SlideShare a Scribd company logo

Sudo is no longer enough

Ryan Gallavin
Ryan Gallavin

The new privileged access management solutions available on the market today provide highly efficient and effective alternatives to sudo. Using these modern approaches, you will be able to reduce the risk of insider fraud, streamline regulatory compliance, and greatly reduce the effort required to administer your server estates.

Technology
1 of 4
Download to read offline
WHITE PAPER PRIVILEGED ACCESS MANAGEMENT WHY SUDO IS NO LONGER ENOUGH Fox Technologies, Inc. | www.foxt.com | sales@foxt.com | 616.438.0840
Privileged Access Management: Why Sudo Is No Longer Enough Fox Technologies, Inc. | www.foxt.com | sales@foxt.com | 616.438.0840 2 Sudo is a free open-source access control tool that requires costly and labor-intensive custom configuration to meet privilege access management and compliance requirements. Sudo may be a reasonable solution for controlling privileged accounts for organizations with small server infrastructures, but it lacks the administration efficiencies, architectural vision, and security-related compliance requirements that are needed to effectively protect critical assets for organizations running hundreds and thousands of diverse Unix and Linux servers. There are six primary challenges with using sudo to control privileged accounts: First, sudo lacks efficient, centralized administration. System administrators can spend considerable time building and distributing sudoers files across the server estates. Sudo lacks the ability to easily put servers into local categories, classify users by various roles, and define the associated access rules, methods readily available through the latest privileged access management solutions on the market. The point is that it does not integrate well with Identity Management systems. Second, sudo introduces a security risk because it is controlled by local files. The burden is on the security admins to distribute these files appropriately. To do the distribution well, each server typically needs to have a unique file, but in most cases, shortcuts are taken by administrators, which results in giving administrative users too much privilege. As well, the sudo configuration file is stored in a way that local administrators could easily make modifications… a big security risk. Third, sudo may create a compliance issue. The distributed sudo conf files are not liked by auditors because they utilize “static trust”. The sudo configuration files need to be secured. Organizations using sudo may have problems passing audits because of this. Fourth, organizations using sudo must be able to distribute the file. Regardless of the methodology the distribution method must be maintained, resulting in hidden costs. Fifth, sudo does not inherently provide the ability to link multi- factor authentication as part of the privileged user authorization process. Elevating the authentication requirements in order to elevate privilege provides greater flexibility in the methods used to authenticate any given user, based on the access request parameters. There are other options to sudo for controlling privileged account access. A good example is the solution from Fox Technologies, BoKS ServerControl. BoKS ServerControl transparently grants privileged access permissions, without sharing privileged account passwords. With BoKS, policies can be created that adapt to the circumstanced based on the factors such as: who is asking, from where, to where, using what protocol, when, what they want to do. FollowingisacomparisonbetweenSudoandBoKSServerControl’s privileged access management capabilities: Privileged Access Management: Why Sudo Is No Longer Enough The new privileged access management solutions available on the market today provide highly efficient and effective alternatives to sudo. Using these modern approaches, you will be able to reduce the risk of insider fraud, streamline regulatory compliance, and greatly reduce the effort required to administer your server estates.
Privileged Access Management: Why Sudo Is No Longer Enough Fox Technologies, Inc. | www.foxt.com | sales@foxt.com | 616.438.0840 3 OpenWare/Sudo BoKS ServerControl Access is allowed if the local sudoers file permits it, unless configured to only use LDAP. This could create a security risk. There is no access to privileged accounts unless a fine-grained access rule is defined and then granted in real-time by FoxT ServerControl. Sudoers config files must be manually copied to each local machine (or the files must be transfer periodically) for any change. Can be viewed as “static trust” by auditors, which is undesirable. Using sudo, an admin can create a method for each host to get the file it needs with “least privilege”, but it isn’t automatic, and it isn’t easy. Access policies reside in a central database and updates are almost instantaneous. Enables organizations to pass audits since the local trust relationships do not reside in operating system files that could then be exploited and create a security risk. The default with sudo is to put user activity logs on the local server. You could configure sudo to send logs to remote server, but that requires configuration effort and it is more complex. Audit log are automatically stored on the master security server in a directory only readable by root. Most importantly, audit logs are stored in a way that local administrators cannot modify them. Statically defined permissions. If and when an access policy is changed by security officers, it is then available to all FoxT protected servers immediately. As well, authorization/access permissions adapt based on time of day, day of week, who is making request, etc. Cumbersome to implement, manage, and maintain. The BoKS system is managed centrally and changes are immediately implemented throughout the domain. System admin doesn’t spend hours building and distributing sudoers files. Simple method of creating and managing access routes. Regular updates to new functionality under maintenance programs. Control of sudoers file may not be limited by privilege. This is a problem where a server is running critical applications, and sudo controls which privileged commands can be run against privileged data. If the control is the sudoers file, then the control issues are: • Who has the right to update the file? • Logging of file update • Link to change management processes • Versioning of file • Exclusion by authority and role to RW file • Access to RW the file on the server by some other priv. route (i.e. su) BoKS centrally controls the authorization to utilize privileged accounts, without sharing the privileged account password, based on fine-grained access rules. In addition, administration of these authorizations is separately controlled with granular sub-administration.
Privileged Access Management: Why Sudo Is No Longer Enough Fox Technologies, Inc. | www.foxt.com | sales@foxt.com | 616.438.0840 4 While sudo provides an adequate method for privileged access management in small server estates, it is a cumbersome utility with the potential to create increased exposure to insider fraud for organizations trying to control access across large, diverse server infrastructures. In addition to requiring highly paid system administrators to spend a great deal of time building, and distributing sudoers files, sudo also forces you to rely on the individual expertise of your system administrator to plan and implement sudo in such a way that provides “least privileges”. The new privileged access management solutions available on the market today provide highly efficient and effective alternatives to sudo. Using these modern approaches, you will be able to reduce the risk of insider fraud, streamline regulatory compliance, and greatly reduce the effort required to administer your server estates. ABOUT FOX TECHNOLOGIES Fox Technologies, Inc. helps companies protect corporate information assets, simplify compliance and streamline administration with an award-winning access management and privileged account control solution. Our access management software centrally enforces granular access entitlements in real time across diverse server environments. Copyright © 2014 FoxT. All rights reserved. FoxT logo is a trademark of FoxT, Inc. Other product and company names herein may be registered trademarks and trademarks of their respective owners.

