Threats arise if security requirements are not met. Therefore, to maintain security, it is necessary to implement measures that ensure security requirements are satisfied at all times.
[Measures to ensure confidentiality and integrity]
User authentication
One way to prevent unauthorized access to or illegal operations on a server is user authentication.
Operating system authentication controls the users who can access Systemwalker Operation Manager. System administrators, operations administrators and operations staff are identified and authenticated, and if identification or authentication fails, access to Systemwalker Operation Manager is denied.
If the Extended User Management function [UNIX version] is used, it is also possible to register Operation Manager users who can access Systemwalker Operation Manager independently of the users registered with the operating system. This enables user management to be conducted entirely within Systemwalker Operation Manager itself, which can improve the security of operations.
When the Systemwalker authentication repository is used, user management for Systemwalker products can be centralized, resulting in more secure operations for the entire system and a reduction in the administrative duties of the system administrator. In addition, if single sign-on is able to use the Systemwalker authentication repository, operations staff can use multiple Systemwalker products securely with a single login.
Access control
To prevent unauthorized access to systems and important assets, it is necessary to control which users can access which assets.
Two effective ways to prevent unauthorized access are to keep the number of users who can access a system to a minimum, and to ensure that system administrators and operations administrators give careful consideration before deciding on the range of information that operations staff can access.
This security measure sets the users that are permitted to access projects and the rights of these users.
To prevent a user from performing operations that are outside his or her duties, it is necessary to correctly assign the authority appropriate to the user's role.
This security measure restricts which users are permitted to submit demand jobs, start job nets with Job Execution Control attributes, and use Jobscheduler commands.
Execution user restrictions
One effective way to prevent unauthorized operations is to only permit jobs to be executed by their intended users. This will ensure that no unintended operations are conducted.
Define precisely, in advance, which users have permission to run jobs.
Audit log
Using audit logs to regularly check for signs of unauthorized access is an effective way to detect or prevent suspicious user behavior and unauthorized access. Damage can be kept to a minimum by detecting suspicious operations and using audit logs to trace and deal with the user behavior that caused those operations. To maintain the security of operations, the system administrator must monitor the audit logs that are output. Fujitsu recommends enabling output of audit logs.
In addition to the security measures above, which can be implemented using Systemwalker Operation Manager functions, it is also important to set up and implement information security policies for the organization so that appropriate education is provided to Operation Manager users. Security measures must be comprehensive, and should include operation rules as well as function-related measures.
Some of the security measures that are not related to Systemwalker Operation Manager functions are described below.
Physical protection and protection of the network environment
Physically protecting the hardware devices and recording media associated with Systemwalker Operation Manager is an extremely effective security measure. Concrete examples include the following:
Installing hardware devices in locked rooms that are only accessible to operations administrators
Recording all movement in and out of rooms and checking for suspicious persons (The same measures apply to people entering and leaving buildings.)
Installing hardware devices in buildings with earthquake-resistant facilities and protecting hardware from fire damage
It is also important to protect the data traffic on networks. An effective security measure when using Systemwalker Operation Manager from a Web browser is to set up the security functions for the Web server, and to protect communications using SSL.
Protection via operational measures
Operational measures must also be implemented to protect the hardware devices, recording media, and other assets that are used with Systemwalker Operation Manager. A concrete example is as follows:
Do not leave the terminal while logged into Systemwalker Operation Manager.
ID and password leaks may result in unauthorized access, such as intrusion, impersonation, mail viewing and data alteration. To improve security, it is important to maintain the confidentiality of IDs and passwords at all times.
IDs and passwords must be allocated properly.
Provide user IDs that have the minimum authority level required for each task.
Promptly delete user IDs that are no longer required.
Avoid using passwords that can be easily guessed, such as words that can be found in dictionaries, names, birthdays and telephone numbers. A strong password should be as long as possible (at least 5 characters) and include upper-case characters, lower-case characters, numerals and symbols to make it difficult to guess.
Passwords must be correctly managed to prevent them from becoming known to third parties. In concrete terms, this means implementing the following measures:
Do not write down passwords on paper or other material.
Change passwords regularly.
Do not allow passwords to be seen by third parties when they are being input.
The following rules must also be observed:
System administrator passwords must not be made known to anyone but the system administrator.
Operations administrator passwords must not be made known to anyone but system administrators and operations administrators.
Operations staff or general user passwords must not be made known to other operations staff or general users.
User education
Educating system users in security matters is vital to ensure that users are aware of security measures and to maintain and improve the security level of the entire organization. User education is a fundamental way of preventing a variety of threats, such as information losses and information leaks. In order to raise security-related awareness and improve the ability to handle risks, user education must be provided on an ongoing basis.
In concrete terms, this means the following:
A responsible party in the organization must select a reliable person to act as a system administrator and instruct that person to manage his or her passwords to prevent them from being known to third parties. The system administrator must select reliable persons to act as operations administrators, and then instruct operations administrators, operations staff, and general users to manage their passwords to prevent them from becoming known to others. Adherence to these rules must be enforced.
If more than one person uses Systemwalker Operation Manager on the same machine, an account must be created for each user and each user should only use his or her own user ID.
[Measures to satisfy availability requirements]
Managing completed jobs
One measure to ensure that jobs run as planned is to re-execute jobs that terminate abnormally. If a scheduled job fails to run as planned and terminates abnormally halfway through the operation for some reason, it should be restarted manually or automatically.
Operation design
When designing an operation, the resources needed for the operation should be carefully estimated so that the operation proceeds smoothly. (Refer to "Tuning of Performance" in the Systemwalker Operation Manager User's Guide for more information.)
When a large number of job nets and jobs are to be registered and operated, performance should be carefully and thoroughly tested in advance.
Backups
Backups are an important way of enabling information assets to be restored. Copies of files can be created, and spare servers and disk devices can be used to protect valuable information assets from becoming damaged or lost.