Current pain points in the security of enterprise IT system administration and maintenance:

• Complexity of system leads to multiple roles of system administrators

Currently the complexity of the IT system requires the administrator to take multiple roles (system administration, database, administration, security management, auditing as well as system programming, etc) in system administration. There is no well-defined processes and technical methodologies for system administrators to follow while playing the above multiple roles simultaneously

• Remote system administration

Since company computing resources such as servers and networking devices are centralized in certain locations, often infeasible for local direct administration. Maintenance personnel often rely on remote access such as Telnet and SSH to remotely logon and conduct administration operations. Thus, company servers and networking devices can be physically accessed through networking

• Account sharing

The afore-mentioned multiple roles often result in a single person to participate in the maintenance of multiple sets of equipment. Furthermore, since the same equipment may be administered by multiple persons, for convenience, maintenance personnel with similar roles often share the same system account. The account sharing, however, will potentially result in undeterminable user identities, impossible to know who performed what operations, leaving holes for security compromises.

• Password change-over

One of the key measures for system security is periodic password updates and comprehensive password composition rules. This approach is not very effective for core system maintenance personnel since it requires manual notifications to all the personnel. As a result, this approach is often not strictly used.

• Control of access rights

Control of access rights determines what role a user should take to log onto a specific machine and what operations the user is allowed to perform on that machine. In current management scheme, there is no well-established access rights list, impossible to know what user are allowed to access what machine by what roles. Nor is there any effective technical means to support executions of the access rights

• Auditing of user access

Unable to effectively record user access. Since some knowledgeable system operators are can purposely change or delete system logs, system logs can not be based to perform reliable analyses.