Recommended

0828 Windows Server 2008 新安全功能探討
0828 Windows Server 2008 新安全功能探討0828 Windows Server 2008 新安全功能探討
0828 Windows Server 2008 新安全功能探討Timothy Chen
 
Audit observation
Audit observationAudit observation
Audit observationShaswat Khatiwada
 
PCI-DSS Compliance Using the Hitachi ID Management Suite
PCI-DSS Compliance Using the Hitachi ID Management SuitePCI-DSS Compliance Using the Hitachi ID Management Suite
PCI-DSS Compliance Using the Hitachi ID Management SuiteHitachi ID Systems, Inc.
 
Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015
Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015
Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015Jan Ketil Skanke
 
DLP and MDM Datasheet
DLP and MDM DatasheetDLP and MDM Datasheet
DLP and MDM DatasheetCyd Isaak Francisco
 
Fasoo Secure Document (FSD) for SharePoint
Fasoo Secure Document (FSD) for SharePoint Fasoo Secure Document (FSD) for SharePoint
Fasoo Secure Document (FSD) for SharePoint Fasoo
 
Fasoo Secure Document for IBM FileNet
Fasoo Secure Document for IBM FileNetFasoo Secure Document for IBM FileNet
Fasoo Secure Document for IBM FileNetFasoo
 
The Essentials | Privileged Access Management
The Essentials | Privileged Access ManagementThe Essentials | Privileged Access Management
The Essentials | Privileged Access ManagementRyan Gallavin
 

Recommended

0828 Windows Server 2008 新安全功能探討
0828 Windows Server 2008 新安全功能探討0828 Windows Server 2008 新安全功能探討
0828 Windows Server 2008 新安全功能探討Timothy Chen
 
Audit observation
Audit observationAudit observation
Audit observationShaswat Khatiwada
 
PCI-DSS Compliance Using the Hitachi ID Management Suite
PCI-DSS Compliance Using the Hitachi ID Management SuitePCI-DSS Compliance Using the Hitachi ID Management Suite
PCI-DSS Compliance Using the Hitachi ID Management SuiteHitachi ID Systems, Inc.
 
Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015
Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015
Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015Jan Ketil Skanke
 
DLP and MDM Datasheet
DLP and MDM DatasheetDLP and MDM Datasheet
DLP and MDM DatasheetCyd Isaak Francisco
 
Fasoo Secure Document (FSD) for SharePoint
Fasoo Secure Document (FSD) for SharePoint Fasoo Secure Document (FSD) for SharePoint
Fasoo Secure Document (FSD) for SharePoint Fasoo
 
Fasoo Secure Document for IBM FileNet
Fasoo Secure Document for IBM FileNetFasoo Secure Document for IBM FileNet
Fasoo Secure Document for IBM FileNetFasoo
 
The Essentials | Privileged Access Management
The Essentials | Privileged Access ManagementThe Essentials | Privileged Access Management
The Essentials | Privileged Access ManagementRyan Gallavin
 
CV WS
CV WSCV WS
CV WSZahid Tyagi
 
Capstone project
Capstone projectCapstone project
Capstone projectDawit Bogale, MCE, PE, PMP
 
Case report javeed
Case report javeedCase report javeed
Case report javeedjaveed baig
 
FoxT BoKS ServerControl Full Specifications Document
FoxT BoKS ServerControl Full Specifications DocumentFoxT BoKS ServerControl Full Specifications Document
FoxT BoKS ServerControl Full Specifications DocumentRyan Gallavin
 
PIM, PAM, PUM: Best Practices for Unix/Linux Privileged Identity & Access Man...
PIM, PAM, PUM: Best Practices for Unix/Linux Privileged Identity & Access Man...PIM, PAM, PUM: Best Practices for Unix/Linux Privileged Identity & Access Man...
PIM, PAM, PUM: Best Practices for Unix/Linux Privileged Identity & Access Man...Ryan Gallavin
 
protocol ppt
protocol pptprotocol ppt
protocol pptjaveed baig
 
Kartell presentation
Kartell presentationKartell presentation
Kartell presentationKathy Knox
 
Javeed case presentation op poisoning
Javeed case presentation op poisoningJaveed case presentation op poisoning
Javeed case presentation op poisoningjaveed baig
 
Graphisoft virtual building explorer
Graphisoft virtual building explorerGraphisoft virtual building explorer
Graphisoft virtual building exploreralessiobacchin
 
virtual building explorer
virtual building explorervirtual building explorer
virtual building exploreralessiobacchin
 
JMaloney (1) recommendation
JMaloney (1) recommendationJMaloney (1) recommendation
JMaloney (1) recommendationJoseph Maloney
 
RRR Red Bandana
RRR Red BandanaRRR Red Bandana
RRR Red BandanaLogan Visnick
 
Address ua
Address uaAddress ua
Address uaSvetlana Artyukhova
 
H
HH
Heqraa
 
Pomiar pr
Pomiar prPomiar pr
Pomiar prMaciej Grzywacz
 
Warren buffet(ch)
Warren buffet(ch)Warren buffet(ch)
Warren buffet(ch)健興 郭
 
Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...
Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...
Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...BeyondTrust
 
Totumdocs DMS
Totumdocs DMSTotumdocs DMS
Totumdocs DMSYogesh Tiwari
 
Integrating Hitachi ID Management Suite with WebSSO Systems
Integrating Hitachi ID Management Suite with WebSSO SystemsIntegrating Hitachi ID Management Suite with WebSSO Systems
Integrating Hitachi ID Management Suite with WebSSO SystemsHitachi ID Systems, Inc.
 
5 Ways to Keep Your Remote Desktop Secure
5 Ways to Keep Your Remote Desktop Secure5 Ways to Keep Your Remote Desktop Secure
5 Ways to Keep Your Remote Desktop SecureDirect Deals, LLC
 
Title Fedora Linux OS Access Control__20231104_222610_0000.pptx
Title Fedora Linux OS Access Control__20231104_222610_0000.pptxTitle Fedora Linux OS Access Control__20231104_222610_0000.pptx
Title Fedora Linux OS Access Control__20231104_222610_0000.pptxkaverizanzane1
 
Introduction to Gravitational Teleport
Introduction to Gravitational TeleportIntroduction to Gravitational Teleport
Introduction to Gravitational TeleportTeleport
 

More Related Content

Viewers also liked

Case report javeed
Case report javeedCase report javeed
Case report javeedjaveed baig
 
FoxT BoKS ServerControl Full Specifications Document
FoxT BoKS ServerControl Full Specifications DocumentFoxT BoKS ServerControl Full Specifications Document
FoxT BoKS ServerControl Full Specifications DocumentRyan Gallavin
 
