2012 JiJi Technologies All rights reserved. Privacy Policy

Transcription

1

2 Page 02 INDEX Introduction:...3 Problem Definition: Security Auditing: Audit Logs: Compliance Adherence with Organization s security policy...4 Audit requirements for IT infrastructure:...4 Factual Data Audit: (Prevalence Audit)...4 Change Audit:...4 Real Time Alerts:...4 Technologies to be audited:...4 Existing Solutions...4 Snapshotting:...5 Real Time Alerts:...5 JiJi s Innovative Solution...6 Effective Prevalence Reports:...6 Change Auditing Solutions:...6 Accuracy Mode:...6 Periodic Polling:...7 Benefits...7 Real Time Alerts...7 Scheduled Delivery:...7 Architecture:...7 System Live Monitoring:...8 Event Log Synchronization:...8 Analyzing Event Logs:...9

3 Page 03 Introduction: IT Audits are required to keep the business process clean, clear and compliance with the state and federal laws. It also helps the IT administrators to find any discrepancies in systems securities, as well as enforcing pre-defined company s IT policies. A company, which responsibly meets the compliance and security, wins the confidences of their investors and clients. Problem Definition: IT Administrators are burdened with cross-checking, validating and resolving a huge number of problems to keep the IT environment safe and secure. The significant problems are penned here. 1. Security Auditing: There is no gainsaying of the fact that in every IT industry, the prime cause of concern is security of the data and hence naturally everybody will be hell-bent on protecting their data by way of auditing toward off unauthorized accesses. In a real time example, it will be lurking danger if a company allows one of its former users to leave the company without proper de-provisioning. Hence it is very essential to be in possession of various types of reports about AD for identifying the threats. But windows servers will be of little help to offer any reports about AD. 2. Audit Logs: To extend our resource management capabilities, we offer control to multiple sets of users for the resource(s). Now, the problems remain unanswered when one poses famous questions like, Who, What, When and Where the changes were effected. Under these circumstances, the Audit Logs get prominence for getting every action analyzed thoroughly when faced with any problems. Although Windows Event Logs is capable of capturing AD, GPO events, it offers us a huge stock of every window events. Hence if anyone ventures to go through them, find it cumbersome and tedious. Apart from that, the logs are poor in description of the changes. As a result of which actions could not be matched properly. 3. Compliance The organizations, which are required to comply with the regulations of HIPAA, SOX etc. have a duty cast upon them to audit as to how the users use their authorizations.

4 Page Adherence with Organization s security policy Every organization has a bounden duty to formulate a security policy as a guideline for streamlining their security as and when required. Since it is a basic necessity for security planning, one should be vigilant in ensuring its adoption in letter and spirit. For this purpose, it is important to audit the security policy of the organization to see that it is up to the mark to the organization s requirements. During the audit, factors such as password complexities, maximum password age of a user, account lockout processes and other configured audit policies must also be considered. Audit requirements for IT infrastructure: The threats and problems which are identified and known lead us to plan and define the auditing requirements. We must first define the possible categories of auditing. Factual Data Audit: (Prevalence Audit) The prevailing data obtained from systems must be duly considered for auditing. Quantitative reporting on current status could be a good solution. However, the requirement spreads further. Since the quantum of reports obtained will be a huge one, it will be a daunting task to the Auditor to analyze all. It will be of immense help to him if the above reports are defined and filtered so that he can search and export without any hassle. Change Audit: This audit is for raking through the history for information. The records of past events help us to learn about the causes. Apart from this, subscribing for real time message alerts for high sensitive changes is a must for avoiding risks. Every actions/change must be recorded with the details of Who, When, What and Where. Real Time Alerts: Though there are existences of change auditing solutions, it will be not complete without real time alert for high sensitive changes. Also, the alert must carry change information such as Who, When, What, Where to their subscribers. Technologies to be audited: In order to make the IT organizations to comply with all the regulations stipulated in the Audit Policy, it is imperative to audit the following windows server components. Active Directory: Active Directory provides a centralized management solution for an IT environment, which does authentication and authorization of users. This is a big system, which must be audited for locating proper access privileges and actions happening on day to day basis. Group Policy Objects: GPO controls the working environment of users and computers in a centralized environment. Auditing GPO configuration settings, such as password policies, account policies and audit log policies are mandatory to keep the environment safe and secure. Exchange Server: For auditing mailbox restrictions, usage of mail boxes in exchange, servers are predominant SharePoint server: While auditing the changes like when a document or item is edited, viewed, checked in or checked out, deleted, or its permissions changed, share point auditing naturally gets its paramount place

