- Computer security still relies on usernames and passwords for authentication and user/group IDs for authorization, leaving systems vulnerable to attackers who gain administrator-level access.
- Privileged Identity Management (PIM) systems like CA Privileged Identity Manager were introduced to control administrator access by granting privileged access only according to predefined protocols.
- CA Privileged Identity Manager uses kernel-level syscall intercepts and a two-factor user identification model (the original logon identity plus the current UNIX identity) to block even root-level access compromises, ensuring that only the originally logged-in user can access their private data, even if another user gains root/Administrator access.
Controlling the Core
Regardless of whether an application solution suite is hosted on premise, in the cloud or some combination of the two, someone somewhere still needs to access server space to perform the basic functions of installation, configuration, and maintenance. Of course in cloud space this may be somebody else's problem, while in on-premise space the responsibility may be squarely on your shoulders.
Computer security has not changed much in the past generations of hardware spinning and operating system re-inventing. The current access model still uses the same authentication components of something you are, something you have, or something you know, with the most basic and easiest offering being a username and password combination. On the authorization front we still have user and group IDs for UNIX and a plethora of fine-grained pre-defined access rights for Microsoft Windows. While the standard tried-and-true resident security systems are quite good for blocking aberrant access at most levels, every operating system has one security hole that is the holy grail of rogue access. On UNIX this is root and on Microsoft Windows this is Administrator. Sure, the names can change to protect the innocent (renaming Administrator, for example), but once kernel-level access has been attained then the world is the infiltrator's oyster, to be consumed slowly and with savor.
In the not too distant past, waves of technologies were introduced to audit the activity of key players. It was believed that if one could review what happened during a malicious event then the exposure could be mitigated somewhat to recover assets and prevent future failures. Recording activity is a very good way to watch the good guys do good things for compliance auditability, but it does nothing to prevent the truly malicious administrator from just plain copying or wiping an entire system. Simply put, auditing is akin to watching a video of your 100 inch television walk out your front door with absolutely no power to block the exit.
To counter the audit-only model and bring a scoped limitation to sensitive account access, CA Privileged Identity Manager (PIM) was introduced. The term PIM has seen several iterations, from Shared Account Management (SAM) to Privileged Access Management (PAM) and back to PIM. But, while the acronyms have changed, the concept has remained the same. Basically, grant uber access to those users that require such access, but control the granting according to a pre-defined protocol.
In the UNIX world this means that the root user has the ability to log in as root, but only if someone else agrees to, or grants, the permission to do so. Since multiple administrators may need to access the root account, the account is known as being "shared"; hence the Shared as in the SAM acronym.
The PIM model, then, gives a user the key to the front door, a locked closet or safe, and allows that user to access the facility. You may have multiple users with the same key in the same space at the same time, but proper monitoring (auditing, recording) will show what each individual is doing.
Now, in all honesty, UNIX and Linux have done a fine job of removing the user named "root" from the requirement of being directly accessed. Specifically, the current secure shell (SSH) offerings can prohibit direct root logon, and the sudo (superuser do) facility enables a "common" user to perform root-level functions simply by issuing agreed upon, or granted, commands. SELinux is in the offering, as well. And, as mentioned, Microsoft Windows has a very nice array of roles that may be assigned to enable users to have quite a range of privileges.
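The two UNIX controls just named can be checked mechanically. The following is an added example, not code from the article or from any vendor: it reads a constructed sshd_config (a weak version beside the corrected one) to report whether direct root logon is blocked, and reads a constructed sudoers fragment to list which commands each user has been granted. The sudoers parser is deliberately simplified to one-line user specs (user host = (runas) command, ...) and ignores aliases, includes and Defaults lines.

```python
"""Check the two resident UNIX controls: sshd PermitRootLogin and sudoers grants.

Added example (not from the article or any vendor). All configuration text
below is constructed for the demonstration.
"""
import re

WEAK_SSHD = """# constructed sshd_config (weak: root may log on directly)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_SSHD = """# constructed sshd_config (corrected: no direct root logon)
Port 22
PermitRootLogin no
PasswordAuthentication no
"""

SUDOERS = """# constructed sudoers: granted commands per user
alice ALL=(root) /usr/sbin/service httpd restart, /usr/bin/systemctl status httpd
bob   ALL=(ALL) ALL
carol ALL=(root) NOPASSWD: /usr/bin/tail /var/log/messages
"""


def permit_root_login(cfg: str) -> str:
    """Return the effective PermitRootLogin value (lower-cased).

    sshd honours the first occurrence of a keyword; when the keyword is
    absent the OpenSSH default is 'prohibit-password'.
    """
    for line in cfg.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.match(r"(?i)permitrootlogin\s+(\S+)", line)
        if m:
            return m.group(1).lower()
    return "prohibit-password"


def direct_root_logon_blocked(cfg: str) -> bool:
    """Only 'no' blocks every form of direct root logon; 'prohibit-password'
    still permits key-based root sessions."""
    return permit_root_login(cfg) == "no"


# user  host = (runas) commands      (simplified one-line user spec)
SPEC = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")


def sudo_grants(sudoers: str) -> dict:
    """Map user -> list of granted commands; the literal 'ALL' is unrestricted."""
    grants = {}
    for line in sudoers.splitlines():
        line = line.split("#", 1)[0].strip()
        m = SPEC.match(line) if line else None
        if not m:
            continue
        user, _host, _runas, cmds = m.groups()
        cmds = cmds.replace("NOPASSWD:", "").strip()   # tag, not a command
        grants.setdefault(user, []).extend(c.strip() for c in cmds.split(","))
    return grants


def unrestricted_sudo_users(sudoers: str) -> list:
    """Users whose sudo rule amounts to 'become root for anything'."""
    return sorted(u for u, cmds in sudo_grants(sudoers).items() if "ALL" in cmds)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD), ("hardened", HARDENED_SSHD)):
        print(f"{name}: PermitRootLogin={permit_root_login(cfg)} "
              f"blocked={direct_root_logon_blocked(cfg)}")
    print("sudo grants:", sudo_grants(SUDOERS))
    print("unrestricted sudo users:", unrestricted_sudo_users(SUDOERS))
```

Running the block prints that the weak file leaves direct root logon open, the corrected file blocks it, and that only bob holds an unrestricted (ALL) sudo grant, which is the case to review first, since it is root access under another name.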
So, we now have both UNIX and Microsoft Windows with administrative scope-limiting resident security system abilities, a PIM model to limit uber access in addition to the resident security model, and monitoring to record all activities. Great!
Well, no.
The preceding keeps honest people honest but does not address what happens when yet one more hole is exposed. And, yes, the axiom of all software is that "there is always one more bug or one more hole." So, whether it is a buffer overflow exposure or some other obscure entry point, you can be assured that someone somewhere will find something that is not good.
Zero-day attacks are no longer infrequent but sufficiently common to finally make exposed financial data a Dark Web commodity. And, yes, phishing is a primary entry point; hence the comment about PIM and recording keeping honest people honest.
CA Technologies (CA) Privileged Identity Manager is a server-centric security offering that has the power to scope root on UNIX and Administrator on Microsoft Windows. The operative words here are "server-centric" and "scope". Simply put, the server component of CA Privileged Identity Manager works at a level that will block even a root shell access compromise.
The way this works is not magic but is based on kernel-level system call (syscall) intercepts combined with a two-factor user identification model: the identity captured at the initial logon is tracked alongside the identity the operating system currently believes the shell to be.
Upon server logon, CA Privileged Identity Manager captures the logging-in user and writes that datum to a private internal table. The user noted in the initial logon event is the user that is then checked against resource access authorizations.
For example, if Alice logs on and su's to root, CA Privileged Identity Manager will know the user as Alice while UNIX will know the user as root. So, for all UNIX activities, the current shell is treated as root. But, and this is a very big and very protective but, if there are private data that should only be accessed by Alice then any other "root" user will not have the ability to access those data. Even if a "true root" logs in, that user will not be able to access Alice's data.
Where this multi-level access scoping is very important is in the situation where truly private data should be maintained as truly private data. Just because a shell can rationally gain access to or usurp kernel-level access should not mean that the shell should be able to access protected data.
Think about it.
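The logon-identity model described in the preceding paragraphs can be made concrete with a small simulation. This is an added example and not CA's code or a description of its internals: it models a session table that records the user from the initial logon event, an su operation that changes only the effective UNIX identity, and an access check that decides protected resources on the recorded logon identity while leaving unprotected resources under ordinary UNIX owner/root semantics. The resource table, file paths and user names are constructed for the demonstration.

```python
"""Simulation of access scoping on the original logon identity.

Added example, not vendor code. A real product does this with kernel-level
syscall intercepts; here the same decision is modelled in plain Python.
"""
from dataclasses import dataclass, field


@dataclass
class Session:
    logon_user: str          # identity captured at the initial logon event
    effective_user: str      # identity UNIX currently runs the shell as
    trail: list = field(default_factory=list)   # recorded identity switches

    def su(self, target: str) -> None:
        """Model su/sudo: the effective identity changes, logon_user never does."""
        self.trail.append((self.effective_user, target))
        self.effective_user = target


# Constructed policy: protected resource -> logon identities allowed to read it.
PROTECTED = {
    "/srv/hr/alice/payroll.xlsx": {"alice"},
    "/srv/finance/ledger.db": {"alice", "carol"},
}

# Constructed owner table for ordinary (unprotected) files.
UNIX_OWNER = {
    "/home/bob/notes.txt": "bob",
    "/etc/shadow": "root",
}


def logon(user: str) -> Session:
    """Model the logon hook: record the logging-in user in the session table."""
    return Session(logon_user=user, effective_user=user)


def can_read(session: Session, path: str) -> bool:
    """Access decision as the intercept would make it for a read of `path`."""
    if path in PROTECTED:
        # Protected data: check the identity recorded at logon, not the
        # current uid, so a root shell obtained via su (or otherwise) does
        # not widen access.
        return session.logon_user in PROTECTED[path]
    owner = UNIX_OWNER.get(path)
    if owner is None:
        return False
    # Unprotected data keeps ordinary UNIX semantics: root or the owner reads.
    return session.effective_user in ("root", owner)


def scenario() -> dict:
    """Alice and Bob each su to root; a third session logs on directly as root."""
    alice = logon("alice")
    alice.su("root")
    bob = logon("bob")
    bob.su("root")
    true_root = logon("root")
    return {
        "alice_as_root_reads_own_data": can_read(alice, "/srv/hr/alice/payroll.xlsx"),
        "bob_as_root_reads_alice_data": can_read(bob, "/srv/hr/alice/payroll.xlsx"),
        "true_root_reads_alice_data": can_read(true_root, "/srv/hr/alice/payroll.xlsx"),
        "bob_as_root_reads_shadow": can_read(bob, "/etc/shadow"),
        "alice_as_root_reads_bob_notes": can_read(alice, "/home/bob/notes.txt"),
        "bob_trail": bob.trail,
    }


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

The three sessions all end up as UNIX root, and all three read /etc/shadow; only the session whose logon identity is alice reads Alice's payroll file, and the direct root logon is refused just as Bob's is. The `trail` list is the audit side of the model: it shows who became root, which is exactly what recording alone gives you, while `can_read` is the part that actually blocks the exit.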
In closing, the above discussed a bit using UNIX examples, but as goes UNIX so goes Microsoft Windows. The very same security offerings are common in both operating systems, so it is possible to ensure that Alice's data are protected on both UNIX and Microsoft Windows.
And, yes, CA Technologies has a PIM offering, as do CyberArk, Lieberman, and others. But this discussion deals with controlling the core data access, which is fundamental to all server suites and should be considered regardless of the PIM provider in use.
Dennis Pierce
IT Security Architect