Time to tighten up on sys-admins?

Ten tips for safer IT management

Bob Tarzey, Analyst and Director

Quocirca Comment Feb 2012

Systems administrators are human and make mistakes...
IT systems don't run themselves at least not all the time. At some point the intervention of system administrators sys-admins is required. The very nature of a sys-admin's job requires that that he or she is granted a higher, privileged level of access to IT infrastructure than that granted to normal users. When the actions taken by sys-admins are other than those expected of them, there can be farreaching consequences. In the worst case, a sysadmin may abuse their privilege for malicious reasons, for example to steal data or set backdoor access to IT systems for themselves or others. Sys-admins are also good targets for identity theft through techniques such as spear phishing, a privilege ID being more useful to hackers than a normal one. However, the most common problem is simply that sys-admins are human. They make mistakes. Privileged user management tools help address a number of issues that a recent Quocirca report showed were rife among UK businesses. So here are Quocirca's top 10 tips for better and safer systems administration. Tip 1: Know your privileged users Certain regulations and standards make strong statements about the use of privilege. One of the controls in the IT service management (ITSM) standard ISO 27001 states that "the allocation and use of privileges shall be restricted and controlled". The Payment Card Industries Data Security Standard (PCI-DSS) recommends "auditing all privileged user activity". In other words, the use of group admin accounts is a strict no-no. Such accounts should be blocked and all privileged user access should be via identities that are clearly associated with individuals. Tip 2: Make sure legacy privileged accounts are closed This measure includes the default accounts provided with systems and application software, which with the right tools can be searched for and closed, and the accounts of sys-admins who have now left your organisation. The best way to deal with the second point is to provide only short-term access for specific tasks in the first place. Tip 3: Minimise sys-admins errors Quocirca's research suggests that the average error rate of sys-admins runs at about 6%. Errors can waste time - for example, applying patches to the wrong device - be a security risk in cases such as changing the rules of the wrong firewall, or cause disaster - say, wiping the wrong disk volume. Sys-admin tools that guide users to the right device in the first place and double-check their actions can help avoid errors, as can the automation of certain mundane tasks. Tip 4: Limit sys-admins' access to devices Another way to avoid errors is to grant sysadmins privilege access to devices that need maintenance for limited periods of time. Rather than providing wide-ranging and ongoing access, grant it only to a single device or small subset of devices and only for the period of time deemed reasonable to get the job done. Tip 5: Encrypt sys-admin login details Many sys-admin tasks involved maintaining remote devices, which requires the sys-admin login details and the instructions for the given task to be transmitted, sometimes embedded in scripts. It has been common for this to be done

Time to tighten up on sys-admins? Ten http://www.quocirca.com tips for safer IT management

2012 Quocirca Ltd

in clear text, especially when using services like Telnet. This approach provides easy pickings for hackers, so all such transmissions should be encrypted. Tip 6: Back up all IT devices The failure of IT devices is inevitable. What is important is that they can be recovered and up and running again as soon as possible. Most organisations are diligent about the backup of servers. They are less rigorous about the backup of network and security devices, the failure of which can be just as damaging to IT access. Such devices should be backed up regularly and at least every time their configuration is changed. The backups should be stored securely, to prevent them being stolen and used to clone the original device. Automating such backups is the best approach. Tip 7: Limit sys-admin access to data To carry out their jobs, sys-admins need access to systems data, not business data. All too often, their wide-ranging privileges have given them access to both. This approach is unnecessary. To protect the data and sys-admins from the accusation of abusing their position of trust, the scope of their access should be limited. It can be done with the right tools. Cloud service providers have to observe this distinction, managing their own infrastructure while respecting the confidentiality of their client's data.

Tip 8: Safe disposal of old devices All IT devices carry potentially useful data to hackers. Firewalls, load-balancers, content filters all contain various network-access settings and user details along with system log files. All devices have an end of life, so before disposal it should be ensured that all such data is safely deleted or the hard disks involved destroyed. Tip 9: Be ready for the auditors Auditors take a particular interest in the actions of privileged users for many of the reasons already outlined. As well as being able to associate a given sys-admin with his or her actions, a full audit trail for the admin history of a given device should be kept. Maintaining this trail is only possible if access to the device is controlled and the tools that provide access keep a record with the necessary level of detail. Tip 10: Free sys-admins from drudgery Part of the reason why sys-admins make mistakes is that many of the tasks they have to carry out are mundane and repetitive. Automating as many of their tasks as possible and having the tools and procedures in place to allow safe delegation to junior and temporary staff can relieve some of the drudgery. It leaves sys-admins free to focus on more productive tasks that increase the value IT provides to their organisation rather than just fighting to keep the lights on. Want to see the full research? Quocirca's report Conquering the sys-admin challenge is freely available here. This article first appeared in Jan 2012 on

http://www.silicon.com

Time to tighten up on sys-admins? Ten http://www.quocirca.com tips for safer IT management

2012 Quocirca Ltd

About Quocirca
Quocirca is a primary research and analysis company specialising in the business impact of information technology and communications (ITC). With world-wide, native language reach, Quocirca provides in-depth insights into the views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of realworld practitioners with first-hand experience of ITC delivery who continuously research and track the industry and its real usage in the markets. Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption the personal and political aspects of an organisations environment and the pressures of the need for demonstrable business value in any implementation. This capability to uncover and report back on the end-user perceptions in the market enables Quocirca to advise on the realities of technology adoption, not the promises. Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC has the ability to transform businesses and the processes that drive them, but often fails to do so. Quocircas mission is to help organisations improve their success rate in process enablement through better levels of understanding and the adoption of the correct technologies at the correct time. Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of long term investment trends, providing invaluable information for the whole of the ITC community. Quocirca works with global and local providers of ITC products and services to help them deliver on the promise that ITC holds for business. Quocircas clients include Oracle, Microsoft, IBM, O2, T-Mobile, HP, Xerox, EMC, Symantec and Cisco, along with other large and medium sized vendors, service providers and more specialist firms.

Full access to all of Quocircas public output (reports, articles, presentations, blogs and videos) can be made at http://www.quocirca.com

Time to tighten up on sys-admins? Ten http://www.quocirca.com tips for safer IT management

2012 Quocirca Ltd