How to manage admin vs. "regular" accounts

cmsrenaski
Tera Contributor

Hi,

Our company has been moving to a security model in which sys admins have a separate admin login from which they perform only admin-level tasks while their regular SSO sign on is used for everything else. I'm being asked if we should implement this model for ServiceNow and am being asked what the risks are if we don't vs. the risks if we do. Since I'm a sys admin as well as an ITIL user, I'm assuming I'm already using two licenses, so that shouldn't be an issue - I'll keep my regular sign on as ITIL and create a new sys admin account for my admin activities. However, it feels like this could cause confusion/complexity. I'm still pretty new at this though, so I'm looking to the community here to give me concrete reasons/examples of how this would be a great or terrible idea.

Thanks in advance for your help!

1 ACCEPTED SOLUTION

Uncle Rob
Kilo Patron

It's to support compliance around separation of duties. It *is* a little more friction for admin users like you and I, but much much much better from a GRC standpoint. Among other things, it ensures that you can't use your admin privilege to alter data for your own benefit. By separating the admin account from the regular account it's easier to track the activities performed by the admin capability.




Thanks, Robert. Can you elaborate on your comment, "It *is* a little more friction for admin users like you and I, " I think we're probably going to move this way, but I've been asked to provide a risk assessment on if we do vs. if we don't. I have this vague feeling that it might cause problems and/or confusion and/or undue complexity but I can't put my finger on what issues it might cause us. It might just be less convenient to have to sign out and back in repeatedly throughout the day. Perhaps that is all there is to my vague, futile resistance...


Thanks, again!


Hi Christie,



Any time you introduce segregation of duties, there is going to be more "friction". People get used to seamlessly moving around the system with impunity and full rights. If you suddenly tell them they have to log out and log in with another account to get (or give up) elevated access they'll complain. It's harder and that's a fact. Additional security usually means more work - just look at two-factor authentication.



The key to helping drive adoption is to help them understand the benefits and risks. If you've got a story of an "oops" - great. If not, I can share one (or more) from my 30+ years.


Chuck Tomasi
Tera Patron

Best practice is to have two accounts: admin work done with an admin account and everyday work done with an account with lesser privileges (e.g. ITIL). The biggest risk of doing all your work in an admin account is accidentally changing data that you shouldn't normally have access to with your day-to-day account.