What is SOX/CobiT?
In response to the major accounting scandals at Enron, WorldCom, Tyco and Global Crossing, and the billions of dollars they cost the US economy, President Bush signed the Sarbanes-Oxley Act into law in 2002, "to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws."
Sarbanes-Oxley (SOX) introduced significant changes to financial practice and corporate governance by requiring increased regulatory compliance from public companies and accountability for their financial health. The intent of the law is to reinforce corporate integrity and enhance investor confidence by requiring CEO and CFO certification of financial statements, mandating real-time disclosure of information important to investors, and establishing an oversight board (the PCAOB) for the accounting industry.
COBIT is the IT Governance Institute's IT governance and control framework. It is most frequently used to help achieve Sarbanes-Oxley Act compliance, but it also serves to ensure the security and availability of IT assets in general.
How do SOX and CobiT relate to AAA-based network security?
From an IT security perspective, SOX is vague in many areas, especially on the specifics of how to comply: it does not prescribe the information security procedures or processes that companies need to have in place, nor does it recommend any specific IT solution. On the other hand, some parts are very specific and have a direct impact on IT budgets. For example, the record-retention provision (Section 802) requires that records relating to an audit or review, including electronic records and electronic messages, be kept for "not less than five years." With this data-storage requirement it is clear that SOX has had, and will continue to have, a noticeable effect on corporate IT departments.
In addition to the obvious and "between the lines" IT requirements, SOX requires corporations to demonstrate sound internal controls over the business processes behind their financial reporting, and to assess and certify those controls on a recurring basis: management certifies with each quarterly and annual filing (Section 302) and reports on the effectiveness of internal controls annually (Section 404). Manually documenting and testing these controls is one way to do that, but the labor and time would be considerable and present a procedural and logistical nightmare. It makes sense, then, that companies look to automate as much of the process as possible with software and hardware platforms.
A typical AAA server such as Cisco Secure ACS holds three main classes of network security policy:
- Network end-user/identity access control (VPN, Wi-Fi, VLAN assignment etc.)
- Network administrator access control (typically TACACS+ device administration)
- AAA server administrator access control (i.e. configuration changes on the AAA server itself)
In addition to the raw policy data "locked up" inside the ACS database, the mass of accounting, authentication, administration, event and failure logs holds a wealth of valuable data. From the viewpoint of good governance it is critical to be able to:
- validate that the policies in place are actually working, with no unforeseen consequences
- easily spot exceptions and violations of policy
- run a forensic analysis of the logs to find out what really happened.
How aaa-reports! supports SOX/CobiT
Documentation & security policy validation
Most AAA server products have little or no ability to document their own configuration, which often leaves systems administrators taking screenshots of GUI screens.
aaa-reports! can directly import database information from Cisco Secure ACS in order to generate reports, for example:
- NEW! TACACS+ Device Admin (TDA) reports. These document everything from the ACS network configuration to shared Device Command Sets (DCS) and Network Access Restrictions (NARs), and how they are used. See aaa-reports! for TDA for more information.
- which device administrators have access to any given device (or set of devices)
- what privilege level is allowed to each admin group
- what account restrictions are in place, such as password expiration, address filters etc.
- what controls are enforced for each type of network access, e.g. wireless, VPN, dial etc.
- view the ACS users in the query builder, then filter, sort, query and export them
Policy audit
Having documented and validated the deployed policies, it is essential to put in place a sufficient audit plan to continually assess their effectiveness. aaa-reports! aids this process with a new set of enhanced TDA reports:
- what groups/users have access to specific devices (or device groups)
- what commands are authorised for groups/users on specific devices (or device groups)
- what users have policy that overrides their group settings
- what policy items are defined but not actually being used
- much more...
Also with exception reports:
- out-of-hours usage
- excessive failed authentications
- Network Access Restriction (NAR) failures
- device admin command authorization failures
- excessive numbers of sessions, throughput and/or duration
In addition to simply looking for exceptions, aaa-reports! includes an ever-increasing set of "canned" reports to drill down into network activity:
- have required configuration updates been successfully deployed to all access devices, and if not, which ones are missing them
- if a device was mis-configured, who was responsible, what did they do and when
- who had a given IP address on the network at a specific time
- how specific network services are being utilized
- many more...
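The exception and drill-down checks listed above (out-of-hours usage, bursts of failed authentications, command authorization failures, and resolving who held an IP address at a given time) reduce to a few queries over the AAA server's failed-attempt and accounting logs. The following is an added example of that logic in Python, written for this page and not code from aaa-reports! or Cisco Secure ACS; the CSV column names, the sample log lines, and the 08:00 to 18:00 Monday-to-Friday business-hours window are constructed assumptions for the example.

```python
"""Exception and drill-down checks over constructed AAA log lines (added
example, not aaa-reports! code). The CSV columns are an assumption for
this example; real AAA exports have their own layout and only parse()
would need to change to read them."""
import csv
import io
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed failed-attempt records: four rapid failures for jsmith at
# 02:11, one daytime failure for alice, one command-authz denial for bob.
FAILED_ATTEMPTS = """\
date,time,user,group,nas_ip,failure_code
2024-03-04,02:11:05,jsmith,NetAdmins,10.0.0.1,Invalid password
2024-03-04,02:11:09,jsmith,NetAdmins,10.0.0.1,Invalid password
2024-03-04,02:11:15,jsmith,NetAdmins,10.0.0.1,Invalid password
2024-03-04,02:11:21,jsmith,NetAdmins,10.0.0.1,Invalid password
2024-03-04,09:30:00,alice,NetAdmins,10.0.0.2,Invalid password
2024-03-04,14:02:44,bob,NetAdmins,10.0.0.3,Command authorization failed
"""

# Constructed accounting start/stop records; dave's Sunday session has no
# stop record and is treated as still open.
ACCOUNTING = """\
date,time,user,group,nas_ip,framed_ip,acct_status,session_id
2024-03-04,08:55:00,alice,VPN-Users,10.0.0.9,172.16.4.10,start,A1
2024-03-04,12:10:00,alice,VPN-Users,10.0.0.9,172.16.4.10,stop,A1
2024-03-04,12:30:00,carol,VPN-Users,10.0.0.9,172.16.4.10,start,C7
2024-03-04,23:15:00,carol,VPN-Users,10.0.0.9,172.16.4.10,stop,C7
2024-03-03,10:00:00,dave,VPN-Users,10.0.0.9,172.16.4.11,start,D2
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)  # assumed policy window


def parse(text):
    """Read CSV text into dicts, adding a combined 'ts' datetime field."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["date"] + " " + row["time"], TS_FORMAT)
        rows.append(row)
    return rows


def out_of_hours(rows):
    """Events on a weekend or outside the business-hours window."""
    return [r for r in rows
            if r["ts"].weekday() >= 5
            or not (BUSINESS_START <= r["ts"].time() < BUSINESS_END)]


def excessive_failures(rows, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` failures inside one sliding window.

    Returns {user: highest count seen in a window}, so failures spread
    thinly over a day are not reported as a burst."""
    by_user = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["ts"]):
        by_user[r["user"]].append(r["ts"])
    flagged = {}
    for user, stamps in by_user.items():  # stamps are sorted per user
        best = max(sum(1 for s in stamps[i:] if s - start <= window)
                   for i, start in enumerate(stamps))
        if best >= threshold:
            flagged[user] = best
    return flagged


def command_authz_failures(rows):
    """Device-admin command authorization denials from the failure log."""
    return [r for r in rows if r["failure_code"].startswith("Command authorization")]


def who_had_ip(acct_rows, ip, at):
    """Resolve which user held framed IP `ip` at time `at` (datetime or
    'YYYY-MM-DD HH:MM:SS' string). Sessions are paired by session_id; a
    start with no stop record is treated as still open."""
    if isinstance(at, str):
        at = datetime.strptime(at, TS_FORMAT)
    sessions = {}
    for r in acct_rows:
        if r["framed_ip"] != ip:
            continue
        s = sessions.setdefault(r["session_id"],
                                {"user": r["user"], "start": None, "stop": None})
        s[r["acct_status"]] = r["ts"]
    for s in sessions.values():
        if s["start"] and s["start"] <= at and (s["stop"] is None or at < s["stop"]):
            return s["user"]
    return None


if __name__ == "__main__":
    failed, acct = parse(FAILED_ATTEMPTS), parse(ACCOUNTING)
    print("bursts of failures:", excessive_failures(failed))
    print("out-of-hours events:", [(r["user"], r["time"]) for r in out_of_hours(failed + acct)])
    print("command authz failures:", [r["user"] for r in command_authz_failures(failed)])
    print("172.16.4.10 at 13:00 was:", who_had_ip(acct, "172.16.4.10", "2024-03-04 13:00:00"))
```

The sliding-window count in excessive_failures is what separates a genuine burst (four failures in sixteen seconds) from a user who mistypes a password once each morning, and who_had_ip treats a session with a start record but no stop record as still open, which is the usual state of a session that is live when the log is pulled or whose stop record was lost.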
Finally, aaa-reports! offers advanced features such as:
- consolidation of multiple log files into a single database, with built-in data archiving
- powerful search tools for building complex multi-parameter queries using a simple point-and-click interface, with no programming or knowledge of SQL required