Vulnerability assessment and management together with privileged user authentication tools and services for enterprise users from OSM

The assessment and management of system vulnerability show privileged user authentication to be a process which contributes much to overall security

 

In this document we review how the assessment and subsequent management of system vulnerability, followed by the specification of user authentication mechanisms (particularly for the privileged user), are processes which result from the need to comply with recent legislation on corporate governance.

Until recently, corporate IT officers were allowed wide freedom in the way they implemented their internal assessment procedures. Following recent legislation, however, both external auditors and corporate officers now face harsher penalties. As a result, system vulnerability assessment and management are high on the list of priorities, and these lead almost directly to the need for user authentication, in particular of the privileged user, who has traditionally possessed almost total freedom to roam, without restriction or auditing, across systems, some of which may contain the most sensitive of corporate data.

Understanding vulnerability assessment and management and the need for privileged user authentication as a consequence of recent corporate governance legislation

The fairly esoteric processes of vulnerability assessment and vulnerability management and the almost inescapable need to subsequently implement privileged user authentication procedures are not the obvious consequences of recent legislation on corporate governance.

It is now well known that recent US and European legislation (Sarbanes-Oxley in the USA and similar European Directives) has made compliance a big issue for publicly listed companies, and for some private companies that conduct business with the listed sector. The essence of the legislation is to protect the integrity of the financial information provided to the public.

This is, however, difficult to prove when privileged IT users, typically system administrators, have unlimited access rights to critical IT systems. Internal auditing teams are having to become more assiduous and their recommendations more detailed. They may well be obliged to specify mechanisms for log auditing and even penetrate the world of operating systems to dictate auditing tools for UNIX, Linux and Windows.

A software product of particular value in this area is COSduty-SSA, whose use can limit the unrestricted freedoms of systems administrators and audit their activity so as to prove IT services are making their full contribution to data integrity and compliance.

In addition, because of its low implementation costs and other technical advantages, COSduty-SSA can show a positive RoI, even when compliance issues are disregarded.

Some details of the functionality of COSduty-SSA

COSduty-SSA can ensure the use of privileged accounts is reduced to the absolute minimum by:

  • encapsulating the majority of privileged routines in menu/forms-driven procedures
  • requiring administrators to request privileged sessions on particular systems for particular periods of time
  • allocating only that subset of commands required to carry out a requested function
  • auditing all activity and reporting on those audit trails

In summary, COSduty-SSA is an unusual product, but one whose scope is quickly becoming more widely acknowledged as the intricacies of the measures required to protect corporate officers from the possible consequences of corporate governance legislation are better understood. If this area is new to you and visualizing the role of products such as COSduty-SSA remains difficult, please feel free to contact OSM for relevant information at all levels. Alternatively, re-enter the COSduty-SSA web site and help yourself.

OSM is the leading independent specialist supplier of E-DSM solutions for organizations that rely on a UNIX, Linux and Windows infrastructure. Our reputation is one of delivering solutions to problems of all complexities by means of our highly competent Professional Services team.

 


(c) Copyright 2005 www.cosdutyssa.com