By Rajat Bhargava Posted April 25, 2016
What’s one of the most significant security steps that you can take in IT? Ensure that you have per-user logins to your Linux systems. There are a few contributing factors that make this so important. First, your Linux systems often house your production infrastructure, such as your applications and data. Next, Linux systems are being hosted in the cloud more than ever. Finally, infrastructure providers such as AWS and Google Compute Engine are increasing the number of Linux systems within an organization. The challenge then becomes how to manage user access to those Linux systems.
Getting the Ball Rolling
When organizations are first starting out, there is a tendency to leverage shared accounts. Even AWS is guilty of this; the default account on their servers is ec2-user. This is often used as a shared account by developers and operations personnel. Unless an organization steps up and changes that paradigm, things can get out of control, resulting in shared accounts existing across a wide swath of servers and users. For organizations that want to step up their security and utilize per-user logins, there are really three major options to accomplish this task. Let’s take a closer look at these options for per-user logins to Linux.
Stepping Up Your Security Game
Manual user management
IT admins can manually create accounts on their Linux systems. By creating an account per user, they are ensuring that there aren’t any shared accounts. Of course, if you have a large number of servers or users, this can become a painful process.
Configuration management solutions
As the IT infrastructure grows, configuration management solutions are often leveraged to help automate the user account management process. This works well, but it is a labor-intensive solution because it requires IT to write code: tools such as Chef and Puppet are popular choices, yet both force admins to express user accounts as code. If there is any complexity in user permissions, then that code becomes more intricate.
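Whichever of the approaches above an organization picks, it helps to be able to tell whether the shared-account pattern described earlier (one ec2-user login with several people's SSH keys appended to it) is already present. The following POSIX shell script is an added example, not code from the original post or from JumpCloud: it audits an authorized_keys file for multiple owners and a passwd file for accounts that share a UID, which is the other way individual accountability gets lost. The sample files it reads are constructed inline; on a real host you would point the functions at /home/<user>/.ssh/authorized_keys and /etc/passwd, and the threshold of one key per account is an assumed policy.

```shell
#!/bin/sh
# Added example (not from the original post): audit helpers that flag the
# shared-account pattern the article warns about. All inputs below are
# constructed sample files; on a real host point the functions at
# /home/<user>/.ssh/authorized_keys and /etc/passwd instead.

TMP="${TMPDIR:-/tmp}/peruser-audit.$$"
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT

# Constructed authorized_keys for a hypothetical shared "ec2-user":
# three different people's keys have been appended over time.
SAMPLE_KEYS="$TMP/authorized_keys"
cat > "$SAMPLE_KEYS" <<'EOF'
# keys for the box
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne alice@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyTwo bob@desktop

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleKeyThree carol@ci
EOF

# Constructed /etc/passwd excerpt: "deploy" and "ops" share UID 1001,
# which makes their actions indistinguishable in file ownership and logs.
SAMPLE_PASSWD="$TMP/passwd"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ec2-user:x:1000:1000::/home/ec2-user:/bin/bash
deploy:x:1001:1001::/home/deploy:/bin/bash
ops:x:1001:1001::/home/ops:/bin/bash
alice:x:1002:1002::/home/alice:/bin/bash
EOF

# Number of key entries in an authorized_keys file (comments and blank lines ignored).
count_authorized_keys() {
    awk 'NF > 0 && $0 !~ /^[[:space:]]*#/ { n++ } END { print n + 0 }' "$1"
}

# Distinct key comments (the trailing "who@where" field), space separated.
# Several different owners on one account is the shared-login smell.
key_owners() {
    awk 'NF > 0 && $0 !~ /^[[:space:]]*#/ { print $NF }' "$1" \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# True (exit 0) when an account's key file holds more than THRESHOLD keys.
# THRESHOLD defaults to 1: a per-user account should carry that user's key only.
is_shared_account() {
    file="$1"; threshold="${2:-1}"
    [ "$(count_authorized_keys "$file")" -gt "$threshold" ]
}

# UIDs assigned to more than one account name in a passwd file.
duplicate_uids() {
    awk -F: '{ c[$3]++ } END { for (u in c) if (c[u] > 1) print u }' "$1" | sort -n
}

# Human-readable report over the constructed samples.
if is_shared_account "$SAMPLE_KEYS" 1; then
    echo "ec2-user looks shared: $(count_authorized_keys "$SAMPLE_KEYS") keys, owners: $(key_owners "$SAMPLE_KEYS")"
fi
for uid in $(duplicate_uids "$SAMPLE_PASSWD"); do
    names=$(awk -F: -v u="$uid" '$3 == u { print $1 }' "$SAMPLE_PASSWD" | tr '\n' ' ')
    echo "UID $uid is shared by: $names"
done
```

Run it as a cron job or a configuration-management check and alert on any non-empty output; the same two functions are a cheap way to verify that a migration to per-user accounts actually finished, since a leftover shared key file or a reused UID shows up immediately.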
Directory-as-a-Service
A central user management platform, Directory-as-a-Service creates and manages user accounts on servers (Linux and Windows), endpoint devices (all three major platforms), and applications. While users can be granted granular access, IT can leverage the groups functionality to set up abstractions for access and differing levels. DaaS is a cloud-based directory service, so servers can be connected regardless of location or provider.
DaaS: Protecting the Whole User Management Field
IT shouldn’t let shared accounts into their environment. They pose a significant security risk that can really burn an organization, and this is especially true for servers: each server should have unique, per-user access. There are a number of different approaches to solve this problem. Depending upon the size of the organization and the scope of the problem, this issue could be solved manually or with a system such as Directory-as-a-Service.
If you would like to learn more about server user management techniques, feel free to drop us a note. We’d be happy to discuss it with you further. Also, please feel free to try our Directory-as-a-Service platform for free.