Steps to a secure operating system
Computerworld - Today's operating systems are more sophisticated and feature-rich than ever before, which makes them substantially more useful to the enterprise but also adds to security vulnerability—unless the operating systems are configured, administered and monitored correctly. Contrary to popular belief, this can be accomplished with a minimum of fuss and bother. The key is to centralize and automate operating system security across the enterprise, rather than do it manually for each box.
In fact, the costs and risks of not centralizing and automating operating system security are enormous. Over half of the security break-ins we read about daily are the result not of inherent weaknesses in operating system technology but of operating systems not being configured properly or not being verified and monitored regularly. The operating systems were provisioned out of the box at the default security settings, which made them highly vulnerable to attack.
Today, roughly 20% of user identifications and passwords have never been changed. The word password is still a common password in many organizations. The reason administrators neglect to configure these settings properly is simple: It would take approximately 20,000 hours to provision and verify a 1,000-server network manually, as it must be done in many organizations, and few organizations can afford the necessary time and money.
|Arvind Krishna is vice president for security products at IBM Tivoli Software.
There are three things that can enhance operating system security across an enterprise network. First, provisioning of the servers on the network should be done once in one place, involving the roughly tens of separate configurations most organizations require. This image, or set of images, can then be downloaded across the network, with the help of software that automates this process and eliminates the pain of doing it manually for each server. Moreover, even if you had an instruction sheet for these key configurations, you wouldn't want local administrators to access these key configurations for each server, which is very dangerous. The best way to do it is once and for all.
Once the network has been provisioned, administrators need to be able to verify policy compliance, which defines user access rights and ensures that all configurations are correct. An agent running on the network or remotely can monitor each server continuously, and such monitoring wouldn't interfere with normal operations.
Second, account management needs to be centralized to control access to the network and to ensure that users have appropriate access to enterprise resources. Policies, rules and intelligence should be located in one place—not on each box—and should be pushed out from there to provision user systems with correct IDs and permissions. An ID life cycle manager can be used to automate this process and reduce the pain of doing this manually.
Third, the operating system should be configured so that it can be used to monitor activity on the network easily and efficiently—revealing who is and isn't making connections, as well as pointing out potential security events coming out of the operating system. Administrators can use a central dashboard that monitors these events in real time and alerts them to serious problems based on preset correlations and filtering. Just as important, this monitoring system should be set up so that administrators aren't overwhelmed by routine events that don't jeopardize network security.
Security doesn't have to be a budget buster or interfere with normal business operations. As organizations move from manual to automated security processes, there are significant cost savings to be had. Manual processes are not only expensive and inflexible; they also contribute significantly to breakdowns that add to costs. Properly configured operating system security is a business enabler that will save money as it keeps the bad guys where they belong—on the defensive.
- Editor's Note: Tips From Security Pros
- The Story So Far: IT Security
- Know Thy Users: Identity Management Done Right
- Opinion: Feeling Insecure About Databases
- Evaluate Outsourcing Partners
- Strengthen Security During Mergers
- Thwart Insider Abuse
- Privacy Protection, Step by Step
- Plug IM's Security Gaps
- Boost Your Security Career
- The Almanac: IT Security
- Buffer Overflow
- The Next Chapter: IT Security
- Thwarting attacks on Apache Web servers
- Tips for Securing Your Windows Operating System
- The Hacker's Wireless Toolbox Part 1
- How to defend against internal security threats
- Ten ways to defend against viruses
- Decoding Mobile Device Security
- Five ways to thwart threats to your network
- Secrets to the best passwords
- Social engineering: It's a matter of trust
- Five tips for effective patch management
- Security Basics: Where to Start
- Steps to a secure operating system
- WLAN chip sets open a new door to insecurity
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts