(RADIATOR) Digipass token decentralisation, corporate risk assessment
Bosse Klykken
bosse at linpro.no
Fri Jul 29 06:27:43 CDT 2005
My client has expressed some concern regarding some Digipass features in
Radiator and their current risk assessment and security policy requiring
vital processes to be segmented between departments. In order to allow
them to keep adhering to existing policy, the client wants Radiator to
implement some extra security features regarding the process of unlocking
Digipass tokens.
What is needed is an ACL feature for the Digipass module in Radmin, so
that the process of handling accounts and hardware tokens can be
segmented. The accounts and user attributes should be administered from
one department (like IT operations - group A), while the physical
allocation and handling of Digipass tokens should be administered from
another department (like HR - group B). A third department (like
Security - group C) should be the only instance having a Digipass token
allowed to unlock any allocated Digipass tokens.
Today, Radiator makes it possible to segment some of these processes
between Group A and B (where group A actually assigns the Digipass tokens
in Radiator, while Group B handles the physical allocation), but there are
no ACLs (AFAIK) defining that only group C will be allowed to unblock a
Digipass token. This could be implemented by allowing the sysadmin to
define one or two master Digipass tokens that would allow a user in group
A to unblock a Digipass calculator only after getting the action verified,
logged and processed by Security before they are issued a one-time Digipass
token to allow access to this interface. The point here is to minimize
the possibility of foul play by involving separate departments in the whole
process, and also to guarantee that there will be a paper trail.
Does OSC have any thoughts on this, or has it considered implementing this feature in
Radmin? I'd like to know before I start working on a patch for this myself.
.../Bosse
--
Bosse Klykken, operations consultant
Linpro AS - http://www.linpro.no
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.