Unix & Linux Least Privilege Investment - How to Extend Your Value

This is the final blog in a series that reviews Unix/Linux use cases for least privilege, security and compliance.

In my last blog, I discussed deeper levels of auditing necessary to prevent unwanted changes to Unix/Linux files, scripts and systems in a compliance context. The first blog in the series covered the basics for Unix/Linux security. Since we covered some security and compliance use cases already, the focus of this blog will be primarily focused on use cases that extend the value of your least privilege investment by integrating with other solutions in your security portfolio.

Achieving Fully Integrated Enterprise Password Management and Least Privilege

For a password storage solution to operate, a second level account (functional account) is required for the safe to be able to drive password changes if the managed account password becomes out of sync or unknown to the safe. This is also true for any application that needs higher privileges, such as scanning tools, automated remote administration, etc. These accounts pose a risk on the target system due to their required privilege level of ‘user password manager’.

By installing PowerBroker for Unix & Linux with PowerBroker Password Safe and adding a simple policy, any user account – even one with extremely limited rights on the target system – can be granted the privileges needed by Password Safe to function. This ensures increased security and tighter compliance by not having accounts with privileges typically required for functional accounts to operate and lowers the attack surface of the given host.

Integrating Privileged Password Management with Command Execution

Sometimes, administrators need to perform an action on a target host that requires the use of an account/password which may not reside on the host itself. Running a command via PowerBroker for Unix & Linux, i.e. pbrun sqlplus, PowerBroker for Unix & Linux can retrieve credentials from a password storage solution for use in the execution of the requested command. This integration ensures that organizations can not only control their privileged credentials but enable very granular command control on target systems once the credential is retrieved.

Consolidating Accounts and Directories to Simplify Access and Reduce Attack Surfaces

When users and administrators need access to a system, a user account needs to be created on each Unix/Linux host to provide system access for the user. Rights for these user accounts are often bloated and clean-up of accounts, along with their associated rights, often goes unchecked when an employee changes roles or leaves an organization. Organizations need a way reduce the number of accounts being created, control which server those consolidated accounts can logon to and what rights that user has after they have been authenticated.

PowerBroker Identity Services, coupled with PowerBroker for Unix & Linux, provides account consolidation along with consolidated system access rights and a least privilege system to control user rights post-logon. A user’s Active Directory group membership can control what servers that user can access and a centralized policy will tightly control and audit a user’s activities during each authenticated session.

As an additional benefit, PowerBroker Identity Services allows users to log onto Unix, Linux, or Mac systems using their Active Directory (AD) usernames and passwords, without requiring additional infrastructure or password synchronization. PowerBroker facilitates migration from multiple authentication mechanisms, identities, and directories to a single Active Directory-based infrastructure for all systems and users. This centralizes control and speeds user onboarding and offboarding.

Next Steps

In this blog series, I have reviewed 11 use cases for taking greater control and improving security on your Unix/Linux systems – everything from the basics, to more advanced use cases to those that extend the value of it. Download the white paper that summarizes these use cases – and more. And as always, if you would like to see the product in action, schedule a one-one-demo today.