Reducing Risks in Root Access for Superusers

Reducing Risks in Root Access for Superusers

Apr 25, 2021 / Kron

Superusers in the IT field may need root access in order to be effective and efficient due to the nature of their work. Building a team of superusers can be a logical step, especially in large-scale organizations where thousands of servers are managed. Work done with a well-managed system administrator team can be organized and possible errors can be prevented when the team uses the same root account on all servers.

These administrators eventually use the same root accounts on all servers when you have a team of superusers (for example, the system administrator team), as it is very difficult to create and maintain a large number of root accounts for thousands of servers and leads to a situation that is prone to errors.

Forming IT teams in this way is very common among companies of various sizes in each industry while the idea that sharing passwords is more effective than not sharing may sound illogical. Of course, this situation has risks in itself, there are many implicit and obvious reasons to challenge this practice.

Availability and efficiency form the basis of this practice rather than avoiding compliance with security policies or having no understanding of security. Organizations can benefit from the advantages by significantly reducing the risk with the right solution at the right time.

Root access approaches require complete trust in all team members and can operate smoothly over the years. What happens when a trusted teammate becomes a disgruntled employee or contractor?

The risk of the password being revealed increases for each individual who shares their password. This includes a high risk of lateral movement (intrusion, hacking into an account for lateral sliding, or attacking another account).

Another common application is the creation of a single shared password to gain access to many servers, an application called availability. Revealing the password in the presence of such a scenario means risking multiple servers.

The most serious risk for organizations using systems of vital importance or hosting private customer data or sensitive information is to tarnish the accountability. It becomes impossible to find a clear way to distinguish who is doing what and to predict whether something is done by mistake or malicious intent when the same accounts are used by many users. This makes useful and appropriate audit practices almost impossible.

One way to solve this is through advanced password management. The use of shared passwords, unless there is any software solution, makes it difficult to change/return passwords given the possibility that some team members may lose access or the need to notify these members before changes are made. Implementing and managing a company-wide password policy becomes a very challenging business when there is no automation.

So how can these risks be reduced? Password and session management.

Password management has two challenges: First, we need to be able to track which user uses which superuser account on any server. Secondly, the passwords of superuser accounts on these servers must be changed periodically. Users may be allowed to connect to these servers without knowing/seeing the superuser account password, as a better option.

There are two important issues in session management: The first is to identify who can connect, where, when, and to capture the session when users connect. Secondly, the creation of records/logs of individual user sessions that can be easily audited. Software solutions automatically manage the necessary account information on servers on behalf of the user, without disclosing passwords with superior session management.

Issues related to these two issues fall within the scope of the Privileged Access Management (PAM) strategy.

There are two structural approaches to this issue within Privileged Access Management (PAM): proxy approach (man-in-the-middle) and agent approach. These approaches are based on the location of the control point. The solution is placed between users and servers on a network and the entire traffic flow is provided through the proxy server in the proxy approach. The solution is built on individual servers in the "agent approach".

Both approaches have benefits within themselves; the proxy approach is applied more quickly to large networks, has a sustainable, easy-to-operate structure, and does not impose resource burden on servers. The agent approach, on the other hand, provides a more reliable control point on the servers with a more in-depth and detailed control.

Single Connect is one of the richest, holistic password, and session management solutions in the PAM market. One of the most distinguishing features of the Single Connect product family is that it is suitable for both proxy and agent approaches. You can provide maximum protection using either one or both.

Contact us to learn more about the dynamic password controller and privileged session manager.


Other Blogs