handcuff the organization and processes. Having been in large, medium and small companies from an IT support staff point of view, I can advocate for access to be evaluated properly by organizational need. However, I do not want to sacrifice security for efficiency, but find the right balance. Your blocks of questions are fantastic and I hope you don't mind me building a new checklist based on your model. It's very helpful, but doesn't quite fit us.
