The long view of security strategies for your network.
In a closed discussion group to which I belong, a member posed the following interesting problem. The participant has very kindly allowed me to publish the conversation with some details changed to preserve anonymity.
The member started the discussion as follows:
* * *
In the past I have asked how information assurance (IA) is positioned within your organization. In some, IA is a part of operations, in some it is the same people doing both IA and operations, some organizations have IA teams that act as internal consultants to operations, and some have IA operations that work alongside production operations.
I have a question in a similar vein. For those security functions that require administrator privileges, do your IA personnel have either Local or Domain Administrator accounts? We are debating a philosophical issue here where our requests to be granted local admin privileges on servers are denied, but the subsequent requests we make of the people that have admin privileges to do the work we are unable to perform go unanswered. Essentially we are in a position of not being able to perform certain tasks related to security, and we are not getting cooperation from the production support teams. We wonder if security personnel at other organizations are given administrator accounts or not.
* * *
I responded:
* * *
I think the critical element here is as follows:
“[O]ur requests to be granted local admin privileges on servers are denied, but the subsequent requests we make of the people that have admin privileges to do the work we are unable to perform go unanswered.”
In a production environment, distributing administrator privileges may disrupt production controls, so I can understand the desire to centralize the administrator functions to a group of people who work closely with others within the production team.
However, assigning responsibilities without authority is never good.
I think that you should explore and analyze the roots of this breakdown in communication between your group and the production team that is supposed to be (but isn't) supporting you. Has the rift developed recently or is it historical? Are there specific personal conflicts that may account for this division between the teams? Are there conflicts between the managers of these groups? Do the obstructive personnel understand the requests and their urgency? Are they perhaps overworked and therefore assigning lower priority than they ought to in scheduling responses to specific requests?
By focusing on the underlying organizational dynamics here, you may be able to present a recent case to your manager so that he or she can take appropriate action to resolve the problem constructively.
But simply pointing out how other organizations handle the assignment of administrator privileges is, in my experience, unlikely to get you very far.
* * *
The participant elaborated on the situation:
* * *
> distributing administrator privileges may disrupt production controls<
I worked for several years as a systems administrator before specializing in security, so I completely agree. In fact, I do not _want_ administrator privileges unless I absolutely need them.
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.