by Benjamin H. Sherman — April 11, 2019

Growing Beyond “I AM ROOT”

Most organizations are still hybrid cloud adopters. They’ve achieved a level of virtualization, but have yet to fully liberate themselves from the OS/server and network hardware access controls that break applications when security measures are introduced. In the meantime, unsanctioned SaaS and PaaS cloud projects proliferate as teams try to keep up with increasing productivity demands in the midst of delayed, or slow, company-wide technology deployments. On top of that, convincing a root administrator they should give up direct/backdoor access to systems in the name of security is always a challenge.

Here are three strategies to secure your hybrid IT infrastructure for least privilege access while simultaneously boosting productivity. Each relies on unifying IDaaS (Identity as a Service) authentication with PAM (Privileged Access Management) controls to give all employees a better way to interact with their infrastructure and SaaS applications.

1. Bridge Access to the Infrastructure

If you ask any admin what the slowest, least secure, or most annoying part of their system access is, they often offer up the following litany: multiple logins and passwords; remote desktop sessions; Linux servers with open SSH and SCP ports that are attractive to attackers; firewalls, routers, and switches that prevent access; and lost or expired certificates.

With modern IDaaS authentication and PAM controls working in concert, these systems can be reorganized for least-privilege access, at a minimum. At best, they can be replaced with orchestrated microservices, Docker, and network segmentation projects—representing an evolution for those seeking CAPEX to OPEX cost-savings. In the meantime, a PAM solution securing the servers and an IDaaS solution hosting a virtual LDAP – while speaking RADIUS – can ease the pain of multiple privileged access security models, while providing a bridge for replacement technology.

2. Earn the Root Admin’s Trust

Conflicts over policies of least privilege typically occur when the root admin’s direct access to the Internet, cloud, and network is adjusted. Their lost or stolen credentials present a massive risk to an organization, but in the rush to mitigate that risk, productivity is often sacrificed. Combining PAM and IDaaS via Single Sign-on (SSO) is a technical best practice because it separates the admin from their known credentials, but still permits their access. To entice the root administrator’s cooperation, it is best to also offer:

  • Fewer logins and passwords to forget (one login is optimal).
  • Privileged access hosted in the cloud using modern authentication, thereby removing the encumbrance of VPN tunneling. This also delivers improved access to networked hardware.
  • The ability, with these cloud tools, for the newly liberated administrator to work more securely, and from anywhere, with all of their resource access from one dashboard.

PAM and IDaaS together provide better security by gating access between an administrator’s applications and their credentials. Most cyberattacks targeting privileged users are foiled with that gated step (typically a contextual multi-factor challenge), forcing the admin to prove their identity with something they have on-hand. Together with a behavior-based audit of all escalated/authorized activities, all of the compliance checkmarks fall into place. Best of all, the most secure technical solution is also the most convenient!

Figure 1: PAM plus IDaaS with SSO offers self-service password reset, cloud redundancy, multi-factor, and VPN-less access. Combined, the solutions leverage trusted IdP connections to deliver modern authentication and application access for all users—privileged and non-privileged alike.

3. Balance Security and Simplicity

Striking the appropriate balance between greater security controls and simplicity in cloud adoption eases administrative access to these exceptionally powerful resources. This makes the hybrid cloud era more secure AND determines the success or failure of an organization’s transformation from “Status Quo Vulnerable” to “Modern Authenticated.”

  • PAM/IDaaS tools protect the administrator’s credentials, even if the admin were to be violently threatened to divulge their secrets. Backdoors, service URLs, and having to remember passwords are all rendered unnecessary by an all-access SSO web portal for all of the admin’s servers and command-prompts. An admin doesn’t even have to remember their portal password if they have a desktop cert installed. Who would mind when their value as a hostage becomes diminished?
  • The cloud brings reliability and redundancy, which is exactly what an admin battling an outage requires. If they ever choose to leave the organization or head off for a remote beach vacation, they can rest easy knowing that their critical applications are securely accessed from or revoked via one delegatable place. By bundling self-service password reset with their SSO, most lockouts and help-desk calls are eliminated, so the admin is not even disturbed in the first place. Even the CIO can intuitively find the “right switch to flip.”

Figure 2: Provisioning and deprovisioning binds a combined PAM and IDaaS system together because the PAM watches use. When insecure behaviors are blocked, or sessions are terminated, those actions can be fed back to lock or terminate sessions tied to that IDaaS user, not just for the privileged system but for that user’s sessions across all other systems as well.

A clever IT transformation specialist will couple PAM and IDaaS solutions to incent root admins to find that perfect balance between better security and improved convenience for themselves. If the “I am root” user likes it, the rest of us might just be able to enjoy the benefits too.

Want deeper insights into how to keep privileged accounts safe while also simplifying your access management? Join Dave Shackleford – Principal Security Consultant at Voodoo, Shaun Pressley – Senior SE at BeyondTrust, and myself for our webinar on May 2nd 10 am PT! You can register here.

