Creating a secure access control infrastructure at the systems level
CURRENT THREAT SCENARIO
Linux and UNIX operating systems provide a single root account. Every system administrator, database administrator or help desk operator who knows the root password can reach any application or database on the host, whether or not that access is justified by job role or security clearance. Once in possession of the root password, an employee can read confidential data; sabotage, steal or modify data; and delete the audit trails that would reveal the activity. A shared, all-powerful root account also conflicts with government regulations and industry standards such as SOX, PCI DSS, HIPAA and GLBA, which require a secure access control infrastructure and adherence to security best practices.
For fine-grained control of privileged access to UNIX and Linux environments, Symark PowerBroker not only manages root access, it places controls on access to specific applications, commands and files, capturing activity down to the keystroke level when required. Its capabilities go beyond commodity utilities and give greater control over a wider range of security, compliance and confidence risks, at the level expected of an enterprise-class commercial solution.
When an administrator requests to perform a task on a PowerBroker-secured host, the request is submitted to the PowerBroker Master Host, which evaluates it against the defined policy. If the request is approved, the task runs on the target host in normal mode under privileged user credentials. When secured tasks execute on a host other than the Master Host, their input, output and events are logged to I/O and event logs on PowerBroker Log Servers.
PowerBroker provides a flexible scripting language for policy definition. Access can be controlled on a wide range of parameters: user, group, netgroup or host membership; NIS, NIS+ or LDAP authentication; and the context of the access, such as the host it comes from or targets, or the date or time. A policy can be as simple as an access control list, a straightforward, non-programmatic way of invoking control, or as detailed as limits on access to specific files, directories, data or commands. Keystroke logging can be invoked as desired; it gives detailed insight into activity risks and, just as importantly, validates the integrity of trustworthy IT professionals and supports more responsive IT service management by revealing the human interaction behind a service issue during root cause analysis.
PowerBroker goes beyond commodity utilities such as sudo, which controls root-level access only by user, group and command or program execution privileges.
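The request flow and policy parameters described above, modelled as an added example in Python. This is not PowerBroker's code or its policy language; the rule fields, host names, user names and the sample policy are constructed for illustration. A submitting host sends a request, a policy host evaluates it against ordered rules keyed on user, group, run host, command and time window, the decision carries the run-as identity and whether to record I/O, and every request, accepted or rejected, yields an event-log record for the log server. The rejected `passwd root` case shows why a rule that names a command still has to constrain its arguments: otherwise a help desk grant to reset user passwords is also a grant to take over root.

```python
"""Minimal policy-evaluating privilege broker (constructed example, not PowerBroker)."""
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatch
from typing import Optional


@dataclass(frozen=True)
class Request:
    """What the submitting host sends to the policy (master) host."""
    user: str
    groups: frozenset
    submit_host: str
    run_host: str
    command: str            # resolved absolute path of the program
    args: tuple
    when: datetime


@dataclass(frozen=True)
class Rule:
    """One policy entry. Empty user, group or command sets mean 'any'."""
    name: str
    users: frozenset = frozenset()
    groups: frozenset = frozenset()
    run_hosts: tuple = ("*",)                   # fnmatch patterns on the run host
    commands: tuple = ()                        # exact program paths
    forbidden_args: frozenset = frozenset()     # arguments that turn a match into a reject
    hours: Optional[tuple] = None               # (start, end) hour; start inclusive, end exclusive
    run_as: str = "root"
    iolog: bool = False                         # record keystrokes and output for this task


@dataclass(frozen=True)
class Decision:
    accepted: bool
    rule: Optional[str]
    run_as: Optional[str]
    iolog: bool
    reason: str


def rule_matches(rule: Rule, req: Request) -> bool:
    if rule.users and req.user not in rule.users:
        return False
    if rule.groups and not (rule.groups & req.groups):
        return False
    if not any(fnmatch(req.run_host, pat) for pat in rule.run_hosts):
        return False
    if rule.commands and req.command not in rule.commands:
        return False
    if rule.hours is not None:
        start, end = rule.hours
        if not start <= req.when.hour < end:
            return False
    return True


def evaluate(policy: list, req: Request) -> Decision:
    """First matching rule decides; a forbidden argument rejects; no match rejects (deny by default)."""
    for rule in policy:
        if not rule_matches(rule, req):
            continue
        bad = rule.forbidden_args & frozenset(req.args)
        if bad:
            return Decision(False, rule.name, None, False, f"{rule.name}: forbidden argument {sorted(bad)}")
        return Decision(True, rule.name, rule.run_as, rule.iolog, f"matched {rule.name}")
    return Decision(False, None, None, False, "no rule matched; default reject")


def event_record(req: Request, dec: Decision) -> dict:
    """Event-log entry the log server receives for every request, accepted or not."""
    return {
        "time": req.when.isoformat(), "user": req.user, "submit_host": req.submit_host,
        "run_host": req.run_host, "command": " ".join((req.command,) + req.args),
        "accepted": dec.accepted, "rule": dec.rule, "run_as": dec.run_as,
        "iolog": dec.iolog, "reason": dec.reason,
    }


# Constructed sample policy: each rule grants one narrow capability.
POLICY = [
    Rule("dba-service", groups=frozenset({"dba"}), run_hosts=("db-*",),
         commands=("/usr/bin/systemctl",), hours=(8, 18), iolog=True),
    Rule("helpdesk-passwd", groups=frozenset({"helpdesk"}), commands=("/usr/bin/passwd",),
         forbidden_args=frozenset({"root", "-d", "--delete"}), iolog=True),
]


def build_request(user, groups, run_host, command, args=(), hour=10, submit_host="jump-01") -> Request:
    return Request(user, frozenset(groups), submit_host, run_host, command, tuple(args),
                   datetime(2024, 1, 15, hour, 0))


def decide(user, groups, run_host, command, args=(), hour=10) -> Decision:
    return evaluate(POLICY, build_request(user, groups, run_host, command, args, hour))


if __name__ == "__main__":
    for req in (build_request("alice", {"dba"}, "db-01", "/usr/bin/systemctl", ("restart", "postgresql")),
                build_request("alice", {"dba"}, "db-01", "/usr/bin/systemctl", ("restart",), hour=22),
                build_request("bob", {"helpdesk"}, "web-07", "/usr/bin/passwd", ("root",)),
                build_request("bob", {"helpdesk"}, "web-07", "/usr/bin/passwd", ("carol",)),
                build_request("bob", {"helpdesk"}, "web-07", "/bin/bash")):
        print(event_record(req, evaluate(POLICY, req)))
```

Two design choices carry over to any real broker: the default outcome is reject, so a missing rule never becomes a silent grant, and the event record is written for rejections as well as acceptances, because a pattern of rejected attempts is exactly what a reviewer wants to see.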
PowerBroker supports compliance requirements such as SOX, HIPAA and Gramm-Leach-Bliley, and industry standards such as PCI DSS, by creating a secure access control infrastructure at the systems level: it limits access granularly through its policy scripting language and documents the access that is granted.
Symark International, Inc.
30401 Agoura Road, Suite 200
Agoura Hills, CA 91301