Throughout the earlier items on our Top 10 List, the concept of access control came up rather frequently (either directly or indirectly), so let’s focus a bit more on it. As described in XYPRO’s HP NonStop Server Security Handbook, “Access Control is the whole array of tools and procedures used to limit, control, and monitor access to information and utilities. Access control is based on a user’s identity and membership in predefined groups. Access control makes it possible to control the use, availability, integrity, and confidentiality of objects and information on the HP NonStop Server.”
Clearly, access management is very important. However, it can be a daunting challenge to individually manage all the various access privileges for every user. The effectiveness of even an excellent security access management plan can be weakened when its corresponding administrative overhead is too high. With this in mind, we come to the #5 NonStop Security Fundamental:
#5: Strengthen access management with role-based access control (RBAC)Role-based access control (RBAC) is a security approach in which system access and permission rights are grouped according to user roles and then individual users are assigned to a role. The security system then makes access decisions according to the user’s role.
The idea here is quite simple: using role-based access can reduce management overhead and facilitate the implementation and enforcement of standardized access rules—all of which strengthens security access management.
While possible, setting up RBAC with Safeguard requires extensive administration. Third-party solutions, like XYGATE Access Control (XAC), provide a more manageable method of implementing RBAC. The single, major difference between XAC and Safeguard RBAC is the ability to define control by job function in XAC. Safeguard simply isn’t architected for role-based control whereas a solution like XAC is designed for it.
Using ACLGROUPs for RBAC. As with all XYPRO products, XAC is developed around the concept of ACLGROUPs. ACLGROUPs allow you to define control based on job function (database administrator, systems administrator, security administrator, etc.). You start by defining roles THEN you add users to those roles. Users can have zero or more roles. Access is granted based on the role as opposed to the user.
For example, ACLGROUPS can be used to provide different access rights, based on role, to SQLCI functions. Let’s say all database administrators are assigned to the “DBA” group and need full access to SQLCI functions. To enable this, a rule is written in the DBA ACLGROUP to allow this role unfettered access to SQLCI and all other database manipulation functions and utilities. However, system administrators may only need read-only access to SQLCI; therefore, their ACLGROUP (let’s call it “SYSADMIN”) is written to allow just read-only access to SQLCI (with PURGE, UPDATE, DROP, ALTER and CREATE disabled) . Now, managing individual users’ access is as simple as assigning them the appropriate roles—ACLGROUP rules will then correctly determine access rights.
The RBAC in this example requires only a small number of rules in XAC that can be applied to zero or more users using wildcards/regular expressions—and that can be extended to aliases. Once the rules are in place, you can add or remove users’ access to functions at any time.
Doing this in Safeguard requires a unique rule per user per subsystem/binary/program. Safeguard does NOT have the ability to limit access to specific commands within a subsystem as XAC does. So, while possible, RBAC in Safeguard, requires extensive manual intervention and an enormous amounts of rules—and every change introduces an opportunity for human error that could lead to stability issues.
Don’t forget auditing! Using XAC for RBAC provides another important benefit: XAC auditing can also be done at a much lower level. Safeguard can record what userid accessed what object at what time, but little else. With XAC, exact commands and output can be logged with non-repudiation (XAC can be configured to prompt for the users password before allowing sensitive commands).
A major note for alias users: Safeguard auditing and protection are always based on the underlying userid. Safeguard does not treat aliases as unique, only the underlying userid. XAC (and all XYGATE modules) can differentiate between aliases and grant/revoke access and audit based on userid and/or alias.
Alright, well that’s #5: Strengthen access management with role-based access control (RBAC). RBAC simplifies security administration and can enable a greater degree of security and control for your HP NonStop systems.
Stay tuned to the XYPRO blog site—next up on our list is NonStop Security Fundamental #4. Also, get notified automatically when new XYPRO blogs come out by following XYPRO on LinkedIn or Twitter.
For more information or help: More in-depth information and guidance on these security subjects are available in XYPRO’s NonStop security handbooks: HP NonStop Server Security: A Practical Handbook and Securing HP NonStop Servers in an Open Systems World: TCP/IP, OSS and SQL.
You may also contact XYPRO for assistance. For over 30 years, XYPRO has provided NonStop security solutions and services that help companies protect their NonStop systems and comply with industry regulations (such as PCI DSS, HIPAA, and SOX).