
Security Controls, Explained: Admin Access

Tugboat Labs
2020-07-08, 4 min read
InfoSec Best Practices
Admin access comes with great power, great responsibility, and a lot of headaches (source: Tugboat Logic blog)

Control of the Week #6: Administrative Access

This week’s control is administrative (privileged) access. Jose Costa (CISO at Tugboat Logic), Harpreet Shergill (Senior Manager, IS Risk & Compliance at Tugboat Logic), and Chika Nwajagu (Senior Security Analyst at Tugboat Logic) explain why administrative access is important and how to implement this control for your audits.

Why this control is important

"AC3.9 - Administrative/Privilege Access: Access to a generic administrator or privileged accounts on the databases and servers supporting the application is restricted to authorized personnel based on a role-based access scheme."

To keep up with previous analogies, this control deals with the people who have the master keys to your organization’s data, systems, and other assets. Auditors especially focus on administrator accounts and question the appropriateness of such accounts.

Admin accounts have the potential to do the most damage if they're in the hands of those who shouldn't have access, or are unqualified to use those accounts. Admins typically have the power to grant access to other individuals, which means the risk to your data increases greatly if accounts aren't carefully monitored.

How to implement this control for your audits

At the risk of stating the obvious, admin account access should be granted to users based on their position in the organization. More specifically, you should only give access to those whose roles require it (typically limited to IT teams and specific administrators). Make sure monitoring is in place so you can show who is allowed to access the data, who used the accounts and when they logged in, and that each authorized user has a unique, individually attributable account (shared accounts open up additional risk faster than a can of Goya beans!).

In short, these accounts should be monitored periodically to verify:
Who has access to these accounts
What type of access they have
What activities are performed through such access

TL;DR: Privileged accounts should be granted only to authorized people. Privileged accounts include:
Domain admin accounts
Emergency accounts
Database accounts
Server root accounts
Service accounts
Application accounts

Last, but certainly not least, think about:

Password management tools – a great way to use technology as a means to control access (check out our recommendations)
Conducting an access review – auditors like to see you do this periodically
Avoiding hard-coded or permanently embedded credentials for things such as APIs
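The periodic review described above (who holds privileged access, whether their role justifies it, and which accounts were actually used to log in) can be made mechanical. The following is an added example, not code from the original post or from Tugboat Logic; the group names, the user-to-role mapping, the approved-role table and the sshd-style log lines are all constructed for illustration, and a real review would pull them from your directory, HR system and log pipeline instead.

```python
"""Added example: a minimal privileged-access review over constructed data."""
import re
from collections import defaultdict

# Constructed privileged group membership, as an export from AD, sudoers or the
# database would give it (names are illustrative, not real accounts).
PRIVILEGED_GROUPS = {
    "Domain Admins": ["alice", "bob", "svc-backup", "admin"],
    "db-superusers": ["alice", "carol"],
    "wheel": ["root", "bob", "dave"],
}

# Constructed role source (HR / identity system) and the role-based scheme that
# says which roles may hold which privileged group.
ROLE_OF = {"alice": "it-ops", "bob": "it-ops", "carol": "dba", "dave": "developer"}
APPROVED_ROLES = {
    "Domain Admins": {"it-ops"},
    "db-superusers": {"dba", "it-ops"},
    "wheel": {"it-ops"},
}

# Generic / shared accounts: nobody should hold or log in with these directly.
GENERIC_ACCOUNTS = {"root", "admin", "administrator"}

# Constructed auth log lines in sshd/PAM style (constructed sample input).
AUTH_LOG = """\
Jul 08 09:01:12 db1 sshd[2311]: Accepted publickey for alice from 10.0.1.5 port 51112 ssh2
Jul 08 09:05:40 db1 sshd[2340]: Accepted password for root from 10.0.1.9 port 51200 ssh2
Jul 08 10:12:03 app2 sshd[871]: Accepted publickey for dave from 10.0.2.7 port 40021 ssh2
Jul 08 11:30:55 dc1 sshd[101]: Failed password for admin from 203.0.113.4 port 2222 ssh2
Jul 08 12:00:01 db1 sshd[2501]: Accepted publickey for bob from 10.0.1.5 port 51300 ssh2
"""

LOGIN_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+)")


def review_membership(groups=PRIVILEGED_GROUPS, role_of=ROLE_OF, approved=APPROVED_ROLES):
    """Return (group, user, reason) for every membership that fails the role-based check.

    Generic accounts and accounts with no role on record (service accounts,
    leavers) are flagged because nobody is accountable for them.
    """
    findings = []
    for group, members in groups.items():
        for user in sorted(members):
            if user in GENERIC_ACCOUNTS:
                findings.append((group, user, "generic/shared account holds privilege"))
                continue
            role = role_of.get(user)
            if role is None:
                findings.append((group, user, "no role on record (service account or leaver?)"))
            elif role not in approved.get(group, set()):
                findings.append((group, user, f"role '{role}' not approved for '{group}'"))
    return findings


def review_logins(log=AUTH_LOG, groups=PRIVILEGED_GROUPS):
    """Summarise who actually used privileged access.

    Returns (accepted logins per privileged user, generic-account login attempts,
    privileged users with no successful login in the period).  The last list is
    the usual candidate for removal: standing access nobody uses.
    """
    privileged = {u for members in groups.values() for u in members}
    logins = defaultdict(int)
    generic_use = []
    for line in log.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue  # not an sshd auth decision; ignore
        outcome, user, src = m.groups()
        host = line.split()[3]  # syslog layout: month day time host ...
        if user in GENERIC_ACCOUNTS:
            generic_use.append((user, host, src, outcome))
        if outcome == "Accepted" and user in privileged:
            logins[user] += 1
    unused = sorted(privileged - set(logins))
    return dict(logins), generic_use, unused


if __name__ == "__main__":
    for group, user, reason in review_membership():
        print(f"MEMBERSHIP  {group:14} {user:12} {reason}")
    logins, generic_use, unused = review_logins()
    for user, host, src, outcome in generic_use:
        print(f"GENERIC-USE {user:12} on {host} from {src} ({outcome})")
    print("logins per privileged user:", logins)
    print("privileged accounts never used this period:", unused)
```

Run on the constructed data it flags `admin` and `root` as generic accounts holding privilege, `svc-backup` as having no accountable owner, and `dave` as a developer sitting in `wheel` without an approved role; the log pass shows a successful `root` login on `db1` (a shared account used interactively) and a failed `admin` attempt from an external address. The evidence an auditor wants for this control is exactly these three lists, produced on a schedule and kept with the sign-off of whoever reviewed them.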