Editor's Forum
Ah, security - a topic near and dear to all system administrators. This month's issue delves into various aspects of security as it relates to UNIX systems and their uses. Comparing the articles in this issue with the information that I received at the recent Usenix Security Symposium held in San Jose, California, I am left with similar impressions. First, while the basic aspects of security concerns remain relatively constant, those concerns multiply and become as distributed as our systems and software. Thus, the complexity of security administration is far greater than many managers realize. The second impression left by this issue and the Usenix event is that while the potential sources of security breaches seem more numerous, there are also numerous sources for security pearls of wisdom - tips and tricks to help you shore up the security around your systems. The challenge, of course, is to pick the right pearls and then string them together so they look "just right" when worn by your system.
Picking the right pearls is a matter of defining your security requirements after recognizing that those requirements are a balance between various operational objectives within your organization. A clear and concise definition of your security requirements will consume time, energy, and resources (another fact that management must understand). In the end, however, perusing the pearl patch will be easier and more efficient if you know the size and hue of the pearls you seek.
A security requirements document also eases the task of stringing the pearls. From that document you will know how the pearls should fit together and in what priority. The string becomes the cohesiveness of your overall security plan - in essence, that which holds together the various elements of your security policy. Similar to a real pearl string, your security plan's cohesiveness should also be as resilient and break-resistant as possible. Further, you will likely plan the stringing process long before you have all of the pearls in place.
Where is the pearl patch? It, too, is distributed. In addition to the resources listed in this issue, do not overlook traditional sources of UNIX-related information. If you were not able to attend the Usenix Security Symposium, consider obtaining a copy of the proceedings. Consider, as well, upcoming conferences. The annual Usenix Technical Conference will be held in Anaheim, California during January (see http://www.usenix.org) and will certainly include useful security information. Similarly, but in a more commercial vein, the annual UniForum conference will be held in San Francisco during March (see http://www.uniforum.org). And, dare I say, consider the security-product vendors who advertise in Sys Admin as information resources. While the products of these vendors may or may not fit your requirements, the technical specifications for those products can be enlightening.
Foremost, however, remember that security is a dynamic thing. Each day, along with its technological advances, will bring a new set of redefinitions of the same old security concerns. Stay flexible in your vigilance and remember to step back occasionally for a broader perspective.
Sincerely yours,
Ralph Barker