Tuesday, December 10, 2013

Unix/Linux Access Controls: A tale of four audiences



UNIX and Linux Administrator

  • I am worried about not being able to log in to do my job if Active Directory is not available
  • I am concerned that the integration with AD will be very intrusive to my Unix and Linux systems
  • I am concerned that the privilege management model won't allow me to do things as root when I require it.
  • I am concerned that I won't be able to leverage scripting and automation
  • I'm spending a lot of time producing information for security attestation
  • I'm concerned that each time I need to do something I will need to go to the Windows guys for permission.
  • Do I need to go changing file ownerships (chown) once this is implemented?
Active Directory Administrator

  • I'm concerned that this solution will require extending the AD schema
  • I'm concerned that I will need to run services on Domain Controllers
  • I'm concerned that the agent will eat my DCs' CPU and memory with multiple persistent LDAP connections
  • I'm concerned that now I will have more work since I have to help the Unix group.
Security Analyst


  • I need to make sure only the right people can access the Unix and Linux Systems (least access principle)
  • I also need to make sure that shared accounts (like root) are only used when required
  • I need to make sure accountability is increased
  • I need to make sure people can only have the privileges that they need (least privilege principle)
  • I need to satisfy audit reports and close open audit comments
  • We need to align with regulations (SOx, HIPAA, PCI, etc.)
  • I am not sure that we can really pinpoint who did what at a certain point (bad change control, data breach, etc.)

IT Manager or IT Architect

  • I am concerned that we're spending a lot of money on point solutions
  • I'm concerned that the project will not yield results on time
  • I'm concerned that processes like password resets, provisioning, de-provisioning, and attestation are very complex.
  • I'm concerned that any new solution is going to require a ridiculous amount of infrastructure.
  • I'm concerned that even though we have top-of-the-line solutions, it seems to take a long time to get stuff done.






