"Ioan Nemes" <[EMAIL PROTECTED]> writes:

> One of them administers systems (might have a hundred of *NIX -
> and other servers to look after), the other one administers
> the network (and might have a few hundred network devices,
> like routers, firewalls, etc.). They might not even see each
> other for months! Can you see the difference?
Of course. Most of the time there is a real need for a separate network team. Network management has very little to do with the day-to-day maintenance of unix systems. The two can easily be separated. But can you separate unix administration and unix security so easily?

The problem I've been seeing is more like this: IT department structures where there are teams that do nothing but manage the web server processes and document roots, teams only for handling identity management and account creation, teams for security, DBA teams that own their special slice of the OS. All teams that never meet or collaborate.

I've also worked for a couple of very large organizations that did it the right way - they split teams of sysadmins off according to the projects that they were responsible for, and let them have complete control over them.

My suggestion, in the article I linked to previously, was to get rid of this rigid compartmentalization and to pay more attention to systems as a whole. Some single entity, be it a person or a team, needs to have full knowledge and control and ownership of the systems they are responsible for -- and this means security -- or those systems are going to be out of control.

To me, the worst part is taking the security responsibility out of the hands of the system administrators and giving it to people who have no responsibility for the systems they are evaluating. This creates an adversarial relationship between the teams, and (this is the part dear to me) it strongly devalues the role of the system administrator. The competent ones will leave, and their replacements will be ever more incompetent, even dangerously so.

-- 
deanna