Computer surveillance may adversely affect UNIX and Linux operations if not performed as part of a managed process including the appropriate amount of automation.
Commercial, enterprise-scale computing is widely provided by systems operating under UNIX or Linux. However, these operating systems have their roots in collaborative research computing where security is not particularly important. In commercial installations computer surveillance may be necessary to ensure that sensitive data is not exposed to risk. Unfortunately, this can be quite disruptive of everyday UNIX and Linux operations and is no longer a robust enough solution to satisfy the requirements of recent legislation.

The problem with Linux and UNIX – two similar multi-user operating systems whose roots are in team-oriented, collaborative computing for research and, later, educational environments – is that the system administrator was always expected to be "one of the team". Security was not a big issue and administration was amongst colleagues. Now that Linux and UNIX have been adopted for large-scale commercial work, the fact that one or more administrators have complete freedom to view or change any part of the system inevitably means that some form of computer surveillance has to be set up, but in a way that does not seriously affect everyday UNIX and Linux operations.

Until recently, corporate IT officers have been free to implement their internal computer surveillance, probably as a simple add-on to their normal Linux operations procedures. However, following recent legislation, they, as well as external auditors, now face harsh penalties whose consequences are such that regulation of IT processes will be stricter and that fairly low-level techniques will become much more precisely defined.

Computer surveillance and its impact on UNIX and Linux operations in a post-SOX environment

Recent US and European legislation (Sarbanes-Oxley in the USA and similar European Directives) has made compliance a big issue for publicly listed companies – and some private companies who conduct business with the listed sector.
The essence of the legislation is to protect the integrity of the financial information provided to the public. This is difficult to prove when privileged IT users, typically system administrators, have unlimited access rights to critical IT systems. We can see at once that system administration practice has a direct influence on system security. The only way forward is to devise and employ mechanisms for controlling the rights of administrators and monitoring their actions continuously. Only by these means can the IT organisation provide irrefutable evidence that all data, including the sensitive financial data, is secure and that IT people are doing all that is asked of them.

A software product of particular value in this area is COSduty-SSA whose use can limit the unrestricted freedoms of systems administrators and audit their activity so as to prove IT services are making their full contribution to data integrity and compliance. In addition, because of its low implementation costs and other technical advantages, COSduty-SSA can show a positive RoI, even when compliance issues are disregarded.

Some details of the functionality of COSduty-SSA

COSduty-SSA can ensure the use of privileged accounts is reduced to the absolute minimum by:
In summary, COSduty-SSA is an unusual product, but one whose scope is quickly becoming more widely acknowledged as the measures which are required to protect corporate officers from the possible consequences of corporate governance legislation are better understood. If this area is new to you and visualising the role of products such as COSduty-SSA remains difficult, please feel free to contact OSM for relevant information. Alternatively, re-enter the COSduty-SSA web site and help yourself.
(c) Copyright 2005 www.cosdutyssa.com