SecureONE Precision PAM capabilities to provide unique protection for Linux environments
by Brian Hanrahan, on Feb 17, 2021
This is the first of many blogs that I’ll be posting as the Director of Product Management for Remediant. Today, I’m delighted to announce some new Linux features available to Remediant SecureONE customers. More on this great news below.
First, a little background: I’ve been in the game of privileged access management (PAM) for 15 years +/- in varying capacities. Over that time, I’ve come to see the reality that PAM has had limited effectiveness in protecting environments from breaches because vendors have focused on authentication (“better mousetrap” syndrome) and compliance far more than the 24x7 “Just-In-Case” privileged access attackers keep using. (There’s a simple path to addressing this challenge.) So, I joined a bunch of true believers at Remediant - we all believe PAM can be more effective, much easier and much faster. We believed the key was to be laser-focused on removing standing privilege, blocking lateral movement and making it easier to deploy and use.
I’ve spent a lot of time lately evangelizing the value of Zero Standing Privilege along with Just-In-Time (JIT) privileged access in containing breaches. This is fundamentally what Remediant SecureONE is designed to solve. SecureONE blocks ransomware and other identity-based attacks from spreading by replacing 24x7 “Just-In-Case” access with precisely applied Just-In-Time access.
Since our inception, Remediant has helped companies thwart ongoing attacks and won over many others by illustrating attack pathways before an attacker has the opportunity to use them. In most cases, these organizations are Windows shops.
Naturally, it’s understandable that security professionals think of this as a “Windows problem,” given that it’s where most attacks originate. However, that perspective also ignores some nasty realities when Linux is in play. An attacker’s objective is rarely the Windows laptop or desktop they arrive on - they’re just stopping by before moving “laterally” to their real objectives. And, today, many of those objectives reside on Linux systems.
With our latest 2.7.1 release this year, and its focus on Linux support, it seemed like a good opportunity to reintroduce SecureONE for Linux and why it’s been so attractive to our customers.
How’s your Linux PAM?
There’s massive variability in Linux use and maturity in organizations today. SecureONE was purpose-built to be a flexible and lightweight precision privileged access management solution, meeting a customer’s needs wherever they are on their journey with privileged access, delivering immediate, measurable benefits.
Early on in your journey - why SecureONE?
Customers early in their journey to Linux privileged access management will benefit from a quick, non-disruptive deployment - measured in hours, not days or weeks. There are no agents, complex policies or troublesome prerequisites that get in the way. Once SecureONE is deployed, simple and effective discovery, visibility and control over user accounts with privileged access is possible within hours. SecureONE will rapidly identify all the local or Active Directory (AD) domain users and groups that have privileged access via Sudo - even unpacking nested AD group memberships.
The results can be somewhat astonishing. It may take time to digest these (sometimes frightening) insights before it’s possible to take action, so Remediant was designed to make it easy for you to stop further unauthorized changes. SecureONE gives you the breathing space and tools to sort out which access stays and which needs to go; and, which access is for humans, and which is for automations and applications.
And, as new systems are built, they’re configured consistently with the right access for each user and group.
Deeply invested in Linux workload automation - why SecureONE?
Like most Linux users, you’ve invested in DevSecOps mastery - everything is driven by code and automated. Machines building machines and the applications running on them.
You may be scaling your Linux workloads in the cloud by tens, hundreds or thousands of nodes and following similar practices at a smaller scale on-premises on VMs using code.
The good news is your investment in automation greatly reduces the exposure of privileged credentials to humans, with code using the credentials to do the work. The integrity of your automation workflow is critical to your data security.
In an advanced Linux practice, adding software, configuration and provisioning time to your Linux images has a compounding effect on your agility and operational costs. We designed Remediant SecureONE to minimize drag, requiring no agents or special configuration.
SecureONE manages privileged access on all major Linux distributions “off the shelf” after a simple registration call to our REST API. You’ll have continuous visibility and precise control over privileged access no matter how quickly you scale up or down.
What makes SecureONE ideal for Linux?
If we stopped there it would be a great Linux product - better than most because you gain control over privileged access quickly without agents, complex policy or complicated infrastructure.
Here’s what Linux users get in 2021:
- Pure Linux without disruptive changes: Your Linux team will be thrilled to have a PAM solution that’s present only when it’s needed and allows them to work naturally with their own tools:
  - Enroll & unenroll Linux systems as a part of your provisioning and de-provisioning processes
  - Major Linux variants are supported with minimal requirements:
    - RHEL, AWS Linux, Ubuntu, CentOS, Oracle
  - Again, no agents and no special configurations!
- Directory authentication without complications: SecureONE brings directory-based authentication to Linux quickly and simply:
  - SecureONE provides agentless directory bridging
  - Control Linux privileged access from Active Directory (AD) without joining Linux systems to the domain
  - There are no AD schema changes
  - There is no software on AD controllers
  - SecureONE is also compatible with common Active Directory bridging solutions
- Granular privileged access management using native Sudo: We made it easier to manage, and eliminated the just-in-case, all-the-time access that gave attackers a leg up:
  - Use Sudo as it was created - no special commands or new binaries that break code
  - Scan, inventory and lock down Sudoers’ access centrally in SecureONE
  - Gain deep visibility into Sudoer permissions
  - Manage access for Linux local and directory users and groups
- Maintain desired privileged access continuously with scan and protect: Quantify your privileged access risk across Windows, Mac and Linux hour to hour, and watch it steadily shrink toward Zero Standing Privilege:
  - Detect and remove unauthorized Sudo access before it’s abused
If you’re like most organizations we meet, you may be greatly underestimating how easily an attacker will move through your organization using Just-In-Case, All-The-Time access. You may also think solving this problem is out of your reach with limited budgets. There’s a simpler way, and it radically improves your risk posture. We’ll be happy to show you.
We’ve got some great features rolling out in SecureONE in 2021. Watch this space to learn more about precision Privileged Access Management from Remediant.