(RADIATOR) Digipass token decentralisation, corporate risk assessment

Mike McCauley mikem at open.com.au
Fri Jul 29 08:04:42 CDT 2005


Hello Bosse,

Thanks for your note.

Radmin currently enforces some permission restrictions when doing operations 
on Digipass tokens. Generally speaking the administrator must have the USER_E 
(user edit) permission to Allocate, Deallocate, Reset the token etc.

This could be segmented into more fine-grained permissions for different 
operations by modifying cgi-bin/private/showDigipass.pl, and adding the 
appropriate permissions to the Radmin permissions database.

Hope that helps.
Cheers.


On Friday 29 July 2005 21:27, Bosse Klykken wrote:
> My client has expressed some concern regarding some Digipass features in
> Radiator and their current risk assessment and security policy requiring
> vital processes to be segmented between departments. In order to allow
> them to keep adhering to existing policy, the client wants Radiator to
> implement some extra security features regarding the process of unlocking
> Digipass tokens.
>
> What is needed is an ACL feature for the Digipass module in Radmin, so
> that the process of handling accounts and hardware tokens can be
> segmented. The accounts and user attributes should be administered from
> one department (like IT operations - group A), while the physical
> allocation and handling of Digipass tokens should be administered from
> another department (like HR - group B). A third department, (like
> Security - group C), should be the only instance having a Digipass token
> allowed to unlock any allocated Digipass tokens.
>
> Today, Radiator makes it possible to segment some of these processes
> between Group A and B (where group A actually assigns the Digipass tokens
> in Radiator, while Group B handles the physical allocation), but there are
> no ACLs (AFAIK) defining that only group C will be allowed to unblock a
> Digipass token. This could be implemented by allowing the sysadmin to
> define one or two master digipass tokens that would allow a user in Group
> A to unblock a Digipass calculator only after getting the action verified,
> logged and processed by Security before they are issued a one-time Digipass
> token to allow access to this interface. The point here is to minimalize
> the possibility of foul play by involving separate departments in the whole
> process, and also to guarantee that there will be a paper trail.
>
> Have OSC any thoughts on this, or considered implementing this feature in
> Radmin? I'd like to know before I start working on a patch for this myself.
>
> .../Bosse

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
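The per-operation permission split Mike describes, combined with the separate-department unlock approval Bosse asks for, as an added example in Perl. It is not Radmin's own showDigipass.pl code; the permission names other than USER_E, the administrator record layout and the audit file path are assumptions.

```perl
#!/usr/bin/perl
# Added example, not Radmin code: permission names other than USER_E, the
# admin record layout and the audit file path are assumptions.
use strict;
use warnings;

# Each operation gets its own permission so one group can be granted
# allocate/deallocate without reset/unlock.
my %required = (
    allocate   => 'USER_E',           # existing Radmin permission
    deallocate => 'USER_E',
    reset      => 'DIGIPASS_RESET',   # assumed new permission names
    unlock     => 'DIGIPASS_UNLOCK',
);
# Unlock also needs a second administrator from another group to approve,
# giving the dual control and paper trail the thread asks for.
my %needs_approval = (unlock => 1);

# $admin / $approver: { name => 'alice', group => 'ops', perms => { USER_E => 1 } }
# Returns 1 if allowed, 0 otherwise; every decision is written to the audit log.
sub authorize_digipass_op {
    my ($op, $token, $admin, $approver) = @_;
    my $perm = $required{$op}
        or return audit(0, $op, $token, $admin, 'unknown operation');
    return audit(0, $op, $token, $admin, "missing $perm")
        unless $admin->{perms}{$perm};
    if ($needs_approval{$op}) {
        return audit(0, $op, $token, $admin, "no approver holding $perm")
            unless $approver && $approver->{perms}{$perm};
        return audit(0, $op, $token, $admin, 'approver must be a different person in another group')
            if $approver->{name} eq $admin->{name} || $approver->{group} eq $admin->{group};
    }
    return audit(1, $op, $token, $admin,
                 $approver ? "approved by $approver->{name}" : 'ok');
}

sub audit {
    my ($allowed, $op, $token, $admin, $why) = @_;
    open my $fh, '>>', 'digipass-audit.log' or die "audit log: $!";   # assumed path
    printf $fh "%s digipass %s token=%s admin=%s %s (%s)\n", scalar(localtime),
        $op, $token, $admin->{name}, $allowed ? 'ALLOW' : 'DENY', $why;
    close $fh;
    return $allowed;
}

# Constructed sample administrators: group A (IT operations) and group C (Security)
my %ops = (name => 'alice', group => 'ops',      perms => { USER_E => 1, DIGIPASS_UNLOCK => 1 });
my %sec = (name => 'bob',   group => 'security', perms => { DIGIPASS_UNLOCK => 1 });
print authorize_digipass_op('unlock', 'DP-0001', \%ops)        ? "allowed\n" : "denied\n";
print authorize_digipass_op('unlock', 'DP-0001', \%ops, \%sec) ? "allowed\n" : "denied\n";
```

The first call is refused because group A alone may not unlock; the second passes because a Security administrator from a different group holds the unlock permission, and both decisions land in the audit log.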

