Properly defining, controlling, and monitoring administrative privileges and root accounts are real challenges for enterprises. In the past, controlling privileged accounts made good business sense for reducing insider fraud; today, it is mandated by regulations such as Sarbanes-Oxley. Beyond the likelihood of failing IT security audits, a lack of proper control over these accounts significantly increases the risk of fraudulent activities by employees, a threat made even greater by worsening economic conditions.
The challenge associated with controlling privileged and root accounts increases quickly as the number of people who need powerful administrative access for various job functions grows. Furthermore, granted permissions are rarely reviewed or revoked, which means that users unintentionally accumulate more privileges over time. Native Unix and Linux systems have poor support for controlling privileged accounts. Some organizations share root under a variety of administrative controls, including creating emergency superuser accounts that are protected with dual controls, implementing a software-based solution that generates random passwords, or delegating through suid or sgid. However, such processes can be readily exploited. Even elaborate processes for password check-out and resets remain dependent on someone with unlimited privileges. And there are other considerations:
How do you secure root passwords in transit?
How can you prove to auditors what “root” did?
How can you control what “root” can do once they acquire privileges?
Organizations need a way to effectively delegate, monitor, and record what root users are doing once they have acquired their privileges. Solutions on the market today only address part of the privileged account challenge.
FoxT’s BoKS Access Control for Servers delivers a unique blend of capabilities that provide the most effective way to protect privileged and root accounts, without all of the overhead, costs, and complexities of a full-blown Enterprise Identity and Access Management infrastructure. First, many of the common management functions in a server domain can be performed using the secure FoxT administration interface and standard fine-grained access management capabilities. This immediately reduces the number of operations that require administrators to know privileged passwords. Second, on FoxT protected servers, SU can only be performed if the user has a specific access route defined that allows them to do so.
Through the unique blend of capabilities delivered by FoxT, organizations are able to avoid sharing privileged account passwords for most day-to-day activities. And when operations are traceable back to a specific, physical user, organizations can significantly improve security and simplify IT audits.
Fox Technologies, Inc. (FoxT)
883 N. Shoreline Blvd. D-210,
Mountain View, CA 94043