This brings my discussion to a common policy item: account/credential sharing. Just about every acceptable use policy or standard has a line item that says something like "user accounts must not be shared". The reason for this is primarily to ensure accountability. We want to know WHO was using the account or credential. This makes perfect sense from just about any standpoint.
The first problem is that given most of the technologies that we have in place, we can't really enforce this. Suppose you come to me and say "we want to sanction this person for sharing their account". What evidence can we collect to support the allegation?
- account login logs - this item tells us which account was used, when and IP address of the connecting machine.
- video logs, room access logs, etc. - these items tell us if the person was physically present at the machine.
- personal testimony - These are statements made by eyewitnesses, the accused individual or other individuals related to the case.
The second problem is that most IT sysadmin staffs violate this policy when it comes to Administrator or root access. Most IT shops have primary and backup sysadmins. They both know the Administrator or root passwords. Best practice dictates that you don't log into directly as "root", rather, you log in under your own userid and then "su" to root. This provides an extra layer of accountability. Remote "root" access is strongly discouraged because we don't know if the primary or secondary admin logged in as "root". We would expect to see a similar strategy employed in the Windows world although I suspect not.
So, as I've mentioned in previous posts, let's try and figure exactly why someone would share their account. Some possible reasons include:
- The IT environment doesn't provide a mechanism for a particular business process (see an earlier blog entry). For example, an email system may not have the ability to share an email folder between a dept head and their assistants. The dept head is out of the office and gives the assistants the email password so they can read any important email sent. Another example might be the network doesn't have a mechanism to provide guest access to the net. A visitor needs access to the net and the person logs in under their userid.
- The person just wants to let a buddy or family member get online.
Yes, there are sectors (military, defense contractor, sensitive business, financial) where you can just terminate an employee for account sharing but care needs to be taken to ensure a "wrongful termination" suit can't be filed against you. Military and defense contractors have the easier time with this issue.
What's an enforceable item that will be effective and hopefully accomplish the original goal? A policy/standard statement that says "you are responsible for whatever originates from your account, system." is enforceable. In my previous ATM example, I'm responsible for the disposition of my ATM account.
Policy wonks want to have that "no account sharing" clause in a standard. You should have one to emphasize the spirit of proper account usage. You need to include an enforceable item in your policy that will be the "stick" used in a disciplinary hearing. User reponsibility for their account usage is the way to enforce the "principle" of not sharing accounts.
If our IT procedures can't support a business process, then we may create a situation where users have to share accounts in order to get their job done. Ultimately, this makes us more vulnerable.