
Views from Around the World

Ross Chevalier, President and CTO Novell Canada, Ltd.

Stop Spreading Roots


No, it’s not a column on arborist skills; I’m referring instead to the proliferation of root-capable access on UNIX systems in the corporate IT space.

All too often administrators, DBAs, users and other people end up with root-level access to UNIX and Linux production systems.  So why is this a problem?  Root is, to all intents and purposes, the supreme deity of the system.  A person with root-level access can do literally ANYTHING to the system.  Start it.  Stop it.  Kill processes.  Disable services.  Open ports.  Copy data.  You get the picture.

In the old world it was always simple to just give someone root access or make that person root equivalent, rather than doing things the right, but sometimes difficult, way: assessing and setting the right level of privilege at the file, directory, process etc. level.  Managing changes over time became problematic because of the power and complexity of the base security system.  So while it’s “wrong”, lots of folks became root equivalent over time because it was fast and they were “ok”.

Now we face the unbiased measurement of compliance initiatives, and our systems are found to have more holes than a chunk of Swiss cheese or a road sign in some unnamed state.  The draconian fix is to remove the root access, but while this works in the very short term, it’s not productive for the real world.

What we really need to do is to be able to simply document who needs root-style access to what, without making that person root equivalent.  This is where our new acquisition of Fortefi and Privileged User Management really creates value.

The idea is very simple.  Make a database with a nice GUI front end so we can easily assign the right access to the right user to the right resource, so that person can be granted root-like privilege for the specific task or role without becoming root equivalent.  The power of using this repository model is that it can provide real-time validation of the user’s right to use the command or service without immediate administrator intervention.  Moreover, all actions are logged, so when reporting is needed, the data is in place and easily delivers the report in a usable format.  This works because the audit data is stored in a secure manner that can deliver answers with great speed.  In an infraction investigation, delay is expensive.

While remedial reporting is interesting, the real power comes from due diligence.  This daily (or other interval) check validates that accesses are reasonable and necessary, and doesn’t require that an event occur before the risk is found.  It allows managers to sign off on activity samples, which creates a robust platform to satisfy auditors and security inspectors.
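The two ideas above, scoping a grant to a specific command rather than making the person root equivalent, and running a periodic check that finds root-equivalence creep before an incident does, can be illustrated on plain sudoers rules. The following is an added example written for this column, not Novell or Fortefi code: a small auditor that reads sudoers-style lines and flags grants that are root-equivalent (any command as root, a root shell) or close to it (an editor that can spawn a shell). The sample sudoers content is constructed for the example, and the parser makes simplifying assumptions: aliases are not expanded, commands are split on commas, and an omitted run-as user is treated as root.

```python
"""Audit sudoers rules for root-equivalence creep.

Added example, not Novell or Fortefi code. Assumptions: aliases are not
expanded, command lists are split on commas, and an omitted runas means root.
"""
import re
from dataclasses import dataclass

# Constructed sample sudoers content for this example.
SAMPLE_SUDOERS = """\
Defaults log_output
Defaults logfile=/var/log/sudo.log
root    ALL=(ALL) ALL
alice   ALL=(ALL) ALL                                   # root-equivalent
bob     ALL=(ALL) NOPASSWD: ALL                         # root-equivalent, no password
dba     ALL=(oracle) /usr/bin/systemctl restart oracle  # scoped to one task: fine
carol   ALL=(root) /bin/bash                            # a root shell by another name
dave    ALL=(root) /usr/bin/vi /etc/hosts               # editor can escape to a shell
eve     ALL=(root) NOPASSWD: /usr/bin/tail -f /var/log/messages
%wheel  ALL=(ALL) ALL                                   # whole group root-equivalent
"""

SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/usr/bin/bash", "/usr/bin/zsh"}
# Programs that can open other files or spawn a shell from inside; sudoedit is the safer grant.
SHELL_ESCAPES = {"/bin/vi", "/usr/bin/vi", "/usr/bin/vim", "/usr/bin/nano", "/usr/bin/less"}
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)
TAG_RE = re.compile(
    r"^(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT"
    r"|LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW):\s*"
)


@dataclass(frozen=True)
class Finding:
    user: str       # user name or %group
    runas: str
    command: str
    severity: str   # HIGH or MEDIUM
    reason: str


def _split_tags(spec):
    """Strip leading 'TAG:' prefixes such as NOPASSWD: and return (tags, command)."""
    tags = set()
    while (m := TAG_RE.match(spec)):
        tags.add(m.group(0).rstrip(": \t"))
        spec = spec[m.end():]
    return tags, spec.strip()


def parse_rules(text):
    """Yield (user, runas, tags, command) for every command grant in the text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = (m.group("runas") or "root").strip() or "root"
        tags = set()
        for spec in m.group("cmds").split(","):
            new_tags, command = _split_tags(spec.strip())
            tags |= new_tags                     # tags persist across later commands on the line
            yield m.group("user"), runas, frozenset(tags), command


def assess(user, runas, tags, command):
    """Classify one grant; return a Finding, or None when it looks like least privilege."""
    runas_user = runas.split(":")[0]             # '(user:group)' form: look at the user part
    as_root = runas_user in ("ALL", "root") or "root" in [r.strip() for r in runas_user.split(",")]
    program = command.split()[0] if command else ""
    severity = reason = None
    if command == "ALL" and as_root:
        severity, reason = "HIGH", "any command as root: user is root-equivalent"
    elif command == "ALL":
        severity, reason = "MEDIUM", f"any command as {runas}"
    elif program in SHELLS and as_root:
        severity, reason = "HIGH", "interactive root shell: no better than a root login"
    elif program in SHELL_ESCAPES and as_root:
        severity, reason = "MEDIUM", "program can open other files or a shell; prefer sudoedit"
    if reason is None:
        return None
    if "NOPASSWD" in tags:
        reason += " (NOPASSWD: no re-authentication)"
    return Finding(user, runas, command, severity, reason)


def audit(text):
    """Return findings for every principal other than root itself."""
    findings = []
    for user, runas, tags, command in parse_rules(text):
        if user == "root":
            continue
        finding = assess(user, runas, tags, command)
        if finding is not None:
            findings.append(finding)
    return findings


def root_equivalent(findings):
    """Principals (users or %groups) with at least one HIGH finding, sorted."""
    return sorted({f.user for f in findings if f.severity == "HIGH"})


def report(findings):
    """One line per finding, suitable for a daily sign-off sheet."""
    return "\n".join(f"{f.severity:6} {f.user:8} ({f.runas}) {f.command}: {f.reason}"
                     for f in findings)


if __name__ == "__main__":
    found = audit(SAMPLE_SUDOERS)
    print(report(found))
    print("root-equivalent principals:", ", ".join(root_equivalent(found)))
```

Run against the sample, the dba grant (one systemctl invocation as the oracle user) and eve’s scoped tail command pass, while alice, bob, carol and the whole wheel group are reported as root-equivalent and dave’s editor grant is flagged for conversion to sudoedit. Pointing `audit()` at real sudoers text on a schedule gives the kind of interval check the column describes, without waiting for an incident.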

Novell’s Privileged User Management delivers on these requirements in the following ways:

  • 100% keylogging of privileged access
  • Automatic grading of risk level
  • Super user privilege management
  • Realtime logging and monitoring
  • Proactive compliance management
  • Audit the auditor

Novell’s solution not only mitigates risk and simplifies security, it also saves on operational expense.  For example, to manage the common SUDO function across 1500 servers could take as much as 80 hours.  With the Novell solution, the time required is less than six hours for the same number of servers.

So who can benefit from Novell Privileged User Management?  Literally any organization that uses UNIX or Linux will benefit, because root-equivalence creep is not only widespread, it’s been a tacitly acceptable practice for years.

My request of you is to think of all your customers or prospects who use UNIX or Linux, make a call to share with them the real risk of root-equivalence creep, and ask for the opportunity to speak with them about Privileged User Management.  It solves this problem quickly and efficiently and can also be an extremely proactive risk management initiative.

Until next time, peace.

Ross




© 2009 Novell, Inc. All Rights Reserved.