Hands-free: Automating today's complex mainframe ID management needs

Users of large computing systems - like the mainframes made popular by IBM two decades ago - have to deal with increasingly complex issues surrounding user rights and the provisioning of users to these systems. Karel Rode, a business technologist at CA Africa, reveals how these systems are keeping pace with the latest demands made of them.
Johannesburg, 27 Mar 2006

Users of large legacy computing systems - like the mainframes made popular by IBM, Amdahl and Hitachi two decades ago - today have to deal with increasingly complex issues surrounding user rights and the provisioning of users to these systems.

This complexity is driven by a myriad of regulatory, statutory, audit, staffing and other topical administrative issues that need to be addressed.

Central to the debate is the significant number of "non-human" process identities (IDs) that are continuously created for batch jobs, started tasks, Customer Information Control Systems (CICS), terminals, File Transfer Protocols (FTPs) and so on.

These special groups of user IDs have come under the regulatory watchdogs' spotlight because they are highly authorised and privileged. They are allowed to bypass security checking, are password-exempt and include industry-known user ID names, for example, IBMUSER, OMVS, JES and HSM.

The problem

The problem centres on the security 'holes' that have developed and now exist in many companies due to the proliferation of user rights and IDs.

This is exacerbated because access can be grouped into 'obvious' and 'non-obvious' access.

Obvious access is access whose removal the administrator will notice, because the user loses access to a resource that was actually wanted.

Non-obvious access is access that the administrator will say is definitely needed by the user but has, in effect, already been granted to the user through some other resource.

This results in unneeded entries in the security database which are accumulated over time. There are three basic reasons for this accumulation:

Firstly, users gain unneeded access rights due to job changes and one-time requests. When new access is added, old access is seldom removed because users transition rather than cut over cleanly to a new position.

Secondly, obsolete access accumulates in two forms: access to resources that no longer exist, and redundant or unused access rights.

The third reason is that while user IDs are typically deleted when employees leave the company, the process may not catch every system and every secondary or alternate ID defined in the mainframe environment. Nor does it automatically remove access rights specific to the ID.

Moreover, cleanup is seldom done for IDs used for batch, started tasks, CICS, terminals, consultants and contractors.

Demands

The resultant confusion when access rights and user IDs become defunct and non-operational makes significant demands on operating systems, security systems, administrators and auditors.

For example, when a user has more definitions than are required, the operating and security systems must perform more input/output to retrieve the data.

This, in turn, requires more memory for processing and increased storage capacity.

For the system administrator, having more users and access rights to manage means more time spent on troubleshooting and repairing problems.

Excessive "junk" also makes it very difficult to know and trust what access is valid and active and what is inactive and possibly invalid.

The auditor's effectiveness is also impaired because pools of obsolete data must first be waded through in order to define what is relevant and what is not.

The challenge

Altogether, these problems can create uncertainty, errors, oversights and present a significantly greater potential for security exposures.

Today, the increase in regulatory, statutory and audit requirements mandates a mechanism to address obsolete, unused, redundant and excessive access rights.

This is a challenge for mature security environments and their security administrators.

This is because the creation of the security commands to remove obsolete IDs or access is itself a labour-intensive cleanup task.

However, another equally labour-intensive task, which is rarely performed, is the creation of commands to restore what was removed.

Until now, administrators have been looking for a solution that speeds up the process of cleaning up access rights and user ID definitions.

But what is required is a solution that automates these tasks.

Automatically answered

Automated security cleanup offers an immediate and substantial response to many of the questions facing information security today.

It helps organisations to move towards more efficient cleanup processes through the identification of active-versus-inactive user IDs, resource profiles, permissions and group connections.

Permissions usage is tracked down to each specific access-list entry, whether discrete, generic or conditional.

When the standard monitoring report is executed from the tracking file, the commands can automatically be produced.

Other big business benefits of an automated solution include unattended continuous operation, as well as accurate identification of 'access used' versus 'unused' status.

They also include the immediate generation of accurate commands to remove excessive access, together with the commands needed to re-implement any of the deleted access.
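As an added illustration (not the article's or eTrust Cleanup's code), the Python sketch below models the cleanup logic just described: it separates the 'obvious' case (entries the tracking file never saw used) from the 'non-obvious' case (a used user entry that a surviving group entry already covers), and emits both the removal commands and their restore counterparts. The RACF-style PERMIT syntax, the access-level ranking and all sample IDs are assumptions.

```python
from dataclasses import dataclass

# Access levels in increasing order of privilege (assumed ranking).
ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

@dataclass(frozen=True)
class Entry:
    profile: str  # resource profile: a discrete name or a generic pattern
    cls: str      # resource class, e.g. DATASET
    ident: str    # user ID or group named on the access list
    access: str   # access level this entry grants

def plan_cleanup(entries, used, groups):
    """Return (remove_cmds, restore_cmds) for an access-list state.
    used:   {(profile, cls, ident)} the tracking file credited with satisfying
            at least one access check; groups: user ID -> set of its groups."""
    # Obvious cleanup: entries the tracking file never saw exercised.
    unused = {e for e in entries if (e.profile, e.cls, e.ident) not in used}
    kept = [e for e in entries if e not in unused]
    # Non-obvious cleanup: a used user entry is redundant when a group the user
    # belongs to still holds an equal or higher level on the same profile.
    # Only entries surviving step 1 count, so no access is actually lost.
    redundant = set()
    for e in kept:
        for g in kept:
            if ((g.profile, g.cls) == (e.profile, e.cls)
                    and g.ident in groups.get(e.ident, ())
                    and ACCESS_RANK[g.access] >= ACCESS_RANK[e.access]):
                redundant.add(e)
                break
    doomed = sorted(unused | redundant, key=lambda e: (e.cls, e.profile, e.ident))
    remove = [f"PERMIT '{e.profile}' CLASS({e.cls}) ID({e.ident}) DELETE"
              for e in doomed]
    # Contingency: the exact commands that put every removed entry back.
    restore = [f"PERMIT '{e.profile}' CLASS({e.cls}) ID({e.ident}) ACCESS({e.access})"
               for e in doomed]
    return remove, restore

# Constructed sample (not from the article): a payroll dataset profile with a
# group entry and two user entries, plus a profile for a retired application.
SAMPLE_ENTRIES = [
    Entry("PAYROLL.MASTER", "DATASET", "PAYGRP", "UPDATE"),
    Entry("PAYROLL.MASTER", "DATASET", "JSMITH", "READ"),  # JSMITH is in PAYGRP
    Entry("PAYROLL.MASTER", "DATASET", "TCONTR", "READ"),  # contractor, never used
    Entry("OLDAPP.*", "DATASET", "BATCH01", "ALTER"),      # resource gone, unused
]
SAMPLE_USED = {("PAYROLL.MASTER", "DATASET", "PAYGRP"),
               ("PAYROLL.MASTER", "DATASET", "JSMITH")}
SAMPLE_GROUPS = {"JSMITH": {"PAYGRP"}, "TCONTR": set()}
```

Running `plan_cleanup(SAMPLE_ENTRIES, SAMPLE_USED, SAMPLE_GROUPS)` flags the two unused entries and the redundant JSMITH entry while leaving the group entry that still carries the access untouched.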

The automation process will of necessity include contingency planning, which reduces security risks and exposures while at the same time easing administration and improving responsiveness.

The process also enhances the auditability of any system by providing greater clarity and conciseness.

It goes without saying that the always-on '24x7' nature of the automated process enhances security performance and reduces staff workload.

From a regulatory standpoint, it entirely eliminates recertification, enables audit compliance and helps users adhere to privacy mandates while developing and/or refining role-based functions.

From CA's perspective, its eTrust Cleanup product delivers robust, leading-edge technologies that provide critical solutions to help organisations fulfil their identity management requirements.

While eTrust Cleanup is part of the CA Identity and Access Management (IAM) Suite, it is also available as a free-standing option.

The IAM Suite is one of the most comprehensive, integrated solutions that addresses security for legacy systems, distributed computing environments and emerging Web services. This open suite leverages industry standards for simplified, more manageable integration, support and deployment.


Editorial contacts

Karel Rode
Computer Associates Africa
(011) 236 9111
christy@hmcseswa.co.za