
Day 2 - Access

What does access really mean? How do you define "access"? What "access" do you need?

These are questions that I hear every day from folks looking to gain access to my SolarWinds servers. They know I have the information they need to do their job.  I do want to assist as much as possible, but I have to consider the possible ramifications of my actions. Below are a few things I contemplate before I give them access:

Authenticate

  • Who are they?
  • What is their job function?
  • Why do they need the access?
  • What happens if they do not receive the access they are requesting?
  • What is my mission within the company?

These are all questions I consider, but how do I authenticate them and their access to my system in ways I can track and monitor? I am not concerned about any malicious intent, but a fat finger here or there and I am getting calls late at night. My purpose here is to analyze the risk of granting the requested access to the individual's credentials.

Comprehensive

I need to be able to validate their request for access to my system through the levels of organizational structure and policy. Again, more questions? Yes.

  • Where are they located?
  • What information do they need from which set of devices?
  • What services shall I expect them to receive?
  • What services do they expect to receive?

Credentials

In my industry, it is all about the proper credentials to gain access. If you do not have the right levels of credentials, you are not getting access to anything, not even the workspace. Again, more questions.

  • Do you have an administrator-level account?
  • Which admin accounts do you have?
  • What do you currently have administrative access to?
  • I check which Active Directory groups their administrative account belongs to in order to validate their request.

Exercising

Although it may seem like I have run a marathon at this point with the amount of consideration I've given over access, I am only exercising the proper due diligence to conform to organizational policies and procedures. We grant the minimal level of access to prevent security breaches and perform oversight of activity to prevent loss and corruption. It also prevents those 2 a.m. phone calls.

Secure

  • How does anyone do their job?
  • How does work get done?
  • Sounds like you are the only one doing the job?
  • Hoarder?

Systems/Services

Well, I am happy to tell you that people get all the access they need to perform their functions very well. They even write back and ask to get more functionality out of SolarWinds, in which case I turn to you, fellow THWACKers, from time to time for assistance. Expanded participation from my users and engineers helps my team develop SolarWinds for them and their specific needs. We are able to provide expanded services, system health, and availability for the entire IT infrastructure. The ability to forecast and provide preventive maintenance to the systems allows the network engineers, system developers, and end-users worldwide to enjoy more uptime and less downtime.

53 Comments
Level 17

In 1992, a piece of gossip surfaced in InfoWorld magazine that the FoxPro database development team was prepared to have the word "Access" tattooed on their butt if the Microsoft database contender got more than 50 percent of the market share (read about it here).

Whether the rumor was true or not, hindsight tells us it would have been a bad bet to make. Fox Software was acquired by Microsoft in March of 1993. While the FoxPro product continued for several more years (transforming into Visual FoxPro along the way), buoyed by a vibrant, active, and vocal base of developers and users, Microsoft nevertheless announced EOL in March of 2007.

Access, on the other hand, continues to this day.

While we can debate the relative merits of Access against its competitors (because we're IT people and debating the relative merits of software is like an irresistible blood sport for us), that's not my point.

Access was (and, in some corners, still is) derided by IT pros because of the way it is used in the workplace. Users create their own little corners of data, disconnected from the larger picture. Unregulated (so the argument goes), a company's data becomes unmanageable. Because, as my co-Head Geek sqlrockstar says, a company's data is its most valuable asset, this is an untenable situation.

And yet.

And yet Access continues because it does exactly what its name evokes. It gives regular users - people who may not understand fourth normal form or have ever heard of Ted Codd - a means of gathering, viewing, and structuring their data. And as IT professionals we have to appreciate that this level of visibility and control is something that regular users rarely get, ESPECIALLY when it comes to data. Absent tools like Access, users are dependent upon warlock-like beings wielding inscrutable tools like "the oracle" and "sequel" and "psy-base", and they can only view their data through tightly controlled interfaces.

In such a world, the most sophisticated tool a user has to manipulate their data is the only tool that receives more derision in the eyes of IT pros than MS Access: the spreadsheet.

This emphasizes a point that IT Pros would do well to remember, always: Access (the capability, not the software) is powerful. The software tools that usually receive the most attention provide three things:

  • powerful capabilities
  • well-designed controls
  • flexible use cases

...in short, access. Unfettered, unapologetic access.

It's something to keep in mind as our thoughts turn toward the coming year. Of course security must always be top of mind. Of course we need to ensure that we adhere to standards. But within those structures, how can we provide our colleagues with the greatest access possible?

