WHITE PAPER: IDENTITY AND ACCESS MANAGEMENT
Host Access Management: The Business Imperatives
JUNE 2007
Sumner Blount
CA Security Management
Table of Contents
Executive Summary
SECTION 1 (page 2): The Business Needs for Management of Access
  1. Excessive Superuser Privileges and Inadequate Role Separation
  2. High Cost of Redundant Server Administration
  3. System Vulnerabilities and Application Penetration Points
  4. Difficult Compliance
  5. Lack of Individual Accountability
  6. Vulnerable Audit Logs
SECTION 2 (page 4): Management of Access: The Requirements
  1. System Level Superuser Containment
  2. Flexible Resource Controls
  3. Process Controls
  4. Secure Architecture
  5. Login and Password Controls
  6. Broad Authentication Support
  7. Program Pathing
  8. Monitoring of Critical Files
  9. Cross-Platform Enterprise Access Management
  10. Audit Controls
SECTION 3 (page 11): Conclusion: Secure Management of Access is Essential
SECTION 4 (page 11): About the Author
About CA (back cover)
Copyright © 2007 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. To the extent permitted by applicable law, CA provides this document “As Is” without warranty of any kind, including, without limitation, any implied warranties of merchantability or fitness for a particular purpose, or noninfringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised of such damages.
Executive Summary
Challenge
Today’s organizations are faced with a multitude of challenges, many of which relate to the management of user identities and access rights to protected information resources. Challenges include reducing the costs of security management, protecting critical corporate assets and ensuring regulatory compliance. These problems are particularly pressing when applied to the security of critical servers, many of which house confidential databases, files and applications. Unauthorized access to these resources can wreak havoc with reputation and brand equity, as well as potentially leaving the organization at risk of significant legal action.
Opportunity
Security of host systems is generally provided by the native operating system on each host. However, native operating systems do not provide the level of security and auditability required both for protection of critical assets and for compliance with relevant governmental or industry regulations. These native services do not protect resources with the granularity and accountability that is required. The result is heightened risk and exposure for critical assets, as well as more difficult compliance efforts. Organizations require a solution that compensates for the inadequacies of native operating system security by providing:
• Segregation of duties to ensure appropriate administrative access
• Granular audit data that traces actions back to the true user ID
• Centralized access security management across various platform types
Benefits
A dedicated host access management solution greatly strengthens the security of mission-critical servers. Such a solution can improve security, simplify and reduce the cost of server administration, and provide significantly improved audit capability needed to address regulatory compliance and security best practice requirements. This paper discusses the business need for host system security, and the requirements that a host access management solution should meet.
SECTION 1
The Business Needs for Management of Access
IT executives face a multitude of difficult responsibilities and challenges, ranging from protecting critical, sensitive assets, to providing an effective and convenient experience for users of their website, to ensuring regulatory compliance. These challenges place complex, and sometimes conflicting, demands on executives that often require comprehensive technology solutions. One of the most pressing problems for IT executives is ensuring the security of the servers that host the organization’s sensitive electronic assets, such as customer databases, hospital patient records or proprietary information. Protecting these assets is difficult because native operating system capabilities do not provide adequate protection against inadvertent or intentional attack, nor do they provide reliable auditing of the entire server environment. The problem is intensified when critical systems or information are exposed to fixed-term contractors, are hosted by service providers, or when systems hosting external customers contain confidential data and critical applications.

Let’s look at the most important business challenges in managing the security of host systems:

1. Excessive Superuser Privileges and Inadequate Role Separation
One of the most exploited and costly vulnerabilities on many systems is the superuser account (“root” in UNIX and “Administrator” in Windows). Superusers can generally do whatever they want, without restriction and often without adequate audit and tracking. Because of the unlimited power of this account, no file, device or command is off-limits. Even the auditing services on the system are not immune, so the integrity of system audit logs is vulnerable to inadvertent or malicious actions. The potential for damage, inadvertent or intentional, is therefore very significant for users of this account.
This issue is amplified when the superuser is not role-based and a common password and user ID are shared among administrators and developers. This creates a serious accountability problem: it is difficult, if not impossible, to determine which person performed a particular destructive act, since superusers are not authenticated as individuals. While the superuser account is the most blatant vulnerability, most large systems also have other accounts with wide-ranging system capabilities, and a number of individual users who share those accounts without adequate differentiation among them. Instead of allowing “catch-all” accounts, a more secure approach is for each user to have exactly the privileges he or she needs, for precisely as long as needed, a model known as “least privilege.” This requires a finer granularity of identification and access entitlements than native operating systems offer.
2. High Cost of Redundant Server Administration
The cost of administering large-scale server systems is high, and it rises significantly as the variety of systems in an environment grows. Managing a mixed environment of AIX, HP-UX, Solaris, Linux and other UNIX variants, plus Windows, means that each platform has slightly (or completely) different ways of accomplishing a given task or enforcing a security policy. This leads to higher administrative costs, inconsistent policy execution and reduced flexibility in assigning administrative staff across the systems in the environment. If a common model of managing server access control could be implemented across all systems, administration would be greatly simplified, reducing the overall cost of managing the entire group of systems. Such a model could also close the gap in functionality between platforms with stronger native security and weaker ones, bringing all systems up to a common, high level of security.

3. System Vulnerabilities and Application Penetration Points
Unauthorized access comes in many forms. One of the most damaging is the exploitation of system vulnerabilities and poorly protected executables, through malware such as Trojan horses or through stack overflow attacks. An attack of this type can produce catastrophic damage quickly, or can remain undetected for long periods. Anti-virus and intrusion detection solutions are necessary, but they cannot stop all such attacks. What is also required is a proactive, preventive control that blocks an attack before it can gain a foothold on the vulnerable server, for example by restricting which programs may access a protected resource.

4. Difficult Compliance
The essence of effective compliance with virtually all security-related regulations is the creation of strong internal security controls, segregation of duties and comprehensive auditing capabilities.
One of the most important types of security control relates to ensuring that access to protected resources (of all kinds) is allowed only for authorized users, and only for specific, authorized actions. The native operating system security capabilities do not provide the level of security required for the strong internal controls needed to demonstrate compliance with most regulations or internal security policies. Equally important, though, is the ability to actually prove compliance through complete auditing of all security-related events, including not only user events (such as authentications and authorizations), but also administrator events. These events would include such things as starting/stopping critical system services, changes in access rights for any user, administrator login/logout and the like. IT auditors (either internal or external) are very unlikely to attest to the compliance of any IT infrastructure that cannot provide these basic but critical access management and auditing capabilities.
5. Lack of Individual Accountability
A cornerstone of any compliance program, external or internal, is strong accountability for all users and their actions in relation to protected assets. This means that every action performed on an asset, including administrative actions, must be attributable to a single individual. While this problem was discussed above in relation to the superuser account, it is common to other users as well. The lack of robust role-based access control in native operating systems often means that multiple users are grouped into shared accounts, with entitlements that are typically the union of the access rights each individual user needs. As a result, every user of the shared account has more rights than he or she actually needs, increasing the risk of security breaches of many kinds. And because these users share the credentials for the account, the ability to identify the culprit after an incident is greatly diminished.

6. Vulnerable Audit Logs
Given the problems with superuser accounts described above, it is essential that audit logs be protected from all users and administrators except a select few. It is bad enough when security holes allow individuals to circumvent regular access controls. When those same people can also modify, or even erase, the system audit logs that record those actions, the potential for undiscovered fraud or attack becomes profound. A good security infrastructure therefore treats audit logs as “crown jewels” that receive extra protection, with access restricted to only the most highly trusted administrators.
SECTION 2
Management of Access: The Requirements
The problems highlighted above can be profound for most enterprises. When using only the native system capabilities, these enterprises face increased administrative cost, significant security problems, as well as much more difficult regulatory compliance. And, as we have seen from the far-too-common news reports, breaches in security have the potential to cause catastrophic damage to an organization’s reputation and brand equity. In some cases, these security breaches can constitute a crippling blow. Given the importance of maintaining strong security across all host servers, other options should be considered. The most effective approach is the adoption of a strong host access management solution—one whose sole purpose is to protect systems, applications, resources and critical information. Only with such a specialized solution will organizations be able to achieve the level of security of their assets that is required not only for system integrity and data privacy, but also for accountability and regulatory compliance. What type of solution is most appropriate for these challenges? One which runs on all critical systems, is non-intrusive, controls access for all users and administrators, and allows for flexible creation of access control policies based on specific business and technology needs. Figure A is a graphic depicting the basic mechanism of how an access management solution can control access to these sensitive resources.
FIGURE A
INTERACTION WITH THE OPERATING SYSTEM
A host access management solution intercepts user requests, compares the request against defined access policies and enforces whether or not the user can perform the requested action.
In this scenario, a request for access to a protected resource comes into the operating system. Because all access request calls are vectored into the host access management solution, it sees the request first. Based on the user’s role(s) and the access policies defined by the administrator, the access management service determines whether access to this resource should be granted. If so, the request is allowed to proceed and access is obtained. If not, the request is denied and control is returned to the requester.

Now let’s look in more detail at the important capabilities and characteristics that should be examined when evaluating whether this type of solution will enable your organization to meet these challenges. The most important capabilities (and benefits) of a host access management solution include:

1. System Level Superuser Containment
The lack of granularity in the enforcement of superuser access rights is one of the most profound problems in host-system security. In addition, the inability to distinguish between the individual administrators who use the superuser account further complicates the security problem and makes effective auditing very difficult. Any administrator who has more entitlements than they need is an active security risk. What is needed is the ability to associate specific access rights with each superuser, based on the actual needs of their job function. In this way, each user conforms to the “least privilege” model of authorization, which helps prevent unexpected security problems. In addition, each superuser needs an individual identity and must be authenticated using that identity. This eliminates the problem of many essentially anonymous administrators all sharing the same account with excessive access rights.
Consider the following illustration. In this case, there are multiple types of administrators, each of which needs access to distinct resources. In this case, though, only the Auditor really needs to access the audit logs, and only the Systems Administrator needs to access the System Configuration Folder. With only native operating system security in place, administrators are likely to share over-privileged superuser account access which increases the risk of security breaches and weakens accountability. A host access management solution intercepts requests for access to these resources and grants only the privileges necessary for each administrator to perform their respective job function.
FIGURE B
SEGREGATION OF DUTIES
Ensure each administrator accesses only the resources necessary for their job function and audit these actions.
Also note that all administrators are individually identified, regardless of how many superuser access rights they actually possess. This enables every administrator action to be traced to a single individual, aiding compliance and making after-the-fact forensic analysis much easier.

2. Flexible Resource Controls
Native operating systems provide only coarse-grained access control over each protected file: the traditional “read,” “write” and “execute” permissions do not give most enterprises the flexibility they need. Access to organizational assets is typically determined by a user’s role, or set of roles, and access, together with the accompanying security rules, is defined at a granular level to fit job requirements and company security policies. Forcing these real-world access control requirements into the restrictive native model will not meet the needs of most organizations, except possibly those with the simplest access control standards.
The requirement is for role-based access control that enforces flexible, easy-to-create policies based on a user’s role, organizational unit or other attributes. This allows access control policies to mirror the structure of the organization and the job responsibilities of each user. In addition, flexible methods must be provided to specify the files being protected, including wildcards, regular expressions and the like. These specifications should also cover files that have not yet been created, so that the protected set of resources grows automatically as new files appear.

3. Process Controls
On UNIX systems, web servers, database servers and other critical services run as daemons: long-lived processes that wait for, and respond to, requests from users or other processes on the system. Some of these services must be available at all times if the overall operation and security of the environment is to be maintained. Maintaining that availability becomes a challenge when individuals (authorized or not) attempt to impede operations by shutting down or suspending these services; in particular, any user running as root can stop one of these services, whether intentionally or by accident. Additional controls on system services are therefore needed, over and above the weak ones supported by the native operating system. These controls should allow the trusted administrator to define which other administrators may suspend each critical service, and under what conditions, for example only at certain times of day, or only from certain locations.

4. Secure Architecture
In any access management solution, the most critical requirement is that the security component itself is secure. Obviously, if the access control component can be breached, then every resource it protects is also vulnerable. This is especially important, and especially difficult, when extending the security offered by the operating system, because the controls must be implemented within the context of the operating system itself.

An access management solution must gain control of all access requests before the operating system performs its own security checks. This can be done by vectoring requests first to the access control component. If the access is allowed by the defined policies, control is passed to the operating system to process the request. If the request is not allowed, it is rejected and appropriate audit entries are written. This ordering means that a weakness in the native permission model cannot be used to reach a protected resource without the access control component first seeing, and ruling on, the request. It does not make the component immune to flaws in the kernel it runs inside, which is why the integrity measures below matter. Nor should this approach require modifying kernel binaries or rebuilding the operating system; doing so would only increase the risk of introducing additional vulnerabilities.

Lastly, any access control solution should ensure the integrity of its own components. For example, it should perform a self-check on startup to verify that no changes have been made to its executable code or to the policy database it uses.
5. Login and Password Controls
Native operating systems are relatively weak at supporting and enforcing policies that determine the conditions under which logins by specific individuals will be allowed. The result is increased risk of security breaches, as well as reduced flexibility in administering users and their accounts. Here are some important features of an access control solution that, taken together, greatly increase security and make administration easier and less costly:
• Time and location constraints on account login
• Inactive account suspension (based on configurable time limits)
• Account lockout after repeated failed logins
• Account encapsulation (a given user can only access a single application, and cannot exit to a shell)
• Outbound network request blocking
• Automatic account suspension, termination and re-enablement, all based on configurable parameters

Closely related to login controls is the ability to create policies for the creation, format and management of user passwords. The problem of weak or unchanging passwords is well known, but other password management capabilities are also important, including:
• Comparison of passwords against directory attributes
• Flexible password format rules (number and position of each type of character)
• Prevention of repeated characters and of the account name within the password
• Configurable password history to prevent reuse

6. Broad Authentication Support
Passwords are by far the most common method of user authentication, despite their many well-documented problems. Any access management solution must support a broad range of authentication methods, from token cards to certificates to several forms of biometrics. In addition, it should be possible to require stronger authentication for particular, highly sensitive files or applications.
This would mean, for example, that only users who have been authenticated through a fingerprint reader can gain access to a particular critical financial application. Lastly, it should be possible to combine authentication methods for added security, so that both a password and a token card are required for a certain application.

7. Program Pathing
Some databases and system files are supposed to be modifiable only by specific users and programs. For example, there may be a file that a set of users should be able to reach only through an approved “reader application,” and not through any other program, including UNIX commands such as “vi” or “cat.” The ability to restrict access to a file to a particular application is called “program pathing,” because it defines the approved “path” one must take to reach the file. Native system services do not provide this granularity of access control and therefore give only weak protection to such a file. A separate access management solution can provide this capability, strengthening control over user access to the file.

8. Monitoring of Critical Files
There are often system files or databases that do not change often, and any change to them needs to be identified clearly at the time it occurs. Otherwise an attacker, or even a careless superuser, could change the critical file and cause significant damage to the server. Native operating systems generally do not provide a ready-made capability to passively monitor the state of these files so that an alert is generated whenever their contents change. A separate access management solution can provide this capability, helping to ensure that critical system files remain intact and that any attempt to modify their contents is immediately identified and logged.

9. Cross-Platform Enterprise Access Management
An enterprise environment usually contains a mixture of operating systems, each of which may have its own security model. This creates a management and policy enforcement nightmare. An effective access management solution should neutralize the differences between OS security models and raise security to a much higher, uniform level of protection. This not only unifies security management but also greatly simplifies propagating, monitoring and configuring security policies across different hosts.
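The interception loop of Figure A, the role-based, wildcard and regular-expression resource rules of requirement 2, the time-window process controls of requirement 3 and the program-pathing rule of requirement 7 can all be expressed by one small default-deny policy evaluator. The following is an added example written for this edited page; it is not CA’s code and does not describe any CA product’s policy language. The users, roles, paths, the svc:httpd pseudo-resource and the rules themselves are constructed for illustration.

```python
import fnmatch
import re
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class Rule:
    """One access rule. `path` is a glob (fnmatch) or, with a 'regex:' prefix,
    a regular expression; either form also covers files that do not exist yet."""
    role: str
    path: str
    actions: frozenset
    programs: frozenset = frozenset()               # empty: any calling program
    hours: tuple = (time(0, 0), time(23, 59, 59))   # permitted time-of-day window

    def matches_path(self, path: str) -> bool:
        if self.path.startswith("regex:"):
            return re.fullmatch(self.path[len("regex:"):], path) is not None
        return fnmatch.fnmatchcase(path, self.path)


@dataclass(frozen=True)
class Request:
    user: str       # the authenticated individual, never a shared account name
    euid: int       # effective uid of the requesting process (0 == root)
    program: str    # executable making the call
    path: str       # file, or a pseudo-path such as svc:httpd for a service
    action: str
    at: time


class PolicyEngine:
    """Default-deny evaluator placed in front of the OS permission check (Figure A)."""

    def __init__(self, roles: dict, rules: list):
        self.roles = roles      # user -> set of role names
        self.rules = rules
        self.audit = []         # every decision, attributed to the real user

    def decide(self, req: Request) -> bool:
        allowed, reason = False, "no matching rule (default deny)"
        for rule in self.rules:
            # req.euid is deliberately never consulted: root gets no free pass.
            if rule.role not in self.roles.get(req.user, set()):
                continue
            if not rule.matches_path(req.path) or req.action not in rule.actions:
                continue
            if rule.programs and req.program not in rule.programs:
                reason = f"program pathing: {req.program} is not an approved path to {req.path}"
                continue
            if not (rule.hours[0] <= req.at <= rule.hours[1]):
                reason = f"outside permitted window {rule.hours[0]}-{rule.hours[1]}"
                continue
            allowed, reason = True, f"rule {rule.role} {rule.path} {sorted(rule.actions)}"
            break
        self.audit.append({"user": req.user, "euid": req.euid, "program": req.program,
                           "path": req.path, "action": req.action,
                           "decision": "ALLOW" if allowed else "DENY", "reason": reason})
        return allowed


# Constructed sample policy: hypothetical users, roles, paths and service names.
ROLES = {"alice": {"sysadmin"}, "bob": {"auditor"}, "carol": {"dba"}}
RULES = [
    Rule("auditor", "/var/log/audit/*", frozenset({"read"})),
    Rule("sysadmin", "/etc/sysconfig/*", frozenset({"read", "write"})),
    Rule("sysadmin", "svc:httpd", frozenset({"start", "stop"}),
         hours=(time(1, 0), time(5, 0))),                           # maintenance window only
    Rule("dba", r"regex:/data/payroll/[a-z0-9_]+\.db", frozenset({"read"}),
         programs=frozenset({"/usr/local/bin/payroll-reader"})),     # program pathing
]


def run_demo() -> tuple:
    """Evaluate a batch of constructed requests; returns (decisions, audit trail)."""
    engine = PolicyEngine(ROLES, RULES)
    day, night = time(14, 0), time(3, 0)
    requests = [
        # alice is root, but the sysadmin role has no rule for the audit log
        Request("alice", 0, "/bin/cat", "/var/log/audit/audit.log", "read", day),
        Request("bob", 1001, "/bin/cat", "/var/log/audit/audit.log", "read", day),
        # the same file through the approved reader, then through vi
        Request("carol", 1002, "/usr/local/bin/payroll-reader", "/data/payroll/q3.db", "read", day),
        Request("carol", 1002, "/usr/bin/vi", "/data/payroll/q3.db", "read", day),
        # process control: stopping httpd inside, then outside, the window
        Request("alice", 0, "/sbin/service", "svc:httpd", "stop", night),
        Request("alice", 0, "/sbin/service", "svc:httpd", "stop", day),
        # unknown individual, even as root: default deny
        Request("mallory", 0, "/bin/sh", "/etc/sysconfig/network", "write", day),
    ]
    decisions = [engine.decide(r) for r in requests]
    return decisions, engine.audit


if __name__ == "__main__":
    for entry in run_demo()[1]:
        print(entry["decision"], entry["user"], f"uid={entry['euid']}",
              entry["action"], entry["path"], "via", entry["program"], "-", entry["reason"])
```

The point to notice is that `euid` is recorded in every audit entry but never consulted by the rules: the authenticated individual is what both the decision and the audit record key on, so a root shell is contained exactly like any other session. A real interposition layer does this in the kernel or through system-call hooks rather than in Python, and it should fail closed (deny) if its policy database cannot be read or fails its integrity check.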
FIGURE C
ELEVATING ACCESS SECURITY ACROSS PLATFORMS
Neutralize differences between native operating systems and raise access security to the level required by regulatory compliance.
Figure C illustrates the problem of inconsistent security capabilities across mixed platforms. The pillars in the graphic represent distinct operating system types. The green bars are a conceptual view of the native security capability provided by each operating system: each platform provides a different level of access security, leading to potential security vulnerabilities as well as difficult and expensive administration of security across these platforms. A host access management solution adds security capabilities across all platforms (the blue bars). The result is consistent, elevated security across the entire environment, yielding easier administration, greater security and a much more effective approach to meeting regulatory compliance. In addition, all systems can be managed centrally from one location, and audit logs can be collected into a centralized, consolidated log, which makes correlation and analysis of security events much easier.

10. Audit Controls
Reliable audit trails are an essential component of any security solution. Administrators need to track changes to system configuration, and effective incident response depends on reliable audit data. If the need to investigate criminal activity arises, audit data that can be shown to be secure and complete will be far more powerful as evidence in court. Highly secure audit logs also dramatically ease the problem of proving compliance with relevant governmental or industry regulations.

Native operating systems do not provide the level of security or assurance for audit logs that forensic analysis or regulatory compliance requires. In effect, it is not possible to ensure that the information in native log files is either accurate or complete: anyone who obtains root access can delete or modify any of the operating system’s log files to cover their tracks.
An effective access management solution should provide capabilities that improve the accuracy, security and accountability of the audit logs. More specifically, it can:
• Restrict access to audit logs to only the most trusted administrators
• Create audit entries for any administrative action related to the security of any asset, including the audit log itself
• Restrict the ability to change the access policies of the audit log, and audit any attempt to do so
• Provide configurable alarms for any administrator action, including the ability to flag actions that succeed, fail, or both; these alarms should be configured according to the sensitivity of the resource involved, should be deliverable through a range of channels (pagers, email, etc.) and should support a range of definable severity levels
• Audit only events related to specific resources, or to specific individuals
• Provide detailed real-time traces of any defined administrator action
• Protect itself against attacks on, or attempts to shut down, the auditing service
• Consolidate audit logs from distributed systems onto one central system for secure archival and easier correlation and analysis of log information
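Requirement 6 and requirement 10 both ask for audit logs that a root user cannot alter or delete without the alteration being visible. One established way to get that property is a chained, forward-secure MAC over the records, with a small checkpoint forwarded to the central collector so that a cut-off tail is detectable too. The code below is an added example written for this edited page, not code from the paper or from any CA product; the key, the users and the records are constructed sample data.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64   # "previous tag" of the very first record


def _canonical(body: dict) -> bytes:
    """Stable serialization so host and collector compute identical tags."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _evolve(key: bytes) -> bytes:
    """Forward-secure key step: the host keeps only the current key, so a
    compromise today does not yield the keys that tagged yesterday's records."""
    return hashlib.sha256(key).digest()


class AuditLog:
    """Append-only log. Each record commits to its predecessor's tag, so
    editing, removing or reordering any entry breaks every later tag."""

    def __init__(self, key0: bytes):
        self.key = key0           # the collector retains key0; the host evolves it
        self.records = []
        self.prev_tag = GENESIS

    def append(self, user: str, euid: int, action: str, target: str, decision: str) -> str:
        body = {"seq": len(self.records), "user": user, "euid": euid,
                "action": action, "target": target, "decision": decision,
                "prev": self.prev_tag}
        tag = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        self.key = _evolve(self.key)              # old key is now gone from the host
        self.records.append({**body, "tag": tag})
        self.prev_tag = tag
        return tag

    def checkpoint(self) -> dict:
        """Shipped to the collector after every batch; makes truncation visible."""
        return {"count": len(self.records), "last_tag": self.prev_tag}


def verify(key0: bytes, records: list, checkpoint: dict = None) -> tuple:
    """Recompute the chain from key0. Returns (ok, index_of_first_bad_record, reason)."""
    key, prev = key0, GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "tag"}
        if body.get("seq") != i:
            return False, i, "sequence gap: record removed or reordered"
        if body.get("prev") != prev:
            return False, i, "chain break: predecessor does not match"
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("tag", "")):
            return False, i, "record modified or forged"
        key, prev = _evolve(key), rec["tag"]
    if checkpoint is not None and (len(records) != checkpoint["count"]
                                   or prev != checkpoint["last_tag"]):
        return False, len(records), "log truncated after last checkpoint"
    return True, None, "ok"


def run_demo() -> dict:
    """Build a short log, then replay what someone editing the file on disk
    could do to it, and report what verification says in each case."""
    key0 = b"collector-held-key-constructed-for-this-example"
    log = AuditLog(key0)
    log.append("alice", 0, "write", "/etc/sysconfig/network", "ALLOW")
    log.append("alice", 0, "read", "/var/log/audit/audit.log", "DENY")
    log.append("bob", 1001, "read", "/var/log/audit/audit.log", "ALLOW")
    log.append("carol", 1002, "read", "/data/payroll/q3.db", "DENY")
    cp = log.checkpoint()

    edited = copy.deepcopy(log.records)          # turn a recorded DENY into ALLOW
    edited[1]["decision"] = "ALLOW"
    deleted = copy.deepcopy(log.records)         # remove the auditor's read
    del deleted[2]
    truncated = copy.deepcopy(log.records)[:3]   # drop the newest record

    return {
        "intact": verify(key0, log.records, cp),
        "edited": verify(key0, edited),
        "deleted": verify(key0, deleted),
        "truncated_no_checkpoint": verify(key0, truncated),
        "truncated_with_checkpoint": verify(key0, truncated, cp),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case:26s} ok={result[0]} at={result[1]} {result[2]}")
```

Two caveats a practitioner will want stated. First, this makes tampering detectable, not impossible: it is a complement to the access restrictions on the log listed above, not a substitute. Second, forward security only protects records written before a compromise; an attacker who holds the host’s current key can still forge later entries, and truncation is invisible without the off-host checkpoint, which is why the consolidation bullet above (prompt forwarding to a central system) matters as much as the protection of the local file.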
SECTION 3
Conclusion: Secure Management of Access is Essential
Effective security management starts with user identity and access: knowing who users are, and the policies that control their access to critical assets. One of the most important collections of assets to protect is host systems, together with the files, applications and databases that reside on them. What makes this problem so compelling is that the access control capabilities of native operating systems are inadequate for the stringent security requirements that the importance of these assets dictates.

Beyond the general need for stronger protection of critical assets, a specific problem is the lack of granularity over the large set of access entitlements granted to superusers. Excessive entitlements for administrators, and the inability to relate administrator actions unambiguously to a single individual, are two of the most important host system vulnerabilities. If superusers have more access rights than they actually need, and if the actions of each superuser cannot be attributed to a single administrator, overall security is greatly reduced. In addition, the audit logs cannot be trusted to be both accurate and secure, greatly increasing the difficulty of achieving regulatory compliance.

The solution to these pressing problems is a comprehensive host system access management solution, especially in an environment with a wide range of operating system ‘flavors’ and configurations. Such a solution can protect critical systems and assets from inadvertent or malicious compromise, and can greatly reduce the risk caused by excessive entitlements granted to superusers. It promotes a higher level of protection for sensitive data and mission-critical services, while easing management across platforms and enforcing consistent security policies and user activity tracking.
It also makes compliance with relevant governmental or industry regulations, as well as internal organizational security governance standards, much easier and more cost-effective.
SECTION 4
About the Author
Sumner Blount has been associated with the development and marketing of software products for over 25 years. He has managed the large computer operating system development group at Digital Equipment and Prime Computer, and managed the Distributed Computing Product Management Group at Digital. More recently, he has held a number of Product Management positions, including Product Manager for the SiteMinder product family at Netegrity. He is currently the Director of Security Solutions at CA.
Sumner Blount
CA Security Management
CA, one of the world’s largest information technology (IT) management software companies, unifies and simplifies complex IT management across the enterprise for greater business results. With our Enterprise IT Management vision, solutions and expertise, we help customers effectively govern, manage and secure IT.
WP05IAMACE MP297380607