Symark Tackles Tough Access Control Problems
April 1, 2008 Alex Woodie
Cyber criminals lurking from East European Internet cafes get most of the attention from security-wary companies these days. But historically the majority of security breaches are perpetrated by internal users, such as systems administrators with powerful user profiles that give them open access to the servers they manage. Symark International is one of the software vendors helping companies control internal access to popular servers. This week the company launched its newest product: PowerADvantage.
Symark International was founded in 1985 as a mainframe utility software company. In the 1990s, the Agoura Hills, California, company moved to client-server computing, and today the company primarily develops security tools aimed at helping streamline the management of user IDs and passwords across Windows, Unix, Linux, IBM System i, and mainframe servers.
Symark sold three main products prior to this week’s launch of PowerADvantage: PowerBroker, PowerKeeper, and PowerPassword. The company’s most popular offering, PowerBroker, is used by some of the largest financial services companies to allow administrators to check out powerful Unix and Linux user profiles only when they need them. PowerKeeper offers capabilities similar to PowerBroker’s, but also supports Windows, i5/OS, and mainframe servers, includes more detailed logs and reports, is FIPS certified to work at federal agencies, and is delivered as a hardened Windows Server-based appliance instead of software. PowerPassword, meanwhile, gives administrators control over end-user profiles and passwords on Unix and Linux systems.
With the launch of PowerADvantage, Symark is providing closer links between the logon process for Unix and Linux systems and Microsoft’s Active Directory and its Group Policy security capability. Microsoft Active Directory is by far the dominant directory services product today, with an 85 percent share of the market, according to Ellen Libenson, vice president of product marketing for Symark.
“Over the years we have come to see that Active Directory seems to be the product of choice for administering systems on the network, but of course it only works with Windows,” Libenson says. “It’s a great product, and we thought that, if we could just bring that functionality to the Unix and Linux world, where that functionality isn’t available, that it would be great not only for Linux and Unix users, but for the organization as a whole, because it will simplify security administration.”
PowerADvantage implements an agent on Unix and Linux machines that communicates with Active Directory’s domain controllers, according to Symark. When users attempt to log on to a Unix or Linux machine, they enter their Unix or Linux user IDs and passwords, and the PowerADvantage software validates this information against their Active Directory user IDs and passwords before granting or denying access.
While Microsoft does support Unix and Linux with Active Directory through its Services for Unix offering, it offers only limited connectivity, according to Jeff Nielsen, senior product manager with Symark. “The drawback with Services for Unix over the years is that it supports only a one-to-one mapping between Windows and Unix accounts,” he says. “It’s pretty typical in a Unix environment that your user name, or UID, may vary from host to host.”
With PowerADvantage, an organization can connect multiple UIDs to Active Directory, eliminating the need to go through a cleanup process, or a “rationalization,” before extending Active Directory to Unix and Linux machines, Nielsen says.
Support for Microsoft’s Group Policy feature is another benefit of PowerADvantage, Nielsen says. “In a lot of our big customers, they have tens of master hosts spread across the world. As part of our Group Policy support, we now automatically distribute and synchronize that policy across all the master hosts to make sure the policy is always consistent across all the machines,” he says.
Data center politics have evolved considerably from the Microsoft-hating of years past, Symark officials say, thanks to improvement in Windows and pragmatism. “Five to 10 years ago, it was ‘over my dead body am I going to let my Unix machine be managed from something from Microsoft,'” Nielsen says. “However, the whole world of regulations and compliance needs has really started to change that. And now that businesses are required to have good identity management and good centralized control, it has really overridden technical people’s fears of other platforms that they don’t manage.”
While Unix and Linux system admins have evolved considerably from their past suspiciousness of technology from the so-called “evil empire,” that doesn’t mean participants in today’s heterogeneous data center should be one big trusting family. Good security practice mandates a certain level of paranoia on the part of management, especially over administrators that hold the “keys to the kingdom.”
The way Libenson sees it, administrators should be happy to alleviate any suspicion over their actions by ceding control of privileged user profiles to a program that tracks all activity. “There are a lot of insider threats, a lot of potential weaknesses there,” she says. “It’s just a matter of time before somebody wigs out at a company and does something to sabotage them or commit fraud to benefit themselves. We see it happen all the time.”
PowerADvantage is available now. Pricing starts at $290 for a server license and $45 for each Unix or Linux server or workstation license. Pricing for the Windows-based PowerKeeper appliance (which supports i5/OS) starts at $25,000, which includes a license for accessing up to 100 devices. For more information, visit www.symark.com.