Privileged Users and the Mainframe
by Rob van Hoboken
January 1, 2007
Finding Solutions
The regulations tell you to implement change management procedures, apply separation of authorities, provide reporting of all actions of privileged users, etc. But when cost savings have forced you to rely on a small team to get the job done, how can you make sure they did the right thing? When it’s impractical to limit administrator authority and privileges, a simple alternative is to monitor their activity and make sure all parties are aware of it. Psychological research has shown that a closed-circuit camera does wonders to keep people honest.
Monitoring users isn’t only a good scare tactic for keeping employees from doing bad things; it can also be used to support the technical staff. With the right technology supporting privileged user monitoring initiatives, administrators can show exactly what controls they’ve implemented and changed, proving they’ve completed their job to the best of their ability. Privileged user monitoring ensures that executives can be confident their power users aren’t manipulating reports and conducting activity detrimental to the company.
In one example, a freight-handling agency dealt with shipping manifests of many publicly traded companies. The manifests could be used to deduce the production volumes of each company and predict its revenue. With such information, one could predict the stock price, opening the door to violations of Securities and Exchange Commission (SEC) rules. In the company’s SOX compliance project, the agent requested that access to these files be limited to financial staff, but implementing changes in storage management and security infrastructure proved impractical.
The technical teams pointed out that they would be unable to live up to the Service Level Agreement (SLA) when such changes were made. As an alternative measure, real-time alerts were used to notify the data security team when systems programmers used their privileges to read confidential data. With this measure and others, the agency met its regulatory requirements and proved to customers that confidential information would be appropriately handled.
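As an added illustration (not from the original article or any product it describes), the following Python example applies the alerting rule from the freight-agency case to access records. The record layout, user IDs, and dataset name patterns are constructed assumptions and do not reproduce a real mainframe audit record format.

```python
import csv
import io
from fnmatch import fnmatchcase

# Constructed sample data: simplified access records in a hypothetical layout.
# granted_by distinguishes normal access-list permission from system-wide privilege.
SAMPLE_LOG = """\
time,user,dataset,intent,granted_by
2007-01-08T09:12:03,FINCLK1,FREIGHT.MANIFEST.Y2007.JAN,READ,ACCESS_LIST
2007-01-08T09:40:11,SYSPRG1,SYS1.PARMLIB,UPDATE,ACCESS_LIST
2007-01-08T10:02:47,SYSPRG1,FREIGHT.MANIFEST.Y2007.JAN,READ,PRIVILEGE
2007-01-08T10:05:19,SYSPRG2,FREIGHT.MANIFEST.Y2006.DEC,READ,ACCESS_LIST
2007-01-08T11:30:00,STGADM1,FREIGHT.MANIFEST.Y2007.JAN,UPDATE,PRIVILEGE
"""

CONFIDENTIAL = ["FREIGHT.MANIFEST.*"]      # hypothetical confidential dataset patterns
FINANCIAL_STAFF = {"FINCLK1", "FINCLK2"}   # hypothetical business owners of the data


def is_confidential(dataset):
    """True when the dataset name matches a confidential pattern."""
    return any(fnmatchcase(dataset, pattern) for pattern in CONFIDENTIAL)


def find_alerts(log_text):
    """Return one alert tuple per access to confidential data by non-financial staff."""
    alerts = []
    for rec in csv.DictReader(io.StringIO(log_text)):
        if not is_confidential(rec["dataset"]):
            continue  # routine system work on non-confidential data: no alert
        if rec["user"] in FINANCIAL_STAFF:
            continue  # the intended audience for the manifests
        # Separate use of privilege from standing access that was never removed,
        # so the security team can prioritise the first and review the second.
        if rec["granted_by"] == "PRIVILEGE":
            reason = "privilege used"
        else:
            reason = "non-financial user on access list"
        alerts.append((rec["time"], rec["user"], rec["dataset"],
                       rec["intent"], reason))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print("ALERT", *alert)
```

The second alert reason surfaces standing access by non-financial users, which is the exposure that remains when restricting the access list is impractical.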
Figure 1 shows a chart of best practices for organizations to implement to address a privileged user threat without hindering productivity.
Summary
Privileged users are an unavoidable factor in running an IT system, and usually, they benefit the business. Cost pressures mean that one person often has several roles; these same pressures mean implementing all the controls you’d like isn’t affordable. When business priorities prevent a thorough redesign of the security definitions, monitoring of log files or real-time alerts can be used as an effective and low-impact alternative to keep your privileged users honest—and ensure none of that power is abused.





