The Business Case for Auditing Your Servers

It is interesting that when I talk to IT professionals and ask them about their security and compliance requirements for their server infrastructure that in some instances IT pros tell me that auditing their server infrastructure doesn’t apply to their organization or they can kick the proverbial can down the road. I can understand that sentiment if their organization was a small-to-medium sized business that may not be a public company and have to deal with SOX, or not in a well regulated industry that has to deal with HIPAA or FERC/NERC, but when an larger organization that is in a regulated industry states that they don’t need auditing on all their servers it seems a bit of evangelism is needed to get customers to realize that it is in their best interest to do so. I would also argue that this same evangelism should be considered by smaller organizations. In this blog post and a few others to follow I am going to talk a bit more about auditing, and in this one will discuss the business needs for auditing your servers.

Coming out of the financial meltdown and in the face of number of ongoing security hacks (Zappos being the latest), the reality is that organizations right now are facing significant waves of regulatory compliance demands and security concerns. To address auditors’ needs and make sure proprietary information is not being stolen by insiders or outsiders, IT must have end-to-end visibility and control over users, applications, servers and devices to ensure the business is protected while being agile enough to respond to quickly changing business conditions. Historically this involved securing and locking down on-premise devices, servers and applications. Now the same type of security capabilities must apply to IT resources that are outside the firewall and are not directly operated by IT departments (e.g. servers being deployed on Amazon, Rackspace, etc.)

But often times the business justification cannot be articulated to senior management why auditing must occur, or IT organizations may think that detail auditing does not apply to their systems. Here are three business reasons why I believe your entire server infrastructure should be audited:

1. Compliance Demands Require It

Many IT personnel believe that industry and government compliance requirements don’t apply to their organizations. But if your company is public, takes credit card orders, stores patient health information, etc. your organization is on the hook to be compliant. The fact is the myriad of compliance regulations create ongoing challenges for enterprises in every industry and many companies must meet multiple requirements for internal controls (SOX), payments data security (PCI DSS), patient health information (HIPAA) and other industry specific requirements (GBLA, NERC/FERC and FISMA/NIST SP 800-53). For example, common to every major compliance regulation and industry mandate are requirements to ensure users authenticate with a unique identity, privileges are limited to only ones needed to perform job functions and user activity is audited with enough detail to determine what events occurred, who performed them and the outcome. Below is a table of some the compliance rules and the corresponding requirements for auditing:

Compliance rule Description
Sarbanes-Oxley Section 404 (2) …contain an assessment … of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
PCI DSS Section 10.2.1-2 10.2 10.2 Implement automated audit trails to reconstruct the [user activity], for all system components
1. Verify all individual access to cardholder data.
2. Verify actions taken by any individual with root or administrative privileges.
HIPPA 164.312(b) Audit Controls Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
NIST SP 800-53 (AU-14) The information system provides the capability to:
a. Capture/record and log all content related to a user session; and
b. Remotely view all content related to an established user session in real time.
NERC CIP-005-1 R3 (Monitoring Electronic Access) Implement and document an electronic or manual process(es) for monitoring and logging access

2. Mitigating Insider Attacks

It turns out that many of the security breaches that have made headlines over the last year occurred because of insiders causing damage vs. an outside hack. Mitigating the risk of insider attacks that can lead to a data breach or system outage remains a key concern for security managers. Several factors have led to an increase in insider incidents including the sharing account credentials, privileged users with many credentials across systems and assignment of privileges that are too broad with respect to the job responsibilities of the user. Because many organizations have privileged users that are geographically dispersed organizations must be have visibility into the activities of local and remote administrators and users.

For example, auditing user activity can create the accountability required for security and compliance including:

  • Capture and search historical user activity so that suspicious actions can be examined to determine if an attack is occurring — before the damage is done.
  • Change privileged user behavior through deterrents ensuring that trustworthy employees are not taking shortcuts and disgruntled employees know any malicious actions will be recorded.
  • Establish a clear, unambiguous record for evidence in legal proceedings and dispute resolution.

And insider threats are not going away, one report from US-CERT (with cooperation from the U.S. Secret Service) estimated that 86% of internal computer sabotage incidents are perpetrated by a company’s own technology workers and 33% of participants in the 2011 CyberSecurity Watch Survey responded that insider attacks are more costly than external ones.

3. Third-Party Access, Troubleshooting and Training

Today’s business environment is driving enterprises to find cost efficiencies at every level of their operations. Outsourcing, off-shoring and cloud computing are giving organizations agility, flexibility and the cost control they require to remain competitive but, organizations are still responsible for the security and compliance of their IT systems. This is made clearer in newly revised compliance requirements that specifically call out the enterprise’s responsibility when contracting Independent Software Vendors, Service Providers and outsourcing firms. In fact, the HITECH act enhancements to HIPAA closed one of the last loopholes related to third-party liability.

Third-party user access creates even more impetus to deploy auditing. In addition to the insider attacks and compliance demands already mentioned third-party access increases the pressure to quickly troubleshoot ailing systems, auto-document critical processes and create training procedures for personnel hand-offs, which occur more frequently with contractors and service providers.

So now that the arguments have been made to help justify implementing auditing for your server infrastructure, what are some of the tactics you can take, and what are the pros and cons of each? I will tackle that in my next blog post. [Special thanks to David Berman for help on the compliance aspect of this blog post.]