CourtesyIT, I find this to be very accurate. My challenge, however, isn't with SolarWinds access as much as SAP access company-wide. Access is audited frequently by our internal SAP support staff, then again by our VAR, and again by SAP itself, then it has to pass the corporate internal challenge audit. We often find users do have more access than they need and yet still somehow not enough access to perform at the highest efficiency. We are a small company, so there are many that wear many hats. This causes access issues for the auditors since they don't want certain people in, say, accounting opening a period, so it falls on IT to accomplish it. This also has its issues because by giving accounting (or an analyst) the access to open the periods, we can help make the company as a whole more efficient. However, now it slows us down, but the auditors are happy.

I believe access has to be different in smaller organizations to truly allow automation and efficiency. Otherwise you handcuff the organization and processes. Having been in large, medium and small companies from an IT support staff point of view, I can advocate for access to be evaluated properly by organizational need. However, I do not want to sacrifice security for efficiency, but find the right balance. Your blocks of questions are fantastic and I hope you don't mind me building a new checklist based on your model. It's very helpful, but doesn't quite fit us.

Level 14

You decide who has access to your life.  Allow the positive and reject the negative.

We're not worthy!  That was a GREAT definition and analysis of "Access!" 

I can't add a thing--you got it all in one shot.  Perfection.

Level 7

Cyber bullies can hide behind a mask of anonymity online, and do not need direct physical access to their victims to do unimaginable harm.

Level 7

A capacity, and taste, for reading gives access to whatever has already been discovered by others.

Level 9

Why is it so difficult for the poor to have access to good health and good education?

Level 11

Access is a big deal, it shows you where one belongs in a particular place; it is the evidence of belonging.

Level 12

I need access to all that requires my attention. How can I resolve an issue without permission to access those resources?

I can tell I have been around IT and its security for way too long because the first two words make me think of AAA! Authentication, Authorization, and Audit. The first word, identity, is used to authenticate you to a system, application, organization, or person. The second word, access, is what those entities authorize you to get at. If I identify you as an acquaintance, you are authorized to only the superficial aspects of who I am. If I see that you represent my known health care organization, I might grant you access to a limited set of more sensitive information even though you are a stranger.

If only our machines could use this level of identification to grant access to data with this kind of fidelity. Of course even some humans have flaws in the authentication systems such as prosopagnosia or Williams Syndrome which can cause incorrect access to personal information.

I think we cannot hope for a perfect form of identification that gets us the access we need from all our systems. Yet that doesn't mean we should just give up; we have to keep making improvements in our systems and applications if we are to continue to automate how humans interact with the world around us.


Level 14

Access is a critical part of maintaining a balance in life and in technology. Choosing wisely who has access is more art than science, but incredibly important in each area.

CourtesyIT well said and done!

MVP

Great post CourtesyIT!


I am similar to tomiannelli - my initial thought with access was AAA. As a consultant I have remote access to a number of companies and varying levels of access within the network once I'm in. Depending on the client network, you may also have to jump through a number of hoops to get to the system you need - I think my record is 5 nested sessions (Windows 7 VM because this client didn't support Windows 10 and needed an old version of Java (!!!), opening up a Citrix desktop, RDP to a jump host, RDP from that host to another jump host, and then I could access the SolarWinds web console - if I wanted the SolarWinds server itself, that was another RDP).

Level 12

As important as it is, access should only be given when the need arises.

Level 12

You can define Access in multiple ways:

Access the database

Access to one's life and well-being

Access to files and folders (data)

But the most important one is Access to your heart and loving you

Level 10

An excellent piece. As an ex-scientist* from a tightly-regulated background, I've seen a few places that I thought had better or poorer security - in terms of SOPs (operating procedures), which are designed to minimise the human error component of problems arising. As someone newly into corporate IT, I'm astounded that there's so little regulation and rhyme to some parts of the job. I'm also overjoyed, at times, because there's nothing quite like locking down all entropy to kill a person inside.

So, access and accessibility are for me a conundrum that while I see the need for limitation, I always want a little more access than I have.

Also, hoarder?

* I'll always be a scientist. New career goal: data scientist?

MVP

I'm a little slow.  Took me a bit to realize your titles spelled out Access.  Very good work.

I think the most important questions (arguably of course) that you listed are why do they need the access and what would happen if they don't have it. From an end user's perspective, they may need it because they feel it is necessary. But the question is, is it really necessary? Why do they need it today, but didn't need it yesterday?

Level 10

Most people love to be in charge, however in order to keep things secure, ACCESS should be on a need basis.

Level 10

Access can be denied, or access can be allowed. This doesn't just apply to buildings or systems. It also applies to people and who they allow in their lives.

