Protect Your Security Infrastructure: Observe Proper Segregation of Duties
The following excerpt has been taken from our ebook, The Ultimate Guide to Protecting Your Security Infrastructure in the Broader Data Center.
Observe Proper Segregation of Duties
System administration and security administration are not the same job, and those functions should be done by different people.
This is a hard point to make to server engineering and administration groups, and it can be hard to contemplate in Windows, where so many functions are incorporated into Active Directory that the system administrators want to own it.
Segregation of duties is a control often used in finance to limit conflicts of interest and fraud. For IT, this means restricting operational control of a system so that the team that designs it does not have privileged access to the production system. For security systems, that means that the ability to add, modify, or delete security principals, such as users, groups, computers, or service entities, in AD or any similar system that should be strictly limited to a group that performs those functions. The Domain Administrator role should not be used as the global server administrator role. Create a different role for that, and leave the Domain Administrator role for those that are truly tasked with managing security.
This is hard to do. The systems administration team has a vital interest in making sure that the LDAP directory structure in AD is done right. But that’s an engineering function – the actual task of creating the directory objects, such as OUs and groups, in production is best left to a dedicated security administration group. Look on this the same way you look at code: developers build it and an operational group deploys it into production and runs it.
Want to read more? We’ve got six more steps to help you take control of protecting your data center in our ebook.
About Andy Sherman
Andy Sherman, Eden Technologies’ security practice lead has a PhD in physics from Rensselaer Polytechnic Institute and started his career in the academic world. He then went to AT&T Bell Laboratories where he discovered the power – and hazards – of large distributed computer networks. It was also at Bell Labs, during the early days of the Internet, that Andy became interested in the security problems associated with public networks. From Bell Labs Andy moved to the financial services industry. There he worked on a large range of infrastructure design, deployment, and management projects, but is best known for his 15+ years in information and technology security.