Great to hear you're finally getting some relief. You didn't provide any information on your organization's setup in your question, so I have to say the answer to your first question is "it depends." The rule of thumb for user account controls is to do it as close to the user as possible: That means you need to be able to verify that the requestor was really the person who made the request, in order to prevent creating accounts when they're not warranted. If you're located in the same general geographic area or can easily contact the requestor to validate that he or she, or his or her manager, made the request, then central administration is fine. If, however, there are language issues, you don't have an easy way to verify user requests, or have a highly distributed, or political, or siloed business model, then distributed administration makes more sense.
As far as who watches the watcher, this question has been debated for years. As mentioned in another question, separation of duty (SoD) best practices dictate that an account administrator should not be able to set up accounts or privileges for himself or herself, for all the reasons you mentioned above. So in order to monitor these activities, it's important to have an audit function within the organization. Whether this is owned by the legal group, the compliance group or even network engineering -- who can sniff out unauthorized traffic -- the decision is an organization-specific one. If an audit group isn't feasible due to cost, lack of experience, size of organization, politics, etc., then the only alternative is to have HR conduct periodic background checks of the people who have this function. They would look at criminal and financial information to ensure the likelihood of authorized users doing unauthorized activities is not influenced by outside pressures. Great administrators have gone bad due to pressures posed by gambling, divorce, mortgage debt, etc. I'd also look at personality. You want happy people who like their job, who get along well with others and are genuinely honest doing this work. Brooding administrators are always a bad sign.
Finally, the U.S. Government's CERT group has many good guidelines on mitigating the insider threat. You should go to their site and learn all warning signs of potentially dangerous administrators and activities to look out for. Good luck with your new administrator, and hopefully now you can take that vacation I'm sure you've been putting off.
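The separation-of-duty point in the answer above (an account administrator should never be able to provision accounts or privileges for his or her own account, and somebody other than the administrator has to be able to see when that happens) is the kind of rule an audit function can check mechanically. The following is an added example, not code from the expert's answer or from TechTarget: a small Python check over an account-administration audit trail. The event format, the field names (actor, action, target, approver), the list of privileged actions and the three policy rules are all assumptions made for the example; map your own directory or IAM logs onto them. The sample events are constructed.

```python
"""Added example (not from the original Q&A): a minimal separation-of-duty
check over an account-administration audit trail.

Event format, field names and policy rules are assumptions for this example.
Each event records who acted (actor), what they did (action), which account
was affected (target) and who approved the request (approver, if recorded)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class AuditEvent:
    ts: str             # ISO-8601 timestamp (constructed sample values below)
    actor: str          # account that performed the action
    action: str         # e.g. "create_account", "grant_privilege", "reset_password"
    target: str         # account affected by the action
    approver: str = ""  # second party who approved the request; "" if none recorded


# Actions that must never be self-service or single-handed (assumed policy).
PRIVILEGED_ACTIONS = {"create_account", "grant_privilege", "reset_password"}


def sod_violations(events: Iterable[AuditEvent]) -> list[tuple[str, AuditEvent]]:
    """Return (reason, event) pairs for events that break separation of duty.

    Rules (assumed policy; adapt to your own):
      self_service  - an administrator changed his or her own account
      no_approver   - a privileged action has no recorded second party
      self_approved - the actor is recorded as his or her own approver
    """
    findings: list[tuple[str, AuditEvent]] = []
    for ev in events:
        if ev.action not in PRIVILEGED_ACTIONS:
            continue  # read-only or routine actions are out of scope here
        if ev.actor == ev.target:
            findings.append(("self_service", ev))
        if not ev.approver:
            findings.append(("no_approver", ev))
        elif ev.approver == ev.actor:
            findings.append(("self_approved", ev))
    return findings


# Constructed sample trail: one properly approved request, one administrator
# granting a privilege to his or her own account (and "approving" it), one
# account created with no approver on record, and one harmless read.
SAMPLE_EVENTS = [
    AuditEvent("2024-01-08T09:12:00Z", "admin.alice", "create_account", "jdoe", approver="mgr.bob"),
    AuditEvent("2024-01-08T09:15:00Z", "admin.alice", "grant_privilege", "admin.alice", approver="admin.alice"),
    AuditEvent("2024-01-08T10:02:00Z", "admin.carol", "create_account", "contractor7"),
    AuditEvent("2024-01-08T10:05:00Z", "admin.carol", "view_account", "admin.carol"),
]


def summarize(events: Iterable[AuditEvent] = SAMPLE_EVENTS) -> dict[str, int]:
    """Count findings by reason; the audit group reviews the underlying events."""
    counts: dict[str, int] = {}
    for reason, _ in sod_violations(events):
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    for reason, ev in sod_violations(SAMPLE_EVENTS):
        print(f"{reason:13} {ev.ts} actor={ev.actor} action={ev.action} target={ev.target}")
```

The important design point is that this check runs on a log the administrators themselves cannot edit, and is reviewed by whichever group owns the audit function (legal, compliance or network engineering, as the answer lists); a control that the administrator can switch off does not answer "who watches the watcher." For a real deployment, the approver field would come from your ticketing or approval workflow rather than from the administrator's own input.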
Related Q&A from Randall Gamby, Contributor