[ISN] A Light at the End of the Tunnel (security policy article)

From: mea culpa <jericho_at_dimensional.com>
Date: Thu 03 Dec 1998 - 22:09:28 CST
http://www.networkcomputing.com/shared/printArticle?article=nc/922/922f1.html&pub=nwc

Finally! A Light at the End of the Tunnel

By David Willis  

Managing security policy for a large organization with a variety of
computing platforms is a tough job that gets tougher all the time.
Organizations change so quickly that simply keeping systems current is an
accomplishment. New systems are added, operating systems and applications
are upgraded, network entry points proliferate and new security flaws crop
up every day.  Staff turns over, contractors come and go, and support
departments endure downsizing, leaving fewer people to manage more
systems. Typically, those who remain focus on delivering service for end
users rather than on network protection. 
                                       
The daily task of protecting information falls to the security policy
administrator, who has his or her hands full simply managing what's
already in place--ensuring that system accounts and permissions are set up
properly and that information is always available to those who need it
(and no one else). Most often the policies are implemented by
others--security managers rarely manage boxes on a daily basis--and they
must take care not to make it hard for people to get their jobs done.
Policies must be understandable, auditable, enforceable and nonintrusive.
It's a tall order. 
                                       
By comparison, life in a homogeneous environment is easy. IBM mainframe
shops have IBM RACF or Computer Associates International's CA-ACF2 for
granular security management.  Well-established products extend mainframe
security management into distributed environments. Tools for administering
a single-platform network operating system do an adequate job, with a few
well-documented exceptions: In large, interconnected Windows NT
installations, for example, the sheer volume of accounts and trust
relationships is known to swallow an inordinate amount of administrative
time. Unix systems have similar architectural flaws, including limited
capacity for management delegation and clumsy access-control-list
mechanisms.

Still, while many tools can secure and manage Windows NT, Unix and NetWare
within themselves, rarely do they span multiple platforms. Without a
mainframe to centralize it all, there is only a handful of security-policy
management tools that can control users and resources served by diverse
operating systems. Computer Associates, PLATINUM technology and Tivoli
Systems have tools that manage user accounts, control file-level access
and enforce a policy hierarchy.
                                       
Security Gains

Each vendor takes a slightly different approach to policy
management, but our hands-on experience in Network Computing's Real-World
Labs® at Syracuse University and in Dallas showed that whatever the
method, these powerful product suites represent a substantial leap forward
for large, security-conscious organizations.  Given enough time and
effort, these suites will save policy administrators work and will align
systems more rapidly within the organization. 

[see original URL for rest of article..]

-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Tue Dec 8 08:56:55 1998