Who Can We Trust with Our Enterprises?

Ara Trembly
Insurance Experts' Forum, November 9, 2009

“Open the pod bay doors, HAL.” 

“I’m sorry. I’m afraid I can’t do that, Dave.”

I don’t know about you, but to me these are among the most chilling words ever spoken in filmdom. They come from the epic film 2001: A Space Odyssey, and they represent a revolt of sorts by HAL, a highly advanced computer that is believed to be “incapable of error” (HAL’s own words). The mere thought of our own technology turning on us in such a malevolent fashion is more than disturbing, especially if we depend on that technology for our very lives, as the space explorers did in the film. As one of the lead characters says of HAL: “There isn't a single aspect of ship operations that isn't under his control. If he were proven to be malfunctioning, I wouldn't see how we'd have any choice but disconnection.” Alas, HAL’s reaction to that suggestion is to murder most of the crew in order to protect himself. 

So why am I bringing this up? Well it seems that at least one consultant organization, Enterprise Management Associates (EMA), is suggesting in a recent paper that leaving our enterprises in the hands of human administrators is not secure. To quote the paper: “A Windows administrator … wields the power to configure virtually every aspect of system functionality. When the resource in question has a bearing on the business itself, this calls for a high degree of confidence in those given administrative privilege. Typically, this confidence is justified in diligent, technically capable professionals who exhibit high integrity in their work. Regardless, however, the fact that the enterprise places so much capability in the hands of a few highly skilled individuals must be examined in light of what that means to the business.” 

EMA adds that administrator accounts are typically shared, yet may afford little visibility into the specific actions of any one privileged user. High-privilege access, the consultant reports, “has been implicated in episodes such as the subversion of large numbers of business systems and manipulated trading information at major financial services and health care enterprises.” 

According to EMA, high level access is “often based on little more than trust alone.” The consultant says there is a need for “processes that afford control over who can access what resources under which conditions, with visibility into activity that demonstrates the integrity of dedicated professionals while protecting the enterprise.” So far, so good. But one wonders who—or what—will oversee the integrity of those processes? 

Here’s where things get a bit fuzzy. EMA talks of a technology that “offers workflow for integrating more ef­fective control over high-privilege access.” There is mention of “finely grained policy control over root-level access for UNIX and Linux platforms” and integration of these privilege process controls “across multiple environments in today’s heterogeneous enterprise.” That’s fine, but the question of who ultimately oversees this finely tuned access and control system has not been answered. 

I don’t mean to be splitting hairs here. I think EMA is right on the mark about the need to ensure that, for example, our insurance enterprise administrators are not themselves the sources of data leaks or problems that lead to unauthorized intrusions. In the end, however, someone needs to sit in the enterprise judgment seat, and that means a human being. And that human being needs to have the power and authority to override even the carefully crafted policies that are built into an insurer’s systems. 

Should we make every effort to double check the capability and trustworthiness of such a person or persons? Absolutely! That said, however, we must trust our people—not our systems—to faithfully administer our enterprises. The reason is obvious. Our systems, which are crafted by people called programmers, are not perfect. Therefore, a human—someone who can exercise judgment outside the bounds set by the system’s programmers—needs to keep watch, and make adjustments or exceptions, where necessary. 

To take this ultimate power out of the hands of our people and trust it to any system—no matter how well crafted—is to invite the tyranny of an improperly programmed application to have sway over the critical aspects of our business. We were rightfully warned about the potential problems with that approach in 2001

Mistakes will continue to happen no matter how careful we are. Let’s make sure, however, that they are human mistakes. 

Ara C. Trembly ( is the founder of Ara Trembly, The Tech Consultant, and a longtime observer of technology in insurance and financial services.

Readers are encouraged to respond to Ara using the “Add Your Comments” box below. He can also be reached at

The opinions posted in this blog do not necessarily reflect those of Insurance Networking News or SourceMedia.

Comments (0)

Be the first to comment on this post using the section below.

Add Your Comments...

Already Registered?

If you have already registered to Insurance Networking News, please use the form below to login. When completed you will immeditely be directed to post a comment.

Forgot your password?

Not Registered?

You must be registered to post a comment. Click here to register.

Blog Archive

With Google Favoring Mobile, Will The Industry Take it Seriously?

Google’s search engine will now will favor mobile friendly content over traditional website content; within the insurance industry, the greatest initial impact is likely to be felt by insurance distributors.

Why Some Technologists Get Cold Feet on Mobile

There are those who believe that favoring one channel or mode over another will lead to even more silos and dysfunction than we already have in many organizations.

Insurance IT Spending and Budgeting Benchmarks

New research from Novarica highlights areas of concern and offers insights on insurers spending and budgeting decisions.

Enterprise Mobilemania Continues Unabated

More than half of companies are spending more on developing mobile applications -- but are they more efficient?

Why Insurers Need More Than a Policy Admin System

For some insurers, not being able to handle the volume of quotes that are being submitted to them means leaving significant money on the table.

The Pitfalls of Using Assembly Line Methods to Create Software

Most of the time, when the business needs IT, it is for custom software development, just like creating a concept car.