Using Likewise to Improve Compliance with Sarbanes-Oxley

Experts have been advising for some time that companies should change the way they approach Sarbanes-Oxley compliance, and after a few trips through the annual audit cycle, company leaders are coming to understand why. It no longer makes sense to treat compliance with Sarbanes-Oxley, or SOX, as a recurring project that needs to be accomplished repeatedly at a particular point in time. A better approach is to integrate the principles of compliance into regular business processes so that compliance shows up 365 days a year — not just the day the auditor comes.

The fundamental principles of compliance are straightforward. First, you must establish internal controls — the policies, procedures, and practices that reduce risk. Second, you must enforce your internal controls, monitor their effectiveness, and be prepared to show them to auditors.

Likewise Enterprise helps overcome the challenges of establishing, enforcing, and monitoring internal controls by joining Linux, Unix, and Mac OS X computers to Microsoft Active Directory. Likewise then extends Active Directory-based authentication, access control, security settings, group policies, reporting, and auditing to Linux, Unix, and Mac.

Establishing Internal Controls

To help ensure SOX compliance, there are a number of internal controls that Likewise Enterprise can help you put in place by integrating Unix, Linux, and Mac OS X workstations and servers into Microsoft Active Directory:

  • One user, one identity. Each user has a unique identity, and that identity is authenticated by a secure protocol each time the user logs on to a computer or accesses sensitive applications or resources.
  • System-wide password enforcement. Every computer on the network requires a user to log on with a password.
  • Secure authentication with the Kerberos 5 protocol.
  • Role-based access control and authorization that gives users only the minimum access to perform their jobs.
  • Separation of duties.
  • Timed computer lockouts after a short period of inactivity.
  • Log backups.
  • One-way cross-forest trusts in Active Directory.
  • System security and hardening to help prevent unauthorized access or external attacks.
  • Group policies for Linux, Unix, and Mac computers to manage password policies, control root access, and manage logs.

Enforcing and Monitoring Internal Controls

To provide a solid foundation for dealing with annual audits, there are a number of methods of enforcing and monitoring controls that Likewise Enterprise can help you implement:

  • Extending the event filter in Active Directory to Linux, Unix, and Mac OS X computers.
  • Centrally managing syslogs for Unix, Linux, and Mac.
  • Logging every command run through sudo.
  • Using group policies to deploy and manage cron scripts that alert you to changes in files or policies.
  • Running group policy refreshes that overwrite unexpected changes to, for example, the sudoers and automount files.
  • Provisioning, deprovisioning, and managing changes when an employee joins the company, leaves the company, or changes roles. Likewise Enterprise lets you manage changes to Linux, Unix, and Mac computers from Active Directory.
  • Generating reports that detail which users and groups have access to which systems.
  • Auditing capabilities for event logs that show, for example, attempts to use sudo by unauthorized personnel, failed sudo attempts, failed logon attempts, and so forth.
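As an added illustration of the auditing items above (example code written for this page, not part of Likewise Enterprise or the original whitepaper): a small Python classifier that sorts syslog lines into the event kinds the list names, namely sudo use by someone not in sudoers, failed sudo authentication, failed logons, and ordinary sudo command use. It assumes the stock message formats sudo and sshd write to syslog on Linux; the sample log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample syslog extract (not from a real host), using the
# message formats sudo and sshd emit on Linux.
SAMPLE_SYSLOG = """\
Mar  3 09:12:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/sudoers
Mar  3 09:13:44 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 09:14:10 web01 sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/vi /etc/passwd
Mar  3 09:15:02 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 09:15:05 web01 sshd[2201]: Failed password for dave from 203.0.113.7 port 51023 ssh2
Mar  3 09:16:30 web01 sshd[2210]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2
"""

# sudo writes "<user> : <details>"; the details start with the failure
# reason when the invocation was refused.
SUDO_RE = re.compile(r"\bsudo:\s+(?P<user>\S+) : (?P<detail>.*)")
# sshd writes "Failed password for [invalid user ]<user> from <ip>".
SSHD_FAIL_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def classify(line):
    """Return (category, user) for one syslog line, or None if it is not audit-relevant."""
    m = SUDO_RE.search(line)
    if m:
        detail = m.group("detail")
        if "user NOT in sudoers" in detail:
            return ("sudo_unauthorized", m.group("user"))
        if "incorrect password attempt" in detail:
            return ("sudo_failed_auth", m.group("user"))
        if "COMMAND=" in detail:
            return ("sudo_command", m.group("user"))
        return None
    m = SSHD_FAIL_RE.search(line)
    if m:
        return ("logon_failed", m.group("user"))
    return None


def audit_summary(log_text):
    """Count audit-relevant events by (category, user) across a syslog extract."""
    counts = Counter()
    for line in log_text.splitlines():
        event = classify(line)
        if event:
            counts[event] += 1
    return counts
```

Feeding the centrally collected syslog stream into audit_summary gives the per-user counts an auditor asks for; a successful key-based logon is deliberately not counted, since only failures and privilege use are in scope here.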

More Information

For a detailed description of Likewise Enterprise's feature support for establishing, enforcing, and monitoring internal controls, see the following whitepaper:

Using Likewise Enterprise to Boost Compliance with Sarbanes-Oxley