Keeping Tabs on IT Staff
A DISGRUNTLED former San Francisco IT administrator sat in jail earlier this year for refusing to provide police with the administrative password to a new multimillion-dollar city computer system—which contained inmate booking files, law enforcement e-mails, and payroll information. He was effectively holding the system hostage.
When it comes to an organization’s network and data, IT administrators hold absolute control over access—they can do anything to the data, while they can hinder or grant access by others. In a time when auditors are requiring detailed reports of who accesses data, how can organizations monitor such executives?
One company, Xceedium, believes it has an answer. Its GateKeeper entitlement management product, released earlier this year, provides exceptionally granular access control, whether from within an organization or remotely. Access to a firm’s systems is restricted to a single, tightly monitored Web-based portal.
The system also logs every move that each IT staff person makes on the system, and it can generate detailed reports to comply with a range of regulations. “You can really create a whole ‘day in the life,’” says Cheryl Traverse, CEO of the Jersey City, New Jersey-based company.
Xceedium’s session recording technology can reproduce exactly how the screen looked when access was denied, as I saw firsthand in a demonstration.
Unlike most other access management programs, GateKeeper uses patented technology, called Leapfrog, to monitor system activity at the socket, or port layer. Frequently, when IT staff try to dodge protocols, they use unusual ports, explains Traverse.
The product grants access via a directory, which lists the specific commands employees can execute. It can be configured by Xceedium or the company using the service, and it is compatible with common organizational access systems, such as Active Directory.
Gatekeeper lets companies create a hierarchical control structure in the data center, says Traverse. Ultimately, at least one high-level IT executive needs to be in charge of its configuration, but this person’s activities are also monitored and auditable, as the product logs any configuration changes he or she makes.
The company has approximately 60 customers to date. Those businesses use the product mainly to monitor outside vendors and outsourced IT staff who need remote access to a company’s servers, says Traverse.
The product has proven especially valuable when used for remote access, says Andi Mann, research director at the Boulder, Colorado-based consulting firm Enterprise Management Associates. Many virtual private networks (VPNs) grant employees access to applications such as email and Microsoft Office, he says, with some variability based on employee seniority. And when VPNs grant administrative access, it is almost always to the entire operating system.
“You can go anywhere you want,” says Mann. But GateKeeper offers detailed access control to an organization’s servers and databases.
In the case of one major brokerage firm, outsourced staff would sometimes access company systems with their own VPNs. On other occasions, such staff would need to be physically present at the firm’s data center. Sometimes members of the brokerage’s IT staff would use their own access rights to let a temporary worker into the system. This was time-consuming for internal staff, the manager says. Since installing Xceedium about a year ago, he says he’s far more confident in his firm’s security and compliance.
He says GateKeeper was simple to install and configure. Installation involves downloading GateKeeper to a firm’s primary data center. Listing the commands each employee could execute took just “a few keystrokes,” the manager says.
Configuring a command list for a midsized firm typically takes about an hour, says Traverse.
GateKeeper’s installation cost varies based on a data center’s size, but typically is about $5,000. Annual servicing fees are about 18 percent of installation cost.