PIM, PAM, PUM: Best Practices for Unix/Linux Privileged Identity & Access Man...
PIM, PAM, PUM: Best Practices for Unix/Linux Privileged Identity & Access Man...PIM, PAM, PUM: Best Practices for Unix/Linux Privileged Identity & Access Man...
PIM, PAM, PUM: Best Practices for Unix/Linux Privileged Identity & Access Man...Ryan Gallavin
 
Kartell presentation
Kartell presentationKartell presentation
Kartell presentationKathy Knox
 
Javeed case presentation op poisoning
Javeed case presentation op poisoningJaveed case presentation op poisoning
Javeed case presentation op poisoningjaveed baig
 
Graphisoft virtual building explorer
Graphisoft virtual building explorerGraphisoft virtual building explorer
Graphisoft virtual building exploreralessiobacchin
 
virtual building explorer
virtual building explorervirtual building explorer
virtual building exploreralessiobacchin
 
JMaloney (1) recommendation
JMaloney (1) recommendationJMaloney (1) recommendation
JMaloney (1) recommendationJoseph Maloney
 
Warren buffet(ch)
Warren buffet(ch)Warren buffet(ch)
Warren buffet(ch)健興 郭
 

Viewers also liked (16)

CV WS
CV WSCV WS
CV WS
 
Capstone project
Capstone projectCapstone project
Capstone project
 
Case report javeed
Case report javeedCase report javeed
Case report javeed
 
FoxT BoKS ServerControl Full Specifications Document
FoxT BoKS ServerControl Full Specifications DocumentFoxT BoKS ServerControl Full Specifications Document
FoxT BoKS ServerControl Full Specifications Document
 
PIM, PAM, PUM: Best Practices for Unix/Linux Privileged Identity & Access Man...
PIM, PAM, PUM: Best Practices for Unix/Linux Privileged Identity & Access Man...PIM, PAM, PUM: Best Practices for Unix/Linux Privileged Identity & Access Man...
PIM, PAM, PUM: Best Practices for Unix/Linux Privileged Identity & Access Man...
 
protocol ppt
protocol pptprotocol ppt
protocol ppt
 
Kartell presentation
Kartell presentationKartell presentation
Kartell presentation
 
Javeed case presentation op poisoning
Javeed case presentation op poisoningJaveed case presentation op poisoning
Javeed case presentation op poisoning
 
Graphisoft virtual building explorer
Graphisoft virtual building explorerGraphisoft virtual building explorer
Graphisoft virtual building explorer
 
virtual building explorer
virtual building explorervirtual building explorer
virtual building explorer
 
JMaloney (1) recommendation
JMaloney (1) recommendationJMaloney (1) recommendation
JMaloney (1) recommendation
 
RRR Red Bandana
RRR Red BandanaRRR Red Bandana
RRR Red Bandana
 
Address ua
Address uaAddress ua
Address ua
 
H
HH
H
 
Pomiar pr
Pomiar prPomiar pr
Pomiar pr
 
Warren buffet(ch)
Warren buffet(ch)Warren buffet(ch)
Warren buffet(ch)
 

Similar to Sudo is no longer enough

Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...
Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...
Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...BeyondTrust
 
Integrating Hitachi ID Management Suite with WebSSO Systems
Integrating Hitachi ID Management Suite with WebSSO SystemsIntegrating Hitachi ID Management Suite with WebSSO Systems
Integrating Hitachi ID Management Suite with WebSSO SystemsHitachi ID Systems, Inc.
 
5 Ways to Keep Your Remote Desktop Secure
5 Ways to Keep Your Remote Desktop Secure5 Ways to Keep Your Remote Desktop Secure
5 Ways to Keep Your Remote Desktop SecureDirect Deals, LLC
 
Title Fedora Linux OS Access Control__20231104_222610_0000.pptx
Title Fedora Linux OS Access Control__20231104_222610_0000.pptxTitle Fedora Linux OS Access Control__20231104_222610_0000.pptx
Title Fedora Linux OS Access Control__20231104_222610_0000.pptxkaverizanzane1
 
Introduction to Gravitational Teleport
Introduction to Gravitational TeleportIntroduction to Gravitational Teleport
Introduction to Gravitational TeleportTeleport
 
2Windows Server Proposal for Dynamic SolarKelvin L.docx
2Windows Server Proposal for Dynamic SolarKelvin L.docx2Windows Server Proposal for Dynamic SolarKelvin L.docx
2Windows Server Proposal for Dynamic SolarKelvin L.docxtamicawaysmith
 
