Super privilege accounts, an IT double bind

An IT organization must be able to demonstrate that even Windows Administrator, Unix root and related super privilege accounts can be controlled. It must be emphasized very strongly that the business cannot tolerate mistakes induced by IT that surface without warning.

Inadvertent use of, or access to, these accounts can be devastating to the business and to its reputation with stakeholders.

Controlled means that all systems are used by everyone who is authorized, without IT people having to look at, tinker with and update configuration from time to time. Everything in the production systems is final, except for the regular software and firmware updates that must be applied, and even those must be approved first. There are chokepoints where a system malfunctions (software is released but will require regular updates, and stability, if any, is achieved only that way), but they are only temporary and can be fixed easily by focusing on the affected account or process. They do not impact the business system or the whole of IT operations. With monitoring and regular maintenance work, 99.999% uptime in all business systems is achievable.

The use of such super privilege accounts must be managed according to IT necessities. Each use must be approved by company management or an assigned officer-in-charge beforehand, with the request indicating the specific need (for instance, which application or which resource is to be accessed, and why) and where it will be used (which computer or server). Once approved and as soon as it is used, even when system monitoring and alerting have been provisioned for such activities, whoever uses the account must still record their login time and logout time, and any further proof there is. It is better to be sure of everything, especially where business operations or production systems are concerned.

The IT team can also show, alongside the approved environmental and logical controls, that the data and documents of employees and of primary stakeholders, especially those containing personal and privileged information, are protected, and that relevant mechanisms are in place to protect organizational and enterprise computing systems and information.

And for customer service's sake, IT personnel should be able to accommodate promptly any request from anyone who inquires about their IT resources, credentials and data: where they are stored, when they are processed, and how they are managed and secured. It is a good way to show stakeholders or colleagues, through the technical facilities, that their own resources are accessible to, and can be manipulated only by, their respective owners. However, this has not been a normal activity within IT and is mostly not done because of limited allocated IT resources, and worse still when there are no capable technical facilities at all.

An organization can emphasize that IT is for business purposes, as it would state in its business conduct and practices. IT practitioners must revisit these texts and adjust them where senior management has overlooked something, be open about their activities so that everyone, or at least their colleagues, understands them, and then apply them technically across the enterprise or business systems. Without these, we have the usual IT that loiters with trigger-happy fingers while business people do not understand, or have no say at all, even when their production is being affected and, worse, the business is performing badly.

Say senior management cannot be bothered from time to time about the super privilege account. Would they rather give it away and cross their fingers that everything will be okay? That is laxity, and an accident may just be waiting to be unleashed.

Super privilege account usage can be monitored, but monitoring alone will not prevent the deliberate and harmful execution of commands. It can, however, be secured by another layer: say, the account stays with the systems and/or security administrators, but getting through requires additional authentication, the so-called MFA or 2FA, whether by voice call, SMS, push notification, FIDO, Symantec VIP, RSA security key or perhaps digital certificates. System, application and data-related commands must also be approved before they are executed, and if a platform has no capability for that, then at least it must be stated in a policy and be known very clearly by the concerned technical staff.


Administer with the super privilege accounts once, with finality, and after that use them only for system maintenance and, probably, when there is a need to dig a little deeper into suspicious activities.
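As an added example (not the author's code and not any product's API), the following Python models the workflow the post describes for a super privilege account: a request stating the need and the target host, approval by an officer-in-charge, a second-factor check before the session opens (a plain RFC 4226 HOTP code stands in for the push, SMS or FIDO factors named above), login and logout times written to an append-only ledger, and a per-command approval gate. All names, the host and the shared secret are constructed for illustration.

```python
"""Approval, second factor and session ledger for a super privilege account.

Added example with constructed names, host and secret; it is not the post
author's code and not any product's API.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Iterable, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class UseRequest:
    """What must be stated before the account is touched: who, which account, where, why."""
    requester: str
    account: str                       # e.g. "root" or "Administrator"
    host: str                          # which computer or server
    need: str                          # the specific need and why
    approved_by: Optional[str] = None
    approved_commands: frozenset = frozenset()


class Ledger:
    """Append-only record of login/logout times and every command attempted."""

    def __init__(self) -> None:
        self.entries: list = []

    def record(self, event: str, **fields) -> dict:
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "event": event, **fields}
        self.entries.append(entry)
        return entry

    def events(self) -> list:
        return [e["event"] for e in self.entries]


def approve(req: UseRequest, officer: str, commands: Iterable[str], ledger: Ledger) -> UseRequest:
    """The officer-in-charge approves the request and the exact commands it may run."""
    req.approved_by = officer
    req.approved_commands = frozenset(commands)
    ledger.record("approved", requester=req.requester, account=req.account,
                  host=req.host, need=req.need, by=officer)
    return req


class PrivilegedSession:
    """Gate order: approval first, then the second factor, then only approved commands."""

    def __init__(self, req: UseRequest, ledger: Ledger, secret: bytes, counter: int = 0) -> None:
        self.req, self.ledger = req, ledger
        self._secret, self._counter = secret, counter   # second-factor material (constructed)
        self.is_open = False

    def login(self, code: str) -> None:
        who = dict(requester=self.req.requester, account=self.req.account, host=self.req.host)
        if self.req.approved_by is None:
            self.ledger.record("login_denied", reason="not approved", **who)
            raise PermissionError("use of the account has not been approved")
        if not hmac.compare_digest(code, hotp(self._secret, self._counter)):
            self.ledger.record("login_denied", reason="second factor failed", **who)
            raise PermissionError("second factor check failed")
        self._counter += 1          # a used code never opens a second session
        self.is_open = True
        self.ledger.record("login", approved_by=self.req.approved_by, **who)

    def run(self, command: str, executor: Callable[[str], str]) -> str:
        if not self.is_open:
            raise RuntimeError("session is not open")
        if command not in self.req.approved_commands:
            self.ledger.record("command_denied", command=command, requester=self.req.requester)
            raise PermissionError(f"command not approved: {command}")
        self.ledger.record("command", command=command, requester=self.req.requester)
        return executor(command)

    def logout(self) -> None:
        self.is_open = False
        self.ledger.record("logout", requester=self.req.requester,
                           account=self.req.account, host=self.req.host)


def demo() -> Ledger:
    """Walk the workflow end to end and return the ledger for inspection."""
    ledger = Ledger()
    secret = b"12345678901234567890"   # the RFC 4226 test secret, used here as a constructed value
    req = UseRequest("alice", "root", "db-01.example.invalid", "apply security patches")
    session = PrivilegedSession(req, ledger, secret)
    try:
        session.login(hotp(secret, 0))          # refused: nobody has approved the use yet
    except PermissionError:
        pass
    approve(req, "officer-in-charge", {"apt-get upgrade", "reboot"}, ledger)
    try:
        session.login("000000")                 # refused: wrong second factor
    except PermissionError:
        pass
    session.login(hotp(secret, 0))              # login time lands in the ledger
    session.run("apt-get upgrade", lambda c: f"ran: {c}")
    try:
        session.run("shutdown -h now", lambda c: f"ran: {c}")   # not on the approved list
    except PermissionError:
        pass
    session.logout()                            # logout time lands in the ledger
    return ledger
```

Calling `demo()` walks through a refused unapproved login, a refused wrong second factor, an approved command and a denied one; the ledger it returns is the record the post asks the user of the account to keep. In a real deployment the gate sits in the platform's own mechanism (sudo rules, PAM modules or a privileged-access vault) rather than in a Python class, and where a platform offers no command gate at all the post's fallback applies: state the approval requirement in policy.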
