Controlling The Core
- 1. Controlling the Core Regardlessof whetheranapplicationsolutionsuiteishostedonpremise,inthe cloudorsome combinationof the two,someone somewhere still needstoaccessserverspace toperformthe basic functionsof installation,configuration,andmaintenance. Of course incloudspace thismay be somebodyelse’sproblemwhile inonpremisespace the responsibility maybe squarelyonyour shoulders. Computersecurityhasnotchangedmuch inthe past generationsof hardware spinningandoperating systemre-inventing. The currentaccessmodel still usesthe same authenticationcomponentsof somethingyouare,somethingyou have,orsomethingyouknow withthe mostbasicandeasiest offeringbeingausername andpassword combination. Onthe authorizationfrontwe still have userand groupID’s for UNIX and a plethoraof fine-grainedpre-definedaccessrightsforMicrosoftWindows. While the standardtriedandtrue residentsecuritysystemsare quite goodforblocking aberrantaccess at most levels,everyoperatingsystemhasone securityhole thatisthe holygrail of rogue access. On UNIX thisisroot and onMicrosoft WindowsthisisAdministrator. Sure,the namescanchange to protectthe innocent(renamingAdministrator,forexample) butonce kernel-levelaccesshasbeen attainedthenthe worldisthe infiltrator’soystertobe consumedslowlyandwithsavor. In the not toodistantpast,wavesof technologieswereintroducedtoauditthe activityof keyplayers. It was believedthatif one couldreviewwhathappenedduringamaliciouseventthenthe exposure could be mitigatedsomewhattorecoverassetsandpreventfuture failures. Recordingactivityisaverygood wayto watch the good guysdo goodthingsfor compliance auditability,butitdoesnothingtoprevent the trulymaliciousadministratorfromjustplaincopyingorwipinganentire system. Simplyput, auditingisakinto watching a videoof your100 inch televisionwalkoutyourfrontdoorwithabsolutely no powerto blockthe exit. To counterthe audit-onlymodel andbringascopedlimitationtosensitive accountaccess,CA Privileged IdentityManager(PIM) wasintroduced. The termPIMhas seenseveral iterationsfromSharedAccount Management(SAM) toPrivilegedAccessManagement (PAM) andbackto PIM. But,while the acronyms have changed,the concepthas remainedthe same. Basically,grantuberaccessto those usersthat require suchaccessbut control the grantingto a pre-definedprotocol. In the UNIXworldthismeansthat the root userhas the abilitytologin as root,but onlyif someone else agreesto,or grants,the permissiontodoso. Since multiple administratorsmayneedtoaccessthe root account,the account isknownas being“shared”;hence the Sharedasinthe SAMacronym. The PIM model,then,givesauserthe keyto the front door,a lockedclosetorsafe; and allowsthatuser to access the facility. Youmayhave multiple userswiththe same keyinthe same space atthe same time,butpropermonitoring(auditing,recording) will show whateachindividual isdoing.
- 2. Now,inall honesty,UNIXandLinux have done a fine jobof removingthe usernamed“root”fromthe requirementof beingdirectlyaccessed. Specifically,the currentsecure shell (SSH) offeringscanprohibit directroot logon, andthe sudo(superuserdo) facilityenablesa“common”userto performroot-level functionssimplybyissuingagreedupon,orgranted,commands. SeLinuxisinthe offering,aswell. And, as mentioned,MicrosoftWindowshasaverynice array of roles thatmay be assignedtoenable usersto have quite a range of privileges. So,we nowhave bothUNIX andMicrosoft Windowswithadministrative scope limitingresidentsecurity systemabilities,aPIMmodel tolimituberaccessinadditiontothe residentsecuritymodel,and monitoringtorecordall activities. Great! Well,no. The precedingkeepshonestpeople honestbutdoesnotaddresswhathappenswhenyetone more hole isexposed. And,yes,the axiomof all software is that“there isalwaysone more bugor one more hole.” So,whetheritisa bufferoverflowexposureorsome otherobscure entrypoint,youcanbe assuredthat someone somewherewillfindsomethingthatisnotgood. ZeroDay attacks are no longerinfrequentbutsufficientlycommontofinallymake exposedfinancial data a Dark Webcommodity. And,yes,phishingisaprimaryentrypoint;hence the commentaboutPIM and recordingkeepinghonestpeoplehonest. CA Technologies(CA) PrivilegedIdentityManagerisa servercentricsecurityofferingthathasthe power to scope root on UNIXand AdministratoronMicrosoftWindows. The operative wordshere are “server centric”and “scope”. Simplyput the servercomponentof CA PrivilegedIdentityManagerworksat a level thatwill blockevenaroot shell accesscompromise. The way thisworksisnot magic butis basedonkernel levelsyscall interceptscombinedwithatwo- factor useridentificationmodel. Upon serverlogon,CA PrivilegedIdentityManagercapturesthe logginginuserandwritesthatdatum to a private internal table. The usernotedinthe initial logoneventisthe userthatisthenchecked againstresource accessauthorizations. For example,if Alice logsonandsu’sto root,CA PrivilegedIdentityManagerwill know the userasAlice while UNIX will knowthe userasroot. So, forall UNIX activities,the currentshellistreatedasroot. But, and thisisa verybigand veryprotective but,if there are private datathatshouldonlybe accessedby Alice thenanyother“root” userwill nothave the abilitytoaccessthose data. Evenif a “true root” logs inthat userwill notbe able to access Alice’sdata. Where thismulti-level accessscopingisveryimportantisinthe situationwhere trulyprivatedata shouldbe maintainedastrulyprivate data. Justbecause ashell canrationallygainaccessto or usurp kernel level accessshouldnotmeanthatthe shell shouldbe able toaccessprotecteddata. Thinkaboutit.
- 3. In closing,the above discusseda bitusingUNIXexamplesbutasgoesUNIXso goesMicrosoftWindows. The verysame securityofferingsare common inbothoperatingsystemssoitispossible toensure that Alice’sdataare protectedonboth UNIXand MicrosoftWindows. And,yes,CA TechnologieshasaPIMofferingasdoesCyberArk, Lieberman,andothers. But,this discussiondealswithcontrollingthe core dataaccess whichisfundamental toall serversuitesand shouldbe considered regardlessof the PIMproviderinuse. DennisPierce IT SecurityArchitect