TOM KEMP'S CENTRIFY BLOG
Wednesday, October 22, 2008
In my last blog post I introduced DirectAuthorize, our new solution that centrally manages and enforces role-based entitlements for fine-grained control of user access and privileges on UNIX and Linux systems. By controlling how users access systems and what they can do, DirectAuthorize enables organizations to lock down sensitive systems and eliminate uncontrolled use of root accounts and passwords. In this post I want to drill down in more detail on the customer challenges that DirectAuthorize addresses, specifically in the areas of improving security and addressing audit and compliance requirements.
To define the market need for DirectAuthorize in the UNIX and Linux market, one first must be aware of some inherent limitations of these *nix-based operating system environments as they relate to privileged password management and delegation of superuser privileges. According to analysts at Gartner (e.g. as articulated in reports such as Gartner Research Report ID# G00130427), UNIX and Linux systems inherently lack a scalable and simple model for administrative delegation compared to Windows. This means that UNIX personnel such as system administrators, DBAs, backup operators and help desk staff must be given increased privileges to accomplish even narrowly focused administrative tasks such as performing backups. This led Gartner to note that "the larger and more complex the organization, the greater the number of people who will sometimes need privileged access, increasing the likelihood of mistakes and deliberate attacks." Such practices are "likely to draw the attention of the external audit."
Sharing superuser passwords goes against security best practices and against compliance requirements, which make it clear that multiple users should not share the root account or any other privileged account. Instead, each user should log in as themselves and only then gain privileges based on their role within the organization. The slide below gives a sample of some of the regulations that require granular authorization to be enforced. In addition, it is recommended (and in many cases, for compliance reasons, required) that all administrative actions be audited. It is therefore easy to see why authentication, authorization and auditing (the classic "triple A" of identity and access management) go hand in hand.
Centrify offers the only solution whose Active Directory-based authentication, authorization and auditing capabilities for cross-platform environments are built on a single, integrated architecture and delivered as one comprehensive solution, the Centrify Suite. The Centrify Suite consists of the following:
Given that this blog is about DirectAuthorize, let's drill down a bit more on how DirectAuthorize can help organizations meet regulatory compliance requirements by locking down access to sensitive systems and eliminating uncontrolled use of root and service accounts and their passwords.
DirectAuthorize meets compliance-driven requirements for "least access" management by allowing organizations to centrally define logical roles (backup operator, DBA, web developer, application administrator, etc.) that carry with them the specific rights needed to perform duties within that role. Roles also define times when a user can log in to a system; for example, a backup operator role might allow access to systems on Wednesdays and Fridays between the hours of 5:00 p.m. and 9:00 p.m. You can also assign roles to users for specific time periods; for example, you could assign a system administrator role to a contractor with a start date of Monday, August 4th, and an expiration date of Friday, August 29th.
Rights describe both access methods and privileges. Rights specify how users within a role can connect to systems (FTP, Telnet, SSH, etc.). Rights can also specify permitted commands and the accounts those commands run under, so that a user can, for example, create files on a system that would normally require a privileged account without ever knowing that account's password. You can use DirectAuthorize to give users additional rights they would not normally have, or you can use the unique Restricted Environment feature to limit users to a "whitelist" of specific commands. Examples of roles and corresponding rights are shown in the slide below.
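To make the role-and-right model concrete, here is a small policy evaluator written for this post as an added example. It is not DirectAuthorize code and does not reflect Centrify's implementation or its Active Directory schema; the role names, the `/usr/sbin/dump` and `/sbin/service` rights, the users and the dates are all constructed to mirror the examples given in the text above (the Wednesday/Friday 5-9 p.m. backup operator, the contractor whose sysadmin role runs from Monday, August 4th to Friday, August 29th, 2008). It shows the checks that have to line up before a command is permitted: the assignment's validity period, the role's login days and time window, the access method, and finally either an explicit command right (with the account it runs as) or, for a restricted environment, an outright denial.

```python
"""Illustrative model of time-bounded roles and command rights.

Added example for this post; not DirectAuthorize code. Roles, rights,
users and dates below are constructed to match the examples in the text.
"""
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import Optional, Tuple


@dataclass(frozen=True)
class CommandRight:
    """A command a role member may run, and the account it runs under."""
    command: str   # absolute path, matched exactly (no globs, no shell parsing)
    run_as: str    # account the command executes as, e.g. "root"


@dataclass
class Role:
    name: str
    access_methods: frozenset          # permitted login methods, e.g. {"ssh"}
    rights: tuple                      # CommandRight instances
    restricted: bool = False           # True = whitelist only (Restricted Environment)
    login_days: frozenset = frozenset(range(7))                # 0=Monday .. 6=Sunday
    login_window: tuple = (time(0, 0), time(23, 59, 59))       # inclusive start/end


@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    starts: Optional[date] = None      # None = no start constraint
    expires: Optional[date] = None     # inclusive; None = never expires


class Policy:
    def __init__(self, roles, assignments):
        self.roles = {r.name: r for r in roles}
        self.assignments = list(assignments)

    def active_roles(self, user: str, when: datetime):
        """Roles whose assignment is current and whose schedule covers 'when'."""
        active = []
        for a in self.assignments:
            if a.user != user:
                continue
            if a.starts and when.date() < a.starts:
                continue
            if a.expires and when.date() > a.expires:
                continue
            role = self.roles[a.role]
            if when.weekday() not in role.login_days:
                continue
            lo, hi = role.login_window
            if not (lo <= when.time() <= hi):
                continue
            active.append(role)
        return active

    def may_login(self, user: str, method: str, when: datetime) -> bool:
        return any(method in r.access_methods for r in self.active_roles(user, when))

    def resolve_command(self, user: str, command: str, when: datetime) -> Tuple[bool, Optional[str]]:
        """Return (allowed, run_as_account) for a command request."""
        roles = self.active_roles(user, when)
        if not roles:
            return (False, None)
        for r in roles:
            for right in r.rights:
                if right.command == command:
                    return (True, right.run_as)   # elevated right, no root password involved
        # No explicit right: fall back to the user's own account, unless every
        # active role is a restricted (whitelist-only) environment.
        if all(r.restricted for r in roles):
            return (False, None)
        return (True, user)


def evaluate(policy: Policy, user: str, method: str, command: str, when_iso: str) -> dict:
    """Evaluate a login-plus-command request at an ISO 8601 timestamp."""
    when = datetime.fromisoformat(when_iso)
    if not policy.may_login(user, method, when):
        return {"login": False, "command": False, "run_as": None}
    allowed, run_as = policy.resolve_command(user, command, when)
    return {"login": True, "command": allowed, "run_as": run_as}


# Constructed sample policy mirroring the post's examples (assumptions, not product data).
BACKUP_OPERATOR = Role(
    "backup_operator", frozenset({"ssh"}),
    (CommandRight("/usr/sbin/dump", "root"),),
    restricted=True,                               # only the whitelisted command
    login_days=frozenset({2, 4}),                  # Wednesday and Friday
    login_window=(time(17, 0), time(21, 0)),       # 5:00 p.m. to 9:00 p.m.
)
SYSADMIN = Role(
    "sysadmin", frozenset({"ssh"}),
    (CommandRight("/sbin/service", "root"), CommandRight("/usr/bin/passwd", "root")),
)
POLICY = Policy(
    [BACKUP_OPERATOR, SYSADMIN],
    [
        Assignment("bob", "backup_operator"),
        Assignment("carol", "sysadmin", starts=date(2008, 8, 4), expires=date(2008, 8, 29)),
    ],
)

if __name__ == "__main__":
    # Wednesday evening: bob may run dump as root but nothing else.
    print(evaluate(POLICY, "bob", "ssh", "/usr/sbin/dump", "2008-10-22T18:00:00"))
    print(evaluate(POLICY, "bob", "ssh", "/bin/bash", "2008-10-22T18:00:00"))
    # The contractor's role has expired by September.
    print(evaluate(POLICY, "carol", "ssh", "/sbin/service", "2008-09-01T10:00:00"))
```

Two design points worth noting. Commands are matched on an exact absolute path, so a right for `/usr/sbin/dump` does not also grant `/usr/sbin/dump; /bin/sh` or a same-named binary elsewhere on `PATH`; and a restricted role denies anything not explicitly listed rather than falling back to the user's own shell, which is what makes a whitelist meaningful. In a real deployment the evaluator would also emit an audit record for every decision, allowed or denied.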

DirectAuthorize's implementation of roles and rights helps organizations control how users access a UNIX system and what they can do there, and it eliminates a user's need to use the root account, which in turn allows the root account to be locked down. In addition, DirectAuthorize can delegate the right to run specific commands with elevated privileges where authorized. This means DirectAuthorize can ensure that the passwords of root, superuser and other shared privileged accounts are never revealed, making your environment more secure and compliant.
In my next blog post I will spend more time on the DirectAuthorize product architecture, including a more detailed discussion of roles and rights and how DirectAuthorize leverages Active Directory.