Tuesday, July 28, 2009

Account Sharing - What's the Real Purpose?

IMHO, items listed in an IT security, data security or IT acceptable use policy must be enforceable. The "stick" might be another organizational policy or local, state, or federal law. If a policy item isn't enforceable, then the policy is worthless.

This brings my discussion to a common policy item: account/credential sharing. Just about every acceptable use policy or standard has a line item that says something like "user accounts must not be shared". The reason for this is primarily to ensure accountability. We want to know WHO was using the account or credential. This makes perfect sense from just about any standpoint.

The first problem is that given most of the technologies that we have in place, we can't really enforce this. Suppose you come to me and say "we want to sanction this person for sharing their account". What evidence can we collect to support the allegation?
  1. Account login logs - these tell us which account was used, when, and the IP address of the connecting machine.
  2. Video logs, room access logs, etc. - these tell us whether the person was physically present at the machine.
  3. Personal testimony - statements made by eyewitnesses, the accused individual or other individuals related to the case.
The problem with item #1 is that it only tells us what account was used, not who used it. The problem with item #2 is that it can only identify who had physical access, not who had remote access to the target machine. Item #3 depends on someone actually observing the login by another person. Even two-factor authentication methods can't give us the "who" part of the puzzle. If I lent you my ATM card (this is a theoretical discussion :-)) and gave you my PIN, the bank just knows that the account was accessed. Their only control for gaining additional info on the "who" is the video camera at the ATM.
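To make the limit of item #1 concrete, here is an added example (not from the original post) that parses a small constructed login log and flags accounts with overlapping sessions from two different source IPs, a common indicator of a shared credential. The log format and the sample records are assumptions for the example; note that the detection can only ever name the account, never the person behind it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample login records (not real logs). The line format is an
# assumption for this example: "<ISO time> <account> <source IP> <login|logout>".
SAMPLE_LOG = """\
2009-07-28T08:02:11 jsmith 10.1.4.20 login
2009-07-28T08:15:40 jsmith 192.168.7.9 login
2009-07-28T09:30:05 jsmith 10.1.4.20 logout
2009-07-28T09:45:00 jsmith 192.168.7.9 logout
2009-07-28T10:00:00 agray 10.1.4.31 login
2009-07-28T10:20:00 agray 10.1.4.31 logout
2009-07-28T10:25:00 agray 10.1.4.77 login
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (login|logout)$")

def parse_sessions(text):
    """Return {account: [(start, end_or_None, ip), ...]} from the log text."""
    open_sessions = {}            # (account, ip) -> login time
    sessions = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue              # skip malformed lines instead of crashing
        when, account, ip, event = m.groups()
        ts = datetime.fromisoformat(when)
        if event == "login":
            open_sessions[(account, ip)] = ts
        else:
            start = open_sessions.pop((account, ip), None)
            if start is not None:
                sessions[account].append((start, ts, ip))
    # Sessions still open at the end of the log have no end time yet.
    for (account, ip), start in open_sessions.items():
        sessions[account].append((start, None, ip))
    return sessions

def concurrent_sources(sessions):
    """Accounts whose sessions from two different IPs overlap in time; the result names the account, not the person."""
    flagged = {}
    for account, sess in sessions.items():
        for i, (s1, e1, ip1) in enumerate(sess):
            for s2, e2, ip2 in sess[i + 1:]:
                if ip1 == ip2:
                    continue      # same machine, not a sharing indicator
                end1, end2 = e1 or datetime.max, e2 or datetime.max
                if s1 < end2 and s2 < end1:   # the two intervals overlap
                    flagged.setdefault(account, set()).update({ip1, ip2})
    return flagged
```

In the sample, jsmith is flagged because two machines were logged in at once, while agray's sessions are sequential and pass.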

The second problem is that most IT sysadmin staffs violate this policy when it comes to Administrator or root access. Most IT shops have primary and backup sysadmins, and both know the Administrator or root passwords. Best practice dictates that you don't log in directly as "root"; rather, you log in under your own userid and then "su" to root. This provides an extra layer of accountability. Remote "root" access is strongly discouraged because we can't tell whether the primary or the backup admin logged in as "root". We would expect to see a similar strategy employed in the Windows world, although I suspect it isn't.

So, as I've mentioned in previous posts, let's try to figure out exactly why someone would share their account. Some possible reasons include:
  1. The IT environment doesn't provide a mechanism for a particular business process (see an earlier blog entry). For example, an email system may not have the ability to share an email folder between a dept head and their assistants. The dept head is out of the office and gives the assistants the email password so they can read any important email that arrives. Another example might be a network that has no mechanism for guest access. A visitor needs access to the net, and an employee logs the visitor in under the employee's own userid.
  2. The person just wants to let a buddy or family member get online.
Reason #2 is the easiest to treat as a clear violation. Reason #1 is a little harder to quantify. I've said before that the business process trumps security. Failure to support a business process will cause people to bypass a control in order to get the job done.

Yes, there are sectors (military, defense contractor, sensitive business, financial) where you can simply terminate an employee for account sharing, but care needs to be taken to ensure a "wrongful termination" suit can't be filed against you. Military and defense contractors have the easier time with this issue.

What's an enforceable item that will be effective and hopefully accomplish the original goal? A policy/standard statement that says "you are responsible for whatever originates from your account or system" is enforceable. In my previous ATM example, I'm responsible for the disposition of my ATM account.

Policy wonks want to have that "no account sharing" clause in a standard. You should have one to emphasize the spirit of proper account usage. You also need to include an enforceable item in your policy that will be the "stick" used in a disciplinary hearing. User responsibility for their account usage is the way to enforce the "principle" of not sharing accounts.

If our IT procedures can't support a business process, then we may create a situation where users have to share accounts in order to get their job done. Ultimately, this makes us more vulnerable.
