Resources for Sarbanes-Oxley (SOX)

Implementing Least-Privilege Security Management in Complex Linux and UNIX Environments

infosecurity-us.com

Virtually all government and private security regulations, such as Sarbanes-Oxley and the Payment Card Industry’s Data Security Standard, have a few common requirements: that access to sensitive data and servers be granted only to those whose job function requires it, and that those individuals are granted only the privileges they need to perform their duties. This “least-privilege” security model has obvious merits in theory, but in practice it can be challenging to implement, particularly in Linux and UNIX environments, where it is still all too common for administrators to share passwords to root or other superuser accounts. How, for example, do you give backup administrators the superuser privilege to copy a database and move it to another volume without giving them access to the database itself? While sudo and other tools provide some help, they can be cumbersome to manage and implement and become unworkable in complex environments with hundreds of heterogeneous servers and multiple administrators with widely varying job roles and authority.

View the Resource

Share or bookmarklet this web page at: