8/2/2019 Conquering the sys-admin challenge
http://slidepdf.com/reader/full/conquering-the-sys-admin-challenge 1/11
Copyright Quocirca © 2011
Bob Tarzey
Quocirca Ltd
Tel : +44 7900 275517
Email: [email protected]
Clive Longbottom
Quocirca Ltd
Tel: +44 771 1719 505
Email: [email protected]
Conquering the sys-admin challenge
The automation of sys-admin and the management of privilege and compliance
October 2011
Systems administration, or sys-admin as both the task and its practitioners
are often abbreviated to, is essential for the smooth running of an
organisation’s information technology (IT) infrastructure and business
applications. Enabling sys-admins to do their work efficiently and safely
throws up many challenges, not least because they need to operate with
higher levels of privilege than normal users.
Associating the use of privilege with individual sys-admins is essential for compliance purposes. Ensuring all the data required by auditors is
collected and stored is necessary for maintaining infrastructure compliance
and is only guaranteed if the processes for doing so are automated. Tools
that enable the automation of sys-admin tasks are also the key to reducing
error rates, providing the confidence to delegate and making the whole
sys-admin process more efficient.
This Quocirca research report presents new data on how well organisations
are able to automate their sys-admin procedures, manage the use of privilege and satisfy the requirements of auditors. This should be of
interest to those charged with the reliable delivery of IT, and also business
managers who understand the importance of IT to their organisations.
Conquering the sys-admin challenge
The automation of sys-admin and the management of privilege and compliance
Enabling sys-admins to do their work efficiently and safely throws up many challenges, not least because they need to operate with higher levels of privilege than normal users; a fact that also attracts the interest of auditors. Tools that
enable the automation of sys-admin tasks are the key to maintaining infrastructure compliance, reducing error rates,
providing the confidence to delegate and making the whole sys-admin process more efficient.
Sys-admins are essential to ensuring the smooth running of IT systems
Systems administration, or sys-admin as both the task and its practitioners are often
abbreviated to, is essential for the smooth running of an organisation’s IT infrastructure and
applications. The task involves managing high profile servers and the business applications that
run on them, and also lower profile equipment such as network routers and switches, load
balancers and security devices. Many of these devices are in remote locations and care needs
to be taken to ensure that their maintenance is not overlooked.
Limiting the scope of privileged access benefits the sys-admin and their employer
It is easy to grant sys-admins wider ranging privileges to do their jobs than is necessary; this
causes two problems. First, sys-admins are as prone to making errors as anyone and the
consequences of those errors can be serious if they lead to IT outages. Second, certain
standards and regulations require that the actions of individual sys-admins are recorded and
auditable. This research shows that most organisations regularly allow sys-admins far more
access than they need to do their job, which makes regulatory compliance harder to ensure.
Clear association of the use of privilege with individuals is required to put controls in place
Putting controls in place requires each sys-admin to have a unique identity and that using it is
the only way they carry out their work; access should also be taken away when no longer
needed. This ensures certain bad practices are eliminated, such as the sharing of group sys-
admin identities, which, despite being frowned upon by regulators, the current research
shows many organisations struggled to get under control. The research also shows that many
fail to close down default privileged user accounts supplied with software; a gift to hackers.
Automating tasks helps avoid errors and reduces the amount of mundane work
Few sys-admin tasks are fully automated; those that can be should be, as this frees up sys-
admins to focus on more valuable activities. Automation also helps to avoid errors, which respondents admit are inevitable. For example, once the identity of a given device is embedded
in a script there is no longer a chance that changes will accidentally be made to the wrong
device; the research clearly shows that error rates drop if sys-admins no longer need to make
educated guesses of device identities.
Identity management and automation increase the confidence to delegate
Not all tasks can be fully automated but the more routine ones can be delegated to junior staff,
help desks and/or third party support services. However, many organisations show a reticence
to delegate because they feel they are not able to limit the scope of the privilege access they
are providing when they do so. They also worry that, having granted such access, it will not get
revoked afterwards. These problems can only be mitigated if good identity management is in
place. Automation also helps here; if certain tasks can be partially automated it is easier to
delegate them without having to spend time tutoring the staff the task has been passed to.
Identity management and automation are key to meeting the demands of auditors
Auditors require certain practices and processes to be in place when it comes to sys-admin and
the use of privilege. One appalling practice admitted by some of the respondents was that they
make uncontrolled changes to sys-admins’ procedures immediately prior to audits and then
revert to the old ways afterwards. This would surely lead to an audit failure if uncovered. There
would be no need for this if better tools were in place. Privilege identity management is
essential for compliance and it is also essential to ensure the automated recording of all
privilege user activity.
Conclusions: Having the tools in place that enable the automation of many sys-admin tasks and the management and recording of
privilege user activity are the key to reducing error rates, meeting the demands of auditors, ensuring compliance,
providing the confidence to delegate and making the whole sys-admin process more efficient.
Introduction – sys-admins and sys-admin
IT systems need administrating and that requires
system administrators; in the trade, the practitioners
that carry out this work are often referred to as sys-
admins, as is their work. Sys-admins have a broad
range of responsibilities from deploying new
software and devices through to managing data and
users and disposing of equipment that is no longer
wanted. Increasingly, they are also tasked with
integrating externally provided IT services with those
that they manage internally.
On top of all this, sys-admins play an increasingly
important role in ensuring their organisations are in compliance with various regulations. There are two
elements to this: first they are guardians of much of
the information required by auditors, and reporting
this tends to take more and more of their time.
Second, their own activities, usually carried out with
higher levels of privilege than normal users, are of
particular interest to the auditors.
A rough calculation suggests there are between 1 and
2 privileged users for every 100 normal users, at least
among smaller organisations (1,000 –2,000
employees, Figure 1). This is based on research carried out for this report into sys-admin practices
among UK based organisations.
The research investigated the extent of sys-admin
bad practices, the controls that are exerted over
privileged users, the degree to which sys-admin tasks
were being automated and/or delegated and how
thoroughly key sys-admin goals were being achieved.
Two of the most important goals are ensuring the
continuous availability of the IT infrastructure
(business continuity) and the recording and
preparation of data for auditors for compliance
purposes.
This Quocirca research report outlines the state of
play in the sys-admin world and should be of interest
to any business or IT manager that wants to assess
where their organisation stands when it comes to
sys-admin practices; the granting, use and
management of privileges; and their ability to comply
with certain standards and regulations.
Limiting the scope of access for sys-admins
All employers would like to think they can trust their
employees, but most know that, in some cases,
implicit trust will be misplaced. This is a particular
worry when it comes to sys-admins because of the
privileges they need to do their job. It is not that sys-
admins are any more prone to malicious behaviour
than other employees (although some are), but that
the very privileges they have means that errors they
make in carrying out their day-to-day work can have
wide ranging and serious consequences.
For example, the failure to back up a server
properly (or at all) may mean data is lost and a
project is put back by days or weeks; wrongly
reconfiguring a network firewall may lead to remote
users being locked out of systems they need to
access; or spinning down the wrong disk volume for
maintenance purposes may leave an email server out
of action.
Anything that can be done to minimise the chance of
such errors is going to help the sys-admins
themselves and the businesses they serve. Restricting
the granting of privileges, both to the individual and
the time access is granted for, are essential to help
achieve this. Furthermore, the automation of routine tasks can cut down error rates and ensure the
completion of many of the activities required for
audits.
One of the most fundamental and widespread bad
practices is the over-granting of privilege; that is
providing more privilege than is necessary for a sys-
admin to do a given task at a given time. Of the
potential bad practices examined in the current
research two of the most common were the opening
of the whole of a Microsoft Windows domain (a related
set of devices) to a given sys-admin and providing
access to data when there was no need (Figure 2).
The truth is that, in most cases, sys-admins need no
access to the underlying user data to do their jobs; at
most they need access to just systems data. For one
class of organisation – the providers of on-demand IT
services (software, platform and/or infrastructure as
a service) – guaranteeing that sys-admins cannot
access user data is an essential part of their service
level agreements. They have to separate user data
from systems data and are proof that it can be done
whilst ensuring sys-admins can achieve one of their
main goals – to provide highly available IT services.
The over-granting of privilege is not necessary.
Indeed, with the right tools and procedures in place,
it is quite possible to turn the whole process on its
head, by only granting privilege for specific tasks and
devices for a limited period of time. For example, if a
given firewall needs reconfiguring, it is better to grant
access to that device for a named sys-admin for the
estimated time needed to complete the work than
provide continuous access to all sys-admins forever.
The current research shows that those organisations that have in place the tools to restrict privileges,
actually reduce the access that sys-admins have to
data they have no need to see (Figure 3).
Tools that enable this can also help reduce other bad
practices that were admitted to in the current
research; for example, by guiding a sys-admin to a
specific device, there is no chance they will accidentally work on the wrong one by making an
educated guess at its identity, which is especially easy
to do with IP addresses. 80% of organisations
admitted this happened, at least occasionally (Figure
2) and this clearly leads to increased error rates
(Figure 4). However, perhaps the most important aspect
of having tools in place for aiding sys-admins and
managing privileged access is the ability to link the
identities of specific sys-admins with given tasks.
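The model described above (privilege granted to a named sys-admin, for one device and one task, for a limited time, with every use of privilege attributable to an individual) can be sketched in a small broker. This is an added example written for this page, not code from the report or from Osirium; the identities, device names and the list of shared accounts are constructed values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Grant:
    admin: str        # a named individual, never a group or default account
    device: str       # the single device the grant applies to
    task: str         # the specific task, e.g. "firewall-reconfigure"
    start: datetime
    end: datetime     # after this the grant is revoked automatically


@dataclass
class PrivilegeBroker:
    # Identities treated as shared or vendor-default (constructed list); the
    # report says these must be closed down, so they can never receive a grant.
    shared_identities: frozenset = frozenset({"admin", "root", "sysadmins"})
    grants: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)   # (when, admin, device, task, event)

    def grant(self, admin, device, task, start, duration):
        if admin in self.shared_identities:
            raise ValueError(f"refusing to grant privilege to shared identity {admin!r}")
        g = Grant(admin, device, task, start, start + duration)
        self.grants.append(g)
        self.audit_log.append((start, admin, device, task, "GRANT"))
        return g

    def revoke(self, grant, when):
        self.grants.remove(grant)
        self.audit_log.append((when, grant.admin, grant.device, grant.task, "REVOKE"))

    def authorise(self, admin, device, task, when):
        """True only if a live grant matches admin, device, task and time.
        Every decision, allowed or denied, is written to the audit log."""
        ok = any(g.admin == admin and g.device == device and g.task == task
                 and g.start <= when < g.end for g in self.grants)
        self.audit_log.append((when, admin, device, task, "ALLOW" if ok else "DENY"))
        return ok

    def expire(self, when):
        """Automatic revocation: remove every grant whose window has closed."""
        closed = [g for g in self.grants if g.end <= when]
        for g in closed:
            self.revoke(g, when)
        return len(closed)

    def activity_by_admin(self):
        """Auditor view: every privileged event keyed to one named individual."""
        report = {}
        for when, admin, device, task, event in self.audit_log:
            report.setdefault(admin, []).append((when.isoformat(), device, task, event))
        return report


def demo():
    """Walk through the report's firewall example with constructed values."""
    t0 = datetime(2011, 10, 3, 9, 0)
    broker = PrivilegeBroker()
    broker.grant("alice", "fw-branch-01", "firewall-reconfigure", t0, timedelta(hours=2))
    in_window = broker.authorise("alice", "fw-branch-01", "firewall-reconfigure",
                                 t0 + timedelta(minutes=30))
    wrong_device = broker.authorise("alice", "fw-branch-02", "firewall-reconfigure",
                                    t0 + timedelta(minutes=30))
    too_late = broker.authorise("alice", "fw-branch-01", "firewall-reconfigure",
                                t0 + timedelta(hours=3))
    expired = broker.expire(t0 + timedelta(hours=3))
    return in_window, wrong_device, too_late, expired, broker


def shared_identity_refused():
    """A group or default account can never be the subject of a grant."""
    try:
        PrivilegeBroker().grant("root", "srv-01", "patch", datetime(2011, 10, 3), timedelta(hours=1))
    except ValueError:
        return True
    return False
```

The denied attempts are logged alongside the allowed ones, so the audit view shows not only what each individual did but also what they tried to do outside their grant.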
Managing privileged identities
One worrying practice when it comes to being able to
link individual sys-admins with specific tasks is the
use of group sys-admin accounts. The sharing of
usernames and passwords among multiple sys-
admins not only means you never know who has
been doing what (which auditors require) but it also
leads to weaker overall security.
If sys-admins are sharing a group identity, passwords
will seldom be changed, because informing all the
people that need to know it is cumbersome. It also means that former staff will often still have access
details after they have moved on. The problem is
exacerbated if contractors and other short-term
temporary staff members (temps) are involved, as is
often the case with sys-admin.
Scrapping the use of group sys-admin accounts
altogether is the only solution to this problem; it also
makes it much easier to ensure privilege access is
stopped when it is no longer needed. The majority of
organisations interviewed for the current research
struggled with controls in these areas (Figure 5).
Having the tools in place to be able to grant privileges
to specific users for specific systems and devices for
specific periods of time or to perform specific tasks
enables other good practices to be put in place.
Examples of these are requiring strong authentication
(e.g. use of hardware tokens and/or biometrics as
well as passwords) and single sign-on (a single point
of authentication for sys-admin tasks across a
number of devices).
Assigning privileges to given individuals and not
groups also makes it easier to ensure a given sys-
admin’s privileges are fully revoked when no longer
required.
The insidious risk of default privileged user accounts
can also be more easily brought under control; these
are the ones provided with software when it is first
installed, such as root access for operating systems. If
all privilege access is restricted to assigned users,
default accounts can be searched for and closed
down. Default privilege accounts are a gift to hackers,
who will search them out as an easy access point to
achieve deeper penetration of targeted IT
infrastructure.
Another common practice that can be a problem is the embedding of privilege details into software
programs and scripts that need privileged access
(Figure 6). This is often necessary but needs to be
done with care. The programs/scripts in question
should be assigned privileged user identities all of
their own and login details masked. If this is not the
case, the details may be compromised; a real
problem if a group access identity is being used.
This issue is at its worst when embedded privileged
user details are transmitted in the open to carry out
remote management tasks, such as the backup of a
branch office server. If the scripts for this are
transmitted un-encrypted and the privileged user
login details are in the clear, intercepting the traffic
would provide yet another gift to hackers.
Often the reason that such scripts are developed is to
automate the work of sys-admins. This is a good thing
if it can be done securely as it can free up time spent
on mundane tasks, leaving sys-admins free to focus
on more productive activities. There are other
benefits to automation too.
Automating away sys-admin errors
Mundane tasks are another area where mistakes are
made. All organisations admitted that sys-admins
made errors (Figure 7), although that error rate
varied by industry (Figure 8). The automation of
mundane tasks, where possible, should reduce error
rates.
Few tasks are fully automated (Figure 9). Increasing
the degree of automation should decrease error rates as well as freeing up sys-admin time for other tasks or
perhaps getting rid of a few expensive contractors.
Automation also means tasks will be performed more
regularly; the current research shows this to be true
for server backups (Figure 10), a task that, in most
cases, should be carried out on a daily basis.
Network and security devices should also be backed
up, although perhaps not daily. For many, a backup
should be triggered only when the device’s
configuration is changed. However, unless this is
automated, the task is sometimes overlooked (Figure 11). The failure of such devices and the inability to
recover them can lead to access and security issues.
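One way to automate the change-triggered backup just described, as an added example that is not code from the report or from Osirium: a device's configuration is archived only when its content differs from the last archived copy, and devices whose live configuration has no matching archive (an overlooked backup) can be listed. The device names and configuration lines are constructed sample values.

```python
import hashlib
from datetime import datetime


def config_fingerprint(config_text):
    # Normalise line endings and trailing whitespace so that cosmetic
    # differences in how the config was fetched do not trigger a backup.
    lines = [ln.rstrip() for ln in config_text.replace("\r\n", "\n").split("\n")]
    return hashlib.sha256("\n".join(lines).encode("utf-8")).hexdigest()


class ConfigArchive:
    def __init__(self):
        self.history = {}   # device -> list of (timestamp, fingerprint, config_text)

    def backup_if_changed(self, device, config_text, when):
        """Archive the config only if it differs from the last archived copy.
        Returns True when a new copy was stored."""
        fp = config_fingerprint(config_text)
        versions = self.history.setdefault(device, [])
        if versions and versions[-1][1] == fp:
            return False
        versions.append((when, fp, config_text))
        return True

    def latest(self, device):
        versions = self.history.get(device)
        return versions[-1][2] if versions else None

    def unprotected(self, current_configs):
        """Devices whose live config has no matching archived copy, i.e. a
        backup that was overlooked after a change (or never taken at all)."""
        missing = []
        for device, config_text in current_configs.items():
            versions = self.history.get(device)
            if not versions or versions[-1][1] != config_fingerprint(config_text):
                missing.append(device)
        return sorted(missing)


def demo():
    """Constructed walk-through: one firewall changes, one switch is never backed up."""
    archive = ConfigArchive()
    t = datetime(2011, 10, 3, 8, 0)
    fw_v1 = "hostname fw-branch-01\naccess-list 10 permit 10.1.0.0 0.0.255.255\n"
    first = archive.backup_if_changed("fw-branch-01", fw_v1, t)
    same = archive.backup_if_changed("fw-branch-01", fw_v1.replace("\n", "\r\n"), t)
    fw_v2 = fw_v1 + "access-list 10 deny any\n"
    changed = archive.backup_if_changed("fw-branch-01", fw_v2, t)
    live = {"fw-branch-01": fw_v2, "sw-core-01": "hostname sw-core-01\n"}
    return first, same, changed, len(archive.history["fw-branch-01"]), archive.unprotected(live)
```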
There is one time in the life of a device when the aim
should be to delete any sensitive data that exists on it
for good; when it has reached the end of its useful
life and is to be disposed of. Many network and
security appliances have confidential information
about users or infrastructure; for example a VPN
device could have a privileged account on it to access
user directory information.
More than a third of the respondents to this survey
were not confident they always achieved this (Figure
12). Automated processes for de-provisioning devices
can ensure they are safe to pass on to third parties for
resale or disposal.
Even when tasks cannot be fully automated,
automating parts of a given sys-admin’s task should
also give senior staff more confidence to delegate
tasks to juniors and contractors, something the
current research shows many do not have the
confidence to do.
The confidence to delegate
All too often there is a reticence to delegate sys-
admin tasks (Figure 13). When this is the case, senior
sys-admin personnel end up doing tasks that could be
done by juniors, temps or even help desk staff. This is
an inefficient use of resources.
One reason may simply be the time taken to explain
how to do a task; semi-automation also helps solve
this. In addition, having the ability to restrict the
assignment of privileges, as outlined earlier, would
provide more confidence to delegate. The inability to
restrict the time and scope of privilege access were
both issues that concerned interviewees when it
came to delegation, as well as a worry that, once granted, such privilege would not be revoked (Figure
14).
The granular granting of privilege to clearly identified
individuals, be they senior, junior or temporary
employees, is essential to another aspect of the
management of sys-admin activity – providing data
for auditors.
Satisfying the auditors
A major motivation for putting in place good
practices for the management of sys-admins and the
use of privileges is to meet the requirements of
auditors. An audit may require all sorts of
information regarding who has access to what on a
given organisation’s IT systems and who changed
what, on which device and when.
Some standards are specific about the management
of privileged users. One of the controls in the IT
service management standard (ITSM) ISO 27001
states, “the allocation and use of privileges shall be
restricted and controlled”. The Payment Card
Industry Data Security Standard (PCI DSS)
recommends, “auditing all privileged user activity”.
It may be the pressure to meet these demands that
leads to one final appalling bad practice, the
uncontrolled changes to sys-admin procedures
immediately prior to audits which then lapse
following the audit. Over two thirds of respondents
admitted this happened at least occasionally; for
some it was a regular practice (Figure 15).
Fully automating the collection of this data, such as configuration settings, would reduce the pressure on
IT staff and save time during the audit process;
however, less than 10% had achieved this (Figure 16).
Even fewer had fully automated the process for
remediating audit gaps; being able to do this would
ensure organisations stayed in compliance between
audits and eliminate the need for bad practices being
put in place to dupe auditors, which, if uncovered,
would surely lead to an audit failure anyway.
Automated processes around auditing make sure data is continually gathered, that all records of
privileged user activity are collected and that each
sys-admin task can be associated with an individual
sys-admin, all of which the majority of organisations
fail to fully achieve (Figure 17). There is strong
evidence that automation improves things
considerably; those who automated the collection of
data for audits were almost three times as likely to
fully achieve their data collection goals as those
with no or little automation (Figure 18).
Conclusion
Although granting privileged access to sys-admins is a
necessity, the process should be managed to reduce
the prevalence of bad practices. Automation is an
essential part of achieving this; it also enables task
delegation, freeing up senior IT staff, and ensures
mundane tasks are carried out reliably, regularly
and securely.
Automation also ensures that the necessary data is
collected for audits and enables organisations to prove that their use of privilege is compliant.
Tools that enable automation of sys-admin tasks and
regulate the actions of privileged users are good for
both sys-admins and the business they serve.
Appendix - demographics
The following graphs show the demographic
breakdown of the respondents included in the
survey:
About Osirium
Osirium drives down operational risk and eases the pain of managing and maintaining multi-vendor IT infrastructures by providing a central, secure access point and a “built-in” best practice foundation which tracks all sys-admin changes in the infrastructure and enables you to easily meet and maintain compliance.
Osirium dramatically improves productivity and reduces human error by automating routine and repetitive sys-admin tasks and delegating them to less costly help desk staff, to provide faster problem resolutions with fewer errors.
Osirium is establishing itself as a new and unique IT infrastructure security solution and is already helping some of the world’s biggest brands and public sector bodies.
For more information please see: www.osirium.com
About Quocirca
Quocirca is a primary research and analysis company specialising in the
business impact of information technology and communications (ITC).
With world-wide, native language reach, Quocirca provides in-depth
insights into the views of buyers and influencers in large, mid-sized and
small organisations. Its analyst team is made up of real-world
practitioners with first-hand experience of ITC delivery who continuously
research and track the industry and its real usage in the markets.
Through researching perceptions, Quocirca uncovers the real hurdles to
technology adoption – the personal and political aspects of an
organisation’s environment and the pressures of the need for
demonstrable business value in any implementation. This capability to
uncover and report back on the end-user perceptions in the market
enables Quocirca to provide advice on the realities of technology
adoption, not the promises.
Quocirca research is always pragmatic, business orientated and
conducted in the context of the bigger picture. ITC has the ability to
transform businesses and the processes that drive them, but often fails to
do so. Quocirca’s mission is to help organisations improve their success
rate in process enablement through better levels of understanding and
the adoption of the correct technologies at the correct time.
Quocirca has a pro-active primary research programme, regularly
surveying users, purchasers and resellers of ITC products and services on
emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of long term investment trends, providing invaluable
information for the whole of the ITC community.
Quocirca works with global and local providers of ITC products and
services to help them deliver on the promise that ITC holds for business.
Quocirca’s clients include Oracle, Microsoft, IBM, O2, T-Mobile, HP,
Xerox, EMC, Symantec and Cisco, along with other large and medium-
sized vendors, service providers and more specialist firms.
Details of Quocirca’s work and the services it offers can be found at
http://www.quocirca.com
REPORT NOTE: This report has been written independently by Quocirca Ltd
to provide an overview of the issues facing organisations that have to face up to the challenges of sys-admin and the use of privilege.
The report draws on Quocirca’s extensive knowledge of the technology and business arenas, and provides advice on the approach that organisations should take to create a more effective and efficient
environment for future growth.
Quocirca would like to thank Osirium for its sponsorship of this report and the research behind it.