
In order to protect systems from insider attacks, companies can apply policies restricting their access. In the case of an employee's termination, the IT department can disable their account before they receive the news to prevent potential damage by a disgruntled employee. In a large organisation, how should essential services be safeguarded against their administrators? Granted, hopefully someone in such a position would be responsible enough not to abuse it - but I'd think the system should be designed with protections in case.

In essence: if the IT department can control the access of regular employees, who controls the access of the IT department? And what damage mitigation methods are there if someone at the highest levels of privilege decides to cause havoc?

VortixDev
    The phrase "Quis custodiet ipsos custodes?" or "Who will guard the guards themselves?" seems to apply here: https://en.wikipedia.org/wiki/Quis_custodiet_ipsos_custodes%3F – Matthew May 31 '18 at 08:51
  • Segregation of duties with an independent party reviewing non-repudiable logs helps a lot. – niilzon May 31 '18 at 10:29

1 Answer


This comes back to "separation of duties" and "least privilege". In an ideal situation, admins in the IT department would not have access all across the board. One admin might have complete access to one system and another admin would have access to another system. This attempts to limit the exposure if someone in the IT department did try to do something malicious.

In reality, this is easy to put in policy but very hard to enforce and regulate. At some point, you have to trust someone to perform the most important tasks on a system, server, etc. The idea is to make it difficult for a single individual to wipe out a critical system.

There are also many controls one can implement. One of the most important controls would be auditing. Making it known that any action taken on a system is being recorded and tracked back to a specific individual might turn away an internal attacker. At the end of the day, you have to trust someone, and in my personal experience, admins are aware of more weak points than less privileged users.

pm1391
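As an added illustration of the controls this answer and the comments describe (example code, not from the poster or any product): each admin is scoped to one system (least privilege), a destructive action on a critical system needs approval from a different scoped admin (separation of duties), and every decision is appended to a hash-chained log that an independent reviewer can verify. The admin names, systems and action names are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed scope table: which admins may touch which systems (hypothetical names).
ADMIN_SCOPE = {"alice": {"mail"}, "bob": {"erp"}, "carol": {"erp"}}
CRITICAL_SYSTEMS = {"erp"}                      # systems that need dual control
DESTRUCTIVE = {"wipe", "delete_backups"}        # actions that can "wipe out" a system


class AuditLog:
    """Append-only log; each entry commits to the previous entry's hash, so an
    admin who later edits or drops an entry breaks the chain for the reviewer."""

    def __init__(self):
        self.entries = []
        self.prev_hash = "0" * 64

    def append(self, actor, action, system, decision, approver=None):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                 "action": action, "system": system, "decision": decision,
                 "approver": approver, "prev": self.prev_hash}
        digest = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        entry["hash"] = digest
        self.entries.append(entry)
        self.prev_hash = digest

    def verify(self):
        """Recompute the chain from the genesis value; False on any tampering."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev"] != prev or e["hash"] != expected:
                return False
            prev = e["hash"]
        return True


def authorize(log, actor, action, system, approver=None):
    """Allow only in-scope actions; destructive actions on critical systems
    additionally require a second, different admin who is also in scope."""
    if system not in ADMIN_SCOPE.get(actor, set()):
        log.append(actor, action, system, "denied: out of scope")
        return False
    if action in DESTRUCTIVE and system in CRITICAL_SYSTEMS:
        if approver is None or approver == actor or system not in ADMIN_SCOPE.get(approver, set()):
            log.append(actor, action, system, "denied: needs second approver", approver)
            return False
    log.append(actor, action, system, "allowed", approver)
    return True
```

The log should be shipped to a store the admins cannot write to, so that the reviewer named in the comments, not the admin, holds the verification copy.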