3.2 Results
3.2.1 Results of the first reality with UESSMAPP
3.2.1.2 Qualitative Data
This subsection will outline the important aspects of the system architecture.
Systems Integration
The CA ControlMinder product consists of several agents that need to be installed on the servers and integrate natively with the operating system. This integration is necessary to enforce and audit the fine-grained policies. The software provides agents for all major operating systems, including Windows, Linux, and other UNIX-like systems. However, the CA ControlMinder Management Server, which is the main component, requires a Microsoft Windows Server operating system. From there, all the agents on the different end-points are controlled.
Furthermore, the software can utilize an existing directory service with users and groups. It primarily supports Active Directory and the LDAP server of Sun ONE, but it is also possible to use the UNIX Authentication Bridge (UNAB), which maps UNIX attributes to non-standard Active Directory attributes. The downside of this approach is that it is less integrated and may lack some features. Hence, the best results can be expected in a heterogeneous network that consists of Windows and UNIX servers.
Shared Account Management
CA ControlMinder stores critical application and system passwords in a protected data store. Once a user requires access to an account that is part of the shared account management (SAM), he needs to check out the particular password first. This can be achieved by using a web-based user interface that enforces policies to make sure only authorized users can use a shared account.
Another SAM feature is that CA ControlMinder generates temporary one-time passwords that are changed on the end-point system (e.g., a server or database). For that, the administrators can define password policies that need to be taken into account for automatically generated passwords. It is also possible to define time intervals in which new passwords should be created.
5.1 CA ControlMinder
The communication between CA ControlMinder and the end-point system is based on established protocols, like JDBC for databases, SSH for UNIX-like systems, and Windows Management Instrumentation (WMI) for the communication between Windows systems. Furthermore, the product supports the auditing and reporting of privileged accesses. For that purpose, the product can track every activity on an end-point system and correlate the various native logs that are created by the operating system and applications. The collected data is centrally saved and securely managed, so that only authorized users are allowed to access or modify the data. Moreover, the auditing daemons and logs are protected from attacks, shutdowns and tampering, which ensures integrity and availability. Additionally, sessions can be recorded and viewed in a playback.
In order to ensure accountability, the SAM component provides an “exclusive check-out” that ensures that only one user has access to a shared account at a given time. Because of the check-out feature, the tracked actions can be assigned to the original user who initiated the check-out. It also ensures that only authorized users can elevate their privileges (e.g., by limiting the use of the su command) and that the audit logs include the original account of the user who used the surrogate account.
The situation where an administrator is logged in with a shared account can be seen in Figure 5.1. The screenshot shows that user andje01 is logged in as oracle operator but the sewhoami command reveals that the actions are performed by andje01.
Figure 5.1: Screenshot of PuTTY Demonstrating Non-Repudiation in CA ControlMinder
To achieve that, CA ControlMinder inspects all relevant system calls and enforces the appropriate authorization policies. This level of control cannot be bypassed by anyone, not even by the superuser (e.g., root on UNIX-like systems or Administrator on Windows). The additional layer that CA ControlMinder adds to the operating system provides an enhanced and fine-grained access control on Windows and UNIX-like systems. This can be seen in Figure 5.2, which shows that even though user andje01 has elevated his privileges to those of root, he cannot perform all actions. Thereby, it is also possible to regulate the access based on environment attributes, like the time of day or network attributes. Furthermore, it offers the ability to assign specific administration rights to personal accounts, which usually are reserved for superusers only. This policy-based approach can be compared to the one in Chapter 6, which is based on XACML.
Figure 5.2: Screenshot of PuTTY Demonstrating Fine-Grained Access Control in CA ControlMinder
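The access-control behaviour shown in Figure 5.2 (a user who has become root is still denied some actions, and decisions can depend on time of day or source network) can be modelled as a small policy engine keyed on the original login rather than the effective account. The following Python is an added illustration written for this section; it is not CA ControlMinder code and does not intercept system calls. Everything in it (the `Request` and `Rule` types, the rule fields, the users `andje01` and `root`, the resources, the address ranges and the business-hours window) is a constructed assumption.

```python
import ipaddress
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple


@dataclass(frozen=True)
class Request:
    """One intercepted operation. original_user is who actually logged in (what
    sewhoami would report); effective_user is the account currently surrogated."""
    original_user: str
    effective_user: str
    resource: str
    action: str
    at: time
    source_ip: str


@dataclass(frozen=True)
class Rule:
    effect: str                                # "allow" or "deny"
    users: Tuple[str, ...]                     # original users; ("*",) matches anyone
    resource_prefix: str
    actions: Tuple[str, ...]
    hours: Optional[Tuple[time, time]] = None  # [start, end) local-time window
    networks: Tuple[str, ...] = ()             # CIDR blocks the source address must be in

    def matches(self, req: Request) -> bool:
        # Keyed on the original user, so "su" to root does not change which rules apply.
        if "*" not in self.users and req.original_user not in self.users:
            return False
        if not req.resource.startswith(self.resource_prefix) or req.action not in self.actions:
            return False
        if self.hours and not (self.hours[0] <= req.at < self.hours[1]):
            return False
        if self.networks:
            ip = ipaddress.ip_address(req.source_ip)
            if not any(ip in ipaddress.ip_network(n) for n in self.networks):
                return False
        return True


class PolicyEngine:
    """First matching rule decides; no match means deny, even for the superuser."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, req: Request) -> str:
        for rule in self.rules:
            if rule.matches(req):
                return rule.effect
        return "deny"


# Constructed sample policy: nobody, root included, may modify the shadow file;
# andje01 may control the oracle service only in business hours from the admin LAN.
SAMPLE_RULES = [
    Rule("deny", ("*",), "/etc/shadow", ("write", "delete")),
    Rule("allow", ("andje01",), "/etc/init.d/oracle", ("execute",),
         hours=(time(8, 0), time(18, 0)), networks=("10.0.0.0/24",)),
]


def demo():
    """Evaluate the same elevated session (andje01 running as root) in different contexts."""
    engine = PolicyEngine(SAMPLE_RULES)

    def ask(resource, action, at, ip="10.0.0.15"):
        return engine.decide(Request("andje01", "root", resource, action, at, ip))

    return {
        "service_in_hours": ask("/etc/init.d/oracle", "execute", time(10, 30)),
        "service_after_hours": ask("/etc/init.d/oracle", "execute", time(22, 0)),
        "service_from_outside": ask("/etc/init.d/oracle", "execute", time(10, 30), ip="192.0.2.7"),
        "shadow_write_as_root": ask("/etc/shadow", "write", time(10, 30)),
    }
```

The point of the design is that the decision never looks at `effective_user`: elevation with su changes what the operating system would allow, but the policy layer keeps evaluating the person behind the session, which is what makes the denial in Figure 5.2 possible. Default deny at the end of the rule list is what stops an omission in the policy from turning into an implicit grant.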
To protect against shoulder-surfing attacks, CA ControlMinder offers an automatic login feature that requests a password and uses it to log the user in to the target system as the privileged user.
For access to privileged accounts that are not part of the user’s role, the SAM component offers a four-eyes-principle workflow that ensures that a person can use a specific privileged user, but only for a short period of time. In order to use the account, the user has to submit a request via the web-based user interface. A superior then decides whether to grant or deny the request. Since this workflow requires the intervention of a second person and adds a delay, a problem arises in an emergency. Hence, there is a feature called “break glass check-out” which allows immediate access to a privileged account. In this case, the superior receives a notification message about the emergency access.
Another aspect of shared account management is the communication between applications that use passwords to perform actions. CA ControlMinder manages the passwords of accounts like the Windows services and the Windows scheduled tasks. The shared account management can also be integrated into the run-as mechanism of Windows, which enables an application to retrieve the password from the secured data store.
A specific case of application-to-application communication is the interaction between an application (e.g., a web application) and a database. CA ControlMinder can intercept ODBC and JDBC connections and replace them with ones that include the current credentials of a privileged account. For that purpose, the administrators need to install an agent on the end-point system.
A further case is scripts and batch files that include hard-coded passwords. These can be replaced with calls to the Shared Account Management agent, which checks out the password on behalf of the script.
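The shared account management described in this section combines several mechanisms: policy-driven one-time passwords that are replaced after use, an exclusive check-out so that only one person holds an account at a time, an audit trail that records the original user rather than the surrogate account, a four-eyes approval by a superior for accounts outside the user's role, and a break-glass check-out that skips the wait but notifies the superior. The following Python is an added example that models these rules in one in-memory vault; it is not CA ControlMinder code and performs no communication with an end-point. The class and method names, the users `andje01`, `newbie` and `boss`, the account `oracle` and the timestamps are all constructed assumptions. The `checkout` call is also the shape of what a script would invoke instead of a hard-coded password.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class PasswordPolicy:
    length: int = 16
    require_digit: bool = True
    require_symbol: bool = True

    def generate(self) -> str:
        alphabet = string.ascii_letters + string.digits + string.punctuation
        while True:  # resample until the candidate satisfies the policy
            pw = "".join(secrets.choice(alphabet) for _ in range(self.length))
            if (not self.require_digit or any(c.isdigit() for c in pw)) and (
                    not self.require_symbol or any(c in string.punctuation for c in pw)):
                return pw


@dataclass
class SharedAccount:
    name: str
    password: str
    holder: Optional[str] = None  # exclusive check-out: at most one user at a time


class SharedAccountVault:
    def __init__(self, policy, roles, managers):
        self.policy, self.roles, self.managers = policy, roles, managers  # roles: user -> accounts; managers: user -> superior
        self.accounts, self.approvals = {}, set()  # approvals: (user, account) pairs granted by a superior
        self.audit, self.notifications = [], []    # audit rows: (when, original user, account, action)

    def add_account(self, name):
        self.accounts[name] = SharedAccount(name, self.policy.generate())

    def _log(self, now, user, account, action):
        self.audit.append((now, user, account, action))

    def checkout(self, user, account, now, emergency=False):
        acct = self.accounts[account]
        if account not in self.roles.get(user, set()) and (user, account) not in self.approvals:
            raise PermissionError(f"{user} is not authorized for {account}")
        if acct.holder is not None:
            self._log(now, user, account, "checkout refused")
            raise RuntimeError(f"{account} is held by {acct.holder}")
        acct.holder = user
        self.approvals.discard((user, account))  # a granted request is good for one check-out
        self._log(now, user, account, "break-glass checkout" if emergency else "checkout")
        return acct.password

    def request_access(self, user, account, approver, now, approve):
        """Four-eyes workflow: only the requester's superior may grant or deny."""
        if approver == user or self.managers.get(user) != approver:
            raise PermissionError("approver must be the requester's superior")
        self._log(now, approver, account, ("approved" if approve else "denied") + f" request by {user}")
        if approve:
            self.approvals.add((user, account))
        return approve

    def break_glass(self, user, account, now):
        """Emergency access without waiting for approval; the superior is notified."""
        self.approvals.add((user, account))
        pw = self.checkout(user, account, now, emergency=True)
        self.notifications.append(f"{self.managers[user]}: {user} used break-glass on {account} at {now:%H:%M}")
        return pw

    def checkin(self, user, account, now):
        acct = self.accounts[account]
        if acct.holder != user:
            raise PermissionError(f"{user} does not hold {account}")
        acct.holder, acct.password = None, self.policy.generate()  # one-time password: rotate on return
        self._log(now, user, account, "checkin")


def demo():
    """Constructed walk-through: andje01's role covers oracle; newbie needs approval."""
    t0 = datetime(2024, 1, 1, 9, 0)
    vault = SharedAccountVault(PasswordPolicy(), roles={"andje01": {"oracle"}},
                               managers={"andje01": "boss", "newbie": "boss"})
    vault.add_account("oracle")
    first = vault.checkout("andje01", "oracle", t0)
    vault.request_access("newbie", "oracle", "boss", t0, approve=True)
    try:
        vault.checkout("newbie", "oracle", t0 + timedelta(minutes=5))  # still held by andje01
        exclusive = False
    except RuntimeError:
        exclusive = True
    vault.checkin("andje01", "oracle", t0 + timedelta(minutes=15))
    second = vault.checkout("newbie", "oracle", t0 + timedelta(minutes=20))
    vault.checkin("newbie", "oracle", t0 + timedelta(minutes=25))
    vault.break_glass("newbie", "oracle", t0 + timedelta(minutes=30))
    return {"exclusive": exclusive, "rotated_on_checkin": first != second,
            "notifications": vault.notifications, "actions": [a for _, _, _, a in vault.audit]}
```

Two details carry the accountability argument of the section: every audit row names the original user, never the shared account, so a later action on `oracle` can be attributed to whoever held the check-out at that moment; and the password is regenerated on check-in, so a copy taken during one session is worthless afterwards. The break-glass path deliberately reuses the normal `checkout`, which keeps the exclusive lock and the audit trail intact while only replacing the approval step with a notification.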