SlideShare uma empresa Scribd logo

Sudo is no longer enough

Ryan Gallavin
Ryan Gallavin

The new privileged access management solutions available on the market today provide highly efficient and effective alternatives to sudo. Using these modern approaches, you will be able to reduce the risk of insider fraud, streamline regulatory compliance, and greatly reduce the effort required to administer your server estates.

Tecnologia
1 de 4
Baixar para ler offline
WHITE PAPER PRIVILEGED ACCESS MANAGEMENT WHY SUDO IS NO LONGER ENOUGH Fox Technologies, Inc. | www.foxt.com | sales@foxt.com | 616.438.0840
Privileged Access Management: Why Sudo Is No Longer Enough Fox Technologies, Inc. | www.foxt.com | sales@foxt.com | 616.438.0840 2 Sudo is a free open-source access control tool that requires costly and labor-intensive custom configuration to meet privilege access management and compliance requirements. Sudo may be a reasonable solution for controlling privileged accounts for organizations with small server infrastructures, but it lacks the administration efficiencies, architectural vision, and security-related compliance requirements that are needed to effectively protect critical assets for organizations running hundreds and thousands of diverse Unix and Linux servers. There are six primary challenges with using sudo to control privileged accounts: First, sudo lacks efficient, centralized administration. System administrators can spend considerable time building and distributing sudoers files across the server estates. Sudo lacks the ability to easily put servers into local categories, classify users by various roles, and define the associated access rules, methods readily available through the latest privileged access management solutions on the market. The point is that it does not integrate well with Identity Management systems. Second, sudo introduces a security risk because it is controlled by local files. The burden is on the security admins to distribute these files appropriately. To do the distribution well, each server typically needs to have a unique file, but in most cases, shortcuts are taken by administrators, which results in giving administrative users too much privilege. As well, the sudo configuration file is stored in a way that local administrators could easily make modifications… a big security risk. Third, sudo may create a compliance issue. The distributed sudo conf files are not liked by auditors because they utilize “static trust”. The sudo configuration files need to be secured. Organizations using sudo may have problems passing audits because of this. Fourth, organizations using sudo must be able to distribute the file. Regardless of the methodology the distribution method must be maintained, resulting in hidden costs. Fifth, sudo does not inherently provide the ability to link multi- factor authentication as part of the privileged user authorization process. Elevating the authentication requirements in order to elevate privilege provides greater flexibility in the methods used to authenticate any given user, based on the access request parameters. There are other options to sudo for controlling privileged account access. A good example is the solution from Fox Technologies, BoKS ServerControl. BoKS ServerControl transparently grants privileged access permissions, without sharing privileged account passwords. With BoKS, policies can be created that adapt to the circumstanced based on the factors such as: who is asking, from where, to where, using what protocol, when, what they want to do. FollowingisacomparisonbetweenSudoandBoKSServerControl’s privileged access management capabilities: Privileged Access Management: Why Sudo Is No Longer Enough The new privileged access management solutions available on the market today provide highly efficient and effective alternatives to sudo. Using these modern approaches, you will be able to reduce the risk of insider fraud, streamline regulatory compliance, and greatly reduce the effort required to administer your server estates.
Privileged Access Management: Why Sudo Is No Longer Enough Fox Technologies, Inc. | www.foxt.com | sales@foxt.com | 616.438.0840 3 OpenWare/Sudo BoKS ServerControl Access is allowed if the local sudoers file permits it, unless configured to only use LDAP. This could create a security risk. There is no access to privileged accounts unless a fine-grained access rule is defined and then granted in real-time by FoxT ServerControl. Sudoers config files must be manually copied to each local machine (or the files must be transfer periodically) for any change. Can be viewed as “static trust” by auditors, which is undesirable. Using sudo, an admin can create a method for each host to get the file it needs with “least privilege”, but it isn’t automatic, and it isn’t easy. Access policies reside in a central database and updates are almost instantaneous. Enables organizations to pass audits since the local trust relationships do not reside in operating system files that could then be exploited and create a security risk. The default with sudo is to put user activity logs on the local server. You could configure sudo to send logs to remote server, but that requires configuration effort and it is more complex. Audit log are automatically stored on the master security server in a directory only readable by root. Most importantly, audit logs are stored in a way that local administrators cannot modify them. Statically defined permissions. If and when an access policy is changed by security officers, it is then available to all FoxT protected servers immediately. As well, authorization/access permissions adapt based on time of day, day of week, who is making request, etc. Cumbersome to implement, manage, and maintain. The BoKS system is managed centrally and changes are immediately implemented throughout the domain. System admin doesn’t spend hours building and distributing sudoers files. Simple method of creating and managing access routes. Regular updates to new functionality under maintenance programs. Control of sudoers file may not be limited by privilege. This is a problem where a server is running critical applications, and sudo controls which privileged commands can be run against privileged data. If the control is the sudoers file, then the control issues are: • Who has the right to update the file? • Logging of file update • Link to change management processes • Versioning of file • Exclusion by authority and role to RW file • Access to RW the file on the server by some other priv. route (i.e. su) BoKS centrally controls the authorization to utilize privileged accounts, without sharing the privileged account password, based on fine-grained access rules. In addition, administration of these authorizations is separately controlled with granular sub-administration.
Privileged Access Management: Why Sudo Is No Longer Enough Fox Technologies, Inc. | www.foxt.com | sales@foxt.com | 616.438.0840 4 While sudo provides an adequate method for privileged access management in small server estates, it is a cumbersome utility with the potential to create increased exposure to insider fraud for organizations trying to control access across large, diverse server infrastructures. In addition to requiring highly paid system administrators to spend a great deal of time building, and distributing sudoers files, sudo also forces you to rely on the individual expertise of your system administrator to plan and implement sudo in such a way that provides “least privileges”. The new privileged access management solutions available on the market today provide highly efficient and effective alternatives to sudo. Using these modern approaches, you will be able to reduce the risk of insider fraud, streamline regulatory compliance, and greatly reduce the effort required to administer your server estates. ABOUT FOX TECHNOLOGIES Fox Technologies, Inc. helps companies protect corporate information assets, simplify compliance and streamline administration with an award-winning access management and privileged account control solution. Our access management software centrally enforces granular access entitlements in real time across diverse server environments. Copyright © 2014 FoxT. All rights reserved. FoxT logo is a trademark of FoxT, Inc. Other product and company names herein may be registered trademarks and trademarks of their respective owners.

