Controlling Access in Linux and UNIX Environments

Sudo is a widely used program for delegating access within Linux and UNIX environments. But is it sufficient? Find out here, as this article takes a look at the program and what it does to provide security.


Originally published at Internet.com


One of the most common security challenges Linux and UNIX IT administrators face is how to effectively manage the root, or "super-user", account. In an age of regulatory compliance and data privacy laws, and as more and more organizations elect to run mission-critical applications on UNIX and Linux systems, controlling and auditing privileged account access is more crucial than ever.

Without proper controls, anyone with access to the root account holds the virtual "keys to the kingdom", regardless of whether their job classification, specific duties or role within the IT department justifies it. This violates the security best practice of least privilege and can expose proprietary systems and information to malicious activity and sabotage. While most IT staffers are trustworthy, consider that study after study reveals that insiders are often at the center of security breaches and incidents of data theft.

These findings demonstrate that, in deciding who should have access to critical systems and data, IT managers and staff must understand the importance of having systems and policies in place that create an enterprise-wide security environment based on role and scope.

Freeware challenges

While most IT decision makers would agree that protecting the root account is a best practice worth following, there is often a debate about just how to accomplish this. One of the fundamental questions that must be thoroughly addressed is whether to deploy commercial solutions or rely on freeware.

Perhaps the most widely used open-source program for delegating responsibilities within Linux and UNIX environments is sudo. The basic intention of sudo is to give administrators a way to let users run certain programs that would otherwise require the root password, without handing them complete root privileges. While sudo does have a handful of positive attributes, IT managers familiar with the program understand that its drawbacks make it an incomplete, insufficient solution.

One challenge with sudo is that it is a "quick and dirty" approach that invariably grants more privileges than the job requires, resulting in an unnecessarily high risk of accident or attack. Some tasks still do require root privilege, and attackers are crafty enough to exploit this by looking for ways to subvert setuid-root processes while still retaining root's context.
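As an added illustration of the "more privilege than the job requires" point (this is example code written for this page, not part of the original article or of the sudo project), the following script parses a small constructed sudoers fragment and reports where a rule exceeds least privilege: a rule granting ALL commands, a runas of ALL, the NOPASSWD tag, or a wildcard in the command arguments. The Cmnd_Alias named WEB_RESTART and the user names are assumed sample values; the parser handles the simplified `user host = (runas) TAG: cmds` form only.

```python
import re

# Constructed sample sudoers fragment (not from the article): a broad rule, a
# wildcard rule and a least-privilege rule bound to a command alias.
SAMPLE_SUDOERS = """\
Cmnd_Alias  WEB_RESTART = /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
deploy      ALL=(ALL) NOPASSWD: ALL       # effectively a second root account
backup      ALL=(root) /usr/bin/rsync *   # wildcard argument
webops      ALL=(root) WEB_RESTART        # only the two commands in the alias
"""

# user host = (runas) TAG: cmd1, cmd2   (simplified: no User_Alias, Host_Alias or Runas_Alias)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def parse_sudoers(text):
    """Return (user, host, runas, tags, commands) tuples with Cmnd_Alias names expanded."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blanks
        if not line or line.startswith("Defaults"):
            continue
        if line.startswith("Cmnd_Alias"):
            name, _, body = line[len("Cmnd_Alias"):].partition("=")
            aliases[name.strip()] = [c.strip() for c in body.split(",")]
            continue
        m = RULE_RE.match(line)
        if not m:
            continue                                   # unsupported syntax: skip
        tags = [t for t in m.group("tags").replace(" ", "").split(":") if t]
        cmds = []
        for c in (c.strip() for c in m.group("cmds").split(",")):
            cmds.extend(aliases.get(c, [c]))           # expand alias names in place
        rules.append((m.group("user"), m.group("host"), m.group("runas") or "root", tags, cmds))
    return rules

def audit_rule(rule):
    """Return the ways one rule exceeds least privilege; an empty list means no finding."""
    _user, _host, runas, tags, cmds = rule
    findings = []
    if "ALL" in cmds:
        findings.append("grants every command, which is full root")
    if runas == "ALL":
        findings.append("may run as any account, not only root")
    if "NOPASSWD" in tags:
        findings.append("no password prompt, so a hijacked session escalates silently")
    if any("*" in c for c in cmds):
        findings.append("wildcard argument; sudo matches the argument list as one string")
    return findings
```

Run it over a real /etc/sudoers (or the files under /etc/sudoers.d) after `visudo -c` confirms the syntax; the webops rule is the shape to aim for, since it names exactly the two commands the role needs.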

In a smaller environment, for example ten or twenty servers, sudo may be able to handle an organization's access control needs. Larger enterprises, however, often have hundreds of servers running dozens of different versions of Linux and UNIX operating systems. The larger and more complex an IT environment, the greater the number of administrators who need privileged access, and the greater the likelihood of mistakes and deliberate attacks. Sudo is neither practical nor scalable in very large heterogeneous deployments.

Another drawback associated with sudo is that vulnerabilities often go undiscovered and unreported. Users must rely on open forums for solutions to noted problems, if those problems are discovered at all.

With sudo continuing to fall out of favor with administrators of large-scale IT environments, organizations are turning to commercial identity and access management solutions as a more effective means of addressing the insider threat, satisfying compliance regulations and following security best practices without alienating the IT department.

IAM the solution


Identity and access management (IAM) refers to a comprehensive set of solutions used to identify users within an organization and control their access to systems and information by aligning each user's designated rights, identity and role with the correct intellectual property and digital assets. As noted earlier, because privileged accounts carry elevated capabilities, they must be more closely monitored for misuse. Deploying commercial IAM solutions accomplishes this far more effectively than sudo or other freeware applications.

Organizations can benefit greatly from an IAM system that ensures only authorized users are able to access proprietary systems and information. An effective IAM solution will also make certain that those authorized to perform duties with elevated privileges and access are confined to what their role designates. Their activities will be recorded and an indelible audit trail will be created. In addition to helping guarantee the integrity of data in financial systems, this is invaluable for forensics and troubleshooting, and it often serves as a deterrent to malicious or unethical behavior. Role-based access can and should be granularly defined to meet compliance and data privacy requirements.

If an organization works within the framework of these best-practice approaches, an IAM solution will allow for easier implementation and enforcement of security policy related to privileged accounts. These technologies serve as a centrally controlled application for password management across the hundreds, or even thousands, of systems typically running within a Windows/UNIX/Linux network. By making it easier to authenticate users and automate access restriction, organizations move one step closer to a secure infrastructure and to compliance with industry and federal regulations.

Author: Ellen Libenson