Locking Down Your Data: Best Practices for Database Security
Locking Down Your Data: Best Practices for Database SecurityLocking Down Your Data: Best Practices for Database Security
Locking Down Your Data: Best Practices for Database SecurityFredReynolds2
 
documentation for identity based secure distrbuted data storage schemes
documentation for identity based secure distrbuted data storage schemesdocumentation for identity based secure distrbuted data storage schemes
documentation for identity based secure distrbuted data storage schemesSahithi Naraparaju
 
Srs document for identity based secure distributed data storage schemes
Srs document for identity based secure distributed data storage schemesSrs document for identity based secure distributed data storage schemes
Srs document for identity based secure distributed data storage schemesSahithi Naraparaju
 
Secure File Sharring-owncloud.pptx
Secure File Sharring-owncloud.pptxSecure File Sharring-owncloud.pptx
Secure File Sharring-owncloud.pptxAgusto Sipahutar
 
Client Server Network Security
Client Server Network SecurityClient Server Network Security
Client Server Network SecurityMithilDoshi1
 
Lecture 11 managing the network
Lecture 11 managing the networkLecture 11 managing the network
Lecture 11 managing the networkWiliam Ferraciolli
 
access-control-week-3
access-control-week-3access-control-week-3
access-control-week-3jemtallon
 
Planning Optimal Lotus Quickr services for Portal (J2EE) Deployments
Planning Optimal Lotus Quickr services for Portal (J2EE) DeploymentsPlanning Optimal Lotus Quickr services for Portal (J2EE) Deployments
Planning Optimal Lotus Quickr services for Portal (J2EE) DeploymentsStuart McIntyre
 
Attivio Active Security Technical Brief
Attivio Active Security Technical BriefAttivio Active Security Technical Brief
Attivio Active Security Technical BriefAttivio
 
Running head Identifying Potential Malicious Attacks1IDEN.docx
Running head Identifying Potential Malicious Attacks1IDEN.docxRunning head Identifying Potential Malicious Attacks1IDEN.docx
Running head Identifying Potential Malicious Attacks1IDEN.docxcowinhelen
 
Successful Enterprise Single Sign-on: Addressing Deployment Challenges
Successful Enterprise Single Sign-on: Addressing Deployment ChallengesSuccessful Enterprise Single Sign-on: Addressing Deployment Challenges
Successful Enterprise Single Sign-on: Addressing Deployment ChallengesHitachi ID Systems, Inc.
 
A Secured Cloud Data Storage with Access Privilages
A Secured Cloud Data Storage with Access PrivilagesA Secured Cloud Data Storage with Access Privilages
A Secured Cloud Data Storage with Access Privilagesijeei-iaes
 
Benefits of Switching to Virtualization
Benefits of Switching to VirtualizationBenefits of Switching to Virtualization
Benefits of Switching to VirtualizationTyrone Systems
 

Similar to Sudo is no longer enough (20)

Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...
Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...
Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...
 
Totumdocs DMS
Totumdocs DMSTotumdocs DMS
Totumdocs DMS
 
Integrating Hitachi ID Management Suite with WebSSO Systems
Integrating Hitachi ID Management Suite with WebSSO SystemsIntegrating Hitachi ID Management Suite with WebSSO Systems
Integrating Hitachi ID Management Suite with WebSSO Systems
 
5 Ways to Keep Your Remote Desktop Secure
5 Ways to Keep Your Remote Desktop Secure5 Ways to Keep Your Remote Desktop Secure
5 Ways to Keep Your Remote Desktop Secure
 
Title Fedora Linux OS Access Control__20231104_222610_0000.pptx
Title Fedora Linux OS Access Control__20231104_222610_0000.pptxTitle Fedora Linux OS Access Control__20231104_222610_0000.pptx
Title Fedora Linux OS Access Control__20231104_222610_0000.pptx
 
Introduction to Gravitational Teleport
Introduction to Gravitational TeleportIntroduction to Gravitational Teleport
Introduction to Gravitational Teleport
 
2Windows Server Proposal for Dynamic SolarKelvin L.docx
2Windows Server Proposal for Dynamic SolarKelvin L.docx2Windows Server Proposal for Dynamic SolarKelvin L.docx
2Windows Server Proposal for Dynamic SolarKelvin L.docx
 
