18.1. Introduction

Security administration takes place in an ever-changing landscape of new systems, new vulnerabilities, and new tools. As threats to computer security evolve, so too do the practices and tools of security administration. On one level, computers are being used in larger numbers and in broader applications, forcing security administrators to deal with increasingly large volumes of information and placing correspondingly greater demands on their tools. Many existing tools place much of the cognitive load of analysis on the user, an unacceptable situation given the trend toward ever more computers and network traffic to monitor. Administrators would clearly benefit from advances in analytics, automation, and visualization tools. On another level, computer systems are increasingly connected, providing access for an ever-wider variety of client systems, including laptops, cell phones, PDAs, etc. This diversity of computing devices complicates security management and planning significantly. Increasingly complex software architectures create more opportunities for vulnerabilities to arise: with more components integrated and interacting in various ways, there is a growing potential for unanticipated vulnerabilities. Sometimes security breaches exploit multiple vulnerabilities in combination, making patterns of attack hard to predict. As a result, security administrators need to know how the various devices and systems work and interact in order to analyze developing situations. In short, all of these changes to the information technology landscape make the job of the security administrator increasingly difficult. So how do security administrators secure our computing systems, defend them against attacks, limit damage proactively, and recover from attacks rapidly? In this chapter, we describe results from our ongoing field studies of system administration at various computing centers across the U.S.
In these studies, we examined the work practices, tools, organization, and environments of security, database, web, storage, and operating system administrators. So far, we have conducted 10 such field studies, in which we observed approximately 25 administrators over a total of 40 days.[1], [2] We collected about 250 hours of video, which we analyzed to varying degrees of detail. Our approach in these studies has been ethnographic: we entered the system administrators' environments and observed their practices, tools, and interactions for extended periods of time. Our analysis is based on Grounded Theory,[3], [4] in which ethnography is not used to validate a previously formulated hypothesis; instead, all conclusions are drawn from what we observed.
In this chapter we focus only on our findings in the area of security administration. We start with an overview of the attacks that security administrators work to prevent and the tools they use toward this end. We then give an overview of the current practices of security administration by profiling two representative security administrators, and present five case studies that illustrate security work and the challenges security administrators face. We also discuss how current tools support, or fail to support, security administrators' practices. Lastly, based on these findings, we outline some of the opportunities that lie ahead for improving security administration tools.