How to reduce risk
First, do an audit of each application and find out the number of total elevated user (and service) accounts within the application. If the number seems extraordinarily high, do some research to confirm. Following the least-privilege principle, find out (or let the application team find out) how many elevated users are absolutely needed within the application. Get rid of those you don't need and improve control over the rest. I've done a few of these audits; it's usually easy to find the problem children, and you can eliminate a lot of them.
If the application requires a whole bunch of admins -- and yes, such crappy applications exist -- it's time to start contacting the developers or vendors. Any decent application should require only a few administrators. Everyone else should be a reader or maybe a content-specific editor.
My favorite applications are the RBAC (role-based access control) ones where almost no one is an admin, and even the admins are limited in what they can do. In a great RBAC program, what each user can do is determined by his or her role -- usually just a few functions or tasks. They can do only that task (say, update a record in a table) while within the application and performing a particular function.
Let me explain: In most of today's traditional applications, application admins have complete control of the application. They can do anything: change any setting, install or uninstall bits, add and remove users, and copy the entire database off the network to removable media. An application admin is like an app god.
But in an RBAC application, no one is god. No one can copy the entire database or delete it or whatever. The person who adds and removes users and grants elevated privileges is not the same person manipulating the data within the application. In another instance, an RBAC admin may be able to access and change data, but only while within an application module. Once the application is closed, the RBAC admin has zero rights to the underlying database or application.
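As an added illustration (not code from the article), here is a small Python model of the separation described above, where the account that grants roles cannot touch records and no role at all can export or delete the whole database, together with the per-application elevated-account count from the first step. The role names, permission scheme, threshold and sample accounts are constructed for the example.

```python
from dataclasses import dataclass

# Constructed role model: permissions are (module, action) pairs.
# No role grants ("database", "export") or ("database", "delete"), so no
# account in the application can copy or destroy the whole store.
ROLES = {
    "user_admin": {("users", "add"), ("users", "remove"), ("users", "grant_role")},
    "record_editor": {("records", "update"), ("records", "read")},
    "reader": {("records", "read")},
}
# Roles that count as "elevated" for the audit in step one (assumption).
ELEVATED_ROLES = {"user_admin", "record_editor"}


@dataclass
class App:
    name: str
    assignments: dict  # username -> set of role names (constructed sample data)


def is_allowed(app: App, user: str, module: str, action: str) -> bool:
    """Allow an action only if one of the user's roles grants it in that module."""
    roles = app.assignments.get(user, set())
    perms = set().union(*(ROLES[r] for r in roles))
    return (module, action) in perms


def elevated_accounts(app: App) -> list:
    """Accounts holding any elevated role, for the per-application audit."""
    return sorted(u for u, roles in app.assignments.items() if roles & ELEVATED_ROLES)


def audit(apps, max_elevated: int = 3) -> dict:
    """Flag applications whose elevated-account count exceeds the threshold."""
    counts = {a.name: len(elevated_accounts(a)) for a in apps}
    return {name: n for name, n in counts.items() if n > max_elevated}


# Constructed sample: one tidy application and one "problem child".
HR_APP = App("hr", {"alice": {"user_admin"}, "bob": {"record_editor"}, "carol": {"reader"}})
CRM_APP = App("crm", {**{f"admin{i}": {"user_admin"} for i in range(6)}, "dave": {"reader"}})

if __name__ == "__main__":
    print(audit([HR_APP, CRM_APP]))  # {'crm': 6}
```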
The bad guys are after system access and databases. That's why I'm as worried about how a company controls and audits application administrators as I used to be about OS and network administrators. D'oh! It's never too late for old security guys to learn new risk tricks.
This story, "Too many admins spoil your security," was originally published at InfoWorld.com. Read more of Roger Grimes' Security Adviser blog at InfoWorld.com.