In fact, the cost and risk of not centralizing and automating operating system security is enormous. Over half of the security break-ins we read about are due to operating systems that were never configured properly, or were not verified and monitored on a regular basis. The operating systems were provisioned out-of-the-box at the default security settings, which made them highly vulnerable to attack.
Today, roughly 20 percent of user IDs and passwords have never been changed. 'Password' is still a common password in many organizations. The reason administrators neglect to configure these settings properly is simple: it would take approximately 20,000 hours to provision and verify a thousand-server network if it were done manually, as it is in many organizations. That adds up to time and cost few organizations can afford.
Taking away the pain
Those organizations that do change server security configurations manually spend an inordinate amount of their help desk resources assisting users with password enquiries, rather than dealing with more serious network issues. Given these disadvantages, it's no wonder many administrators run server operating systems at the default. It gets servers into production quickly, but adds significantly to security risk.
Fortunately, technology exists today to take the pain out of this process.
There are three things that need to happen to enhance operating system security across the enterprise network. First, provisioning servers on the network should be done once in one place, involving the roughly tens of separate configurations most organizations require. This image, or set of images, can then be downloaded across the network, with the help of software that automates this process and eliminates the pain of doing it manually for each server. Moreover, even if you had an instruction sheet for these key configurations, you wouldn't want local administrators to access those for each server, which is very dangerous. The best way to do it is once and for all.
Once the network has been provisioned, administrators need to be able to verify policy compliance, which defines user access rights and ensures that all configurations are correct. An agent can be running on the network, or remotely, that monitors each server continuously, and does not interfere with normal operations.
Second, account management needs to be centralized to control access to the network and to ensure that users have appropriate access to enterprise resources. Policies, rules and intelligence should be located in one place - not on each box - and should be pushed out from there to provision user systems with correct IDs and permissions. An ID lifecycle manager can be used to automate this process and reduce the pain of doing this manually.
Third, the operating system should be configured so that it can be used to monitor activity on the network easily and efficiently - revealing who is and isn't making connections, as well as pointing out potential security events coming out of the operating system. Administrators can use a central 'dashboard' that monitors these events in real time, and alerts them to serious problems based on preset correlations and filtering. Just as important, this monitoring system should be set up so that administrators are not overwhelmed by routine events that do not jeopardize network security and normal business operations.
Getting on with the essentials
To summarize, three things are essential in ensuring operating system security.
- A centralized infrastructure is needed to automate operating system configurations across the enterprise network, using a limited number of images, which can be downloaded once and for all. Most security break-ins are caused by the failure to configure operating systems properly.
- Users can then be provisioned on these operating systems based on policies that specify user access rights, IDs and permissions - all of which can be automated by an ID lifecycle manager.
- Once administrators have created the correct security policy, they need to monitor what's going on inside the enterprise, and pre-empt potential security violations before they jeopardize the business.
Perhaps most important, the best security in the world doesn't have to be a budget buster or interfere with normal business operations. As organizations move from manual to automated security processes, there are significant cost savings to be had. Manual processes are not only expensive and inflexible; they contribute significantly to breakdowns that add to costs. In fact, properly configured operating system security is a business enabler that will save money as it keeps the bad guys inside and out where they belong - on the defensive.
Dr. Arvind Krishna is vice president for security products for IBM Tivoli Software (www.tivoli.com).