Recomendados

0828 Windows Server 2008 新安全功能探討
0828 Windows Server 2008 新安全功能探討0828 Windows Server 2008 新安全功能探討
0828 Windows Server 2008 新安全功能探討Timothy Chen
 
Audit observation
Audit observationAudit observation
Audit observationShaswat Khatiwada
 
PCI-DSS Compliance Using the Hitachi ID Management Suite
PCI-DSS Compliance Using the Hitachi ID Management SuitePCI-DSS Compliance Using the Hitachi ID Management Suite
PCI-DSS Compliance Using the Hitachi ID Management SuiteHitachi ID Systems, Inc.
 
Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015
Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015
Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015Jan Ketil Skanke
 
DLP and MDM Datasheet
DLP and MDM DatasheetDLP and MDM Datasheet
DLP and MDM DatasheetCyd Isaak Francisco
 
Fasoo Secure Document (FSD) for SharePoint
Fasoo Secure Document (FSD) for SharePoint Fasoo Secure Document (FSD) for SharePoint
Fasoo Secure Document (FSD) for SharePoint Fasoo
 
Fasoo Secure Document for IBM FileNet
Fasoo Secure Document for IBM FileNetFasoo Secure Document for IBM FileNet
Fasoo Secure Document for IBM FileNetFasoo
 
The Essentials | Privileged Access Management
The Essentials | Privileged Access ManagementThe Essentials | Privileged Access Management
The Essentials | Privileged Access ManagementRyan Gallavin
 

Recomendados

0828 Windows Server 2008 新安全功能探討
0828 Windows Server 2008 新安全功能探討0828 Windows Server 2008 新安全功能探討
0828 Windows Server 2008 新安全功能探討Timothy Chen
 
Audit observation
Audit observationAudit observation
Audit observationShaswat Khatiwada
 
PCI-DSS Compliance Using the Hitachi ID Management Suite
PCI-DSS Compliance Using the Hitachi ID Management SuitePCI-DSS Compliance Using the Hitachi ID Management Suite
PCI-DSS Compliance Using the Hitachi ID Management SuiteHitachi ID Systems, Inc.
 
Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015
Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015
Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015Jan Ketil Skanke
 
DLP and MDM Datasheet
DLP and MDM DatasheetDLP and MDM Datasheet
DLP and MDM DatasheetCyd Isaak Francisco
 
Fasoo Secure Document (FSD) for SharePoint
Fasoo Secure Document (FSD) for SharePoint Fasoo Secure Document (FSD) for SharePoint
Fasoo Secure Document (FSD) for SharePoint Fasoo
 
Fasoo Secure Document for IBM FileNet
Fasoo Secure Document for IBM FileNetFasoo Secure Document for IBM FileNet
Fasoo Secure Document for IBM FileNetFasoo
 
The Essentials | Privileged Access Management
The Essentials | Privileged Access ManagementThe Essentials | Privileged Access Management
The Essentials | Privileged Access ManagementRyan Gallavin
 
CV WS
CV WSCV WS
CV WSZahid Tyagi
 
Capstone project
Capstone projectCapstone project
Capstone projectDawit Bogale, MCE, PE, PMP
 
Case report javeed
Case report javeedCase report javeed
Case report javeedjaveed baig
 
FoxT BoKS ServerControl Full Specifications Document
FoxT BoKS ServerControl Full Specifications DocumentFoxT BoKS ServerControl Full Specifications Document
FoxT BoKS ServerControl Full Specifications DocumentRyan Gallavin
 
PIM, PAM, PUM: Best Practices for Unix/Linux Privileged Identity & Access Man...
PIM, PAM, PUM: Best Practices for Unix/Linux Privileged Identity & Access Man...PIM, PAM, PUM: Best Practices for Unix/Linux Privileged Identity & Access Man...
PIM, PAM, PUM: Best Practices for Unix/Linux Privileged Identity & Access Man...Ryan Gallavin
 
protocol ppt
protocol pptprotocol ppt
protocol pptjaveed baig
 
Kartell presentation
Kartell presentationKartell presentation
Kartell presentationKathy Knox
 
Javeed case presentation op poisoning
Javeed case presentation op poisoningJaveed case presentation op poisoning
Javeed case presentation op poisoningjaveed baig
 
Graphisoft virtual building explorer
Graphisoft virtual building explorerGraphisoft virtual building explorer
Graphisoft virtual building exploreralessiobacchin
 
virtual building explorer
virtual building explorervirtual building explorer
virtual building exploreralessiobacchin
 
JMaloney (1) recommendation
JMaloney (1) recommendationJMaloney (1) recommendation
JMaloney (1) recommendationJoseph Maloney
 
RRR Red Bandana
RRR Red BandanaRRR Red Bandana
RRR Red BandanaLogan Visnick
 
Address ua
Address uaAddress ua
Address uaSvetlana Artyukhova
 
H
HH
Heqraa
 
Pomiar pr
Pomiar prPomiar pr
Pomiar prMaciej Grzywacz
 
Warren buffet(ch)
Warren buffet(ch)Warren buffet(ch)
Warren buffet(ch)健興 郭
 
Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...
Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...
Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...BeyondTrust
 
Totumdocs DMS
Totumdocs DMSTotumdocs DMS
Totumdocs DMSYogesh Tiwari
 
Integrating Hitachi ID Management Suite with WebSSO Systems
Integrating Hitachi ID Management Suite with WebSSO SystemsIntegrating Hitachi ID Management Suite with WebSSO Systems
Integrating Hitachi ID Management Suite with WebSSO SystemsHitachi ID Systems, Inc.
 
5 Ways to Keep Your Remote Desktop Secure
5 Ways to Keep Your Remote Desktop Secure5 Ways to Keep Your Remote Desktop Secure
5 Ways to Keep Your Remote Desktop SecureDirect Deals, LLC
 
Title Fedora Linux OS Access Control__20231104_222610_0000.pptx
Title Fedora Linux OS Access Control__20231104_222610_0000.pptxTitle Fedora Linux OS Access Control__20231104_222610_0000.pptx
Title Fedora Linux OS Access Control__20231104_222610_0000.pptxkaverizanzane1
 
Introduction to Gravitational Teleport
Introduction to Gravitational TeleportIntroduction to Gravitational Teleport
Introduction to Gravitational TeleportTeleport
 

Mais conteúdo relacionado

Destaque

Case report javeed
Case report javeedCase report javeed
Case report javeedjaveed baig
 
FoxT BoKS ServerControl Full Specifications Document
FoxT BoKS ServerControl Full Specifications DocumentFoxT BoKS ServerControl Full Specifications Document
FoxT BoKS ServerControl Full Specifications DocumentRyan Gallavin
 