Locking Down Your Data: Best Practices for Database Security
Locking Down Your Data: Best Practices for Database SecurityLocking Down Your Data: Best Practices for Database Security
Locking Down Your Data: Best Practices for Database Security
 
documentation for identity based secure distrbuted data storage schemes
documentation for identity based secure distrbuted data storage schemesdocumentation for identity based secure distrbuted data storage schemes
documentation for identity based secure distrbuted data storage schemes
 
Srs document for identity based secure distributed data storage schemes
Srs document for identity based secure distributed data storage schemesSrs document for identity based secure distributed data storage schemes
Srs document for identity based secure distributed data storage schemes
 
Secure File Sharring-owncloud.pptx
Secure File Sharring-owncloud.pptxSecure File Sharring-owncloud.pptx
Secure File Sharring-owncloud.pptx
 
Client Server Network Security
Client Server Network SecurityClient Server Network Security
Client Server Network Security
 
Lecture 11 managing the network
Lecture 11 managing the networkLecture 11 managing the network
Lecture 11 managing the network
 
access-control-week-3
access-control-week-3access-control-week-3
access-control-week-3
 
Planning Optimal Lotus Quickr services for Portal (J2EE) Deployments
Planning Optimal Lotus Quickr services for Portal (J2EE) DeploymentsPlanning Optimal Lotus Quickr services for Portal (J2EE) Deployments
Planning Optimal Lotus Quickr services for Portal (J2EE) Deployments
 
Attivio Active Security Technical Brief
Attivio Active Security Technical BriefAttivio Active Security Technical Brief
Attivio Active Security Technical Brief
 
Running head Identifying Potential Malicious Attacks1IDEN.docx
Running head Identifying Potential Malicious Attacks1IDEN.docxRunning head Identifying Potential Malicious Attacks1IDEN.docx
Running head Identifying Potential Malicious Attacks1IDEN.docx
 
Successful Enterprise Single Sign-on: Addressing Deployment Challenges
Successful Enterprise Single Sign-on: Addressing Deployment ChallengesSuccessful Enterprise Single Sign-on: Addressing Deployment Challenges
Successful Enterprise Single Sign-on: Addressing Deployment Challenges
 
A Secured Cloud Data Storage with Access Privilages
A Secured Cloud Data Storage with Access PrivilagesA Secured Cloud Data Storage with Access Privilages
A Secured Cloud Data Storage with Access Privilages
 
Benefits of Switching to Virtualization
Benefits of Switching to VirtualizationBenefits of Switching to Virtualization
Benefits of Switching to Virtualization
 

Recently uploaded

Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 

Recently uploaded (20)

