Tom Kemp's Centrify Blog

Privileged User Management (aka Superuser Privilege Management aka Privileged Account Management) Continues to Gain Mindshare

Tuesday, March 3, 2009

I have been beating the drum a bunch lately on privileged user management ("PUM" — the expression Forrester uses) aka superuser privilege management ("SUPM" — the expression Gartner uses) aka privileged account management ("PAM" — the expression Burton Group uses). Check out my recent blogs on this topic: an overview of the problem, how the recent Fannie Mae security incident was in all likelihood caused by not having this capability in place, and how a recent court ruling is not showing any love to companies negatively impacted by this problem. Well, Gartner has just weighed in again on this topic in a just-published report, and in this blog post I will give you some of my thoughts on the report and also discuss a recent article that I wrote on this subject that was published on

But first, what is superuser privilege management and why is this an issue that needs to be addressed in IT organizations? This issue arises from the fact that most operating systems, applications and databases have an administrative account to enable installation, configuration, administration and management of those platforms. And most large organizations have multiple personnel that need to administer Windows or UNIX systems ("the sys admins"), multiple personnel that administer their Oracle or DB2 databases ("the DBAs"), and multiple personnel who either develop applications ("the developers") and/or administer applications ("the app admins"). This means that, in effect, there are multiple people that have "keys" (i.e. administrative access) to these "doors" (i.e. systems and applications) and the valuable information that resides behind those doors.

As Gartner notes on page 2 of this presentation, organizations need to worry about important things such as (and the bullets below are direct quotes from the slide):

  • How many users have the keys for every door?
  • Do users get their own keys or share keys?
  • Do you know who is using which key when?
  • Do you even know how many keys you have?

Gartner has further weighed in on this topic with the publication of a new report entitled "Superuser Privilege Management Tools for IBM i, Unix and MS Windows Server Operating Systems" (Gartner report #G00164893). Authors Perry Carpenter and Ant Allan summarize the heart of the overall problem by saying that "accidental misuse and deliberate abuse of superuser privileges [can] yield critical compliance and privacy risks with potentially severe financial and reputational impacts."

The report not only describes which tools exist to enable SUPM on the various platforms (including the Centrify Suite) but also discusses how SUPM tools can manage authorization by controlling privileges (e.g. commands that are allowed), by controlling scope (on what resources and systems), by controlling access time (e.g. midnight to 3 a.m. or just on weekends), or through a combination of the above.

The permissions and restrictions described above are exactly what DirectAuthorize can enable. DirectAuthorize does this via roles and rights. A role is a logical job function (e.g. backup operator, DBA, web developer, application administrator, etc.) that carries with it specific rights that are needed to perform duties within a role. Rights describe both access methods and privileges, specifically:

  • PAM (Pluggable Authentication Module) Access rights identify the specific PAM-enabled interfaces and applications the user can access, such as FTP, Telnet, SSH, or Informix.
  • Privileged Commands identify specific commands the user can run and whether those commands can be run under the user's own account or as another user account.
  • Restricted Environments provide strictly controlled access to a defined subset of commands in a DirectAuthorize shell (sash). In effect, this grants users access to whitelisted applications only, and automatically grants privilege execution where authorized.

Roles are defined for a DirectControl Zone, which is a logical collection of DirectControl-managed systems. Active Directory users or groups can be assigned to one or more roles. A role assignment can apply to all computers in a Zone, or to a specific computer. For example, in the Engineering Zone the user Fred could be assigned the system administrator role for all computers, and also be assigned a DBA role for a single database server. Thus, roles are a flexible and scalable method for defining users' access methods and privileges for a specific set of systems.
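To make the zone/role/right model concrete, here is a small added illustration (my own toy model written for this post, not DirectAuthorize's code or data format) that evaluates the Fred example above: roles bundle rights, each right names a PAM interface or a privileged command plus the account it runs as and an allowed time window (the "access time" control from the Gartner report), and assignments bind an Active Directory principal to a role for a whole zone or for one computer. Host names, command paths and hours are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Right:
    kind: str               # "pam" (access method) or "cmd" (privileged command)
    name: str               # PAM service such as "ssh", or a command path
    run_as: str = "self"    # for "cmd": the user's own account or another account
    hours: tuple = (0, 24)  # allowed local-time window [start, end) in hours

@dataclass
class Role:
    name: str
    rights: list

@dataclass(frozen=True)
class Assignment:
    principal: str   # AD user or group
    role: str
    zone: str
    computer: str = ""  # empty string means every computer in the zone

# Constructed sample policy mirroring "Fred in the Engineering Zone":
# sysadmin on all computers, DBA only on the database server db01.
ROLES = {
    "sysadmin": Role("sysadmin", [Right("pam", "ssh"), Right("cmd", "/sbin/reboot", "root")]),
    "dba": Role("dba", [Right("pam", "ssh"), Right("cmd", "/usr/bin/sqlplus", "oracle", (0, 6))]),
}
ASSIGNMENTS = [
    Assignment("fred", "sysadmin", "Engineering"),
    Assignment("fred", "dba", "Engineering", "db01"),
]
HOST_ZONES = {"web01": "Engineering", "db01": "Engineering", "hr01": "Finance"}

def roles_for(user, host):
    """Roles applying to user on host: zone-wide assignments plus those scoped to that computer."""
    zone = HOST_ZONES.get(host)
    return [ROLES[a.role] for a in ASSIGNMENTS
            if a.principal == user and a.zone == zone and a.computer in ("", host)]

def authorized(user, host, kind, name, run_as="self", when=None):
    """True only if some applicable role carries an exactly matching right whose window covers `when`."""
    hour = (when or datetime.now()).hour
    for role in roles_for(user, host):
        for r in role.rights:
            if (r.kind, r.name, r.run_as) == (kind, name, run_as) and r.hours[0] <= hour < r.hours[1]:
                return True
    return False  # default deny: no role, wrong host, wrong account or outside the window
```

Note that the same command requested as the user's own account and as root are distinct rights, which is the distinction the "Privileged Commands" bullet draws.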

One of the key recommendations from the Gartner report that I found most interesting was their recommendation that IT organizations should "Favor products that ... exploit existing infrastructure components (to reduce cost and to simplify implementation and maintenance)." Ironically, the only vendor and product that Gartner documented that leverages an existing de facto standard infrastructure was Centrify and our Centrify Suite, which leverages a customer's pre-existing Active Directory deployment. Unlike all the other SUPM solutions, which typically store their policy data in proprietary data stores and/or rely on proprietary administrative servers, the Centrify Suite stores its policy management capabilities (to enable role-based access control and authorization) directly in Active Directory. And our solution is the only solution for *nix that provides the ability to cache the policies locally.

Finally, be sure to check out my article on superuser privilege management on — it was only coincidence that my article and Gartner's report were published the same week, but indicative of the relevance and importance of the topic.
