Mitigating Risks of Root Access for Superusers

10 January 2023

By: Ali Gomulu

Depending on the nature of their work, IT superusers have or need root access to be efficient and productive. Creating a team of superusers makes sense, especially for large organizations with thousands of servers under management. With a well-managed sysadmin team, work can be streamlined and mistakes reduced when the team shares the same root accounts on all servers.

When you have a team of superusers (e.g., a sysadmin team), creating and maintaining separate root-level accounts across thousands of servers is cumbersome and error-prone, so these admins end up sharing the same root accounts on all the servers.

While it may seem counterintuitive that sharing passwords is more effective than not doing so, setting IT teams up in this way is very common across companies of all sizes across all sectors. It is not without risk; in fact, there are many hidden and even obvious reasons to challenge this practice.

Convenience and productivity, rather than an unwillingness to follow security policies or a lack of understanding of security, is behind this practice, and with the right solution in place, organizations can enjoy the benefits while reducing the risks dramatically.

Root access approaches require implicit trust in all team members and can work smoothly for years. But what happens when a trusted teammate becomes a disgruntled employee or contractor?

For every person who shares a password, the risk of that password being compromised grows. This includes the increased risk of lateral movement (hacking into one system to attack another).

Another common theme is setting the same shared password to access multiple servers, again in the name of convenience. Once a password is compromised, the risk is not limited to the single server in this scenario.

A serious risk, especially for organizations that run mission-critical systems or hold private customer data or sensitive information, is obfuscated accountability. When the same accounts are used by multiple users, there is no real way to discern who did what, or to know whether something was done accidentally or maliciously. This posture also makes useful and compliant audit trails almost impossible.

One way to address this is advanced password management. Without a software solution, changing or rotating shared passwords is very difficult: some team members might lose access, or everyone must be notified before each change. Enforcing and managing a company-wide password policy is a huge task without automation.

So, how can these risks be mitigated? Password management and session management.

There are two challenges with password management. First, we need to be able to keep track of which user has used which superuser account on any given server. Second, the passwords of the superuser accounts on these servers should be changed periodically. Even better: allow users to connect to these servers without knowing or seeing the superuser account password.

In session management, there are also two main components. First, determining who can connect, where and when they can connect, and capturing the session initiated when they do connect. The second is the creation of easily auditable records/logs of individual users' sessions. With advanced session management, the software solution automatically manages the required account credentials of the servers on behalf of the user without exposing the passwords.
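The accountability gap described above (the server log only ever says "root") is closed by joining that log with the broker's own checkout records. The following is an added illustration, not Ironsphere code: it assumes a hypothetical checkout record format (user, server, account, time window), parses constructed sshd-style "Accepted ... for root" lines, attributes each root login to the named user who held the account at that moment, and flags logins that no checkout explains.

```python
"""Attribute shared-root logins to named users via PAM broker checkout records.

Added example. The checkout format is hypothetical; the log lines are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Checkout:
    user: str        # named individual who checked the account out
    server: str
    account: str     # shared privileged account, e.g. "root"
    start: datetime  # window during which the broker held a session open
    end: datetime


# Constructed broker audit records (hypothetical format).
CHECKOUTS = [
    Checkout("alice", "db01", "root", datetime(2023, 1, 10, 9, 0), datetime(2023, 1, 10, 9, 30)),
    Checkout("bob", "db01", "root", datetime(2023, 1, 10, 14, 0), datetime(2023, 1, 10, 14, 20)),
]

# Constructed sshd-style auth log for server db01 (syslog omits the year).
AUTH_LOG = """\
Jan 10 09:05:12 db01 sshd[2101]: Accepted publickey for root from 10.0.0.5 port 50122 ssh2
Jan 10 12:41:03 db01 sshd[2388]: Accepted password for root from 10.0.0.77 port 50310 ssh2
Jan 10 14:02:45 db01 sshd[2510]: Accepted password for root from 10.0.0.5 port 50400 ssh2
"""

LINE = re.compile(r"^(\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (\S+) sshd\[\d+\]: Accepted \w+ for (\w+) from (\S+)")


def attribute_logins(log, checkouts, year=2023):
    """Return (timestamp, server, account, src_ip, user_or_None) for each accepted login."""
    results = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        server, account, ip = m.group(2), m.group(3), m.group(4)
        # A login is attributable if some checkout for this server/account covers its time.
        owner = next((c.user for c in checkouts
                      if c.server == server and c.account == account and c.start <= ts <= c.end), None)
        results.append((ts, server, account, ip, owner))
    return results


def unbrokered(log, checkouts):
    """Root logins no checkout explains: likely direct use of a shared password."""
    return [r for r in attribute_logins(log, checkouts) if r[4] is None]
```

Any login in `unbrokered()` is the case the article warns about: a shared password used outside the broker, with nobody to attribute it to.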

Frameworks addressing these two concepts are part of a Privileged Access Management (PAM) strategy.

Within the PAM space, there are two architectural approaches to this: the proxy approach (man-in-the-middle) and the agent approach. These approaches are based on where the point of control is. With the proxy approach, the solution is placed between the users and the servers in a network, and all traffic is funneled through the proxy. With the “agent approach,” the solution is installed on individual servers.

There are a few trade-offs between these scenarios. The proxy approach is faster to deploy in large networks, is easier to maintain and operate, and adds no resource overhead on servers. The agent approach provides more in-depth, granular control on servers and a more reliable point of control.

Ironsphere offers one of the most feature-rich and complete password and session management solutions in the PAM market. One of the biggest differentiators of the Ironsphere platform is that it allows for both the proxy approach and the agent approach. Implement one or the other, or implement both for maximum protection.

Feel free to contact us for a demo and discussion about the art of managing passwords and sessions intelligently.
