Accessing University Data with Elevated Privileges

ISO Position Paper

Position Title:   Accessing University Data with Elevated Privileges

Position Audience: Princeton University Community

Contact:   Information Security Office: InfoSec@princeton.edu

Position Release Date:  Jan 21, 2022


Problem Statement

Everyday computer usage while logged in with personal credentials exposes those credentials to increased risk. Clicking on links in phishing email, opening malicious attachments, or inadvertently browsing to malicious websites could potentially compromise that computer and expose those credentials. If those personal credentials have elevated privileges to systems or applications containing sensitive University information, that data is subsequently put at increased risk.

ISO Position

It is the position of the ISO that personal credentials should not be used when accessing sensitive data or systems where elevated privileges are needed. A separate set of credentials, enabled for multifactor authentication, should be used when accessing University systems or applications with elevated privileges. This credential, known as a #vi account, should be enabled with elevated privileges instead of an individual’s personal credentials. This #vi account should only be used for activities which require elevated privilege (e.g., system/application administration). This approach helps limit the potential inadvertent exposure of sensitive University information.

Data classification: Public