“Who watches the watchers?” Compliance has become a hot topic for organisations facing scrutiny under the plethora of regulatory controls such as Sarbanes-Oxley, HIPAA, Basel II and others. Many of these regulations deal with the security of access to information systems and with the provision of audit trails that supply the forensic evidence needed to determine who did what, where and when.
Unfortunately, audit trails and reporting of any kind are usually focused on the end user of a system or application, and not on the access of the operations personnel whose job it is to keep those systems running correctly.
To create a true system access audit trail, all modes of access must be monitored. This happens more or less automatically for applications that write log files, but not for systems and devices whose primary management interface is a serial console. True, these consoles tend to sit in a computer room with physical access controlled, but a locked door records neither who sat at the console nor which commands were executed there, let alone monitors, logs and archives those commands for regulatory compliance.
How often has changing a parameter on a device caused performance degradation on the network or system? How do you determine what command was issued, when and by whom? I have had instances where operations personnel and equipment service personnel have both denied making a change, yet I know without a doubt that a change must have been made, as the configuration does not match that required by the installation. Simple control of access to the serial port of the device in question, along with logging of every operation performed through that port, would have resolved the issue. Forget ‘Big Brother’ and think ‘Accountability’.
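As an added example that is not part of the original post and is not netPrefect's or Cyclone's code, here is a small Python sketch of the control just described: reconstruct the commands an operator types through a console port, log each one with operator, device and time in an append-only, hash-chained record, and use that log to attribute a running configuration that no longer matches the installation baseline to a specific command, operator and time. The operator name, device name and keystrokes are constructed, and an access-control layer that has already authenticated the operator before the session reaches this code is assumed.

```python
"""Audit trail for commands typed on a serial console (illustrative example).

Constructed for this article; not the netPrefect product or any vendor's code.
Assumes an access-control layer in front of the console port has already
authenticated the operator and hands us the operator name plus the raw bytes
they type. The device name and the sample keystrokes below are made up.
"""
import hashlib
import json

GENESIS = "0" * 64  # value the first record chains to


class ConsoleAuditLog:
    """Append-only log of (who, when, which device, which command). Each record
    carries the SHA-256 of its predecessor, so editing, deleting or reordering
    an entry after the fact is detectable by verify()."""

    def __init__(self, device):
        self.device = device
        self.entries = []
        self._prev_hash = GENESIS

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, operator, command, ts):
        rec = {"seq": len(self.entries), "ts": ts, "device": self.device,
               "operator": operator, "command": command, "prev": self._prev_hash}
        rec["hash"] = self._digest(rec)
        self._prev_hash = rec["hash"]
        self.entries.append(rec)
        return rec

    def verify(self):
        """True only if every record is intact and the chain is unbroken."""
        prev = GENESIS
        for i, rec in enumerate(self.entries):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["seq"] != i or rec["prev"] != prev or self._digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


class ConsoleSession:
    """Turns the byte stream typed by one operator into whole command lines.
    Handles backspace/DEL edits and CR, LF or CRLF line endings; other control
    bytes (arrow keys, escape sequences) are dropped rather than logged."""

    def __init__(self, log, operator):
        self.log, self.operator, self.buf = log, operator, bytearray()

    def feed(self, data, ts):
        """Consume raw bytes; return the audit records for any completed lines."""
        done = []
        for b in data:
            if b in (0x08, 0x7F):          # backspace / DEL
                if self.buf:
                    self.buf.pop()
            elif b in (0x0D, 0x0A):        # end of line; empty lines are not logged
                if self.buf:
                    done.append(self.log.record(self.operator,
                                                self.buf.decode("ascii", "replace"), ts))
                    self.buf.clear()
            elif 0x20 <= b < 0x7F:         # printable ASCII
                self.buf.append(b)
        return done


def attribute_drift(log, expected, observed):
    """For each parameter whose observed value differs from the installation
    baseline, return the logged commands that named it, so the change can be
    tied to an operator and a time instead of argued about."""
    drift = {}
    for key, want in expected.items():
        if observed.get(key) != want:
            drift[key] = [r for r in log.entries if key in r["command"].split()]
    return drift


# Constructed session: one operator, Cisco-style CLI, including a backspace
# correction ("mtu 1500" edited to "mtu 9000" before Enter is pressed).
SAMPLE_KEYSTROKES = [
    b"enable\r\n",
    b"conf t\r\n",
    b"interface gi0/1\r\n",
    b"mtu 1500\x08\x08\x08\x089000\r\n",
    b"end\r\n",
]


def build_sample_log(operator="ops1", device="core-sw-01", t0=1_700_000_000):
    log = ConsoleAuditLog(device)
    session = ConsoleSession(log, operator)
    for i, chunk in enumerate(SAMPLE_KEYSTROKES):
        session.feed(chunk, ts=t0 + i)   # one timestamp per chunk, for the example
    return log


if __name__ == "__main__":
    log = build_sample_log()
    for rec in log.entries:
        print(rec["ts"], rec["operator"], rec["device"], repr(rec["command"]))
    print("chain intact:", log.verify())
    # Baseline says MTU 1500, running config shows 9000: who did it, and when?
    print(attribute_drift(log, {"mtu": "1500"}, {"mtu": "9000"}))
```

Two design points matter in practice. Commands are reconstructed from the keystrokes rather than from the device's echo, so the log still captures what the operator typed when a device is unresponsive or has its echo disabled, and the edit keys are applied before logging so the record shows the command that was actually executed. The hash chain does not stop a privileged insider from truncating the whole log; it only makes any alteration of what remains detectable, so the log store itself still needs to be write-once or shipped off the box promptly.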
There are many “console access” solutions on the market, but not all of them provide the logging and advanced event detection that netPrefect from Cyclone Technology can be tailored to perform. Cyclone’s software has been the choice of many blue-chip companies as the simplest and most cost-effective way to collect and act on security information across the entire enterprise in real time, while aggregating logs of all security events by severity and type and creating a long-term audit trail.