A variety of vendor and open-source solutions have been developed over the years to address UNIX account management and access control, including those based on NIS and NIS+. Unfortunately, the shortcomings and decline of Sun’s Network Information Service (NIS) and NIS+ have left a vacuum in this space which has proven difficult to fill without custom solutions.
The Centrify Suite (DirectAudit, DirectAuthorize, and DirectControl) offers a solid solution that provides account, password, and access management features for UNIX systems. It also provides advanced audit capabilities that are critical to customers with regulatory compliance requirements. By integrating the tools of the Centrify Suite with the capabilities of Sun Identity Manager, Hub City Media has developed a solution for true end-to-end identity account lifecycle management.
This white paper describes Hub City Media’s solution and how it comprehensively addresses customer needs for UNIX system account management.
Production UNIX environments become markedly harder to manage as the number of hosts grows, and harder still when those hosts must be configured and managed to meet compliance standards and audit controls driven by HIPAA, PCI or other regulatory programs. User account information, stored in /etc/passwd, /etc/group, /etc/shadow and /etc/netgroup, is critical to the security of each host and therefore of the network. Synchronizing these ‘/etc’ files by hand across many hosts is inherently error-prone, and the resulting inconsistencies (the same login mapped to different UIDs on different hosts, accounts left behind after a user departs, password ageing settings that differ from host to host) weaken host and network security.
Successful automated systems for UNIX account management have included Sun Microsystems NIS and the more secure but less popular NIS+, as well as the MIT-developed Kerberos protocol. Kerberos is also the authentication protocol built into Microsoft’s Active Directory, the standard directory service for managing a multi-machine Windows network.
Today, NIS and NIS+ are no longer officially supported and have been replaced by systems leveraging LDAP or Kerberos, or both. The server infrastructure for running a combined LDAP/Kerberos solution is relatively simple. However, maintaining appropriate and consistent access controls in multi-vendor UNIX environments is difficult.
Out-of-the-box UNIX systems do provide support for LDAP and Kerberos authentication and authorization, but because each vendor implements these services slightly differently, robust security is often compromised by the need to offer generic functionality. Maintaining the highest consistent level of security requires modifications to each UNIX system’s Pluggable Authentication Modules (PAM). This is difficult work that requires C systems programming skills, and each PAM module must then be compiled for every operating system and processor combination, installed on each platform, and maintained internally by the customer.
A complete identity and access management system for UNIX accounts should meet the following core requirements:
1. Account Lifecycle Management - an automated mechanism for creating, deleting, enabling, disabling and modifying UNIX accounts. Ideally this mechanism will be driven by data updates from an authoritative source such as a human resources system or other system of record. The account information would be written to a central repository rather than distributed across all of the managed machines.
2. Password Management - support for sophisticated password management features such as checking for password complexity, forced periodic password changes, password history, self-service password change, and password reset based on security questions.
3. Host Access Control – user access can be limited to specific managed UNIX machines or systems.
4. UNIX Command Management – the ability to restrict what commands a user can execute on accessible systems and at what privilege level. This is most commonly implemented using the UNIX sudo command or a commercial equivalent.
5. Auditability - across all access, changes to access rights, and password activity. Ideally, critical systems would offer the ability to reconstruct administrative login sessions.
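As an added example (not part of the white paper, and not Centrify or Hub City Media code), the following Python script performs the kind of check that per-host management of the /etc files described earlier makes necessary, and that requirements 1 and 2 above are meant to make unnecessary: it parses passwd(5) and shadow(5) snapshots from several hosts, reconciles the local accounts against an authoritative list of active users, checks password ageing, and reports drift such as the same login carrying different UIDs on different hosts or an extra UID 0 account. All hosts, users, dates and file contents are constructed for the example.

```python
"""Read-only audit of per-host passwd/shadow snapshots (added example)."""
from datetime import date

# Constructed per-host snapshots; a real run would read the files over ssh.
PASSWD = {
    "web1": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "alice:x:1001:1001:Alice:/home/alice:/bin/bash\n"
        "bob:x:1002:1002:Bob:/home/bob:/bin/bash\n"
    ),
    "db1": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "alice:x:1005:1005:Alice:/home/alice:/bin/bash\n"  # uid differs from web1
        "carol:x:1003:1003:Carol:/home/carol:/bin/bash\n"  # left the company
        "ops:x:0:0:backup operator:/root:/bin/bash\n"      # second uid 0 account
    ),
}
SHADOW = {
    "web1": (
        "root:*:18000:0:99999:7:::\n"
        "alice:$6$salt$hash:17500:0:90:7:::\n"   # last change day 17500, max 90 days
        "bob:$6$salt$hash:17800:0:99999:7:::\n"  # max 99999: never expires
    ),
    "db1": (
        "root:*:18000:0:99999:7:::\n"
        "alice:$6$salt$hash:17900:0:90:7:::\n"
        "carol::17900:0:90:7:::\n"               # empty password field
        "ops:$6$salt$hash:18040:0:90:7:::\n"
    ),
}
HR_ACTIVE = {"alice", "bob"}   # constructed authoritative source of record
SYSTEM_ACCOUNTS = {"root"}     # local accounts that legitimately have no HR record
TODAY = date(2019, 6, 1)       # fixed so the results are reproducible
EPOCH = date(1970, 1, 1)       # shadow(5) stores dates as days since this


def parse_passwd(text):
    """Return {login: uid} from passwd(5) lines."""
    out = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            f = line.split(":")
            out[f[0]] = int(f[2])
    return out


def parse_shadow(text):
    """Return {login: (password_field, last_change_day, max_age_days)}."""
    out = {}
    for line in text.splitlines():
        if line.strip():
            f = line.split(":")
            out[f[0]] = (f[1], int(f[2]) if f[2] else None, int(f[4]) if f[4] else None)
    return out


def audit(passwd_by_host, shadow_by_host, hr_active, today):
    """Return sorted (host, login, issue) findings; host '*' means cross-host."""
    today_days = (today - EPOCH).days
    findings = []
    uids = {}  # login -> {host: uid}, used for the cross-host drift check
    for host, text in passwd_by_host.items():
        shadow = parse_shadow(shadow_by_host.get(host, ""))
        for name, uid in parse_passwd(text).items():
            uids.setdefault(name, {})[host] = uid
            if uid == 0 and name != "root":
                findings.append((host, name, "extra uid 0 account"))
            if name not in hr_active and name not in SYSTEM_ACCOUNTS:
                findings.append((host, name, "not in authoritative source (orphan)"))
            entry = shadow.get(name)
            if entry is None:
                findings.append((host, name, "no shadow entry"))
                continue
            pwfield, last_change, max_age = entry
            if pwfield == "":
                findings.append((host, name, "empty password field"))
            elif not pwfield.startswith(("*", "!")):  # skip locked accounts
                if max_age is None or max_age >= 99999:
                    findings.append((host, name, "password never expires"))
                elif last_change is not None and today_days - last_change > max_age:
                    findings.append((host, name, "password past max age"))
    for name, per_host in uids.items():
        if len(set(per_host.values())) > 1:
            findings.append(("*", name, "uid differs across hosts: %s" % sorted(per_host.items())))
    return sorted(findings)


if __name__ == "__main__":
    for host, name, issue in audit(PASSWD, SHADOW, HR_ACTIVE, TODAY):
        print("%-5s %-6s %s" % (host, name, issue))
```

Every finding here maps to a requirement in the list above: orphans and UID drift are what central lifecycle management removes, the ageing findings are what central password policy removes, and the extra UID 0 account is exactly the sort of local change that command management and auditing exist to catch.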
Unfortunately, none of the systems described previously satisfies all of these core requirements, and all have additional drawbacks. NIS and NIS+ are currently not supported by any system vendor and are being abandoned by the user community. LDAP/Kerberos systems are complex to implement and maintain, requiring that an additional single-purpose repository be created and managed.
Centrify provides a suite of products designed to address these shortcomings and meet the majority of the requirements detailed above. The suite includes three products: DirectControl, DirectAuthorize, and DirectAudit.
Centrify DirectControl enables a secure network environment by linking UNIX systems (including Web applications, databases and ERP systems) with Microsoft Active Directory. Centrify supports more than 18 UNIX and Linux operating systems in multiple versions and provides 32- and 64-bit builds where applicable. While an agent must be installed on each UNIX or Linux system, there is no software to install on the Active Directory server, and the solution does not require any schema changes to Active Directory.
In addition, DirectControl consolidates access control and extends single sign-on across the network. UNIX and Linux systems are full members of the Active Directory domain, so once a user logs into the Windows desktop and receives Kerberos credentials, that user can log into a UNIX system without supplying a user name and password again. As with any Kerberos single sign-on, this requires a Kerberos-aware client protocol (for example SSH with GSSAPI authentication); a plain password login still prompts, but it is validated against the same Active Directory credential.
Password management is fully integrated into the UNIX environment and can leverage Active Directory policy uniformly across all systems using DirectControl. Furthermore, Centrify’s Zone technology gives administrators the ability to group related systems and control a user’s access to those systems by assigning them to the zone, thus delivering full-featured host access control.
Finally, DirectControl supports multiple linking. Multiple UNIX accounts can be linked to a user’s Active Directory account even if the UNIX login id, uid, or gid do not match across systems. This feature eliminates any need to consolidate login IDs prior to deploying DirectControl.
Centrify DirectAuthorize provides centralized role-based privilege management for Centrify Zones. DirectAuthorize allows an organization to restrict both access to machines and what commands a user can execute by role. DirectAuthorize enables detailed control over user access across multiple systems without resorting to platform-specific operating system features.
Centrify DirectAudit provides reporting and troubleshooting tools, and it helps protect against internal threats via live monitoring and user session replay. DirectAudit stores all user activity in a central SQL database for flexible retrieval and analysis. This detailed data supports compliance with organizational security standards such as SOX, PCI and HIPAA.
The Centrify Suite provides most of the features required of a comprehensive UNIX account management system, including account and password management, host access control, fine-grained control over privileged command execution, and auditability.
However, Centrify does not provide automated or manual account lifecycle management. To address this need, Hub City Media has created an adapter for Sun Identity Manager designed specifically to provision/deprovision accounts for the Centrify Suite.
Sun Identity Manager, part of the Sun Identity Management suite of products, can automate the provisioning and de-provisioning of user accounts in multiple systems across an enterprise. It manages account information using a data-sparse approach – managing account data in place within the remote system vs. copying and synchronizing from a central database. By connecting to remote systems (or resources) using an agentless software connector called a resource adapter, Sun Identity Manager is able to create a single authoritative directory without replicating all the relevant data. No software is installed to the target resource, and data changes are made directly to the remote system.
Some resource adapter implementations can automatically detect changes on the target resource and push provisioning events into Sun Identity Manager. This powerful feature, known as ActiveSync, can be used to detect new accounts (in an HR system, for example), modify access for users who switch departments, or terminate access for users who leave the organization.
Sun Identity Manager also offers a robust workflow system which can be used to implement business processes relevant to account management. For example, accounts and modifications to accounts can require manager approval or involve any number of steps to fully provision, modify or terminate.
All account action is fully auditable and logged to the Sun Identity Manager repository for compliance and reporting purposes.
Sun Identity Manager can provide the full account lifecycle management required for a complete UNIX account management solution, providing the elements missing from Centrify’s solution. The Hub City Media Adapter is the bridge required to integrate Centrify Suite and Sun Identity Manager.
Hub City Media recognized early on that together, Centrify Suite and Sun Identity Manager can provide customers the full set of capabilities required to manage user accounts across multiple UNIX systems and heterogeneous system environments.
The missing component was a resource adapter that drives Centrify’s APIs to manage the Centrify entries in Active Directory. Hub City Media’s engineering team thus created an adapter that makes managing Centrify’s AD entries a simple, configurable task. The adapter can create new accounts, add users to custom Centrify Zones for host access control, and provide complete password management features such as password change and reset.
The adapter is delivered as a standard Java JAR file along with custom Xpress form definition files that can be installed into Sun Identity Manager. Once installed, the adapter can be configured to point to the Active Directory instance where user accounts and Centrify-specific entries are contained and managed.
While the adapter manages user entries effectively, the current version does not manage the creation, deletion, or modification of Zone definitions: it manages users within Zones but not the Zones themselves. Similarly, it does not manage the commands that a user or a Zone’s users may execute, although it can assign a user to a Zone or group that has been configured to restrict the commands that user can execute on a system or group of systems. Those configuration tasks remain in Centrify; the Hub City Media Centrify Adapter manages all aspects of the user account and audits all account actions.

The figure below describes a hypothetical system environment for Acme Widgets, a company that designs and codes application libraries for use by Java developers. Acme Widgets has an engineering group that creates the products, a sales organization that sells their custom Java libraries direct to customers, and an operations group that tracks orders, accounts payable and receivables. These groups have a number of internal systems they use to run their business. All teams have Windows desktop systems. The engineering group has a number of systems used in the construction and testing of their products. The sales team has a customer relationship management system (CRM) used for tracking customer accounts, leads and prospective customers. The operations group has financial systems used to track the company’s general ledger, and they are responsible for running the company mail system.
In addition to internal systems, the sales team has an external e-commerce site supported by the engineering group. While Acme Widgets is private and does not have SOX compliance obligations, it is subject to Payment Card Industry (PCI) audits for its Web store.

Most of Acme Widgets’ internal desktop systems and their mail system, running on MS Exchange, are connected and managed via Microsoft Active Directory. A dedicated team of administrators manages user accounts in Active Directory and conducts desktop and other system support.
A separate team of UNIX administrators creates, deletes, and updates accounts on the UNIX systems by managing the /etc/passwd files on each machine. This includes the UNIX systems that support the online store. Users do not have a single or even a reduced sign-on between their Windows desktops and the UNIX systems they use. Both the CRM system and the ERP system run on UNIX servers and require a UNIX system account as well as a database account for users to have full access to the application. Sales and operations staff are having trouble keeping track of their passwords in UNIX, the database and Windows. The passwords expire at different intervals and users must log into each system to update them. Manual management of user accounts, and the fact that administrators have full root access, is hindering PCI audit compliance. There is currently no reliable way to audit the actions of the system administrators on any system.
Acme Widgets wants a consolidated way to manage all users across internal and external systems. The company would like a single point of account creation, deletion and modification and must segregate access between engineering, sales, and operations. Acme Widgets would also like to simplify password management and be able to strictly control, and later reconstruct, access to its Web store for PCI compliance. Simplifying the administration of the UNIX infrastructure would provide a further benefit, freeing the engineering resources now spent maintaining that infrastructure to work full-time in engineering, where they contribute to revenue generation.
An ideal solution to Acme Widgets’ challenges would be to use Centrify to integrate all UNIX system authentication and authorization with Active Directory. Using Centrify, administrators could set up separate administrative Zones for sales/operations, engineering, and Web store systems, allowing users to be provisioned to Zones by role.
Because all systems would use Active Directory as a single point of control, all passwords for all systems could be managed through MS Active Directory and subject to one set of policy. This includes the databases that are connected to the ERP and CRM systems.
To complete this solution, the CRM system and ERP system would require additional account setup that cannot be supported by authentication alone; some database modifications would have to be completed before a user account could be fully functional. Acme Widgets would also like to provide self-service password management so that users can reset forgotten passwords without administrator assistance. In addition, it would like to make some account access requests, especially in the CRM and ERP systems, subject to manager approval. Finally, it would like to give administrators a secure, auditable tool to manage all system account information. Using Hub City Media’s Centrify Adapter, Acme Widgets can combine the authentication and authorization of Centrify with the provisioning and password management features of Sun Identity Manager. These integrated products create a complete end-to-end solution for Acme Widgets.
By combining the solutions, Acme Widgets achieves account management, host access control, advanced password management, and full auditing of user access and administrative access to the Web infrastructure.
All user account creation, deletion, and modification are completely controlled by Sun Identity Manager. Using the Hub City Media Centrify Adapter, accounts are properly provisioned to Active Directory with Centrify attributes, and users are assigned to their organization-specific Centrify Zones. Centrify Zones provide host access control and restrict users’ access to the appropriate systems and commands. CRM and ERP accounts are fully provisioned for user access with a combination of the Hub City Media Centrify Adapter and scripted adapters that perform the additional provisioning tasks.
Centrify’s DirectControl integration with Active Directory allows the required UNIX and database accounts to use the same AD credential for authentication, and DirectAuthorize applies role-based authorization on top of it. Furthermore, the additional approvals for access to certain CRM and ERP functions are performed via Sun Identity Manager workflows. When users leave the company, a single system de-provisions all accounts and access rights, eliminating orphaned accounts and other manual omissions.

Acme Widgets users can now use Sun Identity Manager’s password management features: changing a password through the Windows login prompt changes it in AD and therefore for all systems at once. And because Centrify leverages Active Directory’s Kerberos single sign-on capabilities, users can log in directly from their Windows machines to the UNIX systems without re-entering their user names and passwords. Users and administrators can reset forgotten passwords from Sun Identity Manager’s Web interface or using Hub City Media’s Password Reset for Windows, which adds a “forgot password” button to the Windows login screen. When the user clicks this button, Password Reset for Windows prompts the user to answer the security questions pre-configured in Sun Identity Manager in order to reset their own password. Hub City Media’s Password Reset for Windows is a custom Graphical Identification and Authentication (GINA) DLL module that extends the Windows login via a standard programmatic interface. It communicates securely with Sun Identity Manager, which stores the user’s security questions and performs the actual password reset via workflow.
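Because a security-question reset is itself an authentication path, the answers deserve the same handling as passwords. The following Python code is an added illustration of that handling and is not Hub City Media’s or Sun Identity Manager’s implementation (how they store and compare answers is not described here): answers are normalized so that case and spacing do not cause spurious failures, stored only as salted PBKDF2 hashes, compared in constant time with no early exit, and guarded by a failure counter so the questions cannot be guessed at leisure. The question identifiers, answers and iteration count are all assumptions for the example.

```python
"""Safe storage and verification of security-question answers (added example)."""
import hashlib
import hmac
import os
import unicodedata


def normalize(answer):
    """Fold case and collapse whitespace so 'New York' and ' new  york ' agree."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def enroll(answers, iterations=200_000):
    """Return per-question records holding a random salt and a PBKDF2-SHA256
    hash of the normalized answer. The plaintext answer is never stored."""
    records = {}
    for qid, answer in answers.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, iterations)
        records[qid] = {"salt": salt, "hash": digest, "iterations": iterations}
    return records


def verify(records, attempts, required=None):
    """Check every enrolled question (no early exit, so timing does not reveal
    which answer was wrong) and return True if at least `required` match;
    by default all of them must match."""
    required = len(records) if required is None else required
    correct = 0
    for qid, rec in records.items():
        given = normalize(attempts.get(qid, "")).encode()
        digest = hashlib.pbkdf2_hmac("sha256", given, rec["salt"], rec["iterations"])
        if hmac.compare_digest(digest, rec["hash"]):
            correct += 1
    return correct >= required


class ResetGate:
    """Throttle guessing: after max_failures wrong attempts the self-service
    path is closed and the user has to go through the help desk."""

    def __init__(self, records, max_failures=5):
        self.records = records
        self.max_failures = max_failures
        self.failures = 0

    def attempt(self, answers):
        if self.failures >= self.max_failures:
            return "locked"
        if verify(self.records, answers):
            self.failures = 0
            return "ok"
        self.failures += 1
        return "locked" if self.failures >= self.max_failures else "retry"


if __name__ == "__main__":
    # Constructed enrollment; the question ids and answers are assumptions.
    recs = enroll({"q1": "Fluffy", "q2": "New York"})
    gate = ResetGate(recs)
    print(gate.attempt({"q1": "fluffy", "q2": " new  york "}))   # ok
    print(gate.attempt({"q1": "fluffy", "q2": "Boston"}))        # retry
```

A reset workflow would call something like `ResetGate.attempt` before it is allowed to set the new AD password; answers that are common knowledge (mother's maiden name, birthplace) remain weak no matter how they are stored, so the questions themselves should be chosen with that in mind.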
Finally, to support PCI audit requirements, Centrify’s DirectAudit product will be used to capture all login and command events from the Web store systems. These events will be logged to a MS SQL database to create full reports on any administrative user activity for those systems. This includes complete reconstruction of any user’s login session. This level of access and session audit will help Acme Widgets pass its PCI audits.
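To make the session-reconstruction idea concrete, here is an added example that is not DirectAudit code and does not use its storage schema (which the paper does not describe): it reads a constructed stream of login, command and logout events, rebuilds each session's ordered command timeline, and flags the commands a PCI assessor reviewing Web store access would ask about, such as spawning a root shell or editing the local account files. The event format, hostnames, users and the list of flagged patterns are all assumptions for the example.

```python
"""Rebuild administrative sessions from audit events and flag privileged
commands (added example; constructed event format, not DirectAudit's)."""
import re
from collections import defaultdict

# Constructed events: timestamp|host|session|user|kind|detail
EVENTS = """\
2019-06-01T09:00:00|shop-web1|s1|alice|login|ssh from 10.0.0.5
2019-06-01T09:00:12|shop-web1|s1|alice|cmd|ls /var/www
2019-06-01T09:01:03|shop-web1|s1|alice|cmd|sudo -i
2019-06-01T09:01:20|shop-web1|s1|alice|cmd|vi /etc/passwd
2019-06-01T09:05:00|shop-web1|s1|alice|logout|
2019-06-01T10:00:30|shop-db1|s2|bob|cmd|tail -f /var/log/mysql.log
2019-06-01T10:00:00|shop-db1|s2|bob|login|ssh from 10.0.0.9
2019-06-01T10:30:00|shop-db1|s2|bob|logout|
"""

# Assumed review rules: what an assessor wants called out in a session report.
PRIVILEGED = [
    (re.compile(r"^(sudo\s+-i|sudo\s+su\b|su\s+-?\s*$|su\s+root\b)"), "interactive root shell"),
    (re.compile(r"/etc/(passwd|shadow|group|sudoers)\b"), "account or authorization file touched"),
    (re.compile(r"\b(useradd|userdel|usermod)\b"), "local account change outside provisioning"),
]


def parse_events(text):
    """Split the pipe-delimited event lines into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, sid, user, kind, detail = line.split("|", 5)
        rows.append({"ts": ts, "host": host, "session": sid,
                     "user": user, "kind": kind, "detail": detail})
    return rows


def reconstruct(rows):
    """Group events by session id, order them by time (events may arrive out
    of order), and attach a flag for every command matching a review rule."""
    sessions = defaultdict(list)
    for row in sorted(rows, key=lambda r: r["ts"]):
        sessions[row["session"]].append(row)
    report = {}
    for sid, evs in sessions.items():
        flags = []
        for ev in evs:
            if ev["kind"] != "cmd":
                continue
            for pattern, reason in PRIVILEGED:
                if pattern.search(ev["detail"]):
                    flags.append((ev["ts"], ev["detail"], reason))
        report[sid] = {
            "user": evs[0]["user"], "host": evs[0]["host"],
            "start": evs[0]["ts"], "end": evs[-1]["ts"],
            "commands": [ev["detail"] for ev in evs if ev["kind"] == "cmd"],
            "flags": flags,
        }
    return report


if __name__ == "__main__":
    for sid, s in reconstruct(parse_events(EVENTS)).items():
        print("%s %s@%s %s..%s" % (sid, s["user"], s["host"], s["start"], s["end"]))
        for ts, cmd, reason in s["flags"]:
            print("   FLAG %s %-20s %s" % (ts, cmd, reason))
```

The same grouping is what makes a recorded session replayable: once events are keyed by session and ordered by time, the full command history of any login on the Web store hosts can be pulled for an assessor without relying on the administrator's own shell history.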
Many companies have heterogeneous networks of computers that have expanded over time. User provisioning and maintenance can quickly become unwieldy as system administrators develop manual processes to control additions and changes. Solutions in the past have been somewhat segmented, leveraging now-obsolete NIS/NIS+ or Active Directory tools.
Thanks to Hub City Media’s Centrify Adapter, Sun’s Identity Management system and the Centrify Suite can work together to provide an end-to-end solution for account, access, and password management in complex system environments. This pre-tested, pre-integrated solution delivers the identity management controls required by many regulatory frameworks: full account lifecycle management, fine-grained role-based host access control, password management, and access auditing. Together these features satisfy the need to secure and manage today’s heterogeneous networks.