Cover V05, I11
Editor's Forum

Ah, security - a topic near and dear to all system administrators. This month's issue delves into various aspects of security as it relates to UNIX systems and their uses. Comparing the articles in this issue with the information that I received at the recent Usenix Security Symposium held in San Jose, California, I am left with similar impressions. First, while the basic aspects of security concerns remain relatively constant, those concerns multiply and become as distributed as our systems and software. Thus, the complexity of security administration is far greater than many managers realize. The second impression left by this issue and the Usenix event is that while the potential sources of security breaches seem more numerous, there are also numerous sources for security pearls of wisdom - tips and tricks to help you shore up the security around your systems. The challenge, of course, is to pick the right pearls and then string them together so they look "just right" when worn by your system.

Picking the right pearls is a matter of defining your security requirements after recognizing that those requirements are a balance between various operational objectives within your organization. A clear and concise definition of your security requirements will consume time, energy, and resources (another fact that management must understand). In the end, however, perusing the pearl patch will be easier and more efficient if you know the size and hue of the pearls you seek.

A security requirements document also eases the task of stringing the pearls. From that document you will know how the pearls should fit together and in what priority. The string becomes the cohesiveness of your overall security plan - in essence, that which holds together the various elements of your security policy. Similar to a real pearl string, your security plan's cohesiveness should also be as resilient and break-resistant as possible. Further, you will likely plan the stringing process long before you have all of the pearls in place.

Where is the pearl patch? It, too, is distributed. In addition to the resources listed in this issue, do not overlook traditional sources of UNIX-related information. If you were not able to attend the Usenix Security Symposium, consider obtaining a copy of the proceedings. Consider, as well, upcoming conferences. The annual Usenix Technical Conference will be held in Anaheim, California during January (see http://www.usenix.org) and will certainly include useful security information. Similarly, but in a more commercial vein, the annual UniForum conference will be held in San Francisco during March (see http://www.uniforum.org). And, dare I say, consider the security-product vendors who advertise in Sys Admin as information resources. While the products of these vendors may or may not fit your requirements, the technical specifications for those products can be enlightening.

Foremost, however, remember that security is a dynamic thing. Each day, along with its technological advances, will bring a new set of redefinitions of the same old security concerns. Stay flexible in your vigilance and remember to step back occasionally for a broader perspective.

Sincerely yours,
Ralph Barker