Hi, I'm Todd Peterson. I'm a member of the Identity and Access Management Team here at Dell Software. And today we're going to talk about real-world identity and access management for Unix systems. So let's turn to the Dell XPS One touchscreen and get started.
As any of you who use Unix systems know, every box is natively an island unto itself. That means that each box requires authentication, authorization, administration, and audit performed for each box each time a user has to log on or each time you need to manage a user's account.
Here on the screen, we have nine Unix boxes. So that means that without any help, there are nine separate directories, nine separate identities for the person logging on, nine separate passwords, nine accounts to provision, nine accounts to deprovision, and nine places to audit. It's very complex, especially as you're getting into hundreds or thousands of Unix boxes. That's a big problem.
Another problem with Unix systems is the root account. The root account is the administrative account that allows administrators to do the work necessary to manage the box, to reset a password, to install a patch, whatever. The root account is all or nothing. And the root account exists independent of users on each box. So it's anonymous. And it's often shared among a number of users. So let's talk about some ways that you can reduce that complexity and make it much more simple to manage Unix boxes and to secure Unix boxes.
So as I mentioned earlier, for every box we have nine different kinds of authentication, authorization, administration, and audit happening on the screen. That's nine times the work, nine times the things that have to happen. It takes nine times as long.
You also have in your environment Active Directory, which is a single unified directory for the entire Windows environment. So it has one time for authentication, one time for authorization, et cetera.
Imagine if you could eliminate all nine of those Unix directories and those Unix tasks and instead unify them with the already existing single identity and single point of authentication, authorization, administration, and audit that exists in Active Directory. All of a sudden, your security would increase dramatically. Your efficiency would increase, and everyone would be operating much better.
Another challenge that we have in Unix systems is the root account. It's the administrative account that has all power, allows an administrator to do the things necessary to keep the system alive and to do the day-to-day maintenance of the system. The problem with root is it's all or nothing. You can do anything or you can do nothing with root. And the root account is anonymous and shared among a number of administrators.
Luckily, most Unix and Linux systems ship with a little utility called sudo. Sudo is a delegation tool that allows you to only give out as much of the root permission as necessary to do the job. So you delegate portions of root to individual administrators. But sudo isn't perfect; it has a couple of limitations. Just like with identity, root is used on every box and sudo is installed to help with every box.
So on box one, you have a copy of sudo. That includes its policy file, and that includes the management of the policy itself delegated in the account. Same thing on number two. Same thing on number three and so on and so on.
There's no centralized reporting. You have no way to know who has rights to what on which box. There's no centralized management. You have no way to easily keep those policies consistent across all the boxes. But sudo does a great job of removing the need to have everybody share the root account. So here are a couple of options that we have to overcome these challenges in Unix systems.
As I mentioned earlier, if you can unify authentication, authorization, administration, and auditing in Active Directory, you're able to eliminate a lot of that tedious and error prone work that happens for identity administration.
Also, if you can maximize sudo: imagine if you could centrally manage sudo across all of those servers. What if you could then report on sudo, report on the policy of sudo, report on the use of sudo, and ensure that the policy is consistent across all the systems?
Then you also have the need to possibly, at times, issue the full root credential to other people. Maybe you should lock those in a privileged safe and only issue them if somebody needs them. Then you would have an end-to-end privileged account management offering for your Unix systems. This would allow you to manage everything consistently, including the user accounts and the privileged accounts, as well as to manage them concisely. You do actions once and only once across the entire thing. The end result of this is that you have maximum security, maximum compliance, and maximum efficiency.
To learn more about how you can unify the identity and access management of your Unix, Linux, and Mac systems, visit us at software.dell.com/identitymanagement. Thanks for watching.
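The sudo limitation described in the talk, that each box carries its own policy file and there is no central way to know who has rights to what on which box, can be illustrated with a small reporting script. The following is an added example and is not part of the transcript or of any Dell product: it parses plain sudoers user specifications collected from several hosts (the host names and sudoers snapshots below are constructed for illustration; aliases, Defaults lines and include directives are deliberately out of scope), builds a who/runas/command/host matrix, flags rules that hand out the whole root account rather than a slice of it, and lists rights that are not granted uniformly across the hosts a principal appears on.

```python
"""Aggregate sudoers user specifications gathered from several hosts and report
who may run what where, full-root grants, and policy drift between hosts.

Added example (not part of the Dell transcript). The snapshots below are
constructed; only plain user specifications are parsed (no aliases, no
Defaults, and #include/@include directives are dropped along with comments).
"""
import re
from collections import defaultdict

# Constructed /etc/sudoers snapshots from three hypothetical hosts.
SNAPSHOTS = {
    "web01": """
# web01 sudoers
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) ALL
alice   ALL=(root) NOPASSWD: /usr/bin/systemctl restart httpd, \\
                             /usr/bin/systemctl status httpd
bob     ALL=(root) /usr/sbin/useradd, /usr/sbin/userdel
""",
    "web02": """
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) ALL
alice   ALL=(root) NOPASSWD: /usr/bin/systemctl restart httpd
bob     ALL=(root) ALL
""",
    "db01": """
root    ALL=(ALL:ALL) ALL
bob     ALL=(root) /usr/sbin/useradd
carol   ALL=(postgres) /usr/bin/pg_ctl
""",
}

# user-or-%group  HOSTS = (RUNAS[:GROUP]) [TAG: ...] cmd1, cmd2, ...
SPEC_RE = re.compile(
    r"^(?P<who>%?[\w.-]+)\s+(?P<hosts>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


def _logical_lines(text):
    """Yield lines with comments stripped and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line = (buf + line).strip()
        buf = ""
        if line:
            yield line


def parse_sudoers(text):
    """Return a list of (who, runas_user, nopasswd, command) tuples."""
    entries = []
    for line in _logical_lines(text):
        m = SPEC_RE.match(line)
        if not m:
            continue  # Defaults, aliases, anything else: out of scope here
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        nopasswd = "NOPASSWD" in (m.group("tags") or "")
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd:
                entries.append((m.group("who"), runas, nopasswd, cmd))
    return entries


def rights_matrix(snapshots):
    """Map (who, runas, command) -> set of hosts on which that right exists."""
    matrix = defaultdict(set)
    for host, text in snapshots.items():
        for who, runas, _nopasswd, cmd in parse_sudoers(text):
            matrix[(who, runas, cmd)].add(host)
    return matrix


def full_root_grants(snapshots):
    """Principals other than root who may run ALL commands as root somewhere.
    These rules give away the whole root account instead of a delegated slice."""
    out = {}
    for (who, runas, cmd), hosts in rights_matrix(snapshots).items():
        if cmd == "ALL" and runas in ("root", "ALL") and who != "root":
            out[who] = sorted(hosts)
    return out


def policy_drift(snapshots):
    """For principals present on more than one host, rights not granted on every
    host they appear on: {who: [(runas, command, hosts_missing_the_rule)]}."""
    matrix = rights_matrix(snapshots)
    present_on = defaultdict(set)
    for (who, _runas, _cmd), hosts in matrix.items():
        present_on[who] |= hosts
    drift = defaultdict(list)
    for (who, runas, cmd), hosts in sorted(matrix.items()):
        missing = sorted(present_on[who] - hosts)
        if len(present_on[who]) > 1 and missing:
            drift[who].append((runas, cmd, missing))
    return dict(drift)


if __name__ == "__main__":
    for key, hosts in sorted(rights_matrix(SNAPSHOTS).items()):
        print("%-8s as %-8s %-40s on %s" % (key[0], key[1], key[2], ",".join(sorted(hosts))))
    print("\nfull root grants:", full_root_grants(SNAPSHOTS))
    print("policy drift:", policy_drift(SNAPSHOTS))
```

On a real estate the snapshots would come from each host's /etc/sudoers (and /etc/sudoers.d), validated first with `visudo -c`; `sudo -l -U <user>` on a live box is the per-host answer to "what can this person run here", which is exactly the question this script tries to answer across many boxes at once.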