[unisog] Separation of Duties

Trevor Odonnal trevoro at byu.edu
Mon Jul 9 17:23:18 GMT 2007


Hello all,

Here at BYU we are looking at a possible solution to an issue that has
been a problem for some time.  Currently our development, staging
(testing), and production environments are more or less mixed together.
This means that the engineers (server, software, and database) have the
same authority and access to production systems as they do to
development and staging systems.  This has led to an ongoing problem
with separation of duties.  Lately there has been an issue with
Engineers handling access control and security functions instead of the
Operations Security team (of which I am a part).  We have suggested to
upper management the following:

1.	Separate Development, Staging, and Production environments into
separate subnets.
2.	Separate Development and Staging authentication trees from the
Production authentication tree.
3.	Allow Engineers the right to maintain and manage security
functions in the development and staging environments as they see fit.
4.	Once a server, platform, or application has been fully tested
and placed into production, all security functions and access control
will be managed solely by the Operations Security and Account Management
groups.

The idea here is to maintain a level of accountability and separation of
duties in the production environment.  I have been given the task of
locating any other universities that may have put such a strategy in
place and opening a dialogue with them to determine how this change might
affect us here at BYU.  Is there anyone on this list who has implemented
a similar strategy to the one I have described above that would be
willing to share their experiences with us?  Thanks in advance to all
who respond.

Trevor O'Donnal CISSP, CCFE

Network Security Analyst

Brigham Young University

(801) 422-1477

trevoro at byu.edu