PIM, PAM, PUM: Best Practices for Unix/Linux Privileged Identity & Access Man...
PIM, PAM, PUM: Best Practices for Unix/Linux Privileged Identity & Access Man...PIM, PAM, PUM: Best Practices for Unix/Linux Privileged Identity & Access Man...
PIM, PAM, PUM: Best Practices for Unix/Linux Privileged Identity & Access Man...Ryan Gallavin
 
Kartell presentation
Kartell presentationKartell presentation
Kartell presentationKathy Knox
 
Javeed case presentation op poisoning
Javeed case presentation op poisoningJaveed case presentation op poisoning
Javeed case presentation op poisoningjaveed baig
 
Graphisoft virtual building explorer
Graphisoft virtual building explorerGraphisoft virtual building explorer
Graphisoft virtual building exploreralessiobacchin
 
virtual building explorer
virtual building explorervirtual building explorer
virtual building exploreralessiobacchin
 
JMaloney (1) recommendation
JMaloney (1) recommendationJMaloney (1) recommendation
JMaloney (1) recommendationJoseph Maloney
 
Warren buffet(ch)
Warren buffet(ch)Warren buffet(ch)
Warren buffet(ch)健興 郭
 

Destaque (16)

CV WS
CV WSCV WS
CV WS
 
Capstone project
Capstone projectCapstone project
Capstone project
 
Case report javeed
Case report javeedCase report javeed
Case report javeed
 
FoxT BoKS ServerControl Full Specifications Document
FoxT BoKS ServerControl Full Specifications DocumentFoxT BoKS ServerControl Full Specifications Document
FoxT BoKS ServerControl Full Specifications Document
 
PIM, PAM, PUM: Best Practices for Unix/Linux Privileged Identity & Access Man...
PIM, PAM, PUM: Best Practices for Unix/Linux Privileged Identity & Access Man...PIM, PAM, PUM: Best Practices for Unix/Linux Privileged Identity & Access Man...
PIM, PAM, PUM: Best Practices for Unix/Linux Privileged Identity & Access Man...
 
protocol ppt
protocol pptprotocol ppt
protocol ppt
 
Kartell presentation
Kartell presentationKartell presentation
Kartell presentation
 
Javeed case presentation op poisoning
Javeed case presentation op poisoningJaveed case presentation op poisoning
Javeed case presentation op poisoning
 
Graphisoft virtual building explorer
Graphisoft virtual building explorerGraphisoft virtual building explorer
Graphisoft virtual building explorer
 
virtual building explorer
virtual building explorervirtual building explorer
virtual building explorer
 
JMaloney (1) recommendation
JMaloney (1) recommendationJMaloney (1) recommendation
JMaloney (1) recommendation
 
RRR Red Bandana
RRR Red BandanaRRR Red Bandana
RRR Red Bandana
 
Address ua
Address uaAddress ua
Address ua
 
H
HH
H
 
Pomiar pr
Pomiar prPomiar pr
Pomiar pr
 
Warren buffet(ch)
Warren buffet(ch)Warren buffet(ch)
Warren buffet(ch)
 

Semelhante a Sudo is no longer enough

Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...
Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...
Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...BeyondTrust
 
Integrating Hitachi ID Management Suite with WebSSO Systems
Integrating Hitachi ID Management Suite with WebSSO SystemsIntegrating Hitachi ID Management Suite with WebSSO Systems
Integrating Hitachi ID Management Suite with WebSSO SystemsHitachi ID Systems, Inc.
 
5 Ways to Keep Your Remote Desktop Secure
5 Ways to Keep Your Remote Desktop Secure5 Ways to Keep Your Remote Desktop Secure
5 Ways to Keep Your Remote Desktop SecureDirect Deals, LLC
 
Title Fedora Linux OS Access Control__20231104_222610_0000.pptx
Title Fedora Linux OS Access Control__20231104_222610_0000.pptxTitle Fedora Linux OS Access Control__20231104_222610_0000.pptx
Title Fedora Linux OS Access Control__20231104_222610_0000.pptxkaverizanzane1
 
Introduction to Gravitational Teleport
Introduction to Gravitational TeleportIntroduction to Gravitational Teleport
Introduction to Gravitational TeleportTeleport
 
