<Originally published - August 16, 2006
Networks are commonly protected by specialized software such as firewalls, antivirus, and network access control products to prevent unauthorized access and activity. Yet other IT infrastructure components, including applications, databases, web servers, directories, and operating systems rely mostly on the security mechanisms that come as part of the product’s built-in feature set. Security policies evolve around leveraging passwords and privileges to protect data. But is this really enough, considering that many users, such as database administrators (DBAs) and system administrators, have elevated privileges—meaning that there’s no guarantee that a company’s change policies are actually being followed?
Just because your IT organization has deployed security products or IT components with best-in-class security features, it doesn’t mean they are being used properly. They may not be used in the way they have been intended, or as often as required, to fully protect your valuable IT assets. As a result, your organization may be at great risk, lulled into a false sense of security that everything has been taken care of. And then you wake up one morning to an emergency phone call, alerting you that your records have been illegally accessed.
In today’s compliance-driven world, where failure to protect sensitive financial and customer information means damaged careers, along with lawsuits, fines, and reduced public confidence in your enterprise, IT security needs to be more granular than ever before. Increasingly, it will be important to detect all user actions in the IT infrastructure and to validate changes against approved change requests within Remedy, Peregrine, or other change management systems. Otherwise, users will be able to circumvent your security policies, procedures, and best practices, regardless of how robust your IT infrastructure components’ security features are. For this reason, IT staff should consider an IT policy enforcement solution to complement the built-in feature sets of IT components.
How IT Policy Enforcement Solutions Help You Regain Control
An IT policy enforcement solution detects, validates, and reports unauthorized change and out-of-compliance actions on the IT infrastructure. It also lets you know if your security policies, procedures, and best practices are actually being followed. Using an IT policy enforcement solution will help IT security staff comply with key controls in the organization, such as access control, change validation, emergency change monitoring, IT security process compliance, and segregation of duties.
Passwords and privileges excel at defining who can get access to your systems and data. But privileged users, such as system administrators and root users, require full access rights to get their job done. This is why you need to understand the activity of users in addition to just restricting access. You need to know if someone in IT is looking at your sensitive customer information or financial data. And you also need to identify all changes to accounts and permissions. Is a user colluding with another employee to violate segregation of duties controls, or with an external thief attempting to gain remote access? Or is a user making changes to production systems outside of allowed maintenance times? Having the ability to answer these types of questions is why your organization needs an IT policy enforcement solution.
An IT policy enforcement system monitors access to all restricted data. To reduce fraud or malicious activity, the system can also check that the level of access granted to a user is appropriate to the business purpose, and that the level of access does not compromise segregation of duties. It will also make sure that administrators follow information security concepts, such as least-possible-privilege and need-to-know.
Discovering change management control deficiencies and resolving them are important because unauthorized, unplanned, and untested changes are the leading cause of costly downtime. While your IT organization has probably developed standardized methods and procedures to use for efficient and prompt handling of changes to minimize the impact of any related incidents upon service, it doesn’t know if these procedures are actually being followed.
IT policy enforcement solutions automatically identify unauthorized changes in the IT infrastructure by comparing detected activities to approved change requests in a change management system. The IT policy enforcement solution will help you answer various questions:
- Does an approved change request exist for the change?
- Did the change occur on the appropriate device or devices?
- Was the change made during the approved time window?
- Did the appropriate individual make the change?
If the answer to any of these questions is “no,” the change is not compliant with the IT organization’s change control policies, and the IT policy enforcement solution will immediately send an alert to the appropriate staff.
For most enterprises, emergency changes forgo the normal change approval process. When an incident occurs, it must be resolved as soon as possible if it’s disrupting business operations. During repair, firekey users (emergency access users) have free rein over the IT component they have logged into. But are they only taking actions to resolve the incident, or are they taking advantage of emergency access for other purposes as well? You need to know, because IT compliance requirements now mandate greater documentation of the actual changes associated with an emergency change. IT policy enforcement solutions track and report firekey account logins and logouts, and monitor firekey change activity.
IT Security Process Compliance
Antivirus and backup and recovery tools are key components of most corporate security policies. These solutions have been deployed, but are they actually running and being used according to your corporate security policies? IT policy enforcement solutions tell you whether or not your operational processes adhere to corporate procedures so that the security technologies you have deployed do the job they were intended to do.
Your IT components may come equipped with an outstanding set of IT security features, but they won’t do you any good if they are not being used according to security policies. Another valuable benefit of an IT policy enforcement product is its ability to detect which IT components are not adhering to the configuration policies managed by a configuration management database. In this way, you know where your organization has the greatest security risk exposure, and can take actions to prioritize security process improvements.
Segregation of Duties
Segregation of duties isn’t only for business users. For example, giving a developer the ability to migrate changes to a production environment is generally a really bad idea. The more resources the IT staff member has access to (such as production programs, the programming documentation, system utilities, and the operating system itself), the greater the risk to the organization. In actual practice, segregating duties across these resources is very difficult.
Where feasible, IT policy enforcement solutions support segregation of duties. In other instances, IT policy enforcement solutions provide audit trails that serve the purpose of an acceptable compensating control. Auditors have access to detailed forensics of activity including the who, what, when, and where of all user actions.
Catch IT Policy Violations and Confirm Compliance
Hopefully, after reading this article, you now see that relying solely on built-in security features of IT components poses significant risks for your company. Passwords and privileges will only get you so far. You also need to understand the behavior of users of IT components, as well as of users who are responsible for making sure that the security procedures for the IT component are followed.
Still not convinced? For argument’s sake, let’s suppose that your existing IT security measures are doing the job they are intended to do. You’re still going to have to demonstrate security compliance with industry and government regulations, and best practices to your internal and external auditors. With millions of events on hundreds of servers in dozens of locations across your enterprise, the task of validating and enforcing your security controls is too large, too error-prone, and too costly to tackle without automation. An all-too-common approach to addressing compliance work is to dedicate additional people to the problem—lots and lots of people. While this brute-force method may get you through regulatory audits, it distracts you from your core IT responsibilities, while doing little to advance your business.
An IT policy enforcement solution not only brings an extra degree of security control to your IT infrastructure, it also helps you confirm security policy compliance. An automated way to detect, validate, and report unauthorized changes and out-of-compliance actions on the IT infrastructure may help you avoid severe compliance headaches down the track.
||IT Policy Enforcement
- Monitors privileged user activity
- Identifies changes to accounts and permissions
- Enforces allowed maintenance times
- Validates actual changes in the IT environment against planned change requests, identifying those changes that happen without approvals
- Tracks firekey account logins
- Monitors firekey change activity
|IT security process compliance
- Ensures backup and recovery procedures are followed
- Makes certain antivirus processes adhere to corporate policies
- Identifies deviations from desired configuration baselines
|Segregation of duties
- Controls developer access to production systems
About the Author
Teresa Wingfield has held senior-level marketing positions at Active Reasoning, TIBCO Software, Niku Corporation (acquired by Computer Associates), and Netfish Technologies (acquired by IONA Technologies). Wingfield has also been an industry analyst at Current Analysis and Giga Information Group (acquired by Forrester Research). She holds graduate degrees in business from MIT’s Sloan School of Management, and in software engineering from Harvard.