5.4. Separation of Duties
Separation of duties is the principle that it's better to assign pieces of security-related tasks to several specific individuals. If no one user has total control of the system's security mechanisms, no one user can completely compromise the system. This principle is related to another important security principle, that of least privilege, the idea that the users and the processes in a system should have the least number of privileges, and for the shortest amount of time, needed to do their work.
In many systems, the system administrator has total control of the system's daily operations and security functions. In secure systems, this concentration of power in a single individual isn't allowed. It's obvious that in such systems, ordinary users shouldn't be allowed to perform security-related functions (except those that are discretionary to them, such as protecting files they, themselves, own). It may not be so obvious that security-related functions should not automatically be in the bailiwick of the system administrator, who takes responsibility for other important system operations.
In highly secure systems, as many as three distinct, complementary administrative functions, or roles, may be required: a system administrator, a security administrator (sometimes called an Information System Security Officer or ISSO), and an operator.
Typical system administrator/operator functions include:
Typical security administrator functions include:
If an operator role is defined, the operator may perform some of the more mundane system administrator duties, such as doing backups.
The system administrator, the security administrator, and the operator may not always be different people, but in a secure system their roles must be clearly divided. Whenever the system administrator assumes the role of security administrator, for example, the person must switch hats thoroughly enough so the system is aware that the person is changing roles.
Suppose the person serving as system administrator needs to perform a security function, for example, starting up an auditing program. She will typically have to exit from the system administrator interface and switch, in some system-defined way, to the security administrator interface before being able to run the program. Although cumbersome, this process clearly reinforces the system administrator/security administrator's understanding that the two roles are very different, with clearly delineated responsibilities that are monitored by the system. The system administrator and the security administrator play complementary roles that provide checks and balances on each other.
In some ways, these roles meet the objective of the so-called two-man control discussed in government security guidelines, the idea that it's much less likely that two people will conspire to breach security. For example, the system administrator's job is to add new users to the system; the security administrator's is to assign a password, a clearance, and other security information to that user's account. The security administrator usually must create system administrator accounts; the system administrator cannot create his own.
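The role switch, the per-role privileges, and the two-person control described above can be modelled in a few dozen lines. The following Python is an added example, not code from the book or from any real operating system; the role names, the operation table, and the people (alice, bob, carol, dave) are all constructed for illustration. It shows the three points the text makes: a person must explicitly assume a role before privileged work (and the switch is recorded), each operation is bound only to the role that needs it, and an account created by one person is unusable until a different person, acting as security administrator, assigns its password and clearance.

```python
"""Toy separation-of-duties model (constructed example, not a real system).

Roles are assumed explicitly (the "hat switch" in the text), every privileged
operation is permitted only to the role that needs it (least privilege), and
enabling a new account needs a second person (two-man control)."""
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    USER = "user"
    SYSADMIN = "system administrator"
    SECADMIN = "security administrator"
    OPERATOR = "operator"


# Least privilege: each operation lists only the role(s) that need it.
PERMISSIONS = {
    "create_user_account": {Role.SYSADMIN},
    "create_sysadmin_account": {Role.SECADMIN},   # sysadmin cannot mint peers
    "assign_password_and_clearance": {Role.SECADMIN},
    "start_audit": {Role.SECADMIN},
    "run_backup": {Role.SYSADMIN, Role.OPERATOR},
}


class SeparationOfDutiesError(PermissionError):
    pass


@dataclass
class Session:
    person: str
    authorized_roles: set          # roles this person is allowed to assume
    active_role: Role = Role.USER  # everyone starts as an ordinary user


@dataclass
class SecureSystem:
    accounts: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def assume_role(self, session, role):
        """Explicit role switch, logged so the system knows who wears which hat."""
        if role not in session.authorized_roles:
            raise SeparationOfDutiesError(f"{session.person} may not act as {role.value}")
        self.audit_log.append((session.person, "assume_role", role.value))
        session.active_role = role

    def _authorize(self, session, operation):
        """Check the *currently assumed* role, not everything the person could be."""
        if session.active_role not in PERMISSIONS[operation]:
            self.audit_log.append((session.person, "DENIED " + operation, session.active_role.value))
            raise SeparationOfDutiesError(
                f"{operation} needs {[r.value for r in PERMISSIONS[operation]]}, "
                f"but {session.person} is acting as {session.active_role.value}")
        self.audit_log.append((session.person, operation, session.active_role.value))

    def create_account(self, session, username, privileged=False):
        self._authorize(session, "create_sysadmin_account" if privileged else "create_user_account")
        if username == session.person:
            raise SeparationOfDutiesError("nobody creates their own account")
        # The account exists but stays unusable until a different person enables it.
        self.accounts[username] = {"created_by": session.person, "privileged": privileged,
                                   "clearance": None, "enabled": False}

    def assign_password_and_clearance(self, session, username, clearance):
        self._authorize(session, "assign_password_and_clearance")
        acct = self.accounts[username]
        if acct["created_by"] == session.person:
            raise SeparationOfDutiesError("two-man control: creator cannot also enable")
        acct["clearance"] = clearance
        acct["enabled"] = True

    def start_audit(self, session):
        self._authorize(session, "start_audit")
        return "auditing started"


def attempt(fn, *args, **kwargs):
    """Run an operation and report whether the policy blocked it."""
    try:
        fn(*args, **kwargs)
        return "allowed"
    except SeparationOfDutiesError:
        return "denied"


def walkthrough():
    """Constructed scenario: alice may wear both admin hats, bob only the security one."""
    system = SecureSystem()
    alice = Session("alice", {Role.SYSADMIN, Role.SECADMIN})
    bob = Session("bob", {Role.SECADMIN})
    results = {}
    system.assume_role(alice, Role.SYSADMIN)
    results["sysadmin creates user"] = attempt(system.create_account, alice, "carol")
    results["sysadmin creates sysadmin"] = attempt(system.create_account, alice, "dave", privileged=True)
    results["sysadmin starts audit"] = attempt(system.start_audit, alice)
    system.assume_role(alice, Role.SECADMIN)  # the explicit hat switch
    results["secadmin starts audit"] = attempt(system.start_audit, alice)
    results["creator enables own creation"] = attempt(
        system.assign_password_and_clearance, alice, "carol", "SECRET")
    system.assume_role(bob, Role.SECADMIN)
    results["second person enables"] = attempt(
        system.assign_password_and_clearance, bob, "carol", "SECRET")
    results["carol enabled"] = system.accounts["carol"]["enabled"]
    results["role switches logged"] = sum(1 for e in system.audit_log if e[1] == "assume_role")
    return results


if __name__ == "__main__":
    for step, outcome in walkthrough().items():
        print(f"{step:32s} {outcome}")
```

The point of checking `active_role` rather than `authorized_roles` is that alice, who holds both administrative roles, is still refused the audit operation while she is acting as system administrator; she has to switch, and the switch leaves a record. The `created_by` comparison is what turns account creation into a two-person operation: no single session, whatever roles it can assume, can both create and enable an account.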