2Windows Server Proposal for Dynamic SolarKelvin L.docx
2Windows Server Proposal for Dynamic SolarKelvin L.docx2Windows Server Proposal for Dynamic SolarKelvin L.docx
2Windows Server Proposal for Dynamic SolarKelvin L.docxtamicawaysmith
 
Locking Down Your Data: Best Practices for Database Security
Locking Down Your Data: Best Practices for Database SecurityLocking Down Your Data: Best Practices for Database Security
Locking Down Your Data: Best Practices for Database SecurityFredReynolds2
 
documentation for identity based secure distrbuted data storage schemes
documentation for identity based secure distrbuted data storage schemesdocumentation for identity based secure distrbuted data storage schemes
documentation for identity based secure distrbuted data storage schemesSahithi Naraparaju
 
Srs document for identity based secure distributed data storage schemes
Srs document for identity based secure distributed data storage schemesSrs document for identity based secure distributed data storage schemes
Srs document for identity based secure distributed data storage schemesSahithi Naraparaju
 
Secure File Sharring-owncloud.pptx
Secure File Sharring-owncloud.pptxSecure File Sharring-owncloud.pptx
Secure File Sharring-owncloud.pptxAgusto Sipahutar
 
Client Server Network Security
Client Server Network SecurityClient Server Network Security
Client Server Network SecurityMithilDoshi1
 
Lecture 11 managing the network
Lecture 11 managing the networkLecture 11 managing the network
Lecture 11 managing the networkWiliam Ferraciolli
 
access-control-week-3
access-control-week-3access-control-week-3
access-control-week-3jemtallon
 
Planning Optimal Lotus Quickr services for Portal (J2EE) Deployments
Planning Optimal Lotus Quickr services for Portal (J2EE) DeploymentsPlanning Optimal Lotus Quickr services for Portal (J2EE) Deployments
Planning Optimal Lotus Quickr services for Portal (J2EE) DeploymentsStuart McIntyre
 
Attivio Active Security Technical Brief
Attivio Active Security Technical BriefAttivio Active Security Technical Brief
Attivio Active Security Technical BriefAttivio
 
Running head Identifying Potential Malicious Attacks1IDEN.docx
Running head Identifying Potential Malicious Attacks1IDEN.docxRunning head Identifying Potential Malicious Attacks1IDEN.docx
Running head Identifying Potential Malicious Attacks1IDEN.docxcowinhelen
 
Successful Enterprise Single Sign-on: Addressing Deployment Challenges
Successful Enterprise Single Sign-on: Addressing Deployment ChallengesSuccessful Enterprise Single Sign-on: Addressing Deployment Challenges
Successful Enterprise Single Sign-on: Addressing Deployment ChallengesHitachi ID Systems, Inc.
 
A Secured Cloud Data Storage with Access Privilages
A Secured Cloud Data Storage with Access PrivilagesA Secured Cloud Data Storage with Access Privilages
A Secured Cloud Data Storage with Access Privilagesijeei-iaes
 
Benefits of Switching to Virtualization
Benefits of Switching to VirtualizationBenefits of Switching to Virtualization
Benefits of Switching to VirtualizationTyrone Systems
 

Semelhante a Sudo is no longer enough (20)

Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...
Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...
Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...
 
Totumdocs DMS
Totumdocs DMSTotumdocs DMS
Totumdocs DMS
 
Integrating Hitachi ID Management Suite with WebSSO Systems
Integrating Hitachi ID Management Suite with WebSSO SystemsIntegrating Hitachi ID Management Suite with WebSSO Systems
Integrating Hitachi ID Management Suite with WebSSO Systems
 
5 Ways to Keep Your Remote Desktop Secure
5 Ways to Keep Your Remote Desktop Secure5 Ways to Keep Your Remote Desktop Secure
5 Ways to Keep Your Remote Desktop Secure
 
Title Fedora Linux OS Access Control__20231104_222610_0000.pptx
Title Fedora Linux OS Access Control__20231104_222610_0000.pptxTitle Fedora Linux OS Access Control__20231104_222610_0000.pptx
Title Fedora Linux OS Access Control__20231104_222610_0000.pptx
 
Introduction to Gravitational Teleport
Introduction to Gravitational TeleportIntroduction to Gravitational Teleport
Introduction to Gravitational Teleport
 
2Windows Server Proposal for Dynamic SolarKelvin L.docx
2Windows Server Proposal for Dynamic SolarKelvin L.docx2Windows Server Proposal for Dynamic SolarKelvin L.docx
2Windows Server Proposal for Dynamic SolarKelvin L.docx
 
