
Best practices: Separation of duties for security administrators

In this Q&A, expert Michael Cobb explores separation of duties for security administrators with access to domain controllers and servers running Windows, UNIX and Linux.

What type of access would you suggest should be granted to security administrators for:

  • Windows 2000 & 2003 servers
  • UNIX servers
  • Linux servers
  • Domain Controllers

Unfortunately, apart from the domain controllers, you haven't said what services are running on your Windows, UNIX and Linux servers, so I can't give you any specific recommendations. However, there are established practices for assigning permissions to security administrators that prevent anyone from abusing a privileged position.

Separation of duties (SoD), sometimes referred to as segregation of duties, is the concept of splitting the tasks and privileges required for a specific security process among multiple people. It acts as an internal control that limits the damage any one individual can do, accidentally or maliciously, by restricting the amount of power and influence they hold over key systems. It also ensures that people don't have conflicting responsibilities, such as reporting on themselves or their superiors. The objective is to eliminate the possibility of a single user being in a position where they can both carry out and conceal an illicit action. So, for example, if any of your administrators can delete, edit or copy data without being detected, then you need to look at how their duties and tasks are separated.

Ideally, any task that is potentially subject to misuse needs to be divided into separate steps, and each step assigned to a different person. Responsibilities must be assigned to individuals in such a way as to establish checks and balances within the system and minimize the opportunity for unauthorized access or fraud. Breaking up a process to achieve SoD means ensuring that the process can only be completed by going through each of its steps, and that no one person has the power to complete it on their own. So the person who approves an action, the person who carries out the action and the person who monitors the action must all be different people. By separating the authorization, implementation and monitoring roles, several people would have to collude to successfully commit a fraud, and collusion is both harder to arrange and easier to detect than a single rogue administrator.

A separation should exist in your organization's reporting structure as well as in job responsibilities. Security administrators, for example, shouldn't report to the managers directly responsible for the daily management of your servers. This ensures that their ability to maintain security controls is not influenced by the very people who are part of the process being controlled. It's also essential that there's separation between the development, operation and testing of security within your IT infrastructure. Check, too, that your security administrators aren't responsible for other tasks, such as programming or backups, that would create a conflict of duties.
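The two preceding paragraphs describe the controls in prose; the following Python is an added example (not code from the column or its author) showing how a change-management tool can enforce them: the approver, executor and reviewer of a privileged change must be distinct people, the reviewer may not report to anyone whose work they are reviewing, and no one may hold role pairs the policy declares conflicting. The role names, the conflict matrix, the users and the reporting lines are all assumptions constructed for the illustration.

```python
"""Separation-of-duties (SoD) checks for a privileged-change workflow.

Added example, not code from the original column. The role names, the
conflict matrix, the users and the reporting lines are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


class SoDViolation(Exception):
    """Raised when one person would hold two duties that must stay separate."""


# Role pairs one person must not hold at the same time (assumed policy,
# mirroring the column: a security admin should not also program or run backups).
CONFLICTING_ROLES: Set[frozenset] = {
    frozenset({"security_admin", "developer"}),
    frozenset({"security_admin", "backup_operator"}),
    frozenset({"developer", "production_operator"}),
}


def role_conflicts(assignments: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """List (user, role_a, role_b) for every user holding a conflicting role pair."""
    found = []
    for user, roles in assignments.items():
        for pair in CONFLICTING_ROLES:
            if pair <= roles:
                a, b = sorted(pair)
                found.append((user, a, b))
    return sorted(found)


def reports_to(user: str, boss: str, managers: Dict[str, str]) -> bool:
    """True if `boss` appears anywhere above `user` in the reporting chain."""
    seen = set()
    while user in managers and user not in seen:
        seen.add(user)
        user = managers[user]
        if user == boss:
            return True
    return False


@dataclass
class PrivilegedChange:
    """One change to a server; approval, execution and review need different people."""
    description: str
    requested_by: str
    approved_by: Optional[str] = None
    executed_by: Optional[str] = None
    reviewed_by: Optional[str] = None

    def approve(self, user: str) -> "PrivilegedChange":
        if user == self.requested_by:
            raise SoDViolation(f"{user} cannot approve their own request")
        self.approved_by = user
        return self

    def execute(self, user: str) -> "PrivilegedChange":
        if self.approved_by is None:
            raise SoDViolation("change has not been approved")
        if user == self.approved_by:
            raise SoDViolation(f"{user} approved this change and cannot also execute it")
        self.executed_by = user
        return self

    def review(self, user: str, managers: Dict[str, str]) -> "PrivilegedChange":
        """The monitor must be neither an actor nor a subordinate of one."""
        if self.executed_by is None:
            raise SoDViolation("nothing to review: change not executed")
        actors = {self.approved_by, self.executed_by}
        if user in actors:
            raise SoDViolation(f"{user} took part in this change and cannot review it")
        for actor in actors:
            if reports_to(user, actor, managers):
                raise SoDViolation(f"{user} reports to {actor} and cannot review their work")
        self.reviewed_by = user
        return self

    def complete(self) -> bool:
        return None not in (self.approved_by, self.executed_by, self.reviewed_by)


# Constructed sample organisation (assumed, not from the column).
ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"security_admin"},
    "bob": {"production_operator"},
    "carol": {"change_manager"},
    "dave": {"security_admin", "backup_operator"},  # conflicting pair
}
MANAGERS: Dict[str, str] = {"alice": "erin", "bob": "frank", "dave": "frank"}


def run_demo() -> Tuple[List[Tuple[str, str, str]], bool, List[str]]:
    """Flag conflicting role holders, complete one valid change, and collect the
    names of the shortcuts the workflow refuses."""
    conflicts = role_conflicts(ASSIGNMENTS)
    change = PrivilegedChange("open TCP/443 on web01", requested_by="bob")
    change.approve("carol").execute("bob").review("alice", MANAGERS)
    attempts = (
        ("self-approve", lambda: PrivilegedChange("x", "bob").approve("bob")),
        ("approve-and-execute", lambda: PrivilegedChange("x", "bob").approve("carol").execute("carol")),
        ("subordinate-reviews", lambda: PrivilegedChange("x", "bob").approve("carol")
         .execute("frank").review("dave", MANAGERS)),
    )
    blocked = [name for name, attempt in attempts if _raises(attempt)]
    return conflicts, change.complete(), blocked


def _raises(fn) -> bool:
    try:
        fn()
    except SoDViolation:
        return True
    return False
```

The requester is allowed to execute the approved change in this model; what it forbids is one person both approving and executing, or a participant (or their subordinate) signing off on the result. Tighten `execute` to also exclude `requested_by` if your policy requires four distinct people.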

Finally, implement the principle of least privilege, whereby users are given only the privileges required to perform their tasks. A security administrator may need to analyze server log files, so they will need read permission on those files, but there is no need to grant write permission as well; read-only access also means the logs they review cannot be altered by the reviewer. The principle of least privilege applies throughout an organization, right up to board level. A person's authorization rights in the system should match their tasks, not their seniority within the organization.

This was last published in February 2010
