In his keynote speech at the RSA conference, Scott Charney, Corporate Vice President for Microsoft’s Trustworthy Computing Group, spoke about the need not to give system administrators too much power. He suggested the solution was to implement JitJea: Just In Time, Just Enough Administration. That means giving your sysadmins just the access they need to do their job and no more; when they do require extraordinary access, granting it only for the period required to do the task in question; and having an audit trail in place for what was done with it.
Though the acronym is new, the ideas aren’t. I learned them in the early 1980s from a brilliant guy I’ll call Steve.
Back then I was a very junior systems programmer working for a bank in Chicago. The bank’s systems ran on IBM mainframes, and once you were logged into the computer there was not much internal security. Steve had improved the security a little, replacing the default reversible encryption of passwords with a one-way encryption algorithm. I was assigned to go a step further and assist Steve in installing a third party data security package called ACF2.
In those days bank checks that you wrote were physically processed through check sorting machines, and eventually returned with your bank statement. Every evening secure vans would sweep through downstate Illinois collecting checks from thousands of local banks, and bring them to Chicago for processing. Overnight they were sorted through massive check sorting machines (also made by IBM), the transactions posted to accounts, and then passed on through the clearing system to collect the funds. There was a lot of batch processing running overnight to post and report on those transactions, and sometimes one of the programs would crash.
At that point operations would call the duty programmer, who would call a taxi and hurry downtown to fix the problem. For that you might need a high level of access. I remember one night when a corrupt byte on a magnetic tape meant I had to use a text editor to edit an account number in the wire transfer file – that’s the twenty or so transactions a day that were responsible for most of the money moved by the bank. ACF2 meant that the duty programmer would no longer have the access to do that. Steve had to come up with a solution.
The solution he came up with was a highly powerful and highly monitored set of user credentials that operations could issue to the duty programmer in the event of an emergency. These were kept in a sealed envelope. The account had unlimited access, to fix any problem, but the following morning the information security officer (we had just appointed our first one) would cancel the account and review the audit trail of every file it had accessed.
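The sealed-envelope procedure above, reduced to its control logic, as an added example (not code from the page, the bank, ACF2 or any Microsoft product): a broker that issues a time-boxed emergency grant to a named holder on a two-person basis, refuses use after a hard expiry or an explicit revocation, records every action against the grant, and performs the next-morning review by listing accesses that fall outside the incident's declared scope. The user names, dataset names and the FakeClock are constructed for the demonstration; the clock is injected so the expiry path can be exercised offline.

```python
"""Break-glass (just-in-time) elevation broker: time-boxed emergency grants,
hard expiry, explicit revocation, and an audit trail reviewed against the
declared scope of the incident. Added example; not the bank's actual setup."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when a grant is unknown, revoked, or past its deadline."""


@dataclass
class Grant:
    grant_id: str
    holder: str          # duty programmer who received the envelope
    issuer: str          # operations staff who opened it
    reason: str          # the incident being fixed
    expires_at: float    # hard deadline, seconds since epoch
    revoked: bool = False
    # audit trail of (timestamp, action, target); append-only, never pruned
    audit: list[tuple[float, str, str]] = field(default_factory=list)


class BreakGlassBroker:
    def __init__(self, clock, max_ttl: float = 8 * 3600):
        self._clock = clock        # callable returning "now"; injected for testing
        self._max_ttl = max_ttl    # cap on how long any grant may live
        self._grants: dict[str, Grant] = {}

    def issue(self, holder: str, issuer: str, reason: str, ttl: float) -> str:
        if not reason.strip():
            raise ValueError("an emergency grant needs a stated reason")
        if issuer == holder:
            raise ValueError("the holder cannot open their own envelope")  # two-person rule
        ttl = min(ttl, self._max_ttl)                  # requested TTL never exceeds the cap
        grant_id = secrets.token_urlsafe(16)           # unguessable handle for the grant
        grant = Grant(grant_id, holder, issuer, reason, self._clock() + ttl)
        grant.audit.append((self._clock(), "ISSUE", f"issuer={issuer} ttl={ttl:g}s reason={reason}"))
        self._grants[grant_id] = grant
        return grant_id

    def use(self, grant_id: str, action: str, target: str) -> bool:
        """Record one privileged action; refuse it if the grant is dead or expired."""
        grant = self._grants.get(grant_id)
        if grant is None:
            raise AccessDenied("unknown grant")
        now = self._clock()
        if not grant.revoked and now >= grant.expires_at:
            grant.revoked = True                       # expiry is enforced, not advisory
            grant.audit.append((now, "EXPIRE", ""))
        if grant.revoked:
            raise AccessDenied("grant is no longer valid")
        grant.audit.append((now, action, target))
        return True

    def revoke(self, grant_id: str, by: str) -> None:
        """The morning-after cancellation by the information security officer."""
        grant = self._grants[grant_id]
        grant.revoked = True
        grant.audit.append((self._clock(), "REVOKE", f"by={by}"))

    def review(self, grant_id: str, expected_targets: set[str]) -> list[str]:
        """List every access to a target outside the incident's declared scope."""
        grant = self._grants[grant_id]
        findings = []
        for ts, action, target in grant.audit:
            if action in ("ISSUE", "EXPIRE", "REVOKE"):
                continue                               # lifecycle events, not data access
            if target not in expected_targets:
                findings.append(f"{ts:.0f} {grant.holder} {action} {target}")
        return findings


class FakeClock:
    """Constructed clock so the example is deterministic and runs offline."""
    def __init__(self, now: float = 0.0):
        self.now = now
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> tuple[list[str], bool]:
    """One night on call: issue, the declared fix, a stray read, expiry, review."""
    clock = FakeClock(1_000_000.0)
    broker = BreakGlassBroker(clock, max_ttl=8 * 3600)
    gid = broker.issue("duty.programmer", "ops.shift.lead",
                       "corrupt account number in wire transfer batch", ttl=3600)
    broker.use(gid, "EDIT", "PROD.WIRE.XFER")        # the fix the envelope was opened for
    broker.use(gid, "READ", "PROD.PAYROLL.MASTER")   # nothing to do with the incident
    clock.advance(3601)                              # the hour runs out
    expired = False
    try:
        broker.use(gid, "READ", "PROD.WIRE.XFER")
    except AccessDenied:
        expired = True
    findings = broker.review(gid, {"PROD.WIRE.XFER"})
    return findings, expired


if __name__ == "__main__":
    print(demo())
```

The review step is what turns "highly monitored" into something actionable: the reviewer does not read the whole trail, only the accesses that the stated reason does not explain. In a real deployment the grant would map to a short-lived account or group membership rather than an in-memory record, and the audit list would be a write-once log the holder cannot edit.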
So Steve had come up with something very like JitJea back in 1980. Some of the most difficult problems of the computer industry were being solved in the mainframe world about the time the first PC was being designed. For thirty-five years now, the smartest people in the computer industry have known that system administrators or programmers sometimes need an extreme level of access, but that this is a special case which should be limited in time and carefully monitored. Yet in most enterprises, system administrators have access to data and systems far beyond those usually required to do their job. As Scott Charney pointed out, “Edward Snowden was just a sysadmin on a SharePoint system.” The danger is not just from rogue administrators, of course. There is also the possibility that an external attacker compromises an administrator account, which gives the attacker the same unlimited access to corporate data.
As the number and cost of data breaches continue to escalate, it seems reasonable to ask why we have waited so long to implement “Just In Time”. It’s time already!