Locking Down Your Data: Best Practices for Database Security
Locking Down Your Data: Best Practices for Database SecurityLocking Down Your Data: Best Practices for Database Security
Locking Down Your Data: Best Practices for Database Security
 
documentation for identity based secure distrbuted data storage schemes
documentation for identity based secure distrbuted data storage schemesdocumentation for identity based secure distrbuted data storage schemes
documentation for identity based secure distrbuted data storage schemes
 
Srs document for identity based secure distributed data storage schemes
Srs document for identity based secure distributed data storage schemesSrs document for identity based secure distributed data storage schemes
Srs document for identity based secure distributed data storage schemes
 
Secure File Sharring-owncloud.pptx
Secure File Sharring-owncloud.pptxSecure File Sharring-owncloud.pptx
Secure File Sharring-owncloud.pptx
 
Client Server Network Security
Client Server Network SecurityClient Server Network Security
Client Server Network Security
 
Lecture 11 managing the network
Lecture 11 managing the networkLecture 11 managing the network
Lecture 11 managing the network
 
access-control-week-3
access-control-week-3access-control-week-3
access-control-week-3
 
Planning Optimal Lotus Quickr services for Portal (J2EE) Deployments
Planning Optimal Lotus Quickr services for Portal (J2EE) DeploymentsPlanning Optimal Lotus Quickr services for Portal (J2EE) Deployments
Planning Optimal Lotus Quickr services for Portal (J2EE) Deployments
 
Attivio Active Security Technical Brief
Attivio Active Security Technical BriefAttivio Active Security Technical Brief
Attivio Active Security Technical Brief
 
Running head Identifying Potential Malicious Attacks1IDEN.docx
Running head Identifying Potential Malicious Attacks1IDEN.docxRunning head Identifying Potential Malicious Attacks1IDEN.docx
Running head Identifying Potential Malicious Attacks1IDEN.docx
 
Successful Enterprise Single Sign-on: Addressing Deployment Challenges
Successful Enterprise Single Sign-on: Addressing Deployment ChallengesSuccessful Enterprise Single Sign-on: Addressing Deployment Challenges
Successful Enterprise Single Sign-on: Addressing Deployment Challenges
 
A Secured Cloud Data Storage with Access Privilages
A Secured Cloud Data Storage with Access PrivilagesA Secured Cloud Data Storage with Access Privilages
A Secured Cloud Data Storage with Access Privilages
 
Benefits of Switching to Virtualization
Benefits of Switching to VirtualizationBenefits of Switching to Virtualization
Benefits of Switching to Virtualization
 

Último

New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 

Último (20)

