Admin Audit Trails: Why Visibility Shouldn’t Stop with End Users

Chandar Venkataraman

One of the ironies of IT-managed software is that it allows IT to track the detailed activities an end user performs, but generally fails to automatically document actions performed by IT administrators themselves. If an IT admin makes an inadvertent policy configuration change, accesses sensitive data, or changes access permissions, there is typically no default audit trail offering a quick way to diagnose and undo the damage.

That was a lesson learned a few years ago when a network administrator for the City of San Francisco reset all administrative passwords to the switches and routers for the wide area network that handles computer traffic for about 60% of the city’s departments. The city spent almost $1M to regain control of the network even after the admin handed the passwords over to then-Mayor Gavin Newsom.

That case – while rare – isn’t unique. According to the CERT Insider Threat Center at Carnegie Mellon’s Software Engineering Institute, 86% of the insiders who commit IT sabotage hold technical positions, and 90% have administrator or privileged access at their organization.

To address these issues and provide increased visibility into an organization’s data, we’ve added a new admin audit trail feature to inSync. With the just-released Version 5.2 upgrade, inSync now records all administrator activity related to endpoint backup protection or any other inSync function, whether an admin has restored user data, changed a file sharing permission policy, or remotely erased data on a stolen laptop.

The activity stream cannot be edited, so admins can’t cover their tracks if they have made a configuration mistake, deliberately disabled inSync’s encryption capability or otherwise disrupted the product’s endpoint data protection and management capabilities.

The upshot: complete transparency, traceability and accountability for all back-end inSync IT activities, which aids forensics, compliance and e-discovery initiatives. Even if you never have a rogue administrator who intentionally sets out to wreak havoc by tinkering with inSync settings, the ability to simply follow the technical breadcrumbs to find and fix an innocent IT error will save hours of work and potential end-user downtime.

Admins may hold the keys to the kingdom, but that doesn’t mean they should be immune from oversight. Solutions like inSync’s new admin audit trail ensure they are accountable and may even be a deterrent to IT mischief.