Why Securing Access is Crucial

For most organizations, it is critical to control access to computer and application resources to prevent disruptions of service, data tampering, or security breaches. For many organizations, it is also critical to monitor and report on user activity to ensure regulatory compliance with government or industry standards. However, managing who has access to sensitive data, core business services, and the computers and applications that perform vital functions is especially difficult in data centers that include a mix of virtual and physical computers running different operating systems and platform versions.

Why Managing User Account Information Might be a Problem

In a cross-platform environment, you are likely to have multiple identity stores that might have overlapping or conflicting information about the user population. You might also have several different authentication methods—with varying degrees of security—that you are required to manage. For example, in a typical environment with a mix of Linux and UNIX computers, you might have to maintain any combination of the following authentication methods:

  • Local configuration files on individual UNIX servers and workstations to identify local users and groups.
  • NIS or NIS+ servers and maps to store account and network information for groups of UNIX servers and workstations.
  • Kerberos realms and a Key Distribution Center to provide authentication for some users and services.
  • Lightweight Directory Access Protocol services to support LDAP queries and responses.

Managing all of these services separately can be costly and inefficient. In addition, users who have access to more than one application or computer platform often have to remember multiple login accounts with conflicting user name or password policy requirements. Individual applications might also require the use of a specific authentication method. For example, a database application or a web service might require users to have a database- or application-specific account.

If you have an environment where user and group account information is stored in multiple locations rather than in a single repository, it is likely that you have overlapping, conflicting, or out-of-date information about who should have access to the computers in your organization. You might also be using less secure authentication and authorization services than required, if you are relying on local configuration files or NIS servers and maps. For example, if you are in an organization that is subject to regulatory compliance, an audit might require you to improve the security of the authentication and authorization services you use.
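As an added illustration (not part of Server Suite or its documentation), the following Python sketch shows how overlapping and conflicting account information can be detected when local passwd files are collected from several computers. The host names, accounts, and function names are hypothetical, and the sample data is constructed. A UID that maps to different names on different hosts matters because file ownership on shared storage follows the numeric UID, not the name.

```python
from collections import defaultdict

# Constructed sample: passwd(5)-format content as it might be collected from
# /etc/passwd on three hosts. Host names and accounts are hypothetical.
SAMPLE_PASSWD = {
    "web01": "root:x:0:0:root:/root:/bin/bash\n"
             "alice:x:1001:1001:Alice A:/home/alice:/bin/bash\n"
             "deploy:x:1500:1500::/home/deploy:/bin/sh\n",
    "db01": "root:x:0:0:root:/root:/bin/bash\n"
            "alice:x:1004:1004:Alice A:/home/alice:/bin/bash\n"
            "bob:x:1001:1001:Bob B:/home/bob:/bin/bash\n",
    "app01": "root:x:0:0:root:/root:/bin/bash\n"
             "toor:x:0:0:backup admin:/root:/bin/sh\n"
             "alice:x:1001:1001:Alice A:/home/alice:/bin/bash\n",
}

def parse_passwd(text):
    """Yield (name, uid) for each well-formed passwd(5) line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # skip malformed entries and NIS '+' compat lines
        yield fields[0], int(fields[2])

def find_conflicts(stores):
    """Return (names with several UIDs, UIDs with several names, extra UID 0 accounts)."""
    uids_by_name = defaultdict(lambda: defaultdict(set))
    names_by_uid = defaultdict(lambda: defaultdict(set))
    for host, text in stores.items():
        for name, uid in parse_passwd(text):
            uids_by_name[name][uid].add(host)
            names_by_uid[uid][name].add(host)
    name_conflicts = {n: {u: sorted(h) for u, h in m.items()}
                      for n, m in uids_by_name.items() if len(m) > 1}
    uid_conflicts = {u: {n: sorted(h) for n, h in m.items()}
                     for u, m in names_by_uid.items() if len(m) > 1}
    # Any UID 0 account other than root is a second superuser identity.
    extra_root = sorted(n for n in names_by_uid.get(0, {}) if n != "root")
    return name_conflicts, uid_conflicts, extra_root

if __name__ == "__main__":
    for label, result in zip(("name", "uid", "uid0"), find_conflicts(SAMPLE_PASSWD)):
        print(label, result)
```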

Why Managing Access and Privileges Might be a Problem

Most organizations require some groups of users to be allowed to use administrative accounts and passwords. For example, you might want to grant these permissions to allow some users to log on to computers that host administrative applications or data center services, but restrict access so that users can only log on when appropriate.

In many cases, the primary way you secure access to computers is by granting a limited number of users or groups root administrative privileges or configuring sudoers rights locally. These common practices leave computers vulnerable to insider threats and present a security risk that might be exploited by an external attack. As common as it is, granting administrative access rights is likely to violate the principle of least privilege, which is intended to minimize your exposure to these types of risks.
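To make the least-privilege concern concrete, here is an added example (not part of Server Suite or its documentation) that reviews locally configured sudoers entries and reports grants of unrestricted commands or password-less elevation. It assumes a simplified sudoers grammar: one user specification per line, with no alias expansion and no included files. The sample content and the function name are constructed for illustration.

```python
import re

# Constructed sample sudoers content; users, groups and hosts are hypothetical.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
alice   ALL=(root) /usr/bin/systemctl restart nginx
bob     db01=(ALL) NOPASSWD: /usr/bin/less /var/log/*, \\
        /usr/bin/vi
#includedir /etc/sudoers.d
"""

# who  host = (runas) commands   -- simplified user specification
SPEC = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAGS = re.compile(r"\b(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")

def audit_sudoers(text):
    """Return (principal, finding) pairs for grants that conflict with least privilege."""
    findings = []
    joined = text.replace("\\\n", " ")  # fold backslash-continued lines
    for line in joined.splitlines():
        line = line.strip()
        # Skip blanks, comments and include directives, Defaults, and alias definitions.
        if (not line or line[0] in "#@" or line.startswith("Defaults")
                or "_Alias" in line.split()[0]):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        who, _host, _runas, cmds = m.groups()
        if who == "root":
            continue  # root's own entry is typically the stock default, not a delegation
        tags = set(TAGS.findall(cmds))
        commands = [c.strip() for c in TAGS.sub("", cmds).split(",")]
        if "ALL" in commands:
            findings.append((who, "unrestricted commands"))
        if "NOPASSWD" in tags:
            findings.append((who, "no password required"))
    return findings

if __name__ == "__main__":
    for who, finding in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{who}: {finding}")
```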

In other cases, users who need administrative privileges to perform specific tasks might use a shared administrator and service account password. However, shared passwords reduce accountability, leave computers vulnerable to insider threats, and are also often flagged by auditors as a security issue. If you are in an industry that has compliance requirements, shared passwords might present a significant business risk.

How Server Suite can Reduce Security Risks

To reduce the overhead of managing account information and access rights across your organization, Server Suite provides the following key features:

Secure Authentication and Identity Management

Server Suite enables you to define and manage the identity attributes in user profiles, consolidate and simplify the management of account information, improve the security of authentication and directory services, and enforce consistent password and account policies.

Role-based Access Rights

Server Suite enables you to define and manage access rights and role definitions, restrict which users can do what on specific sets of computers or during specific periods of time, and control and restrict access to administrative privileges.

Delegation of Authority

Server Suite enables you to delegate administrative activity on a task-by-task basis. By delegating individual tasks to specific users or groups, you can establish a separation of duties at the level of granularity you require.

Auditing of Activity

Server Suite enables you to collect and store an audit trail of user activity when and where you want it. With the auditing service, you can selectively capture and analyze only audit trail events or all user and computer activity.

These features can be used together or independently, depending on the type of licenses you purchase and the specific requirements of your organization. For example, some licenses for Server Suite might enable identity management, access control, and privilege management. Other licenses might enable auditing of user activity and reporting services.

How Zones Help you Organize Information

One of the most important aspects of managing computers with Server Suite software is the ability to organize computers, users, groups, and other information about your organization into zones. A Server Suite zone is a logical object that you create to organize computers, rights, roles, security policies, and other information into logical groups. These logical groups can be based on any organizing principle you find useful. For example, you can use zones to describe natural administrative boundaries within your organization, such as different lines of business, functional departments, or geographic locations. You can also use zones to isolate computers that share a common attribute, such as the same operating system.

Zones provide the first level of refinement for access control, privilege management, and the delegation of administrative authority. For example, you can use zones to create logical groups of computers to achieve the following goals:

  • Control who can log on to specific computers.
  • Grant elevated rights or restrict what users can do on specific computers.
  • Manage role definitions, including availability and auditing rules, and role assignments on specific computers.
  • Delegate administrative tasks to implement “separation of duties” management policies.

You can also create zones in a hierarchical structure of parent and child zones to enable the inheritance of profile attributes, rights, roles, and role assignments from one zone to another or to restrict local or remote access to specific computers for specific users or groups.

Because zones enable you to grant specific rights to users in specific roles on specific computers, you can use zones as the first level of refinement for controlling who has access to which computers, where administrative privileges are granted, and when administrative privileges can be used.

You can also use zones to establish an appropriate separation of duties by delegating specific administrative tasks to specific users or groups on a zone-by-zone basis. With zones, administrators can be given the authority to manage a given set of computers and users without granting them permission to perform actions on computers in other zones or giving them access to other Active Directory objects.