Friday, November 16, 2007

Getting to the problems of the root: Effective and efficient management of superuser privileges and shared account management

So, it's day 3 of the Gartner IAM conference and my first session is the above being hosted by Gartner's Ant Allan. I've blogged before that many (most, all) of the IAM vendors have either forgotten or avoided how to control superuser privileges.

Apparently, Apple has done a good job in Mac OS X handling the superuser and privilege management problems. I'll have to take a look at it.

Why are vendors building kernel-intrusive products to manage these privileged users? It seems crazy to me. If you are the vendor - why not simply fix the darn problem to begin with?! Making a tool kernel intrusive means you are reliant on the vendor to update the tool when the OS is updated; otherwise you can't upgrade your systems. Additionally, and worse(!), who the heck wants a kernel-intrusive tool anyway? That's a freakin' recipe for disaster, ladies and gentlemen - "Please wait while I swap out parts of your operating system for these specialized components that will protect you better." - Ya, right - don't let the door hit you in the rear while you leave...

Who are the key vendors in this space (according to Ant)?

  • On Unix/Linux: fortefi, PassGo, OSM, S4 and Symark (Quest has OEM'ed the PassGo product)
  • On Windows: dotNet factory, NetIQ, Quest (hooray!)
  • z/OS: IBM, Vanguard, Powertech, betasystems
  • Superuser (i.e., kernel-intrusive) tools: CA, foxt, IBM
  • Network level: eDMZ, Xceedium

Fisher and M-Tech both come from the provisioning world and have pushed into the "superuser privilege management" space. Not surprising.

Interesting that nothing was mentioned for managing database admin passwords and those types of privileged accounts. Ant does not think that the major IAM vendors are not going to be embracing these types of scenarios - which is stupid.

Ant's recommendations...
  • Minimize the number of users with full superuser privileges - This one is obvious
  • Eliminate shared passwords for shared accounts - Indeed
  • Eliminate hard-coded passwords for service accounts - Yes, please! Hearing that someone had one hard-coded for 18 years made my stomach turn.
  • Look for tools from your preferred IAM vendors - Don't hold your breath.

OK, that's it from me here at the Gartner conference. I'm heading back home to Seattle - from sun and fun to wet and wild!

Have a great weekend everyone!
