Reducing Risks in Root Access for Superusers

Apr 25, 2021 / Kron

Due to the nature of their work in the IT field, superusers may need root access in order to be effective and efficient. Building a team of superusers can be a logical step, especially in large-scale organizations where thousands of servers are managed. Work done with a well-managed system administrator team can be organized, and possible errors can be prevented when the team uses the same root account on all servers.

These administrators eventually use the same root accounts on all servers when you have a team of superusers (for example, the system administrator team), as it is very difficult to create and maintain a large number of root accounts for thousands of servers, and this leads to a situation that is prone to errors.

Forming IT teams in this way is very common among companies of various sizes in every industry, and the idea that sharing passwords is more effective than not sharing may sound illogical. Of course, this situation has risks in itself, and there are many implicit and obvious reasons to challenge this practice.

Availability and efficiency form the basis of this practice, rather than avoiding compliance with security policies or having no understanding of security. Organizations can still benefit from the advantages of this approach, while significantly reducing the risk by using the right solution at the right time.

Root access approaches require complete trust in all team members and can operate smoothly over the years. But what happens when a trusted teammate becomes a disgruntled employee or contractor?

The risk of the password being revealed increases with each additional individual using it. This includes a high risk of lateral movement (intrusion, hacking into an account for lateral sliding, or attacking another account).

Another common application is the creation of a single shared password to gain access to many servers, an approach called availability. Revealing the password in the presence of such a scenario means risking multiple servers.

The most serious risk for organizations using systems of vital importance or hosting private customer data or sensitive information is to muddle accountability. It becomes impossible to find a clear way to distinguish who is doing what and to predict whether something is done by mistake or based on malicious intent when the same accounts are used by many users. This makes useful and appropriate audit practices almost impossible.

One way to solve this problem is through advanced password management. The use of shared passwords, unless there is a software alternative, makes it difficult to change/return passwords, given the possibility that some team members may lose access, or the need to notify these members before changes are made. Implementing and managing a company-wide password policy becomes a very challenging process when there is no automation.

So how can these risks be reduced? Password and session management.

Password management has two challenges. First, we need to be able to track which user uses which superuser account on any server. Secondly, the passwords of superuser accounts on these servers must be changed periodically. A better option is to allow users to connect to these servers without knowing/seeing the superuser account password.

There are two important issues with session management. The first is to identify who can connect, where, when, and to capture the session’s content and activity when users connect. Secondly, the creation of records/logs of individual user sessions that can be easily audited. Software solutions automatically manage the necessary account information on servers on behalf of the user, without disclosing passwords, showing superior session management capabilities.

Issues related to these two aspects fall within the scope of a Privileged Access Management (PAM) strategy.

There are two structural approaches within Privileged Access Management (PAM): the proxy approach (man-in-the-middle) and the agent approach. These approaches are based on the location of the control point. The PAM solution is placed between users and servers on a network, and the entire traffic flow is provided through the proxy server in the proxy approach. Alternatively, the solution is built on individual servers in the "agent approach".

Both approaches have benefits within themselves; the proxy approach is faster to apply to large networks, has a sustainable, easy-to-operate structure, and does not impose resource burden on servers. The agent approach, on the other hand, provides a more reliable control point on the servers, with a more in-depth and detailed control.

Single Connect is one of the richest, holistic, password and session management solutions in the PAM market. One of the most distinguishing features of the Single Connect product family is that it is suitable for both proxy and agent approaches. You can provide maximum protection using either one or both.