New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 

Sudo is no longer enough

  • 1. WHITE PAPER PRIVILEGED ACCESS MANAGEMENT WHY SUDO IS NO LONGER ENOUGH Fox Technologies, Inc. | www.foxt.com | sales@foxt.com | 616.438.0840
  • 2. Privileged Access Management: Why Sudo Is No Longer Enough Fox Technologies, Inc. | www.foxt.com | sales@foxt.com | 616.438.0840 2 Sudo is a free open-source access control tool that requires costly and labor-intensive custom configuration to meet privilege access management and compliance requirements. Sudo may be a reasonable solution for controlling privileged accounts for organizations with small server infrastructures, but it lacks the administration efficiencies, architectural vision, and security-related compliance requirements that are needed to effectively protect critical assets for organizations running hundreds and thousands of diverse Unix and Linux servers. There are six primary challenges with using sudo to control privileged accounts: First, sudo lacks efficient, centralized administration. System administrators can spend considerable time building and distributing sudoers files across the server estates. Sudo lacks the ability to easily put servers into local categories, classify users by various roles, and define the associated access rules, methods readily available through the latest privileged access management solutions on the market. The point is that it does not integrate well with Identity Management systems. Second, sudo introduces a security risk because it is controlled by local files. The burden is on the security admins to distribute these files appropriately. To do the distribution well, each server typically needs to have a unique file, but in most cases, shortcuts are taken by administrators, which results in giving administrative users too much privilege. As well, the sudo configuration file is stored in a way that local administrators could easily make modifications… a big security risk. Third, sudo may create a compliance issue. The distributed sudo conf files are not liked by auditors because they utilize “static trust”. The sudo configuration files need to be secured. Organizations using sudo may have problems passing audits because of this. Fourth, organizations using sudo must be able to distribute the file. Regardless of the methodology the distribution method must be maintained, resulting in hidden costs. Fifth, sudo does not inherently provide the ability to link multi- factor authentication as part of the privileged user authorization process. Elevating the authentication requirements in order to elevate privilege provides greater flexibility in the methods used to authenticate any given user, based on the access request parameters. There are other options to sudo for controlling privileged account access. A good example is the solution from Fox Technologies, BoKS ServerControl. BoKS ServerControl transparently grants privileged access permissions, without sharing privileged account passwords. With BoKS, policies can be created that adapt to the circumstanced based on the factors such as: who is asking, from where, to where, using what protocol, when, what they want to do. FollowingisacomparisonbetweenSudoandBoKSServerControl’s privileged access management capabilities: Privileged Access Management: Why Sudo Is No Longer Enough The new privileged access management solutions available on the market today provide highly efficient and effective alternatives to sudo. Using these modern approaches, you will be able to reduce the risk of insider fraud, streamline regulatory compliance, and greatly reduce the effort required to administer your server estates.
  • 3. Privileged Access Management: Why Sudo Is No Longer Enough Fox Technologies, Inc. | www.foxt.com | sales@foxt.com | 616.438.0840 3 OpenWare/Sudo BoKS ServerControl Access is allowed if the local sudoers file permits it, unless configured to only use LDAP. This could create a security risk. There is no access to privileged accounts unless a fine-grained access rule is defined and then granted in real-time by FoxT ServerControl. Sudoers config files must be manually copied to each local machine (or the files must be transfer periodically) for any change. Can be viewed as “static trust” by auditors, which is undesirable. Using sudo, an admin can create a method for each host to get the file it needs with “least privilege”, but it isn’t automatic, and it isn’t easy. Access policies reside in a central database and updates are almost instantaneous. Enables organizations to pass audits since the local trust relationships do not reside in operating system files that could then be exploited and create a security risk. The default with sudo is to put user activity logs on the local server. You could configure sudo to send logs to remote server, but that requires configuration effort and it is more complex. Audit log are automatically stored on the master security server in a directory only readable by root. Most importantly, audit logs are stored in a way that local administrators cannot modify them. Statically defined permissions. If and when an access policy is changed by security officers, it is then available to all FoxT protected servers immediately. As well, authorization/access permissions adapt based on time of day, day of week, who is making request, etc. Cumbersome to implement, manage, and maintain. The BoKS system is managed centrally and changes are immediately implemented throughout the domain. System admin doesn’t spend hours building and distributing sudoers files. Simple method of creating and managing access routes. Regular updates to new functionality under maintenance programs. Control of sudoers file may not be limited by privilege. This is a problem where a server is running critical applications, and sudo controls which privileged commands can be run against privileged data. If the control is the sudoers file, then the control issues are: • Who has the right to update the file? • Logging of file update • Link to change management processes • Versioning of file • Exclusion by authority and role to RW file • Access to RW the file on the server by some other priv. route (i.e. su) BoKS centrally controls the authorization to utilize privileged accounts, without sharing the privileged account password, based on fine-grained access rules. In addition, administration of these authorizations is separately controlled with granular sub-administration.
  • 4. Privileged Access Management: Why Sudo Is No Longer Enough Fox Technologies, Inc. | www.foxt.com | sales@foxt.com | 616.438.0840 4 While sudo provides an adequate method for privileged access management in small server estates, it is a cumbersome utility with the potential to create increased exposure to insider fraud for organizations trying to control access across large, diverse server infrastructures. In addition to requiring highly paid system administrators to spend a great deal of time building, and distributing sudoers files, sudo also forces you to rely on the individual expertise of your system administrator to plan and implement sudo in such a way that provides “least privileges”. The new privileged access management solutions available on the market today provide highly efficient and effective alternatives to sudo. Using these modern approaches, you will be able to reduce the risk of insider fraud, streamline regulatory compliance, and greatly reduce the effort required to administer your server estates. ABOUT FOX TECHNOLOGIES Fox Technologies, Inc. helps companies protect corporate information assets, simplify compliance and streamline administration with an award-winning access management and privileged account control solution. Our access management software centrally enforces granular access entitlements in real time across diverse server environments. Copyright © 2014 FoxT. All rights reserved. FoxT logo is a trademark of FoxT, Inc. Other product and company names herein may be registered trademarks and trademarks of their respective owners.