Tommie W. Singleton, Ph.D., CISA, CGEIT, CITP, CPA
Regular or normal access is defined in my recent Journal article
as application and network access for logins and individual functionalities. How does one normally gain access to such data? There is a fair amount of focus on controls for these types of access. But, it is easy for managers and IT auditors to focus on access controls from the perspective of normal access points, and ignore other access risks.
Another risky point of access is what techies refer to as the back door. The back door would include any access from an administrative function or raw data approach.
For example, database administrators (DBAs) know enough about databases to cause havoc in them. That person also knows how to gain access to the databases. Thus, some control over DBAs and databases is an absolute must in the overall plan to secure and protect data. There have been some advances in software solutions to mitigate what DBAs can do. For instance, DBA security software is normally able to limit the DBA to access only those databases for which he/she is responsible and prevent access to other databases (if the organization is large enough to need more than one DBA).
The same is true for admin rights given to operating systems and networks. These people can access the data files and, therefore, also represent some significant risk to data security. Often the risk occurs by happenstance as IT management creates access rights for multiple IT personnel in order for them to perform certain duties. But, in allowing all IT personnel to have admin rights to the operating system or network, there is an inadvertent increase in the risk of data security, as any one of those employees has enough access to adversely affect the underlying data files.
Root kits are a tool that hackers/crackers use to gain backdoor access to data and then they carry out malicious activities as a result of that access. This type of backdoor access also needs to be considered and addressed.
The truth is, there are a number of potential backdoor access points that need to be assessed and controlled. The nature and number will vary from one organization to another, but the point is to carry out the necessary due diligence and comprehensive approach to assess and address the risks of backdoor access.
There is also the aspect of “keys to the kingdom.” This situation exists when a person has admin rights over a widespread number of servers, folders or data files as well as aspects of access controls (e.g., is also the person who assigns access control, or is able to read the access control table). Careful attention should be given to ensure proper identification of any person who has this level of access, and then, the risk associated with it should be properly mitigated.
The bottom line is that sound access control must include all major points of access risk and that appropriate controls to mitigate that risk must be implemented.