[MUSIC] In this lesson, I'll talk about separation of duties. Separation of duties is important as system administrators to not only ensure that we are doing the correct things at the correct times, but also that it stands up to scrutiny. We're going to look at a case study or, at least, a scenario that describes how we should do separation of duties. We're going to look at how auditing is critical for system administration and also look at how daily operation plays into what we should be auditing. So let's say that we are a system administrator for a bank or an online retailer, or a retailer in general. We're going to have financial systems. Those financial systems are critical to our business. So let's say that a system administrator, myself, and another person are the only two people or maybe there's a third person that knows that system and is the administrator of that system. So what happens if we have to open up a port just for a few minutes? One of your colleagues says hey, we need to check something real quick. And so we open up the port. If we forget to close it, what happens? Somebody may get in. So we need to have checks and balances in place. One of those checks and balances is called separation of duties. And this is separate from normal system administration. So how do we prove that something happened or didn't happen? We can't trust the other system administrators to make sure that they did something. Because they're systems administrators. They probably have administrator access or in the case of Linux maybe root access to a server. We need another party that is impartial to the system looking at the security of everything. So, what happens if there's an investigation? Do you perform it as a system administrator or does somebody else? We need that separation because it stands up to scrutiny. So if I am the one that is looking at the files, could I destroy some evidence? Probably.
So somebody that has at least some knowledge of the system may be able to be that impartial third party. If you tell on your other system administrators that they may be doing something that's not right, you're also going to look bad, but you could report that to a third party and they could investigate. As system administrators, remember last, a couple of lessons ago, I actually talked about integrity. We need to have integrity, but that's not always everybody's MO. Okay. So we need an impartial third party. We need other checks and balances in place for that separation of duty. Somebody that's looking at the system and somebody, well, is auditing the system, and somebody that is also administering the system. Separation of duties allows two parties, groups or teams to become the checks and balances for the other person. Or the other team or group or whoever has the system. Their job is for system administration, for example. So for PCI, payment card industry, we may have different entities checking other entities. So let's say that we're a retailer, and we have multiple stores. We have a security person from one store and a security person from another store. They may not have access to each other's other systems, however, we could, as system administrator from this store, investigate their system and they could investigate ours, so we have that scrutiny between two different parties, even though we manage the same type of systems, okay? Each party needs to act independently, needs to act impartially to make sure that it stands up to scrutiny. So that we have non-repudiation as well. It also eliminates conflicts of interest. Conflicts of interest are those conflicts that make somebody seem like they're doing something for benefit, okay? So the importance of auditing. Auditing systems allow us to ensure that things are being done correctly, updates are being applied to a system or, let's say that log files are being rotated properly. Okay.
Disks, hard drives, for example, are not failing. So auditing ensures the ongoing operation of a system. So the person that is administering the system is going to be different from the person that is auditing the system to have that checks and balances. We see this in industry all over the place. PCI, again Payment Card Industry for example, uses auditing constantly. We also see this in HIPAA law, healthcare law, okay? So the importance of daily operation versus auditing, while auditing may make sense to you, and if it's working as intended, we shouldn't see anything, we still need those checks and balances. So, even though we have a daily operation and systems are normal, how do we ensure the normalcy of the system? We need auditing in place, okay? Impartial third parties also can provide this type of auditing. Examples of types of audits include risk assessments, PCI DSS audits, penetration tests, HIPAA audits as well. So in conclusion, separation of duties allows us to have checks and balances between two groups or entities to make sure that systems are operating normally and functioning to the best they can while ensuring security. When we're planning for systems or services, we need to make sure that we have some kind of separation of duties in place.