5 Page 06 Existing Solutions In the IT industry, nobody can be blind to the fact that the market is thriving with tons of solutions for auditing of enterprise systems. Naturally everybody will be in a dilemma if asked to choose a suitable and cost-worthy solution to match with their requirements. It is true that most of the solutions will be able to generate various kinds of reports which the administrator may be looking for. To mention a few reports among the voluminous reports are, inactive users reports, lost logon reports, reports based on shared resources, group reports etc. In this connection it will not be out of place to mention here that the above reports are directly pulled up from the AD. In the case of small organizations, there will not be much problem to lay their hands on the reports from the AD. But for the administrators in big organizations, it will be an unenviable task since they have to cater to the needs of huge numbers of entities in their networking process they may have to squander their considerable energy and time, as huge retrieval from AD, directly turns the application non responsive or to work slow. Snapshotting: Some of the companies provide change audit reports which may display approximate history of changes, leaving a lot to their guessing. They tend to use periodic snapshot for active directory and compare the difference between the data stored on the previous snapshot and the present one. As a result, the monitoring will be given up between the snapshot periods. For an example when an object undergoes change from A-> B->C->D within a day and the administrator opts to looks at the tool once in a week, he will rightly feel that the object has changed from A to D leaving the gap unfathomed. He will be utterly in the dark with regard to the happenings between A and D. Failing Scenario: Consider the case shown in the following figure. As shown in the figure, if a user joins a security group and removed subsequently within the snapshot period, then no changes will be reported. No alerts will be sent, though subscribed for changes. It leaves us in a guess as to what has happened during the snapshot period within the system. Increasing the snapshot frequency to tighten the secure, will in turn piles plenty of loads on your application servers which cause the application to work slow and abnormal. In this way it proves that it is not a complete change auditing solution Real Time Alerts: Those who are familiar with IT parlance may naturally bound to think that the word Alerts are very essential to monitor changes. But as far as the existing solutions are concerned, the word Real Time Alert is either missing or been provided with least information, which may not be helpful for a perfect auditing.

6 Page 06 JiJi s Innovative Solution Primarily the JiJi AuditReporter caters to all the requirements of auditing specified in section Audit Requirement Effective Prevalence Reports: Keeping into consideration about the obvious auditing problems, JiJi has perfected their solutions in an optimal way. Their solution synchronizes the AD data with local database and pulls the required report from it which in turn will lead to report generation for large set of objects swiftly and amazingly. This is a correct way of generating reports. If there is any change in any of the objects of AD, the same will be picked up in real time to be synchronized with the database. It is to be noted that this synchronization process will be done in the background and changes alone are updated without endangering the entire AD. Hence there is no wonder for the appreciation this solution has got from the IT industry for its effective and quick access to the reports without disturbing the entire AD. Change Auditing Solutions: AuditReporter avoids snapshotting which is not a complete solution for change auditing as discussed in section snapshotting JiJi AuditReporter also provides following change auditing modes to fulfill individual requirements of the IT industry: Accuracy Mode: 1. Accuracy Mode 2. Periodic Polling Accuracy mode captures changes real time by monitoring both active directory and event logs to provide details about each and every change. If an object undergoes changes from A->B->C->D during the stipulated time, JiJi captures all the changes in the background and will provide you the details such as Who, What, When and Where for all changes. The authorization scenario explained in the section snapshotting will also be rightly captured, provided delivering the alerts on time. Thus it proves to be a complete change auditing solution.

