OS Security Outside the Box
But these elements also add to security vulnerability, unless the operating systems are configured, administered and monitored correctly.
Contrary to popular belief, this can be accomplished with a minimum of fuss and bother. The magic bullet is to centralize and automate operating system security across the enterprise, rather than do it manually for each box.
In fact, the cost and risk of not centralizing and automating operating system security is enormous. Over half of the security break-ins are due to operating systems that were never configured properly, or were not verified and monitored on a regular basis. The operating systems were provisioned out-of-the-box at the default security settings, which made them highly vulnerable to attack.
Steps to TakeThere are three things that need to happen to enhance operating system security across the enterprise network.
1. Provisioning servers on the network should be done once in one place, involving the roughly tens of separate configurations most organizations require. This image, or set of images, can then be downloaded across the network, with the help of software that automates this process and eliminates the pain of doing it manually for each server. Moreover, even if you had an instruction sheet for these key configurations, you wouldn’t want local administrators to access these key configurations for each server. That’s dangerous. The best way to do it is once and for all.
Once the network has been provisioned, administrators need to be able to verify policy compliance, which defines user access rights and ensures that all configurations are correct. An agent can be running on the network or remotely that monitors each server continuously, and doesn’t interfere with normal operations.
2. Account management needs to be centralized to control access to the network and to ensure that users have appropriate access to enterprise resources. Policies, rules and intelligence should be located in one place – not on each box – and should be pushed out from there to provision user systems with correct IDs and permissions. An ID lifecycle manager can be used to automate this process and reduce the pain of doing this manually.
3. The operating system should be configured so that it can be used to monitor activity on the network easily and efficiently – revealing who is and isn’t making connections, as well as pointing out potential security events coming out of the operating system. Administrators can use a central “dashboard” that monitors these events in real-time, and alerts them to serious problems based on preset correlations and filtering. Just as important, this monitoring system should be set up so that administrators are not overwhelmed by routine events that do not jeopardize network security and normal business operations.
Perhaps most important, the best security in the world doesn’t have to be a budget buster or interfere with normal business operations.
As organizations move from manual to automated security processes, there are significant cost savings to be had. Manual processes are not only expensive and inflexible; they contribute significantly to breakdowns that add to costs. In fact, properly configured operating system security is a business enabler that will save money as it keeps the bad guys inside and out where they belong – on the defensive.
There also is concern over security of e-business over the Web.
In the course of deploying new applications, security has probably been implemented on an application-by-application basis. With disparate applications that require different security approaches, it is almost impossible to administer, manage and maintain a coherent, cohesive security policy efficiently.
In a white paper, “IBM Tivoli Access Manager for e-business,” there are positive suggestions on how software can enhance the efficiency and efficacy of security throughout an operational environment. Such a powerful solution extends authentication and authorization beyond software to other applications, and provides unified robust administration, more secure Web single-sign-on, enhanced performance, availability and scalability.