E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 

Sudo is no longer enough

  • 1. WHITE PAPER PRIVILEGED ACCESS MANAGEMENT WHY SUDO IS NO LONGER ENOUGH Fox Technologies, Inc. | www.foxt.com | sales@foxt.com | 616.438.0840
  • 2. Privileged Access Management: Why Sudo Is No Longer Enough Fox Technologies, Inc. | www.foxt.com | sales@foxt.com | 616.438.0840 2 Sudo is a free open-source access control tool that requires costly and labor-intensive custom configuration to meet privilege access management and compliance requirements. Sudo may be a reasonable solution for controlling privileged accounts for organizations with small server infrastructures, but it lacks the administration efficiencies, architectural vision, and security-related compliance requirements that are needed to effectively protect critical assets for organizations running hundreds and thousands of diverse Unix and Linux servers. There are six primary challenges with using sudo to control privileged accounts: First, sudo lacks efficient, centralized administration. System administrators can spend considerable time building and distributing sudoers files across the server estates. Sudo lacks the ability to easily put servers into local categories, classify users by various roles, and define the associated access rules, methods readily available through the latest privileged access management solutions on the market. The point is that it does not integrate well with Identity Management systems. Second, sudo introduces a security risk because it is controlled by local files. The burden is on the security admins to distribute these files appropriately. To do the distribution well, each server typically needs to have a unique file, but in most cases, shortcuts are taken by administrators, which results in giving administrative users too much privilege. As well, the sudo configuration file is stored in a way that local administrators could easily make modifications… a big security risk. Third, sudo may create a compliance issue. The distributed sudo conf files are not liked by auditors because they utilize “static trust”. The sudo configuration files need to be secured. Organizations using sudo may have problems passing audits because of this. Fourth, organizations using sudo must be able to distribute the file. Regardless of the methodology the distribution method must be maintained, resulting in hidden costs. Fifth, sudo does not inherently provide the ability to link multi- factor authentication as part of the privileged user authorization process. Elevating the authentication requirements in order to elevate privilege provides greater flexibility in the methods used to authenticate any given user, based on the access request parameters. There are other options to sudo for controlling privileged account access. A good example is the solution from Fox Technologies, BoKS ServerControl. BoKS ServerControl transparently grants privileged access permissions, without sharing privileged account passwords. With BoKS, policies can be created that adapt to the circumstanced based on the factors such as: who is asking, from where, to where, using what protocol, when, what they want to do. FollowingisacomparisonbetweenSudoandBoKSServerControl’s privileged access management capabilities: Privileged Access Management: Why Sudo Is No Longer Enough The new privileged access management solutions available on the market today provide highly efficient and effective alternatives to sudo. Using these modern approaches, you will be able to reduce the risk of insider fraud, streamline regulatory compliance, and greatly reduce the effort required to administer your server estates.
  • 3. Privileged Access Management: Why Sudo Is No Longer Enough Fox Technologies, Inc. | www.foxt.com | sales@foxt.com | 616.438.0840 3 OpenWare/Sudo BoKS ServerControl Access is allowed if the local sudoers file permits it, unless configured to only use LDAP. This could create a security risk. There is no access to privileged accounts unless a fine-grained access rule is defined and then granted in real-time by FoxT ServerControl. Sudoers config files must be manually copied to each local machine (or the files must be transfer periodically) for any change. Can be viewed as “static trust” by auditors, which is undesirable. Using sudo, an admin can create a method for each host to get the file it needs with “least privilege”, but it isn’t automatic, and it isn’t easy. Access policies reside in a central database and updates are almost instantaneous. Enables organizations to pass audits since the local trust relationships do not reside in operating system files that could then be exploited and create a security risk. The default with sudo is to put user activity logs on the local server. You could configure sudo to send logs to remote server, but that requires configuration effort and it is more complex. Audit log are automatically stored on the master security server in a directory only readable by root. Most importantly, audit logs are stored in a way that local administrators cannot modify them. Statically defined permissions. If and when an access policy is changed by security officers, it is then available to all FoxT protected servers immediately. As well, authorization/access permissions adapt based on time of day, day of week, who is making request, etc. Cumbersome to implement, manage, and maintain. The BoKS system is managed centrally and changes are immediately implemented throughout the domain. System admin doesn’t spend hours building and distributing sudoers files. Simple method of creating and managing access routes. Regular updates to new functionality under maintenance programs. Control of sudoers file may not be limited by privilege. This is a problem where a server is running critical applications, and sudo controls which privileged commands can be run against privileged data. If the control is the sudoers file, then the control issues are: • Who has the right to update the file? • Logging of file update • Link to change management processes • Versioning of file • Exclusion by authority and role to RW file • Access to RW the file on the server by some other priv. route (i.e. su) BoKS centrally controls the authorization to utilize privileged accounts, without sharing the privileged account password, based on fine-grained access rules. In addition, administration of these authorizations is separately controlled with granular sub-administration.
  • 4. Privileged Access Management: Why Sudo Is No Longer Enough Fox Technologies, Inc. | www.foxt.com | sales@foxt.com | 616.438.0840 4 While sudo provides an adequate method for privileged access management in small server estates, it is a cumbersome utility with the potential to create increased exposure to insider fraud for organizations trying to control access across large, diverse server infrastructures. In addition to requiring highly paid system administrators to spend a great deal of time building, and distributing sudoers files, sudo also forces you to rely on the individual expertise of your system administrator to plan and implement sudo in such a way that provides “least privileges”. The new privileged access management solutions available on the market today provide highly efficient and effective alternatives to sudo. Using these modern approaches, you will be able to reduce the risk of insider fraud, streamline regulatory compliance, and greatly reduce the effort required to administer your server estates. ABOUT FOX TECHNOLOGIES Fox Technologies, Inc. helps companies protect corporate information assets, simplify compliance and streamline administration with an award-winning access management and privileged account control solution. Our access management software centrally enforces granular access entitlements in real time across diverse server environments. Copyright © 2014 FoxT. All rights reserved. FoxT logo is a trademark of FoxT, Inc. Other product and company names herein may be registered trademarks and trademarks of their respective owners.