But from a practical standpoint, it's not possible to limit IT's access due to the nature of the job. However, you can certainly audit that access, and there's no shortage of tools to do so. One genre of security tools that helps with auditing and securing against internal threats is data leak/loss prevention (DLP) systems. DLP systems come in a variety of flavors and protect against a variety of threats. Products in this space cover everything from securing and auditing file access, to monitoring communications and content leaks, to encryption of USB devices and hard drives, all the way up through the definition and real-time monitoring of policy-based information access.
Unfortunately, it's no longer possible to simply lock down resources via user credentials and fall asleep hoping that your own employees won't attack you when you're not watching. The fact is that we need to set permissions accordingly and then monitor how those permissions are being used across a wide range of technologies. Many of the threats a DLP system surfaces will be well-intentioned, like the marketing professional who decides to copy a customer database to a laptop for use on a flight. While that's certainly a legitimate business need, there are also security implications to consider when such sensitive data leaves the organization's walls.
But don't expect DLP systems to solve all of your problems on day one. Much like a home is built by first excavating a foundation, organizations must first identify which resources and information are vital, and then move on to identifying which personnel should have access to which resources. Simultaneously, acceptable use policies should be developed that dictate what information can be accessed remotely and what information can be stored on removable media. Once security and use policies are fully developed, DLP systems can then be used to enforce and report on those policies. According to Gartner, the leaders in the DLP space right now are Vontu, WebSense, Reconnex, and Vericept.
Do you use an enterprise DLP system in your environment? Share your experience here. I'm especially interested to hear about how you've used your DLP system to catch an intruder or thief red-handed.