This is a continuation of our previous article, in which we discussed how to eliminate the poor practice of sharing the root, administrator (or any other privileged account) across UNIX, Linux and Windows platforms using Centrify Standard Edition.
We build on this knowledge to tackle a bigger challenge: privileged execution of individual apps tied to session capture and replay.
Why implement granular Role-Based Access?
Prospects and customers come to us because of one or more of these issues:
In UNIX & Linux systems:
- They use sudo, but realize that there are challenges related to the administration and reporting of privileges based on that model.
- Privileged users end up doing this "sudo su -" or "dzdo su -" this makes it hard to truly detect who performed what actions in critical systems.
- There are poorly written but critical apps that require Administrator privileges to run, this means that a large population of users have admin rights in their PCs.
- There are too many members in privileged groups in AD just to be able to perform simple tasks.
- You are using Windows 2012 or Windows 8 and the "quick and easy" privileged elevation provided by Centrify's DirectAuthorize for Windows (New Desktop) is not available in these platforms.
Across all platforms
Organizations may have adopted a control (such as a password vault), and although now they have a better handle of who has access to a privileged account (and can approve/deny access) and the passwords are rotated, they realized that:
- They can't pass tougher audits that require the implementation of a strict Role Based Access Control
- Certain actions can't still be accounted for (some folks bypass the vault system and connect directly)
- Costs for added capabilities and users are growing exponentially
- The approvals process is too lax due to the fact that a lot of users need privileged actions as part of their job (even for simple operational tasks)
- Due to costs, the vault system is not replicated in Dev, QA environments and production processes are not uniform across the board.
Although there's been a significant investment in the capability of log aggregation, it is very hard to be able to reproduce the actions performed by privileged users or to assess suspicious activity.Read more...