Thought for the day: Linux access rights expose CIOs

Sarbanes-Oxley affects open source back-end systems, says Neil Chaney

June was a big month for IT directors of companies listed on any of the US stock exchanges, including UK firms, or having a close business relationship with a company listed there.

The Sarbanes-Oxley Act of 2002, which covers the need to protect the integrity of information provided to investors, set a deadline of last month for various criteria to be met.

According to Bloor Research, at least one chief information officer's neck is already on the block because he could not show adequate traceability of who did what to critical financial data and processes under his control.

Similar legislation is appearing in Europe. Commercial organisations will have to be able to demonstrate that they control who has access to what critical financial information and when.

In the US, non-compliance can result in fines or imprisonment. And what the US is doing today will happen here tomorrow.

It is time to review the issue, especially if you use Unix or Linux systems, which require administrators to have access at a level that allows them to view and change critical data without being audited.

Unix and Linux systems allow only two levels of user: named users, who can only access and manage their own files, and "root", which has unlimited rights. But the required level of data integrity for compliance cannot be ensured if someone has unlimited access to critical information in an unmonitored, unaudited environment.

And since Unix and Linux are true multi-user operating systems and each system has its own user repository, keeping user accounts and passwords in line is more time-consuming than, say, for Windows, which uses Active Directory for centralised user authentication.

However, Unix is still the operating system of choice for large back-end database servers for most ERP packages. There are two elements to the solution: maintain a central repository of all users and where they have accounts through identity management software; and restrict the use of the root accounts and audit their use.

There are about 30 packages with various levels of capability for managing users on Unix and Linux systems. Functionality varies dramatically from one supplier to another.

The restriction of the root account can be handled through free software, such as Sudo, which is somewhat cryptic, or commercial software from a few suppliers, including at least one product that fixes both problems.
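The traceability the article asks for only exists once privileged commands go through a tool such as Sudo and its records are actually reviewed. The script below is an added example, not code from the article or from Open Systems Management: it parses the syslog-style lines that Sudo writes, separates granted from denied commands, and flags any root command that touched a directory the administrator has declared to hold critical financial data. The hostname, user names, commands and the `/var/lib/erp/` path are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of the records sudo writes to syslog (typically
# /var/log/auth.log or /var/log/secure). Hostname, users and commands are
# invented; the sshd line shows that unrelated records are ignored.
SAMPLE_LOG = """\
Jun 12 09:01:10 erpdb01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
Jun 12 09:05:42 erpdb01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /var/lib/erp/ledger.db
Jun 12 09:07:03 erpdb01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jun 12 09:09:55 erpdb01 sudo:    carol : command not allowed ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/vi /etc/shadow
Jun 12 09:12:30 erpdb01 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=postgres ; COMMAND=/usr/bin/psql erp
Jun 12 09:15:00 erpdb01 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
"""

# Assumed location of the critical financial data on this server; in practice
# this list comes from the organisation's own data inventory.
CRITICAL_PATHS = ("/var/lib/erp/",)

# Sudo log line: "<user> : [<reason> ; ]TTY=.. ; PWD=.. ; USER=<target> ; COMMAND=<cmd>"
# The optional <reason> field is present only when the request was refused
# (e.g. "user NOT in sudoers", "command not allowed", "3 incorrect password attempts").
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_sudo_events(log_text):
    """Return one dict per sudo record; non-sudo lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["denied"] = event["reason"] is not None
        events.append(event)
    return events


def touches_critical_data(cmd):
    """True if the command line names a path inside a critical data directory."""
    return any(path in cmd for path in CRITICAL_PATHS)


def audit_report(events):
    """Summarise who ran what as which account, and what needs a second look."""
    report = {
        "by_user": defaultdict(list),   # user -> [(target account, command), ...]
        "denied": [],                   # (user, reason, command) for refused requests
        "critical": [],                 # (user, command) root commands on critical data
        "root_commands": 0,
    }
    for e in events:
        if e["denied"]:
            report["denied"].append((e["user"], e["reason"], e["cmd"]))
            continue
        report["by_user"][e["user"]].append((e["target"], e["cmd"]))
        if e["target"] == "root":
            report["root_commands"] += 1
            if touches_critical_data(e["cmd"]):
                report["critical"].append((e["user"], e["cmd"]))
    return report


if __name__ == "__main__":
    rep = audit_report(parse_sudo_events(SAMPLE_LOG))
    print(f"{rep['root_commands']} commands run as root")
    for user, cmds in rep["by_user"].items():
        for target, cmd in cmds:
            print(f"  {user} as {target}: {cmd}")
    print("Refused requests:")
    for user, reason, cmd in rep["denied"]:
        print(f"  {user}: {reason}: {cmd}")
    print("Root commands on critical financial data (review these):")
    for user, cmd in rep["critical"]:
        print(f"  {user}: {cmd}")
```

Run against a real auth log, the "critical" list is the evidence an auditor asks for: a named person, a timestamp and the exact command that touched the financial data. The "denied" list is equally useful, since a user who is not in sudoers asking for a root shell is worth a conversation regardless of whether the request succeeded.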

Doing nothing and hoping for the best should not be an option.

Neil Chaney is managing director of Open Systems Management
