So who has access to your e-mail?

20.10.2006
At a time when external hacks are grabbing headlines, frequently unreported internal security breaches involving low-level administrators accessing high-level executive e-mail and other systems are driving efforts to limit access to only the most highly trusted personnel.

Although the internal access problem is well known, strategies for resolving it are being formulated by a surprisingly small number of companies, which are largely seeking out encryption technology from a handful of IT vendors. And while those products are helpful, they do not reveal how many systems administrators, database administrators, storage administrators and upper-echelon "super users" are accessing sensitive executive information.

Asked how many employees typically have access to sensitive data, such as executive e-mail or personal customer information, veteran data storage professional Warren Avery facetiously replies, "How many system administrators do you have in the company?

"I'm a firm believer that all these companies are spending their money to keep the foxes out of the henhouse, but a lot of times, the foxes are already there," says Avery, president of Promethean Data Solutions Inc., a Phoenix-based firm that compiles articles for its IT Weekly Newsletter.

Despite the insider security threat, Jon Oltsik, an analyst at Enterprise Strategy Group Inc. in Milford, Mass., says only "a very small percentage" of companies rely on anything in addition to internal access control lists when it comes to limiting entry not only to high-level e-mail but also to network-attached storage (NAS) and Fibre Channel networks. He further maintains that in a company of 1,500 employees, there might typically be five to 10 administrators with executive-level access to information.

Passing on encryption