|
Posted by DaveMo on February 25, 2008, 8:21 am
Please log in for more thread options > I think that's a bit over the top.
> In the real world, I am guessing that perhaps a business owner or director=
> is hiring a system administrator but wants to have some data that is
> private. It could be the Finance Director. The question is, can this be do=
ne
> within a domain? The answer that I and others have given is:
> - You can remove access, but the admin can take it back
> - You can audit access, but the admin can change the auditing.
> So if you really don't want the admin to have access to the data you need =
to
> store it outside of the domain he is administering. For example, on a
> workstation. Then back up the workstation.
> Anthonyhttp://www.airdesk.co.uk
>
>
>
>
>
>
>
> >> If you want data to be outside the scope of a domain administrator, it =
is
> >> fairly obvious that you need to put the data outside the domain.
>
> > Brilliant! But then what is the security environment of this data
> > repository that is outside the domain? Is it another domain with a
> > different set of administrators? Is it a SAN device on the network? Is i=
t
> > a vault containing the data on magnetic media or printed reports?
>
> > And if the data is ever processed by any machine actually *on* the
> > network, what process ensures that it is inaccessible to anyone other th=
an
> > the authorized user while in use, and fully deleted once he files the
> > results away in that magical non-domain world?
>
> > You can certainly use such techniques to keep system admins from having
> > any sort of access to the information. But I am not convinced that the
> > data itself will become any more secure from unauthorized access in
> > general as a result.
>
> >> Auditing the data so that you are alerted when someone accesses it is
> >> different. It is like putting the burglar in charge of setting the alar=
m.
>
> > If that is truly the case, then we must immediately stop all auditing of=
> > security events, as this has no place in securing our data. Much better =
to
> > hide the data in a sock in the mattress in your spare bedroom where you
> > cannot possibly audit the situation, and can therefore be sure that no
> > knowledge will ever come your way of its having been accessed. In a
> > nutshell, you will have then proven it is perfectly safe.
>
> > /Al
>
> >> Anthony
> >>http://www.airdesk.com
>
> >> In article <1a3d0a6f-760d-4fbd-b134-cad4303349c3
> >> @z17g2000hsg.googlegroups.com>, david.mow...@gmail.com says...
> >>> > In article <7a2dcc1d-2c71-4e9a-a6c3-1b2514b2fdb6@
> >>> > 71g2000hse.googlegroups.com>, david.mow...@gmail.com says...
>
> >>> > > Through a combination of setting the
> >>> > > correct policy (no access for admins) and then monitoring the
> >>> > > systems
> >>> > > so that the policy does not change, you can achieve the desired
> >>> > > compliance level for your systems.
>
> >>> > Actually, that does not meet the requirement - the requirement was t=
o
> >>> > block access by Admins to a share/file/folder/etc...
>
> >>> > It can not be done.
>
> >>> > Yes, you can provide a log that the violation has happened, but you
> >>> > can
> >>> > not stop it.
>
> >>> I don't think that you are accurately representing the problem and/or
> >>> possible solutions. Given that there are fundamental issues with
> >>> keeping an admin from doing anything on his box, this does not mean
> >>> that there aren't things you can do to make a system more secure or
> >>> more compliant. Doing something is almost always better from both a
> >>> security and compliance perspective then doing nothing at all.
> >>> Compliance inspections are never binary in either their goals or their=
> >>> results. Since no system is ever completely protected no company would=
> >>> ever pass a security audit if the requirement was to provide bullet
> >>> proof security.
>
> >>> In summary, adding systems that provide monitoring and policy
> >>> enforcement will definitely tend to make an organization more likely
> >>> to be found "in compliance" then doing nothing at all.
>
> >>> This is, of course, the view of a system implementor. If there are
> >>> compliance folks out there who would like to comment, their
> >>> contributions would be welcome.
>
> >> Dave, I work for many clients, and many of them have to provide SOX or
> >> other compliance proof.
>
> >> The simple fact is that no matter how you dice it up, if you have domai=
n
> >> admin access you have access to everything and there is no way to chang=
e
> >> that.
>
> >> Yes, logging can show that an admin violated security, but that doesn't=
> >> change the specifics - the admin has access to anything they want acces=
s
> >> to, period.
>
> >> Your Usenet client is broken, it's not properly clipping signature line=
s
> >> when you reply.
>
> >> --
>
> >> Leythos
> >> - Igitur qui desiderat pacem, praeparet bellum.
> >> - Calling an illegal alien an "undocumented worker" is like calling a
> >> =A0drug dealer an "unlicensed pharmacist"
> >> spam999f...@rrohio.com (remove 999 for proper email address)- Hide quot=
ed text -
>
> - Show quoted text -
I'm sorry, but I can't agree that this approach is a good one. Who is
going to administer the separate workstation? The Finance Director? If
the workstation is not a member of a domain, it will not enjoy the
benefits of whatever domain-based policies that are used to keep the
organizational systems healthy. If it is outside of the domain, the
Finance Directory won't be able to access the data using his domain
account so he'll need to manage another account - and probably keeping
the account info on a sticky note on his monitor!
There are audit collection systems widely available that whisk the
audit log events off of a box in real-time. Critical audit
information, such as access info for your highly confidential data in
this scenario is then collected in a database on another system which
can be under the control of a different group of admins responsible
for enforcing compliance. Like anything else, any mechanism could be
subverted if someone is really, really smart and motivated to do so,
but I think that a combination of such technologies will easily prove
due dilegence and get you past the audit.
Dave
| 
XML Sitemap