
Conquering the sys-admin challenge

Copyright Quocirca © 2011

Bob Tarzey

Quocirca Ltd

Tel : +44 7900 275517

Email: [email protected] 

Clive Longbottom

Quocirca Ltd

Tel: +44 771 1719 505

Email: [email protected] 

Conquering the sys-admin challenge 

The automation of sys-admin and the management of privilege and compliance

October 2011

Systems administration, or sys-admin as both the task and its practitioners

are often abbreviated to, is essential for the smooth running of an

organisation’s information technology (IT) infrastructure and business

applications. Enabling sys-admins to do their work efficiently and safely

throws up many challenges, not least because they need to operate with

higher levels of privilege than normal users.

Associating the use of privilege with individual sys-admins is essential for compliance purposes. Ensuring all the data required by auditors is

collected and stored is necessary for maintaining infrastructure compliance

and is only guaranteed if the processes for doing so are automated. Tools

that enable the automation of sys-admin tasks are also the key to reducing

error rates, providing the confidence to delegate and making the whole

sys-admin process more efficient.

This Quocirca research report presents new data on how well organisations

are able to automate their sys-admin procedures, manage the use of privilege and satisfy the requirements of auditors. This should be of 

interest to those charged with the reliable delivery of IT, and also business

managers who understand the importance of IT to their organisations.

Conquering the sys-admin challenge 

The automation of sys-admin and the management of privilege and compliance

Enabling sys-admins to do their work efficiently and safely throws up many challenges, not least because they need to operate with higher levels of privilege than normal users; a fact that also attracts the interest of auditors. Tools that

enable the automation of sys-admin tasks are the key to maintaining infrastructure compliance, reducing error rates,

 providing the confidence to delegate and making the whole sys-admin process more efficient.

Sys-admins are essential to ensuring the smooth running of IT systems

Systems administration, or sys-admin as both the task and its practitioners are often

abbreviated to, is essential for the smooth running of an organisation’s IT infrastructure and

applications. The task involves managing high profile servers and the business applications that

run on them, and also lower profile equipment such as network routers and switches, load

balancers and security devices. Many of these devices are in remote locations and care needs

to be taken to ensure that their maintenance is not overlooked.

Limiting the scope of privileged access benefits the sys-admin and their employer

It is easy to grant sys-admins wider ranging privileges to do their jobs than is necessary; this

causes two problems. First, sys-admins are as prone to making errors as anyone and the

consequences of those errors can be serious if they lead to IT outages. Second, certain

standards and regulations require that the actions of individual sys-admins are recorded and

auditable. This research shows that most organisations regularly allow sys-admins far more

access than they need to do their job, which makes regulatory compliance harder to ensure. 

Clear association of the use of privilege with individuals is required to put controls in place

Putting controls in place requires each sys-admin to have a unique identity and that using it is

the only way they carry out their work; access should also be taken away when no longer

needed. This ensures certain bad practices are eliminated, such as the sharing of group sys-

admin identities, which, despite being frowned upon by regulators, the current research

shows many organisations struggled to get under control. The research also shows that many

fail to close down default privileged user accounts supplied with software; a gift to hackers.

Automating tasks helps avoid errors and reduces the amount of mundane work

Few sys-admin tasks are fully automated; those that can be should be as this frees up sys-

admins to focus on more valuable activities. Automation also helps to avoid errors, which respondents admit are inevitable. For example, once the identity of a given device is embedded

in a script there is no longer a chance that changes will accidentally be made to the wrong

device; the research clearly shows that error rates drop if sys-admins no longer need to make

educated guesses of device identities.

Identity management and automation increase the confidence to delegate

Not all tasks can be fully automated but the more routine ones can be delegated to junior staff,

help desks and/or third party support services. However, many organisations show a reticence

to delegate because they feel they are not able to limit the scope of the privilege access they

are providing when they do so. They also worry that, having granted such access, it will not get

revoked afterwards. These problems can only be mitigated if good identity management is in

place. Automation also helps here; if certain tasks can be partially automated it is easier to

delegate them without having to spend time tutoring the staff the task has been passed to.

Identity management and automation are key to meeting the demands of auditors

Auditors require certain practices and processes to be in place when it comes to sys-admin and

the use of privilege. One appalling practice admitted by some of the respondents was that they

make uncontrolled changes to sys-admins’ procedures immediately prior to audits and then

revert to the old ways afterwards. This would surely lead to an audit failure if uncovered. There

would be no need for this if better tools were in place. Privilege identity management is

essential for compliance and it is also essential to ensure the automated recording of all

privilege user activity.

Conclusions: Having the tools in place that enable the automation of many sys-admin tasks and the management and recording of

privilege user activity are the key to reducing error rates, meeting the demands of auditors, ensuring compliance,

providing the confidence to delegate and making the whole sys-admin process more efficient.  

Introduction – sys-admins and sys-admin

IT systems need administrating and that requires

system administrators; in the trade, the practitioners

that carry out this work are often referred to as sys-

admins, as is their work. Sys-admins have a broad

range of responsibilities from deploying new

software and devices through to managing data and

users and disposing of equipment that is no longer

wanted. Increasingly, they are also tasked with

integrating externally provided IT services with those

that they manage internally.

On top of all this, sys-admins play an increasingly

important role in ensuring their organisations are in compliance with various regulations. There are two

elements to this: first they are guardians of much of 

the information required by auditors, and reporting

this tends to take more and more of their time.

Second, their own activities, usually carried out with

higher levels of privilege than normal users, are of 

particular interest to the auditors.

A rough calculation suggests there are between 1 and

2 privileged users for every 100 normal users, at least

among smaller organisations (1,000–2,000

employees, Figure 1). This is based on research carried out for this report into sys-admin practices

among UK based organisations.

The research investigated the extent of sys-admin

bad practices, the controls that are exerted over

privileged users, the degree to which sys-admin tasks

were being automated and/or delegated and how

thoroughly key sys-admin goals were being achieved.

Two of the most important goals are ensuring the

continuous availability of the IT infrastructure

(business continuity) and the recording and

preparation of data for auditors for compliance

purposes.

This Quocirca research report outlines the state of 

play in the sys-admin world and should be of interest

to any business or IT manager that wants to assess

where their organisation stands when it comes to

sys-admin practices; the granting, use and

management of privileges; and their ability to comply

with certain standards and regulations.

Limiting the scope of access for sys-admins

All employers would like to think they can trust their

employees, but most know that, in some cases,

implicit trust will be misplaced. This is a particular

worry when it comes to sys-admins because of the

privileges they need to do their job. It is not that sys-

admins are any more prone to malicious behaviour

than other employees (although some are), but that

the very privileges they have means that errors they

make in carrying out their day-to-day work can have

wide ranging and serious consequences.

For example, the failure to back up a server

properly (or at all) may mean data is lost and a

project is put back by days or weeks; wrongly

reconfiguring a network firewall may lead to remote

users being locked out of systems they need to

access; or spinning down the wrong disk volume for

maintenance purposes may leave an email server out

of action.

Anything that can be done to minimise the chance of 

such errors is going to help the sys-admins

themselves and the businesses they serve. Restricting

the granting of privileges, both to the individual and

the time access is granted for, are essential to help

achieve this. Furthermore, the automation of routine tasks can cut down error rates and ensure the

completion of many of the activities required for

audits.

One of the most fundamental and widespread bad

practices is the over-granting of privilege; that is

providing more privilege than is necessary for a sys-

admin to do a given task at a given time. Of the

potential bad practices examined in the current

research two of the most common were the opening

of a whole of a Microsoft Windows Domain (a related

set of devices) to a given sys-admin and providing

access to data when there was no need (Figure 2).

The truth is that, in most cases, sys-admins need no

access to the underlying user data to do their jobs; at

most they need access to just systems data. For one

class of organisation – the providers of on-demand IT

services (software, platform and/or infrastructure as

a service)  – guaranteeing that sys-admins cannot

access user data is an essential part of their service

level agreements. They have to separate user data

from systems data and are proof that it can be done

whilst ensuring sys-admins can achieve one of their

main goals – to provide highly available IT services.

The over-granting of privilege is not necessary.

Indeed, with the right tools and procedures in place,

it is quite possible to turn the whole process on its

head, by only granting privilege for specific tasks and

devices for a limited period of time. For example, if a

given firewall needs reconfiguring, it is better to grant

access to that device for a named sys-admin for the

estimated time needed to complete the work than

provide continuous access to all sys-admins forever.

The current research shows that those organisations that have in place the tools to restrict privileges,

actually reduce the access that sys-admins have to

data they have no need to see (Figure 3).

Tools that enable this can also help reduce other bad

practices that were admitted to in the current

research; for example, by guiding a sys-admin to a

specific device, there is no chance they will accidentally work on the wrong one by making an

educated guess at its identity, which is especially easy

to do with IP addresses. 80% of organisations

admitted this happened, at least occasionally (Figure

2) and this clearly leads to increased error rates

(Figure 4). However, perhaps the most important aspect

of having tools in place for aiding sys-admins and

managing privileged access is the ability to link the

identities of specific sys-admins with given tasks.
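
The firewall case described in this section, written out as an added example (it is not from the Quocirca report or from any product the report mentions): a minimal broker that grants one named sys-admin access to one device for a fixed window and records every decision against that identity. The class name, the user and device names, and the list of shared or default identities are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumption: logins this organisation treats as shared or vendor-default.
SHARED_OR_DEFAULT = frozenset({"root", "admin", "administrator", "netops-team"})


@dataclass(frozen=True)
class Grant:
    admin: str         # one named person, never a group login
    device: str        # exactly one device, not a whole domain
    task: str          # the reason access was given
    starts: datetime
    expires: datetime


@dataclass
class PrivilegeBroker:
    grants: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def _audit(self, when, admin, device, action, outcome):
        # Every decision is logged, allowed or not, so refused attempts are visible too.
        self.audit_log.append({"time": when.isoformat(), "admin": admin,
                               "device": device, "action": action,
                               "outcome": outcome})

    def grant(self, admin, device, task, starts, minutes):
        # Refuse shared/default identities: their use cannot be tied to a person.
        if admin.lower() in SHARED_OR_DEFAULT:
            self._audit(starts, admin, device, f"grant:{task}",
                        "refused-shared-identity")
            raise ValueError(f"{admin!r} is a shared or default identity")
        g = Grant(admin, device, task, starts, starts + timedelta(minutes=minutes))
        self.grants.append(g)
        self._audit(starts, admin, device, f"grant:{task}", "granted")
        return g

    def revoke(self, admin, device, when):
        # Explicit revocation for work that finishes before the window closes.
        before = len(self.grants)
        self.grants = [g for g in self.grants
                       if not (g.admin == admin and g.device == device)]
        removed = before - len(self.grants)
        self._audit(when, admin, device, "revoke", f"removed-{removed}")
        return removed

    def authorize(self, admin, device, action, when):
        # Allowed only for the named admin, on the named device, inside the window.
        ok = any(g.admin == admin and g.device == device
                 and g.starts <= when < g.expires for g in self.grants)
        self._audit(when, admin, device, action, "allowed" if ok else "denied")
        return ok


def demo():
    t0 = datetime(2011, 10, 3, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    mins = lambda n: t0 + timedelta(minutes=n)
    broker = PrivilegeBroker()
    broker.grant("alice", "fw-branch-01", "reconfigure firewall", t0, minutes=30)
    results = {
        "in_window": broker.authorize("alice", "fw-branch-01", "edit-rules", mins(10)),
        "other_device": broker.authorize("alice", "fw-branch-02", "edit-rules", mins(10)),
        "other_admin": broker.authorize("bob", "fw-branch-01", "edit-rules", mins(10)),
        "after_expiry": broker.authorize("alice", "fw-branch-01", "edit-rules", mins(31)),
    }
    try:
        broker.grant("root", "fw-branch-01", "reconfigure firewall", t0, minutes=30)
        results["shared_refused"] = False
    except ValueError:
        results["shared_refused"] = True
    return results, broker.audit_log


if __name__ == "__main__":
    outcome, log = demo()
    print(outcome)
    for entry in log:
        print(entry)
```

Because the grant expires on its own, nothing depends on someone remembering to revoke it, and the audit log answers who changed what, on which device and when.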

Managing privileged identities

One worrying practice when it comes to being able to

link individual sys-admins with specific tasks is the

use of group sys-admin accounts. The sharing of 

usernames and passwords among multiple sys-

admins not only means you never know who has

been doing what (which auditors require) but it also

leads to weaker overall security.

If sys-admins are sharing a group identity, passwords

will seldom be changed, because informing all the

people that need to know it is cumbersome. It also means that former staff will often still have access

details after they have moved on. The problem is

exacerbated if contractors and other short-term

temporary staff members (temps) are involved, as is

often the case with sys-admin.

Scrapping the use of group sys-admin accounts

altogether is the only solution to this problem; it also

makes it much easier to ensure privilege access is

stopped when it is no longer needed. The majority of 

organisations interviewed for the current research

struggled with controls in these areas (Figure 5).

Having the tools in place to be able to grant privileges

to specific users for specific systems and devices for

specific periods of time or to perform specific tasks

enables other good practices to be put in place.

Examples of these are requiring strong authentication

(e.g. use of hardware tokens and/or biometrics as

well as passwords) and single sign-on (a single point

of authentication for sys-admin tasks across a

number of devices).

Assigning privileges to given individuals and not

groups also makes it easier to ensure a given sys-

admin’s privileges are fully revoked when no longer

required.

The insidious risk of default privileged user accounts

can also be more easily brought under control; these

are the ones provided with software when it is first

installed, such as root access for operating systems. If 

all privilege access is restricted to assigned users,

default accounts can be searched for and closed

down. Default privilege accounts are a gift to hackers,

who will search them out as an easy access point to

achieve deeper penetration of targeted IT

infrastructure.

Another common practice that can be a problem is the embedding of privilege details into software

programs and scripts that need privileged access

(Figure 6). This is often necessary but needs to be

done with care. The programs/scripts in question

should be assigned privileged user identities all of 

their own and login details masked. If this is not the

case, the details may be compromised; a real

problem if a group access identity is being used.

This issue is at its worst when embedded privileged

user details are transmitted in the open to carry out

remote management tasks, such as the backup of a

branch office server. If the scripts for this are

transmitted un-encrypted and the privileged user

login details are in the clear, intercepting the traffic

would provide yet another gift to hackers.

Often the reason that such scripts are developed is to

automate the work of sys-admins. This is a good thing

if it can be done securely as it can free up time spent

on mundane tasks, leaving sys-admins free to focus

on more productive activities. There are other

benefits to automation too.

Automating away sys-admin errors

Mundane tasks are another area where mistakes are

made. All organisations admitted that sys-admins

made errors (Figure 7), although that error rate

varied by industry (Figure 8). The automation of 

mundane tasks, where possible, should reduce error

rates.

Few tasks are fully automated (Figure 9). Increasing

the degree of automation should decrease error rates as well as freeing up sys-admin time for other tasks or

perhaps getting rid of a few expensive contractors.

Automation also means tasks will be performed more

regularly; the current research shows this to be true

for server backups (Figure 10), a task that, in most

cases, should be carried out on a daily basis.

Network and security devices should also be backed

up, although perhaps not daily. For many, a backup

should be triggered only when the device’s

configuration is changed. However, unless this is

automated, the task is sometimes overlooked (Figure 11). The failure of such devices and the inability to

recover them can lead to access and security issues.

There is one time in the life of a device when the aim

should be to delete any sensitive data that exists on it

for good; when it has reached the end of its useful

life and is to be disposed of. Many network and

security appliances have confidential information

about users or infrastructure; for example a VPN

device could have a privileged account on it to access

user directory information.

More than a third of the respondents to this survey

were not confident they always achieved this (Figure

12). Automated processes for de-provisioning devices

can ensure they are safe to pass on to 3rd parties for

resale or disposal.

Even when tasks cannot be fully automated,

automating parts of a given sys-admin’s task should

also give senior staff more confidence to delegate

tasks to juniors and contractors, something the

current research shows many do not have the

confidence to do.

The confidence to delegate

All too often there is a reticence to delegate sys-

admin tasks (Figure 13). When this is the case, senior

sys-admin personnel end up doing tasks that could be

done by juniors, temps or even help desk staff. This is

an inefficient use of resources.

One reason may simply be the time taken to explain

how to do a task; semi-automation also helps solve

this. In addition, having the ability to restrict the

assignment of privileges, as outlined earlier, would

provide more confidence to delegate. The inability to

restrict the time and scope of privilege access were

both issues that concerned interviewees when it

came to delegation, as well as a worry that, once granted, such privilege would not be revoked (Figure

14).

The granular granting of privilege to clearly identified

individuals, be they senior, junior or temporary

employees, is essential to another aspect of the

management of sys-admin activity  – providing data

for auditors.

Satisfying the auditors 

A major motivation for putting in place good

practices for the management of sys-admins and the

use of privileges is to meet the requirements of 

auditors. An audit may require all sorts of 

information regarding who has access to what on a

given organisation’s IT systems and who changed

what, on which device and when.

Some standards are specific about the management

of privileged users. One of the controls in the IT

service management standard (ITSM) ISO 270001

states, “the allocation and use of privileges shall be

restricted and controlled”. The Payment Card

Industries Data Security Standard (PCI DSS)

recommends, “auditing all privileged user activity”.

It may be the pressure to meet these demands that

leads to one final appalling bad practice, the

uncontrolled changes to sys-admin procedures

immediately prior to audits which then lapse

following the audit. Over two thirds of respondents

admitted this happened at least occasionally; for

some it was a regular practice (Figure 15).

Fully automating the collection of this data, such as configuration settings, would reduce the pressure on

IT staff and save time during the audit process;

however, less than 10% had achieved this (Figure 16).

Even fewer had fully automated the process for

remediating audit gaps; being able to do this would

ensure organisations stayed in compliance between

audits and eliminate the need for bad practices being

put in place to dupe auditors, which, if uncovered,

would surely lead to an audit failure anyway.

Automated processes around auditing make sure data is continually gathered, that all records of

privileged user activity are collected and that each

sys-admin task can be associated with an individual

sys-admin, all of which the majority of organisations

fail to fully achieve (Figure 17). There is strong

evidence that automation improves things

considerably; those who automated the collection of 

data for audits were almost three times as likely to

fully achieve their data collection goals than those

with no or little automation (Figure 18).

Conclusion 

Although granting privileged access to sys-admins is a

necessity, the process should be managed to reduce

the prevalence of bad practices. Automation is an

essential part of achieving this; it also enables task

delegation, freeing up senior IT staff and ensures

mundane tasks are carried out reliably and regularly

and securely.

Automation also ensures that the necessary data is

collected for audits and enables organisations to prove that their use of privilege is compliant.

Tools that enable automation of sys-admin tasks and

regulate the actions of privileged users are good for

both sys-admins and the business they serve.

Appendix - demographics 

The following graphs show the demographic

breakdown of the respondents included in the

survey:

About Osirium

Osirium drives down operational risk and eases the pain of managing and maintaining multi-vendor IT infrastructures by providing a central, secure access point and a “built-in” best practice foundation which tracks all sys-admin changes in the infrastructure and enables you to easily meet and maintain compliance.

Osirium dramatically improves productivity and reduces human error by automating routine and repetitive sys-admin tasks and delegating them to less costly help desk staff, to provide faster problem resolutions with fewer errors.

Osirium is establishing itself as a new and unique IT infrastructure security solution and is already helping some of the world’s biggest brands and public sector bodies.

For more information please see: www.osirium.com 

About Quocirca

Quocirca is a primary research and analysis company specialising in the

business impact of information technology and communications (ITC).

With world-wide, native language reach, Quocirca provides in-depth

insights into the views of buyers and influencers in large, mid-sized and

small organisations. Its analyst team is made up of real-world

practitioners with first-hand experience of ITC delivery who continuously

research and track the industry and its real usage in the markets.

Through researching perceptions, Quocirca uncovers the real hurdles to

technology adoption  – the personal and political aspects of an

organisation’s environment and the pressures of the need for

demonstrable business value in any implementation. This capability to

uncover and report back on the end-user perceptions in the market

enables Quocirca to provide advice on the realities of technology

adoption, not the promises.

Quocirca research is always pragmatic, business orientated and

conducted in the context of the bigger picture. ITC has the ability to

transform businesses and the processes that drive them, but often fails to

do so. Quocirca’s mission is to help organisations improve their success

rate in process enablement through better levels of understanding and

the adoption of the correct technologies at the correct time.

Quocirca has a pro-active primary research programme, regularly

surveying users, purchasers and resellers of ITC products and services on

emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of long term investment trends, providing invaluable

information for the whole of the ITC community.

Quocirca works with global and local providers of ITC products and

services to help them deliver on the promise that ITC holds for business.

Quocirca’s clients include Oracle, Microsoft, IBM, O2, T-Mobile, HP,

Xerox, EMC, Symantec and Cisco, along with other large and medium-

sized vendors, service providers and more specialist firms.

Details of Quocirca’s work and the services it offers can be found at

http://www.quocirca.com 

REPORT NOTE: This report has been written independently by Quocirca Ltd to provide an overview of the issues facing organisations that have to face up to the challenges of sys-admin and the use of privilege.

The report draws on Quocirca’s extensive knowledge of the technology and business arenas, and provides advice on the approach that organisations should take to create a more effective and efficient environment for future growth.

Quocirca would like to thank Osirium for its sponsorship of this report and the research behind it.