Most experienced IT auditors have come head to head with the oh-so-familiar "skills shortage" paradox. It goes something like this...
Auditor: "I have found that developers are changing programs and migrating those programs to production. In effect, they are making changes in the production environment. How do you assure that IT changes are controlled?"
IT Manager: "I don't have the human resources to segregate [insert functions here, e.g. developers from implementors, DBA's from data security specialists, reviewers from doers], so I review and approve every IT change."
The paradox is sometimes an evasive tactic taken by a cornered IT manager. More often, though, a skills deficit is a legitimate and significant management challenge. But is management review and approval really an effective control over unwanted change in the IT environment? If you're an IT professional, would you be more likely to do the right thing because you are granted approval by a supervisor, or because you are aware that your actions are being observed? If you're an IT manager, have you ever approved a change that you didn't fully understand, or trusted the programmer to do the right thing?
What should IT managers do, then, when faced with staff performing overlapping, incompatible job roles? If you don't have a feasible means to segregate duties, then consider deploying an audit logging solution. Logs tell management what was done, when it was done, and what effect it had on the system. And they often offer a clue that a match was struck before the forest is ablaze.
Recognize, though, that audit logging isn't trivial. First, it requires that logs are actually monitored. This often means deploying system management and log integration software. Some of the more sophisticated software has features like cross-log correlation, dashboards, alerts, and triggers. Triggers are a corrective, and sometimes preventive, control because they can take an action based on the occurrence of an event or pattern of events. For example, a trigger can freeze a user's account if her privileges are raised and she then attempts to perform an action that is incompatible with her job role. Consider triggers in your solution evaluation.
Configuring the logging and monitoring solution can be a challenge. To be effective, the solution must minimally capture security events from operating systems, databases, and applications. Logs may be numerous, and might be captured in any of several standard formats, as well as any number of proprietary ones. Some logs are human readable, while others require translation. There is not yet a single accepted standard for log file formatting and presentation (but there are ongoing efforts to develop one). Look for a solution that helps with some of the heavy lifting of consolidating, aggregating, and presenting log data.
Audit logging systems can easily be overwhelmed by noise, i.e. events that have no significance to the activities that management chooses to monitor. Logging and monitoring solutions should be highly configurable, allowing for tuning in on only those events that are meaningful for management control. Configurability should weigh heavily in your product evaluation.
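The two points above (dropping noise, and a trigger that correlates a privilege raise with a later incompatible action) can be shown in a few lines of code. The following is an added example and not code from the original article or from any product; the pipe-delimited log format, the event names, the role table and the fifteen-minute correlation window are all assumptions, and the log lines are constructed for the illustration.

```python
"""Added example: a minimal log monitor that (a) keeps only the event
types management chose to watch, discarding the rest as noise, and
(b) correlates a privilege raise with a later action incompatible with
the user's role, emitting a corrective 'freeze account' trigger.
The log format, event names and roles are assumptions for this example."""
from datetime import datetime, timedelta

# Constructed sample events: "timestamp|source|user|event|detail"
SAMPLE_LOG = """\
2024-03-01T09:00:01|os|alice|login|workstation-12
2024-03-01T09:00:05|db|bob|query|SELECT count(*) FROM orders
2024-03-01T09:02:10|os|alice|privilege_raised|added to group prod-deploy
2024-03-01T09:03:44|app|alice|deploy_to_production|billing-service v2.3.1
2024-03-01T09:10:00|db|carol|query|SELECT 1
2024-03-01T09:11:00|app|dave|deploy_to_production|web-frontend v1.0.0
"""

# Event types management decided are meaningful; everything else is noise.
WATCHED_EVENTS = {"privilege_raised", "deploy_to_production", "schema_change"}

# Assumed job roles and the actions each role must not perform.
ROLES = {"alice": "developer", "bob": "dba", "carol": "dba", "dave": "release_manager"}
INCOMPATIBLE = {"developer": {"deploy_to_production", "schema_change"}}

# A privilege raise followed by an incompatible action inside this window fires the trigger.
CORRELATION_WINDOW = timedelta(minutes=15)


def parse(line):
    """Split one pipe-delimited log line into a dict (detail may contain anything but '|')."""
    ts, source, user, event, detail = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "source": source,
            "user": user, "event": event, "detail": detail}


def filter_noise(events):
    """Keep only events management chose to monitor."""
    return [e for e in events if e["event"] in WATCHED_EVENTS]


def correlate(events):
    """Return trigger actions: freeze any user whose privileges were raised and
    who then performed an action incompatible with their role within the window."""
    actions = []
    last_raise = {}  # user -> time of most recent privilege raise
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["event"] == "privilege_raised":
            last_raise[e["user"]] = e["ts"]
            continue
        role = ROLES.get(e["user"], "unknown")
        raised_at = last_raise.get(e["user"])
        if (e["event"] in INCOMPATIBLE.get(role, set())
                and raised_at is not None
                and e["ts"] - raised_at <= CORRELATION_WINDOW):
            actions.append({"action": "freeze_account", "user": e["user"],
                            "reason": f"{e['event']} {e['ts'] - raised_at} after privilege raise"})
    return actions


def monitor(log_text):
    """Parse, de-noise and correlate; return (kept_events, trigger_actions)."""
    events = filter_noise(parse(l) for l in log_text.splitlines() if l.strip())
    return events, correlate(events)


if __name__ == "__main__":
    kept, actions = monitor(SAMPLE_LOG)
    print(f"{len(kept)} meaningful events kept out of {len(SAMPLE_LOG.splitlines())}")
    for a in actions:
        print(a)
```

Of the six constructed lines, three survive the noise filter, and only alice's production deploy fires the trigger: dave deploys too, but his role permits it and no privilege raise preceded it. In a real deployment the role table and the incompatible-action map are the part that encodes management's segregation-of-duties policy, so they deserve the same review as the policy itself.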
Before the audit logging system is deployed, it must be protected from accidental or malicious alteration. The raw log records must be inaccessible to anyone who is being monitored—usually everyone in IT. Place the log server within a private subnet, accessible only by the group responsible for information security, and make sure that sensors (the components that record events and post them to the logs) are secure. Many commercial and open-source solutions have built-in protections, and there is abundant best-practice guidance in the problem domain (see NIST Special Publication 800-92).
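Network placement keeps the monitored staff away from the log server, but it does not by itself tell you whether a record was altered once written. One widely used protection is a keyed hash chain over the records: each record's tag covers its content and the previous record's tag, so changing, reordering or deleting any record breaks every tag after it. The following is an added example, not code from the article, NIST SP 800-92 or any product; it assumes the HMAC key is held only by the information-security group and never by the people being monitored.

```python
"""Added example: a tamper-evident log store built as an HMAC chain.
Each record's tag = HMAC(key, seq || entry || previous tag), so any
edit, deletion or reordering after the fact is detected by verify().
The key is assumed to be held only by the information-security group."""
import hashlib
import hmac
import json


class ChainedLog:
    def __init__(self, key: bytes):
        self._key = key
        self.records = []  # each: {"seq": int, "entry": dict, "tag": hex str}

    def _tag(self, seq, entry, prev_tag):
        # Canonical JSON so the same entry always hashes the same way.
        msg = json.dumps([seq, entry, prev_tag], sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def append(self, entry: dict):
        """Append an audit record, chaining it to the previous record's tag."""
        prev = self.records[-1]["tag"] if self.records else "genesis"
        seq = len(self.records)
        self.records.append({"seq": seq, "entry": entry,
                             "tag": self._tag(seq, entry, prev)})

    def verify(self):
        """Walk the chain; return (True, None) or (False, seq of first bad record).
        Sequence numbers are checked too, so a deleted record is caught even
        though the remaining records' tags are individually intact."""
        prev = "genesis"
        for index, rec in enumerate(self.records):
            if rec["seq"] != index:
                return False, rec["seq"]
            expected = self._tag(rec["seq"], rec["entry"], prev)
            if not hmac.compare_digest(expected, rec["tag"]):
                return False, rec["seq"]
            prev = rec["tag"]
        return True, None


def build_sample_log(key: bytes) -> ChainedLog:
    """Constructed sample records for the illustration."""
    log = ChainedLog(key)
    log.append({"user": "alice", "event": "privilege_raised", "detail": "prod-deploy"})
    log.append({"user": "alice", "event": "deploy_to_production", "detail": "billing v2.3.1"})
    log.append({"user": "dave", "event": "deploy_to_production", "detail": "web v1.0.0"})
    return log


if __name__ == "__main__":
    key = b"placeholder-key-held-by-security-group"  # assumption, not a real key
    log = build_sample_log(key)
    print("clean log:", log.verify())
    log.records[1]["entry"]["user"] = "mallory"   # simulate an after-the-fact edit
    print("after edit:", log.verify())
```

The chain only detects alteration; it does not prevent it. It is therefore a complement to the private subnet and restricted access the paragraph calls for, and the verification should be run by the same security group that holds the key, on a schedule, with the result itself logged.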
If an IT environment has segregation of duties conflicts that make it difficult to control changes to IT assets, management is best advised to employ a compensating control for the conventional review and approval process. While it is the easiest control to implement, review and approval is also the weakest because it relies fully on trust:
- In the reviewer/approver to understand each and every proposed change and only approve the tested and necessary ones, and
- In the implementor to completely and accurately communicate every proposed change and its impact to the reviewer/approver, and to gain approval before implementing the change.
The control is inherently prone to breakdown because it relies on people. People are fallible. That's why compensating controls are so important to managing risk. Logging and monitoring is a viable solution that should be taken into consideration as a supplement to existing review/approval controls wherever segregation of duties is problematic. Logging and monitoring doesn't solve the skills shortage paradox. But if done right, it will minimize the inherent risk.