It's fundamentally nearly impossible to audit (or even control) what sysadmins do. You can try, but at the end of the day the most secure really is based on trust and it works remarkably well. NSA must have thousands of sysadmins (at least over the years) and we've got one that leaked things in a significant way.
The system they use is not really broken, it's just embarrassing to them when it's proven imperfect. The best fix would be to simply avoid doing things that are likely to piss off ethical people like Snowden.
This is nonsense. The whole point of the audit tools that we (Red Hat) ship is to audit the sysadmins. This includes: auditing off machine to secure sites under control of others; having the machine hard power-off if the audit log cannot be written/sent; extremely fine-grained auditing of every command used, file read/written, etc.
What does Red Hat do to prevent someone from copying backup tapes? Or authorized users from copying data to other servers that aren't audited? Or from databases and repositories via their own protocols?
It's rather unimpressive to claim that you can tell a customer that "your sysadmin had authorized access to all data, so any of it could have been copied".
It's the responsibility of a business's owners/executives/officers to physically secure their building and technology. Red Hat and other groups (like Schlage, ADT, and police departments) make tools/services you can use to do this, but it's your responsibility to make sure all of your agents are doing what you want them to do.
It's rather embarrassing to have your IT supplier tell you "This other person who you trusted with access to all your data may have copied some or all of it -- you should trust your employees more granularly."
If it's your system, then only you have access to grant access to others. If you hire a sysadmin to build you a system, you make sure you trust that person, and make sure that person is the only one with access to grant access. If that person lies to you and starts handing out that access, you replace her/him. And if you can't find anyone trustworthy, then you're forced to do this job for yourself.
Copying the backup tapes to what? Auditing is implemented along with physical measures like ensuring USB ports are glued up and people are searched going into and out of the secure data center (which is air-gapped from the internet). You can't even carry a mobile phone -- there are detectors for the signals they give off.
(USB ports / CDs being what failed in the Bradley Manning case)
Physical security is a joke everywhere. I've worked in 50+ datacenters and I'd bet anyone anywhere that I could sneak a 64GB micro SD card out of any datacenter in the world. No one is doing cavity searches, not even NSA. Getting a "decommissioned" or "test" server out full of data would be trivial in 99.99% of organizations.
Theoretically it's trivial to audit sysadmins. In practice it's virtually impossible. Let me know when Red Hat wants to bet money on it.
I'm pretty sure I recall hearing the NSA never lets anything leave their facilities intact when decommissioning or otherwise disposing.
I've heard a story of brand new very expensive servers (big Sun machines I think) sitting in a loading dock, still on pallets, having the project cancelled and having them destroyed unused rather than risk data leaving the building.
I'm sure they have great policies. I'm also sure they're regularly not followed or easily bypassed by certain people. Who exactly destroys the servers, for example?
This is simply incorrect. It's quite possible to audit what system admins do by logging changes to a system and auditing the logs. I've personally run an audit of logs in a worldwide cloud email service (you have heard of them) to find out which of my fellow admins made changes to a senior admin's access.
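The two comments above (the Red Hat one about auditing every command a sysadmin runs, and this one about finding which admin changed a senior admin's access) both depend on one property of the Linux audit subsystem: each record carries the login uid (auid) of the session that issued the command, and that value survives sudo/su to root, so a change made "as root" can still be attributed to the person who logged in. The script below is an added illustration, not code from any commenter and not Red Hat's own tooling (ausearch/aureport do this job in practice); the audit records and the uid-to-name table are constructed, and the audit rule key "identity" is assumed to have been set on the identity-management binaries.

```python
"""Attribute identity changes in auditd-style records to the login
account (auid) that issued them, even when the command ran as root."""
import re
from collections import defaultdict

# Constructed sample records in the Linux audit log format (not real logs).
# Event 4567: carol (auid=1001) became root via sudo (uid=0) and added bob
# to wheel. Event 4580: dave (auid=1002) tried to lock alice and was denied.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1371234567.123:4567): arch=c000003e syscall=59 success=yes exit=0 auid=1001 uid=0 gid=0 euid=0 comm="usermod" exe="/usr/sbin/usermod" key="identity"
type=EXECVE msg=audit(1371234567.123:4567): argc=4 a0="usermod" a1="-aG" a2="wheel" a3="bob"
type=SYSCALL msg=audit(1371234600.456:4570): arch=c000003e syscall=59 success=yes exit=0 auid=1002 uid=1002 gid=1002 euid=1002 comm="ls" exe="/usr/bin/ls"
type=EXECVE msg=audit(1371234600.456:4570): argc=2 a0="ls" a1="/etc"
type=SYSCALL msg=audit(1371234700.789:4580): arch=c000003e syscall=59 success=no exit=-13 auid=1002 uid=1002 gid=1002 euid=1002 comm="usermod" exe="/usr/sbin/usermod" key="identity"
type=EXECVE msg=audit(1371234700.789:4580): argc=3 a0="usermod" a1="-L" a2="alice"
"""

# Constructed mapping of login uids to account names (what /etc/passwd gives).
LOGIN_NAMES = {1001: "carol", 1002: "dave"}

# auid of a process started outside any login session (daemons, cron).
AUID_UNSET = 4294967295

RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fields(body):
    """Split 'k=v k="quoted v"' into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}


def parse_events(text):
    """Join SYSCALL and EXECVE records that share a serial into one event."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        ev = events[int(m['serial'])]
        ev['ts'] = float(m['ts'])
        fields = parse_fields(m['body'])
        if m['type'] == 'SYSCALL':
            ev.update(auid=int(fields['auid']), uid=int(fields['uid']),
                      success=fields['success'] == 'yes',
                      key=fields.get('key'), exe=fields['exe'])
        elif m['type'] == 'EXECVE':
            ev['argv'] = [fields[f'a{i}'] for i in range(int(fields['argc']))]
    return [events[s] for s in sorted(events)]


def who_is(auid):
    """Map an auid to the person who logged in; flag sessionless processes."""
    if auid == AUID_UNSET:
        return "<no login session>"
    return LOGIN_NAMES.get(auid, f"auid={auid}")


def identity_changes(text, target_user):
    """Return (login_name, argv, succeeded) for every command tagged with the
    'identity' audit key that named target_user. Attribution uses auid, the
    original login, not uid, which is 0 for anything run under sudo."""
    out = []
    for ev in parse_events(text):
        if ev.get('key') != 'identity' or target_user not in ev.get('argv', []):
            continue
        out.append((who_is(ev['auid']), ev['argv'], ev['success']))
    return out


if __name__ == "__main__":
    for who, argv, ok in identity_changes(SAMPLE_AUDIT_LOG, "bob"):
        print(f"{who} ran {' '.join(argv)} ({'ok' if ok else 'denied'})")
```

The point of the join on the serial number is that the SYSCALL record holds the identity fields and the EXECVE record holds the argument vector; neither alone answers "who changed bob's groups". Filtering on the audit key rather than on the command name is what keeps the search honest when the same change is made through a different binary tagged with the same rule.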
And you can definitely control what access system admins have to your system. Not every person who joins workstations to a domain needs to have full domain permissions.
This kind of sloppy authorization and system state control is inexcusable.
You only think this because you haven't had your system tested in a real way. Hire a really good security firm and I assure you they will easily circumvent your auditing with no more access than your most trusted sysadmin.
I genuinely wonder what other sysadmins working at/with the NSA think about Snowden.
His actions have probably made their jobs more difficult, but they also work with these same systems, have a sense of their scope, and know the extent to which internal controls are (apparently) more procedural than technical. I wonder how many secretly feel vindicated for some concern they have felt or expressed in the past.
From my experience at a very large bank, no one can do anything significant (such as connect to a database) without leaving an audit trail at said bank. It is very much possible to audit and it is being done routinely in places, at banking systems, for instance.
A camera would not be even close to good enough. It's trivial to type commands in a window that is not visible on your screen, for example. Keyboard logging? Not even close to good enough since you could easily break commands up or write a script that does what you want in an obfuscated way.