Level 9

Access should be granted on an as-needed basis. AAA should be applied in the workplace and on home networks. I agree with kforr74 that access also applies to people in our personal lives, and once trust is broken, for me, access is denied.

MVP

Access is like admission. Just because you have access doesn't ensure that you will use or use properly the resources - it also doesn't mean that you will abuse or misuse the resources. We hear so much about access in the IT field - "Well I really need access to the XYZ share as I might need that information some day" "I need a code to the server room in case . . ." Are these valid requests? The standard IT answer is "it depends." So it is with all things. Does everyone in the country have access to any number of resources? Yes, can they afford it? Do they use it properly? Do they listen to the providers? Do they know about it? Do they want it?

Access means opportunity - it's not a guarantee of results.

Level 15

Holy smokes!!! I totally missed that one as well.

Also, came here to say this: I've had an untold number of discussions with clients over the years... "OK, but tell me why XX needs this access? They don't have it now, what part of their world is now bereft because of this 'lacking' item?"

And I get it, I really do. One of the hardest transitions for me back into a corporate culture was being surrounded again by "least-privileged access". As an engineer, it can be so frustrating to have to ask permission to do something that you see as a pillar of your job performance. Or, to have to store n+1 passwords (in a secure manner of course) just so you can have RDP access to your polling engines.

But, and I personally struggle to remind myself of this at times, consider what could happen if these precautions were skipped. I'd rather keep my tons-o-creds than end up providing a quote for my security team.

(I've not done this, but I remember SO MANY of these at a job I worked years ago with the federal government...)


Level 10

Today, it seems to be that you need to let everyone have access to your life. But why? Why can't we choose who we want to deal with? Meaningful interactions come from limited access, not from blindly letting everyone in the world reach you.

That's a great point.  All people want to be able to access you, WHENEVER they want, IF they want to at all.

Certainly advertisers & spammers want access to you.

Sometimes folks on social media want access to you--and you may wish to sever ties with them.  I've had acquaintances become upset when they discover they no longer have access to my FB "friendship", and don't seem to realize that when they behave inappropriately, it can show up on my FB wall, or in other places where people may judge me by my "friends".

Access becomes a two-way street:  What I want to access may not always be what I want others to access.  I always want to be able to access my e-mail, my cell phone number, my home phone number, my home address; I want very few advertisers / businesses to be able to access these things.

December 02 – Access


I’m surprised to find myself rejecting all these definitions in favor of “Having Permission”. This is because I’m a Network Guy, and I think in terms of a person or device “having access”, or having permission / rights / firewall rules allowing / appropriate routing / all-the-right-stuff to “have access” to a resource.

What’s your troubleshooting flow to diagnose cases where someone complains they don’t “have access” to a resource?  Is their issue:

Active Directory permission?

Firewall rules?

VPN policies?

Human Resources policies?

Layer 1-2-3 issues?

What’s the “best” way to quickly discover what’s preventing their Access? What SolarWinds tools let you answer these questions most quickly and efficiently?

Level 10

Access is one's ability to gain entry into a place. For some that place was Studio 54, where it was difficult to gain access. For others access is gaining entrance to a place that gives us an ability to do something, like gaining entrance to a group that allows me to change permissions in a virtual world.

Level 9

With great access comes great responsibility.

Level 21

Everybody wants access to everything, it's really tough when you are the one that has to tell them they can't have it.

Level 12

This is something we are having internal fights with in our IT department. The IT department grew out of the data processing department in the early '90s here and it started with just 3 people and 6 servers and no network. It has since grown to 20 people with more than 200 physical/virtual servers with a fully supported wired and wireless infrastructure.

Growing pains the entire way basically resulted in far too many people in the IT department basically to this day still having full admin rights to pretty much anything and everything. We are starting to look into how to rein it all in, as this has started to become a bigger and bigger red flag on our audits the last few years. We have 10 people whose normal (only) network account is domain admin level. This presents a potential access nightmare.

We have been lucky so far in that it has never been abused or taken advantage of, but it's really only a matter of time as a few of our IT people are nearing retirement age and the department is starting to go through some more transitions and changes.

Level 11


So many ways to prevent access but giving only the access someone needs can get very difficult.

Level 12

Do you allow access to your heart to those closest to you, or do you keep it heavily guarded?

I think this applies in another way. Always evaluate who you give access to your life, and remember it can change.

From a SolarWinds standpoint, the directlink account can have a lot of value in terms of providing people minimum levels of access, assuming it's equally understood. I'm also reminded of the little thing that nickzourdos and I selected to attach to our Thwackcamp badge that says "GIVE ME YOUR PASSWORD".