7 Page 07 JiJi recommends accuracy mode, since we could not take chances on changes which happens on high sensitive data. Real time alerts will be issued as real time in this mode. Periodic Polling: By using this mode you will be at liberty to set the duration as you like to poll for the changes in Active Directory. After the polling is done, the local database will be updated with the actual data and change information. As explained in accuracy mode, the event logs will be analyzed after the polling to find the who and where information. Apart from polling frequency, the other factor which enables polling would be a scheduled task which polls first before generating the report. Also user can explicitly request polling before he pulls the report. Hence quantitative reports will be of real time. Periodic polling is advantageous over Accuracy mode in few aspects. This reduces the load on application servers. However, the changes detected will not be 100% accurate and the alerts would not be on real time as in accuracy mode. Periodic polling is totally supreme over snapshot modes, as the quantitative reports will be of real time here. Also the loads on application servers are hugely brought down. Benefits Real Time Alerts It will be interesting to note that the JiJi AuditReporter has been designed in such a way as to deliver real time alerts on every change in AD, GPO and Exchange. What is meant by Real time is, fully live. Whenever changes take place it will be reflected to the user within seconds. Accuracy mode monitors windows server components and event log in live and in background to capture the changes real time. Then the subscribers will receive notifications right at the moment. JiJi have really done justice to the word Real Time Alert by delivering the reports within seconds as soon as the change takes place. In this way JiJi Solutions distinguish themselves from other existing solutions in this regard. Scheduled Delivery: In case anyone wants the reports to be audited on a weekly or monthly basis, the JiJi AuditReporter will enable the users to keep pace with their schedules by duly automating the process. If a recipient is keen on receiving the reports on changes up to a specific period, the JiJi AuditReporter will promptly pick up the reports as specified by the recipient and forward the same instantly. Apart from this, the reports will be delivered in four different formats namely HTML, PDF, EXCEL and CSV as per users choice. Architecture: It should be specially mentioned here that the JiJi AuditReporter s architecture has been built so as to match with the auditing requirements. It may be noteworthy to mention here that the synchronization methodology adopted in the JiJi AuditReporter will update just the changes alone from AD to the data store. In this way it lessens the load factor during the process. Since the changes are being updated in real time, it will be factual as well as real time.

8 Page 08 System Live Monitoring: Changes happening in the windows components (AD /GPO / Exchange) will be monitored live. Once a change is detected, a transaction will be initiated to update the local Images table and the changes table. It updates the new value in images table and stores the requisite information such as what the change is, when it was changed and its old value in the changes table. As regards to change details whom and where, the information will be collected from eventlogs table. Processing event logs are discussed below. Event Log Synchronization: A background process will be going on to synchronize the windows Event log information with a local event log data base. JiJi AuditReporter considers the following seven different event categories from the windows event logs for analyzing the changes: 1. User Account Management. 2. Active Directory Access. 3. Directory Service Changes. 4. Logon. 5. Computer Account Management. 6. Security Group Management. 7. Distribution Group Management.

9 Page 09 Analyzing Event Logs: JiJi AuditReporter s analyzing engine matches the output from AD on live monitoring with the event log entries. This algorithm finds out the right change almost perfectly and duly updates the change records database tables with from whom and where the changes have taken place. In accuracy mode, the analysis happen real time and in periodic synchronization mode this analysis gets triggered on a preset frequency. With all such micro level design strategies and implementation, the JiJi AuditReporter truly excels in its job swiftly and accurately. Please contact us for any further requirements or support. Contact us through the following addresses. For Sales: sales@jijitechnologies.com For Support: support@jijitechnologies.com For Website related queries: webmaster@jijitechnologies.com For Other information: info@jijitechnologies.com