Trusting your administrators and outside consultants is a key part of the security process. But should you? I recently came across a story where an employee of a managed service provider (MSP) sold access to the client base. Years ago, a Microsoft security strategist, Steve Riley, asked attendees at the company’s security conference if they trusted their administrators. Astoundingly, most people in the room indicated that they did not trust their administrators.
As Riley stated at the time, “If we can’t trust the very people we hire to build and manage the mission-critical networks on which our business successes depend, we might as well unplug it all and revert to the days of stone knives and bearskins.”
Here are my suggestions for building trust in your internal and external admins.
1. Have an end-to-end process to manage and monitor
Trusting administrators will always carry risk, but having a process for interviewing, investigating, hiring, monitoring and terminating any employee or consultant who has the role of administrator will minimize that risk.