Level 11

Identity for IT wraps straight into today's topic. As hard as it can be to establish identity, once done we have to assign the proper accesses. This requires well-designed permission-assigning tools and not being lazy in using and maintaining them.

I once came in right after a network was designed and built. It used individual logins on each PC, with no fileserver or domain controller. Of course, I started configuring individual accounts for each person on their own machine, plus changing the administrator password to something that only I and one or two others would have. The response: put the same account name and password on all PCs so anyone can log in anywhere. Would I be able to install a domain controller and do this properly? No, that was not in the SOW for building out the network. Do you care about being able to track who is doing what, or actually assigning permissions?

Another one I've seen screwed up: credentials assigned via categories on a network -- similar to using AD groups to assign permissions in SolarWinds. We came to find that other(s) decided to use the same categories to assign permissions in other apps. Needless to say, we ran into people who needed category A for a permission in one app, but that same category did not allow them the needed permissions in a second app. Of course, none of the people with whom I worked at the time had been around to know the history, so we found this out the hard way. Had someone kept one network category to one permission, the problem could have been avoided.

Level 9

At my previous job access seemed to be a daily fight. I can't remember a single day where there wasn't a user testing to see if they could weasel their way into having access to something that they shouldn't have, and didn't need (they all thought they did). The biggest fight was always over WiFi access for personal devices. Our setup was simple: one SSID for company-owned devices that only two people knew the password to, and a second for guests/personal devices. Enough of the managers complained to the big boss over this that he came to me and told me to change the way we do things. Give all users the password. I argued with him over it and we came to an agreement that we would do an isolated test before allowing everyone access. I would broadcast a new SSID that was a clone of the existing one and only hand out the password to a small group. Not even a day had gone by before I started noticing strange activity and unknown devices connecting to this new SSID at all hours. And wouldn't you know it, a select few almost immediately gave the password to just about everyone they knew! I really enjoyed the "I told you so" after I showed the big boss.

<CHANTING!>  GRC! GRC! GRC!

This "Access" can serve as a template for so many different types of requests for access... technology, physical, logical, emotional, blah! blah!

Requests for access usually boil down to a few basic questions. And access itself is usually a result of some type of necessity. Keeping assets, information, people, $$$, safe requires certain types of controls and prevention. And in this age of DevOps and Agile these controls are being perceived as roadblocks to success. Pragmatists (and Security experts) must remain ever vigilant during these times. Security is Paramount!

All I see is blank nickzourdos

Looks good here, you must have a blocker or something?

Access in life is very similar to Access in the Technology world. In the remake of the Karate Kid, Jackie Chan teaches Jaden Smith Kung Fu through hanging up his jacket. He ends with "Kung Fu is in everything."

The concepts of Access are in everything as well.

I validate those who want access to my children, for example. If my children are invited to a sleepover, I validate that I like the kid, that I trust the parents, and that it is a safe environment.

I control my wallet (front pocket).

I lock my door.

I build a moat and drawbridge (DMZ) around my house.

Okay, I do not have a moat and drawbridge.

Level 16

I'm fortunate since I work in an environment that provides a SAML service that allows me to authenticate users; I can even request that they present two-factor authentication (so we did not need to build that individually into our applications).

It bothers me when applications build their own authentication mechanism rather than offering a pluggable component that can be easily replaced: as an application administrator I hate having to spend time auditing application-managed accounts rather than relying on a properly managed central source of authentication.

Sure, if somewhere doesn't have their own SAML provider, offer something that gets them started, but I'm going to note that large organizations have almost always got this figured out (because of the whole audit issue), and smaller organizations could leverage any of Google, AWS, or Azure to provide the same service for their users.

Level 10

Calvin:  I like to verb words.  Hobbes:  What?  Calvin:  I take nouns and adjectives and use them as verbs.  Remember when "access" was a thing?  Now it's something you do.  It got verbed.  Verbing weirds language.  Hobbes:  Maybe we can eventually make language a complete impediment to understanding.

Level 11

I took over a fob system where 400 volunteers pretty much had an all access pass to every door. That was fun sorting that out! I found it was good to start very small with access - giving them the minimum level access required to perform their role - and increase as it was truly needed.

Level 14

Access is yet another bad bit of software from Microsoft.

Level 9


Level 14


Level 9

yes? no?

That's what I think of when I hear Access. 😄

Level 9

In Conditional Access, users are given just the adequate amount of rights needed to access resources.

Level 8

Access is an opportunity, but it might not give you full rights to what you require/need. In life and in IT, you can get "access denied".