Conquering the sys-admin challenge
© Quocirca 2011
The automation of sys-admin and the management of privilege and compliance
Enabling sys-admins to do their work efficiently and safely throws up many challenges, not least because they need to operate with higher levels of privilege than normal users; a fact that also attracts the interest of auditors.
Tools that enable the automation of sys-admin tasks are the key to maintaining infrastructure compliance, reducing error rates, providing the confidence to delegate and making the whole sys-admin process more efficient.
Sys-admins are essential to ensuring the smooth running of IT systems
Systems administration, or sys-admin as both the task and its practitioners are often abbreviated to, is essential for the smooth running of an organisation’s IT infrastructure and applications. The task involves managing high profile servers and the business applications that run on them, and also lower profile equipment such as network routers and switches, load balancers and security devices. Many of these devices are in remote locations and care needs to be taken to ensure that their maintenance is not overlooked.
Limiting the scope of privileged access benefits the sys-admin and their employer
It is easy to grant sys-admins wider ranging privileges to do their jobs than is necessary; this causes two problems. First, sys-admins are as prone to making errors as anyone and the consequences of those errors can be serious if they lead to IT outages. Second, certain standards and regulations require that the actions of individual sys-admins are recorded and auditable. This research shows that most organisations regularly allow sys-admins far more access than they need to do their job, which makes regulatory compliance harder to ensure.
Clear association of the use of privilege with individuals is required to put controls in place
Putting controls in place requires that each sys-admin has a unique identity and that using it is the only way they carry out their work; access should also be taken away when no longer needed. This ensures certain bad practices are eliminated, such as the sharing of group sys-admin identities, which, despite being frowned upon by regulators, the current research shows many organisations struggled to get under control. The research also shows that many fail to close down default privileged user accounts supplied with software; a gift to hackers.
Automating tasks helps avoid errors and reduces the amount of mundane work
Few sys-admin tasks are fully automated; those that can be should be, as this frees up sys-admins to focus on more valuable activities. Automation also helps to avoid errors, which respondents admit are inevitable. For example, once the identity of a given device is embedded in a script there is no longer a chance that changes will accidentally be made to the wrong device; the research clearly shows that error rates drop if sys-admins no longer need to make educated guesses of device identities.
Identity management and automation increase the confidence to delegate
Not all tasks can be fully automated but the more routine ones can be delegated to junior staff, help desks and/or third party support services. However, many organisations show a reticence to delegate because they feel they are not able to limit the scope of the privileged access they are providing when they do so. They also worry that, having granted such access, it will not get revoked afterwards. These problems can only be mitigated if good identity management is in place. Automation also helps here; if certain tasks can be partially automated it is easier to delegate them without having to spend time tutoring the staff the task has been passed to.
Identity management and automation are key to meeting the demands of auditors
Auditors require certain practices and processes to be in place when it comes to sys-admin and the use of privilege. One appalling practice admitted by some of the respondents was that they make uncontrolled changes to sys-admin procedures immediately prior to audits and then revert to the old ways afterwards. This would surely lead to an audit failure if uncovered. There would be no need for this if better tools were in place. Privileged identity management is essential for compliance and it is also essential to ensure the automated recording of all privileged user activity.
Having the tools in place that enable the automation of many sys-admin tasks and the management and recording of privileged user activity is the key to reducing error rates, meeting the demands of auditors, ensuring compliance, providing the confidence to delegate and making the whole sys-admin process more efficient.