Securing Your Foundation
Why you need host-based access control
Companies depend on servers to store their most sensitive and critical information assets, from customer records to internal financial information. These same systems also support critical applications such as databases, sales applications and email systems. Any disruption of business processes or loss of data can negatively impact the bottom line or, equally damaging, lead to significant legal exposure and loss of customer and partner trust.
Unfortunately, many open-system servers carry security weaknesses that can prove crippling. Chief among them are unauthorized access and holes in the underlying operating system. These threats stem from the power of the super-user account: anyone who reaches root, whether through a compromised user account or a privilege escalation, has full access to every application, every data store and the audit logs themselves. Insiders who obtain direct access to these systems often use such privileged accounts to carry out their attacks.
Since insider threats pose a serious and ongoing risk to organizations of all sizes, it's no surprise that demand for robust security solutions offering fine-grained access control has exploded, and options abound, not all of them stellar. This post outlines a handful of the common solution types organizations deploy to shrink insider threats and lock down access, explains why each so often falls short on its own, and names our recommended weapon of choice.
Combatting Insider Threats Demands More Comprehensive Control
The quest to fortify access controls has yielded several go-to options for organizations strapped for time and staff. None is inherently bad, but used alone each tends to fall short of the coverage and control needed to contain access risk.
Sudo-Based Solutions
Sudo (which stands for “substitute user do”) is a command-line utility that enables the temporary delegation of a higher privilege (from the root account, for example) to users with lower privilege.
How it works. Sudo controls who may run which commands as root (or as another account), a pattern usually called delegation of privilege. The policy lives in a flat file on each host, /etc/sudoers, plus any drop-in files under /etc/sudoers.d, and each command a user runs through sudo is logged with the invoking user's name.
Potential risks. The first limitation is that sudo delegates the right to run commands, not the right to touch particular files. Once a command is running as root it can read or write anything, so a rule that allows an editor "on /etc/hosts" really allows that editor on every file unless sudoedit is used instead. The policy is also a flat local file: if root is compromised the attacker simply rewrites it, and sudo can do nothing to keep an account that is already root away from sensitive resources. The second limitation concerns attribution. Sudo records who invoked what, but if an allowed command hands the user a shell (sudo -s, sudo su -, or an escape from an editor or pager), everything that follows runs as uid 0 and is no longer tied to the original user unless sudo's I/O logging or the kernel audit subsystem's login uid is in place, which complicates any attempt to identify who really executed a command. The third problem is breakout: many everyday programs (vi, less, find, awk, scripting interpreters) can spawn a shell or run arbitrary commands, so a "harmless" sudo rule for one of them is in practice a rule for ALL unless the NOEXEC tag or a purpose-built wrapper is applied.
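The breakout and attribution problems above can be found in a policy before an insider finds them. The following audit script is an added example, not code from the original post or from any vendor product; it reads the common one-line sudoers user specification, tracks the tags that apply to each command, and flags rules that amount to unrestricted root or that weaken attribution. The sample policy, the list of shell-escape-capable programs and the severity labels are all constructed for the demonstration.

```python
"""Audit sudoers rules for breakout and attribution risk.

Added example; it is not code from the original post or from any vendor
product. It understands the common one-line user specification
    user_or_%group  host=(runas)  [TAG: ...] command [, command ...]
and skips Defaults, alias and include lines (assumption: a real audit would
also read /etc/sudoers.d and compare against `sudo -l -U <user>`).
"""
import os
import re
from dataclasses import dataclass

# Programs that yield a root shell or arbitrary command execution once run
# through sudo (editor and pager escapes, find -exec, interpreters).
SHELL_ESCAPE_CMDS = {
    "vi", "vim", "nano", "emacs", "less", "more", "man", "find", "awk",
    "perl", "python", "python3", "sh", "bash", "su", "tar",
}
EDITORS = {"vi", "vim", "nano", "emacs"}

TAGS = {
    "NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
    "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT",
}
OPPOSITE = {"NOEXEC": "EXEC", "EXEC": "NOEXEC",
            "NOPASSWD": "PASSWD", "PASSWD": "NOPASSWD"}

RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)


@dataclass
class Finding:
    who: str
    command: str
    severity: str
    message: str


def parse_rule(line):
    """Return (who, [(tags, command), ...]) for a user specification, else None."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                    "Host_Alias", "Runas_Alias", "@include")):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    entries, active = [], set()
    for piece in m.group("cmds").split(","):
        piece = piece.strip()
        # A tag applies to its command and to every later command in the list
        # until the opposite tag appears, which is how sudoers reads them.
        while (tm := re.match(r"([A-Z_]+):\s*", piece)) and tm.group(1) in TAGS:
            active.add(tm.group(1))
            active.discard(OPPOSITE.get(tm.group(1), ""))
            piece = piece[tm.end():]
        entries.append((frozenset(active), piece))
    return m.group("who"), entries


def audit(sudoers_text):
    """Flag rules that amount to unrestricted root or that weaken attribution."""
    findings = []
    for raw in sudoers_text.splitlines():
        parsed = parse_rule(raw)
        if parsed is None:
            continue
        who, entries = parsed
        for tags, cmd in entries:
            base = os.path.basename(cmd.split()[0]) if cmd else ""
            if cmd == "ALL":
                findings.append(Finding(who, cmd, "high",
                    "every command as root; equivalent to sharing the root password"))
            elif base in SHELL_ESCAPE_CMDS and "NOEXEC" not in tags:
                # NOEXEC is implemented by preloading a library, so it only
                # restrains dynamically linked programs.
                fix = "use sudoedit" if base in EDITORS else "add NOEXEC or wrap the command"
                findings.append(Finding(who, cmd, "high",
                    f"{base} can spawn a root shell, so later actions are logged as root; {fix}"))
            if "NOPASSWD" in tags:
                findings.append(Finding(who, cmd, "medium",
                    "no re-authentication; a hijacked session becomes root silently"))
            if "*" in cmd:
                findings.append(Finding(who, cmd, "medium",
                    "wildcard argument; sudo's shell-style matching also accepts '..' and extra arguments"))
    return findings


# Constructed sample policy for the demonstration, not taken from any system.
SAMPLE_SUDOERS = """\
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
%admin      ALL=(ALL) ALL
alice       ALL=(root) NOPASSWD: /usr/bin/vim /etc/hosts
bob         ALL=(root) /usr/bin/systemctl restart nginx, /usr/bin/less /var/log/nginx/*
carol       ALL=(root) sudoedit /etc/hosts
dave        ALL=(root) NOEXEC: /usr/bin/less /var/log/syslog   # pager escape blocked
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        print(f"[{f.severity}] {f.who}: {f.command} -> {f.message}")
```

On the sample, carol (sudoedit) and dave (NOEXEC on the pager) produce no findings, while alice's passwordless editor rule and bob's wildcard pager rule are each flagged twice. The script is a linter, not a parser for the full sudoers grammar; use it to triage, then confirm with `sudo -l`.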
Restricted Shells and Shell Wrappers
After successfully authenticating to a UNIX/Linux system, users are granted access to an operating environment known as a shell. Common shells include C shell, Korn shell, Bourne shell, and Bash. To enhance security controls, many UNIX/Linux systems employ restricted shells.
How it works. A restricted shell acts as an intermediary between the user and the operating system. It intercepts each command the user types and validates it before execution, enforcing least privilege: bash's restricted mode (rbash), for example, forbids changing directory, altering PATH or SHELL, running commands whose names contain a slash, and redirecting output. A shell wrapper goes further and checks the whole command line against a policy, refusing anything not permitted, such as privileged commands or reads of sensitive data.
Potential risks. The validation is usually a blacklist or a set of regular expressions applied to the typed command line, and such checks are notoriously easy to bypass with quoting, an interpreter one-liner, or a program the list does not name. These solutions are also highly susceptible to breakout: an allowed program that can spawn a subprocess (an editor, a pager, find with -exec) hands the user an unrestricted shell. Finally, the controls exist only inside the provided shell, so the same identity can often reach restricted resources through other services on the host that authenticate it, where no wrapper runs at all.
Proxy-Based Access Controls
Proxy-based access controls provide a centralized point of control for managing privileged access to systems.
How it works. Unlike shell wrappers, which run on the target system itself, a proxy sits between the user and the host: it receives each command from the user, decides whether that user is allowed to run it on that server, and forwards only the commands it permits. The target host never sees what the proxy rejects.
Potential risks. Despite their benefits, proxy-based solutions share the shell wrapper's core weakness: the proxy judges a command line, not what the command does once it runs. If an allowed command yields code execution or file-system access on the target (an editor escape, an interpreter, a writable script), the user operates with the target account's full privileges and the proxy never sees it. The proxy is also a single gateway, so if it is compromised every system behind it is exposed. And the design relies entirely on network controls to ensure there is no direct path to the protected hosts; wherever that assumption fails (a second interface, a console, a forgotten service), the rules are simply not enforced.
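Both the restricted-shell wrapper and the command proxy above reduce to one decision: is this command line allowed? The following is an added example, not code from the original post or from any product, that contrasts the regex denylist such tools typically use with an allowlist that matches an exact program and argument shape. The denylist pattern, the allowlist policy for a hypothetical web server host, and every command line are constructed for the demonstration; nothing is executed.

```python
"""Command validation as done by a shell wrapper or a command proxy.

Added example, not code from the original post or from any product. It
shows how a regex denylist is bypassed and how an allowlist that refuses
anything it does not positively recognise holds up against the same inputs.
All command lines are constructed samples; none is run.
"""
import re
import shlex

# Denylist in the style of a typical wrapper rule: block the obvious shells
# when they appear as a separate word (hypothetical rule).
DENYLIST = re.compile(r"(^|[\s;|&])(/bin/)?(sh|bash|su|sudo)\b")


def denylist_allows(cmdline: str) -> bool:
    """Permit anything the denylist does not recognise (the weak design)."""
    return DENYLIST.search(cmdline) is None


# Allowlist: program name -> pattern the entire argument string must match.
# Hypothetical operator policy for a web server host.
ALLOWLIST = {
    "systemctl": re.compile(r"(status|restart) nginx"),
    "tail": re.compile(r"-n [0-9]{1,4} /var/log/nginx/(access|error)\.log"),
    "df": re.compile(r"-h"),
}

# Characters that make the line more than a plain argv (operators, command
# substitution, globbing, redirection). Refuse rather than try to sanitise.
SHELL_META = re.compile(r"[;&|`$<>(){}*?~\\]")


def allowlist_allows(cmdline: str) -> bool:
    """Permit only a known program with an argument string matching its pattern."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes: refuse rather than guess
        return False
    if not argv or any(SHELL_META.search(tok) for tok in argv):
        return False
    pattern = ALLOWLIST.get(argv[0])
    return pattern is not None and pattern.fullmatch(" ".join(argv[1:])) is not None


# Constructed breakout attempts: each one slips past the denylist.
BYPASSES = [
    "vim /etc/hosts",                                   # :!sh inside the editor
    "less /var/log/syslog",                             # !sh inside the pager
    "find / -exec /bin/dash \\;",                       # a shell the list never named
    "python3 -c 'import os; os.system(\"/bin/sh\")'",   # interpreter; quoting hides the word
    "s''h",                                             # the shell sees sh, the regex does not
]

# Constructed legitimate requests the operator policy is meant to permit.
LEGITIMATE = [
    "systemctl restart nginx",
    "tail -n 100 /var/log/nginx/access.log",
    "df -h",
]


def evaluate(cmdlines):
    """Return {cmdline: (denylist_verdict, allowlist_verdict)} for inspection."""
    return {c: (denylist_allows(c), allowlist_allows(c)) for c in cmdlines}


if __name__ == "__main__":
    for c, (deny_ok, allow_ok) in evaluate(BYPASSES + LEGITIMATE + ["/bin/sh"]).items():
        d = "allow" if deny_ok else "block"
        a = "allow" if allow_ok else "block"
        print(f"{c!r:52} denylist={d:5} allowlist={a}")
```

The allowlist still cannot see what an allowed program does after it starts, which is exactly the breakout problem: it keeps the interactive editors and pagers out of the policy entirely rather than trying to recognise their escape sequences.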
Host-Based Access Controls: Your Secret Weapon
Host-based access controls integrate tightly with the operating system, so teams can define custom policies that fit their environment and its users and apply granular controls to every action, leaving far fewer openings for a would-be threat.
Kernel Interceptors
The kernel interceptor is widely regarded as the gold standard for UNIX/Linux security. The security product loads a module into the operating system kernel, where it can make an authorization decision on every system call the operating system processes, rather than only on commands typed into a shell.
How it works. This mechanism provides a more granular level of control than restricted-shell or sudo approaches. By integrating directly into the operating system kernel, kernel interceptors can intercept and analyze every system call, enabling fine-grained access control and monitoring.
Key advantages. Kernel interceptors regulate access to system resources at a fundamental level, ensuring that users and processes have only the privileges they need. By monitoring system calls, they can detect and block unauthorized access attempts and privilege escalation as they happen, and they capture a detailed record of system activity, including user interactions and process behavior, that supports forensics. One caveat follows from the design: the module runs with kernel privileges, so a defect in it is a kernel defect, and it must be maintained for every kernel version the fleet runs.
Unlike restricted shells or proxy-based solutions, kernel interceptors can limit the privileges of individual processes even when those processes never interact with a shell. This is particularly useful for services that require elevated privileges but should be confined to specific tasks.
What to look for in your solution. Leading access control solutions leverage kernel interception to provide the fine-grained control today's teams need. Symantec Privileged Access Management (PAM), for one, acts as a dynamic extension of the operating system: its server control agents do not modify the operating system itself, so native OS security remains intact and access to resources is still governed by system permissions and access control lists (ACLs). The agents then layer additional measures on top, closing known gaps and enabling separation of duties, protection of network services, and more.
Now’s The Time to Secure Your Environment.
With insider threats hovering near the top of the list of CISO concerns, it’s clear that more can be done to gain tighter, granular control on who has access to what and when. Threats aren’t slowing down anytime soon—and neither should you. To learn more about harnessing host-based access controls in your own organization, read our solution brief, Extending Zero Trust to the Kernel.