What does access really mean? How do you define "access"? What "access" do you need?
These are questions that I hear every day from folks looking to gain access to my SolarWinds servers. They know I have the information they need to do their job. I do want to assist as much as possible, but I have to consider the possible ramifications of my actions. Below are a few things I contemplate before I give them access:
- Who are they?
- What is their job function?
- Why do they need the access?
- What happens if they do not receive the access they are requesting?
- What is my mission within the company?
These are all questions I consider, but how do I authenticate them and their access to my system in ways I can track and monitor? I am not concerned about any malicious intent, but a fat finger here or there and I am getting calls late at night. My purpose here is to analyze the risk of providing the access to the individuals' credentials.
- I need to be able the validate their request for access to my system through levels of organizational structure and policy. Again, more questions? Yes.
- Where are they located?
- What information do they need from which set of devices?
- What services shall I expect them to receive?
- What services do they expect to receive?
In my industry, it is all about the proper credentials to gain access. If you do not have the right levels of credentials, you are not getting access to anything, not even the workspace. Again more questions.
- Do you have an administrator-level account?
- Which admin accounts do you have?
- What do you currently have administrative access to?
- I will look to see which Active Directory Groups their administrative account has access to validate their request.
Although it may seem like I have run a marathon at this point with the amount of consideration I've given over access, I am only exercising the proper due diligence to conform to organizational policies and procedures. We grant the minimal level of access to prevent security breaches and perform oversight of activity to prevent loss and corruption. Also, preventing those 2 a.m. phone calls.
- How does anyone do their job?
- How does work get done?
- Sounds like you are the only one doing the job?
Well, I am happy to tell you that people get all the access they need to perform their functions very well. They even write back and ask to get more functionality out of SolarWinds, in which case I turn to you fellow THWACKers from time to time for assistance. Expanded participation from my users and engineers helps my team to develop SolarWinds for them and their specific needs. We are able to provide expanded services, system health, and availability for the entire IT infrastructure. The ability to forecast and provide preventive maintenance to the systems allows for the network engineers, system developers, and end-users worldwide to enjoy more uptime and less downtime.