Is it OK to monitor privileged users?

It's the billion-dollar question ‘du jour.’ Was Edward Snowden a villain or a hero? He believed the U.S. government was abusing its powers by excessively monitoring its citizens. Some consider him a voice of freedom. Others think he's a traitor. And that's how polarizing this issue is.

A few weeks ago, I was at JFK airport minding my own business and buying worthless gifts to take home to my kids. A flashing Statue of Liberty and over-sized t-shirt later, I tried to buy some perfume and found that my card had been stopped. I then received a text from my bank asking me to call the anti-fraud number. They wanted to check that it was me spending money on my card in JFK, took me through some security questions, and re-activated my card within minutes. My initial reaction was annoyance – how dare they stop my card for no reason? But then I realized that I hadn't been to the U.S. for a while, and they were playing safe. I also realize now that I was being monitored – my bank knows where I am every time I use my card. Is that snooping?

The point is that monitoring is a grey area. At what point is it in your interest to be monitored, and at what point does it become invasive? This is the political hot potato that Snowden dived into – while CCTV on street corners might be acceptable, listening in on phone conversations from cars on street corners may not be.

Of course, “monitoring” comes in lots of different shapes and sizes. In the world of cybersecurity, it's pretty much a legal requirement for large businesses like banks to monitor those users who have access to their IT systems. We at Balabit provide technology in this space, but we focus on what we call “Privileged Users”: folks who have legitimate but almost unlimited access to IT systems, some of which might store sensitive customer information. The reason we do this, and the reason people buy our solutions, is that privileged accounts are widely acknowledged as the biggest source of risk of data breaches. Put simply, if an insider who has access to customer data decides to “go rogue” and, let's say, sell that data to criminals, it's very difficult to stop. Equally, if an outside attacker hijacks a privileged account, they can quite easily gain access themselves.

When you consider the implications of a major data breach to a large organization, the idea of monitoring these users seems like a no-brainer. Do you need CCTV at a nuclear power plant? Of course, because the implications of a disaster are unthinkable. A security breach at a bank may be less dramatic than a damaged reactor, but it could be just as damaging. 

But if you ask a privileged user if they like being monitored, you'll likely get mixed responses because, as I said earlier, the issue of security vs. privacy divides opinion. Some would say they have nothing to hide, so why not? Others would say they resent the intrusion. In Germany, privacy legislation requires technology providers like ourselves to be able to anonymize the data that's being collected.

The bottom line, though, is that on balance, security is outweighing privacy. Organizations want to protect personal data, but they also want privileged users to be monitored, and regulations like the GDPR are making that a legal requirement.

So yes, we do care about privacy, but mostly we care about the privacy of individuals who are at the mercy of large organizations and governments to protect their personal data and their identities. Within those large organizations, privileged users have rights too, but the fact is they have the keys to the kingdom – access to customer information – and therefore, they have to be watched.

Balabit recently conducted a survey among system administrators about monitoring their activities.

Results show that:

  • 49% of system administrators had already been in a situation where a detailed video of their work would have been beneficial.
  • 62% said they did not mind being monitored; it depends only on the solution.
  • 24% (for instance, those who use shared accounts) even prefer to have a recording of their activities to prove what they did and, especially, what they did not do.
  • 15% said they would resent the intrusion.