
KuppingerCole Report

WHITEPAPER by Martin Kuppinger | January 2019

Integrating Password and Privilege Management for Unix and Linux Systems
Unix and Linux build the foundation for most business-critical systems. Thus,
these present target-rich environments for cyber-attackers. Privileged Access
Management (PAM) helps to mitigate such risks. To succeed, organizations must
follow an integrated approach, covering both privilege elevation and centralized
management of shared account credentials.

by Martin Kuppinger
mk@kuppingercole.com
December 2018

Commissioned by BeyondTrust

KuppingerCole Whitepaper
Integrating Password and Privilege Management for Unix and Linux Systems
Report No.: 79076
Content

1 Introduction (page 3)
2 Highlights (page 3)
3 Privileged Access Management: More than just shared passwords (page 4)
4 Requirements for managing Unix and Linux passwords and privileges (page 6)
5 The need for an integrated approach: One toolset is enough (page 9)
6 The BeyondTrust approach to integrated Unix/Linux Password & Privilege Management (page 10)
7 Action Plan for integrated Password & Privilege Management for Unix and Linux (page 14)
8 Copyright (page 15)

Table of Figures

Fig. 1: Privileged Access Management is more than managing shared accounts. (page 5)
Fig. 2: BeyondTrust delivers a tightly integrated set of solutions for PAM, spanning a wide set of capabilities and systems. (page 13)

Related Research

Leadership Compass: Privilege Management - 72330
Architecture Blueprint: Access Governance and Privilege Management - 79045
Executive View: BeyondTrust PowerBroker PAM - 70725
Executive View: BeyondTrust PowerBroker for Unix & Linux - 70363

1 Introduction

Privileged Access Management (PAM), while no longer being a young discipline of IAM (Identity and
Access Management) and Information Security, has gained attention in the past years. Organizations
that define internal cybersecurity programs commonly add Privileged Access Management to the top of
the project list. Privileged access to systems, be it servers, cloud services, or even client systems,
imposes a significant risk from both external cyber-attacks and internal attacks. Targeted attacks
frequently make use of privileged accounts, and every long-running, targeted attack is characterized by
attackers trying to gain access to such accounts.
PAM strategies, therefore, must address both sides of the problem: limiting what a user can do with
elevated rights (privilege elevation) and stopping the sprawl of shared passwords; in other words,
controlling both the user and the way the user reaches the system. These capabilities must be
delivered as an integrated solution. There is a pressing need for centralized control of privileged
access, and for reducing the excessive number of security tools in place.
For most businesses, some flavors of Unix or Linux build the foundation of business-critical systems.
With internal and external attackers targeting these systems, Privileged Access Management itself
becomes business-critical.
Within Unix and Linux environments, there is the specific challenge of CPEDM (Controlled Privilege
Elevation and Delegation Management), in particular restricting what can be done via the command line.
This challenge distinguishes these environments from other widely used platforms.
Integrating Shared Account Password Management (SAPM) and CPEDM in these environments is, from
our perspective, a must for covering the most challenging PAM threats. Furthermore, we strongly
recommend evaluating solutions that span both a broad set of capabilities and different operating
system environments. Deciding on integrated toolsets helps to limit the complexity of PAM and puts
focus on the target: effectively and efficiently mitigating the risks of privileged access on business-critical
systems.

2 Highlights

• Explaining the breadth of PAM: Beyond Shared Account Password Management.
• The need for PAM for Unix and Linux environments, where most business-critical applications run.
• Restricting elevated entitlements as a specific challenge in command line-heavy environments.
• The need for integrated approaches on Privilege Management, spanning various capabilities and
target system environments.
• BeyondTrust PAM solutions as a holistic approach for PAM in Unix and Linux environments, and
beyond.

3 Privileged Access Management: More than just shared passwords

PAM began with Shared Account Password Management and password vaults, but it has matured well
beyond these areas. Today, there are other essential elements to consider, such as restricting elevated
access at the system level.
Today, it is a matter of fact that, once a system becomes connected to the Internet—be it directly or
indirectly—that system is a cyber-attack target. Attackers constantly run automated attacks, either to
deposit malware on systems or to identify entry points to networks for more advanced attack scenarios.
Cyber-attackers also can use specialized “computer search engines,” such as Shodan, to uncover attack
targets. Small and medium-sized organizations across all industries are not only themselves potential
victims of blackmailing, ransomware, and other scenarios, but might also serve as stepping stone for
attacks on other organizations.
Attacks are performed by both internal and external attackers. While today’s main attention is on
external cyber-attacks, the reality is that not only has the number of internal attacks remained stable at
a high level, but several of the most prominent and severe incidents of the past few years, particularly
around information leakage, have been perpetrated by internal attackers.
A primary goal of all advanced types of external attacks is the hijacking of internal, privileged accounts.
Malicious insiders generally already have access to such accounts, or can find ways of elevating
privileges of accounts they are entitled to use.
Ultimately, both internal and external attackers share one simple primary target in their attacks: gaining
access to privileged accounts, allowing them to successfully execute their attacks. Assuming that the
attacker has already breached into internal systems, perimeter security is not sufficient. Protection of
these privileged accounts generally demands specialized security controls, most notably privileged
access management.
For the KuppingerCole definition of Privileged Access Management, we distinguish between several key
technologies and toolsets:

• Shared Account Password Management (SAPM): SAPM offers technology to securely manage
privileged credentials including system accounts, service accounts, and application accounts that are
generally shared in nature. At the core of SAPM products is an encrypted and hardened password
vault, or safe, for storing passwords, keys, and other privileged credentials for a controlled, audited,
and policy-driven release and update.
• Privileged Session Management (PSM): PSM offers the technology to establish a privileged session to
target systems, including basic auditing and monitoring of privileged activities. PSM tools also offer
authentication, authorization, and Single Sign-On (SSO) to the target systems.
• Session Recording and Monitoring (SRM): SRM is an extension of PSM tools to offer advanced
auditing, monitoring, and review of privileged activities during a privileged session. SRM capabilities
include keystroke logging, video session recording, screen scraping, OCR translation, and more.

• Controlled Privilege Elevation and Delegation Management (CPEDM): CPEDM offers technology to
address controlled elevation and policy-based delegation of a users’ privileges to superuser privileges
for administrative purposes.
These capabilities illustrate the breadth that Privileged Access Management must cover to support
businesses in their effort to mitigate both external-originating cyber-risks and those stemming from
internal attacks.

Fig. 1: Privileged Access Management is more than managing shared accounts.

Privileged Access Management goes well-beyond Shared Account Password Management capabilities
that were for years at the center of this discipline. Limiting password sprawl for such accounts is another
essential capability.

Privileged Access Management initiatives must encompass both protecting shared
accounts and limiting privilege elevation.

Users that have access to a system might still be able to do more than they should, based on the access
restrictions a system has in place. If someone has full administrative access, based on their individual
account, they can wreak massive damage on a system and run complex attacks. Even with somewhat
restricted entitlements, the abuse potential can be significant.
PAM strategies must, therefore, focus on both limiting privileged access and avoiding the sprawl of
passwords.

4 Requirements for managing Unix and Linux passwords and privileges

Unix and Linux environments are somewhat specialized and differentiated from other environments in
their heavy use of command line shells for systems management. Here, it is significantly more complex
to successfully restrict privileged access than in other environments.
For most businesses, Unix or Linux build the foundation of business-critical systems. They house most
critical data stores (such as databases and Big Data environments), enterprise applications, and the
frontends to these applications—be it the web servers or APIs for app-based access. With internal and
external attackers targeting these critical systems, Privileged Access Management itself becomes
business-critical.

In a majority of businesses, at least some business-critical systems run on Unix or
Linux. PAM for Unix and Linux is therefore a business-critical capability.

For these environments, Shared Account Password Management is a mandate, with the built-in root
account as the critical element: whoever gains root access controls the entire system. Furthermore,
the use of other account types that are both shared and highly privileged is common practice in many
of these environments, even though it runs afoul of security best practices.
Complex infrastructures using intermediary systems such as jump hosts, application-level access using a
shared account such as database administrator accounts, and advanced requirements such as long-
running sessions add to the complexity of limiting privileged access in such environments.
When looking at requirements for such environments in more detail, we can identify a set of mandatory
capabilities:
• Adaptive Authentication and MFA support: For access using elevated privileges, an adequate level
of assurance is mandatory. This includes support for various types of (strong) authentication
including MFA (multi-factor authentication) support as well as a policy-based adaptiveness to
contextual factors at runtime.
• Policy-based Access Control: Access must be managed based on policies that, ideally, utilize
concepts such as RBAC (role-based access control). The more dynamic such policies are, (such as
adapting to results of ongoing discovery) the better this will work in practice.
• Passwords and SSH Keys: Passwords are only one part of the challenge. SSH keys are used just as
pervasively across Unix and Linux environments, for example for remotely managed servers, and they
provide easy access to sensitive systems and data. Both kinds of secret must be centrally managed to
enforce credential security best practices and to reduce the risk of exploitation by attackers.
While these are baseline capabilities, there are other features beyond SAPM that we highly recommend.
These include:

• Enhanced Session Management and Recording: As stated above, gaining access to a session is one
portion of the challenge – controlling what happens within the session is the other, and perhaps,
bigger one. Session Management features such as real-time monitoring and elevation control, plus
session recording capabilities (e.g. for forensics), are must-have elements in a well-thought-out PAM
infrastructure.
• Application-to-Application Password Management (AAPM): AAPM is another key element,
controlling direct interaction between applications, and thus, the automated use of credentials.
While SAPM focuses on the human user interface and interactive logins, AAPM targets the direct
communication between applications and services and, for example, can restrict the use of plain-text
passwords in scripts and code.
• Privileged User Behavioral Analytics (PUBA): With the increase in long-running, targeted attacks
focusing on highly elevated privileges, identifying such threats is becoming essential. Advanced
analytical solutions support identifying such complex attack scenarios, allowing for rapid and
targeted counter-activities.
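To make the AAPM point concrete, here is an added example (not from the report or from any BeyondTrust product) of the scan a practitioner runs before onboarding scripts to AAPM: it finds credentials embedded in shell scripts, and deliberately does not flag values that are pulled in at runtime from a variable or a secrets file, since those are what AAPM replaces hard-coded values with. The sample script and the detection patterns are constructed assumptions; a real scan would add patterns for the tools actually in use.

```python
"""Find plain-text credentials embedded in shell scripts, while leaving alone
values that are resolved at runtime ($VAR, ${VAR}, $(command), `command`).
Added example, not from the report or BeyondTrust. The sample script is
constructed and the patterns are assumptions about common shell idioms.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample script with both hard-coded and runtime-resolved secrets.
SAMPLE_SCRIPT = r'''#!/bin/sh
DB_PASSWORD="Sup3rSecret!"
mysql -u app -pSup3rSecret! appdb < nightly.sql
API_TOKEN="$(cat /run/secrets/api_token)"
curl -u deploy:hunter2 https://repo.example.com/upload -T build.tgz
psql "postgresql://app:hunter2@db.example.com/appdb" -c "select 1"
sshpass -p 'Sup3rSecret!' ssh backup@10.0.5.7 /usr/local/bin/backup.sh
PGPASSWORD="$PG_SECRET" pg_dump appdb > appdb.sql
'''

_VALUE = r'(?P<val>"[^"]*"|\'[^\']*\'|\S+)'
PATTERNS = [
    # NAME=value where NAME looks like a credential variable
    ("assignment", re.compile(
        r'^\s*(?:export\s+)?[A-Z_][A-Z0-9_]*(?:PASS|PASSWD|PASSWORD|PWD|SECRET|TOKEN|API_?KEY)'
        r'[A-Z0-9_]*\s*=\s*' + _VALUE, re.I)),
    # MySQL clients accept the password glued to -p; mkdir -p etc. are not matched
    ("cli-flag", re.compile(r'\b(?:mysql|mysqldump|mysqladmin)\b.*\s-p(?P<val>[^\s-]\S*)')),
    ("cli-flag", re.compile(r'\bsshpass\s+-p\s+' + _VALUE)),
    ("cli-flag", re.compile(r'--password[= ]' + _VALUE)),
    ("basic-auth", re.compile(r'\bcurl\b.*\s(?:-u|--user)\s+[^\s:]+:(?P<val>\S+)')),
    ("url", re.compile(r'[a-z][a-z0-9+.-]*://[^\s:/@]+:(?P<val>[^\s@/]+)@')),
]


@dataclass
class Finding:
    line_no: int
    kind: str
    masked: str   # secret with all but the first two characters hidden
    line: str


def _unquote(v: str) -> str:
    return v[1:-1] if len(v) >= 2 and v[0] == v[-1] and v[0] in "\"'" else v


def _is_runtime_reference(v: str) -> bool:
    """True for $VAR, ${VAR}, $(cmd) and `cmd`: resolved at run time, not stored in the file."""
    return v == "" or v.startswith("$") or v.startswith("`")


def mask(secret: str) -> str:
    return secret[:2] + "*" * max(len(secret) - 2, 3)


def scan_script(text: str) -> List[Finding]:
    """One finding per line that carries a literal credential."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            secret = _unquote(m.group("val"))
            if _is_runtime_reference(secret):
                continue
            findings.append(Finding(n, kind, mask(secret), line.strip()))
            break
    return findings
```

Run `scan_script()` over each script collected from the managed hosts; the masked value is enough to triage a finding without copying the secret into a ticket. The lines the scanner skips (`$(cat /run/secrets/...)`, `"$PG_SECRET"`) show the target state: the script still needs the credential, but it no longer contains it.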
In Unix/Linux environments, one of the biggest challenges comes from the heavy use of command line
shells and command line-level scripting. The access via command lines gives the user direct and broad
access to system management capabilities, down to the core of the operating system, the file systems,
and other critical components. While some of this access might become limited via access control
settings, it is extremely difficult, and generally impractical, to set up a granular and effective access
control for such environments.
Controlled Privilege Elevation and Delegation Management (CPEDM) layers an additional level of control
on top of this by restricting user access to certain functions of the system at a finer grain than
standard system settings can provide. The focus is on restricting access to critical commands, but it
extends to other functions such as file-system access. This can be done either by allow-listing or by
deny-listing commands for sessions, on a per-user basis. Today, taking additional factors into account,
such as group membership, time of access, the history of access, and more, is considered the norm;
policies go well beyond just allowing or blocking certain commands per user. When executed correctly,
critical access to systems can be effectively limited without changing the behavior of systems or the
user experience. This is essential for the acceptance of such tools.
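The following Python policy evaluator is an added example, not the report's or BeyondTrust's policy language (the products define their own). It shows the decision logic the paragraph describes: ordered allow and deny rules keyed on user, group membership, target account, a time-of-day window and command-line patterns, with deny rules overriding allow rules, default deny, a check that the command is a resolved absolute path, and an audit record per decision. Rule syntax, sample policy and sample requests are constructed assumptions.

```python
"""Evaluate privilege-elevation requests against an ordered, context-aware
policy and emit an audit record per decision. Added example; not the report's
or BeyondTrust's policy language. The rule syntax, the deny-overrides-allow
semantics, the sample policy and the sample requests are all assumptions.
"""
import fnmatch
import shlex
from dataclasses import dataclass, field
from datetime import time
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    effect: str                                         # "allow" or "deny"
    users: List[str] = field(default_factory=list)      # empty = any user
    groups: List[str] = field(default_factory=list)     # empty = any group
    run_as: List[str] = field(default_factory=list)     # empty = any target account
    commands: List[str] = field(default_factory=list)   # globs over the full command line
    hours: Optional[Tuple[time, time]] = None           # (start, end) local-time window


@dataclass
class Request:
    user: str
    groups: List[str]
    run_as: str          # account the command would run as
    argv: List[str]      # argv[0] must already be the resolved absolute path
    at: time


@dataclass
class Decision:
    allowed: bool
    rule: Optional[str]
    reason: str


def _in_window(now: time, window: Optional[Tuple[time, time]]) -> bool:
    if window is None:
        return True
    start, end = window
    return start <= now < end if start <= end else (now >= start or now < end)


def _matches(rule: Rule, req: Request) -> bool:
    if rule.users and req.user not in rule.users:
        return False
    if rule.groups and not set(rule.groups) & set(req.groups):
        return False
    if rule.run_as and req.run_as not in rule.run_as:
        return False
    if not _in_window(req.at, rule.hours):
        return False
    cmdline = " ".join(req.argv)
    return not rule.commands or any(fnmatch.fnmatchcase(cmdline, p) for p in rule.commands)


def evaluate(policy: List[Rule], req: Request) -> Decision:
    """Deny rules win over allow rules; a request that nothing matches is denied."""
    if not req.argv or not req.argv[0].startswith("/"):
        # A bare name would let the caller choose the binary via PATH; insist on the resolved path.
        return Decision(False, None, "command must be an absolute, resolved path")
    for rule in policy:
        if rule.effect == "deny" and _matches(rule, req):
            return Decision(False, rule.name, "matched deny rule")
    for rule in policy:
        if rule.effect == "allow" and _matches(rule, req):
            return Decision(True, rule.name, "matched allow rule")
    return Decision(False, None, "no allow rule matched (default deny)")


def audit_record(req: Request, d: Decision) -> str:
    """One line per decision, in the shape a central log collector would receive."""
    verdict = "ALLOW" if d.allowed else "DENY"
    return (f"{verdict} user={req.user} run_as={req.run_as} at={req.at.strftime('%H:%M')} "
            f"rule={d.rule or '-'} cmd={shlex.join(req.argv)} reason={d.reason!r}")


# Constructed sample policy (an assumption, not a vendor policy).
SAMPLE_POLICY = [
    Rule("no-shells", "deny", commands=["/bin/sh", "/bin/sh *", "/bin/bash", "/bin/bash *",
                                        "/usr/bin/su", "/usr/bin/su *"]),
    Rule("no-rm-etc", "deny", commands=["/bin/rm /etc/*", "/bin/rm */etc/*"]),
    Rule("webops-nginx", "allow", groups=["webops"], run_as=["root"],
         commands=["/usr/bin/systemctl restart nginx", "/usr/bin/systemctl reload nginx"],
         hours=(time(6, 0), time(22, 0))),
    Rule("oncall-services", "allow", groups=["oncall"], run_as=["root"],
         commands=["/usr/bin/systemctl *"]),
    Rule("dba-oracle", "allow", users=["alice"], run_as=["oracle"], commands=["/opt/oracle/bin/*"]),
]

# Constructed sample requests.
SAMPLE_REQUESTS = [
    Request("bob", ["webops"], "root", ["/usr/bin/systemctl", "restart", "nginx"], time(10, 0)),
    Request("bob", ["webops"], "root", ["/usr/bin/systemctl", "restart", "nginx"], time(23, 30)),
    Request("bob", ["webops", "oncall"], "root", ["/usr/bin/systemctl", "restart", "sshd"], time(23, 30)),
    Request("alice", ["dba"], "oracle", ["/bin/bash"], time(12, 0)),
    Request("alice", ["dba"], "oracle", ["/opt/oracle/bin/sqlplus", "/ as sysdba"], time(12, 0)),
    Request("carol", ["webops"], "root", ["/bin/rm", "-rf", "/etc/ssh"], time(12, 0)),
    Request("carol", ["webops"], "root", ["systemctl", "restart", "nginx"], time(12, 0)),
]


def run_demo(policy=SAMPLE_POLICY, requests=SAMPLE_REQUESTS) -> List[Decision]:
    """Evaluate every sample request; print audit_record(req, d) for each to see the log lines."""
    return [evaluate(policy, r) for r in requests]
```

Two details matter in practice and are reflected above: the policy matches on the full resolved command line rather than a bare program name, so a request for `systemctl` instead of `/usr/bin/systemctl` is rejected rather than guessed at; and a deny rule such as `no-shells` applies regardless of the target account, so an allow-listed account such as `oracle` does not become a route to an interactive shell.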
Many administrators are reluctant to implement PAM solutions for fear that the tools might limit their
work efficiency, and may require them to change their working behavior. However, by restricting
capabilities within the familiar environment instead of changing the environment (such as when moving
to a restricted graphical user interfaces or specialized, feature-limited consoles), barriers for adoption
are removed.
Modern PAM solutions provide capabilities that are essential, while being far more powerful than the
traditional baseline, built-in Sudo tool. Capabilities that we recommend deploying in such toolsets
include:
• Fine-grained Privilege Elevation Management: It all starts with the key capabilities in policy-based,
fine-grained controls that can effectively limit privileged access to the target systems.

• System-level Controls and Monitoring: Part of these are capabilities that allow for the understanding
of both user actions and their impact on the system. Such system-level controls map actions and
impact and should be complemented by monitoring capabilities, identifying changes to defined,
critical entities across policies, system, applications, and data files.
• Policy-based Management: As with the baseline SAPM features, policy-based approaches that rely
on dynamic data and contextual information including external sources are essential for efficient
management. Obviously, such policies must be cross-system, and not per-system, as must all
management features of CPEDM.
• Graphical UIs for Management and Log Analysis: Management of policies and various controls, such
as the analysis of logs and other information, must be available via modern, graphical UIs.
• Privileged Shells: Specialized privileged shells play a role in various use cases, providing even tighter
control and logging for privileged user sessions.
Beyond these capabilities, there are various features that map to related areas of PAM, such as PSM
(Privileged Session Management) and SRM (Session Recording and Monitoring), but also PUBA
(Privileged User Behavior Analytics). These must be tightly integrated.
CPEDM should also go hand in hand with Session Monitoring capabilities that allow for alerting of the
use of certain commands and other system capabilities, and for real-time monitoring of critical sessions.
However, such an approach can only be an add-on, due to the massive human bandwidth involved in
monitoring sessions.

Providing a familiar user experience is essential for the acceptance of security
measures.

Session Recording is another complementary capability. However, while Session Recording cannot block
fraudulent behavior, it can record it for later analysis. That puts the combination of Shared Account
Password Management and Controlled Privilege Elevation at the center of PAM initiatives for Unix and
Linux environments.
Putting advanced solutions in place allows for supporting a variety of use cases far beyond baseline Sudo
capabilities, including:

• Policy-based, cross-system management, auditing, and analysis of privilege elevation and use of
elevated privileges
• Efficient access control spanning a wide range of servers running Unix or Linux, instead of spending
massive resources on inefficient management of a few selected, business-critical servers
• Simplified fulfillment of compliance regulations based on better reporting
• Advanced, adaptive authentication and MFA support
• Fine-grained control of privileged elevation and analysis of the concrete impact on systems at the
system-level and file-level
• Command execution and session execution without relying on direct use of SSH

5 The need for an integrated approach: One toolset is enough

While PAM is derived from a number of different roots, it has become a unified discipline. Efficient
control of privileged access to heterogeneous IT environments requires integrated toolsets instead of a
multitude of disparate, non-integrated tools.
With PAM consisting of a number of distinct capabilities, there are both integrated toolsets and point-
solutions available.
There are two dimensions to cover with PAM:
• Capabilities: As illustrated above, PAM spans a broad range of capabilities. While it will be difficult to
identify a solution that covers all capabilities within a single, integrated offering, central capabilities
must be integrated to mitigate the efforts of managing the PAM environment itself.
• Systems: Critical systems include Unix and Linux, but also Windows and other operating systems.
Beyond that, they include network components, database systems, and other environments. Running
centralized solutions that cover a broad range of target environments will help to mitigate some of
the complexity of running a holistic PAM environment.
By integrating Shared Account Password Management (SAPM) and CPEDM, you can take on the most
challenging PAM threats. Together, these components enable you to gain:
• Fine-grained privilege control on the targeted endpoint, for example, the Unix or Linux server. SAPM
only controls access to the session, but not what happens within the session.
• Endpoint session monitoring, which provides a deeper level of control and insight, including system-
level controls – without CPEDM, you remain restricted to proxy-level monitoring and recording.
• Cross-system management of technical/functional user accounts.
• Stronger security controls by limiting the attack surface and increasing both depth and breadth of
controls.
• Compliance improvements by deeper recording and auditing capabilities, while relying on centralized
analytical capabilities.
• Increased administrative efficiency, using centralized UIs and policies for all PAM-related capabilities.
From a technical integration perspective, this requires moving from a set of isolated tools towards well-
integrated solutions, building on consistent approaches at various levels such as:
• Management User Interface: Administrators must be able to use central, common UIs for
administering different capabilities, but also accessing logs, monitoring sessions, etc.
• End User Interface: The same holds true for the UI for end users – integrated, consistent UIs for the
various capabilities increase convenience and reduce friction.
• Policy Management: Following a policy-based approach, both management and concepts for such
policies must be consistent.

• Auditing & Analytics: For both security analytics and regulatory compliance, tight integration of
auditing and analytics is essential.
• Platform & Deployment Integration: Finally, relying on a consistent approach for architecture,
platform, and deployment increases efficiency for both roll-out and ongoing operations.

6 The BeyondTrust approach to integrated Unix/Linux Password & Privilege Management

BeyondTrust provides a comprehensive solution to Privileged Access Management, including in-depth
capabilities for managing Unix and Linux environments. They support both the breadth and depth
required for today's requirements of PAM.
BeyondTrust is a global vendor of Privileged Access Management solutions, headquartered in Atlanta,
Georgia, USA. Originally founded in 1985 as Symark, an Identity and Access Management vendor
specializing in Unix solutions, in 2009 it acquired another software company specializing in Windows
IAM solutions and adopted its name. Since then, the company has made several strategic acquisitions,
including eEye Digital Security, Likewise, and Blackbird Group. This has allowed them to expand their
portfolio and consolidate their products into an integrated risk intelligence suite, the BeyondTrust
Platform. With the recent acquisition by Bomgar, BeyondTrust covers all major areas of PAM in depth,
maintaining a strong footprint in Unix and Linux PAM. The brand name of BeyondTrust will remain
unchanged.
The BeyondTrust PAM Platform is an integrated family of products for privileged access, entitlement,
and password and credential management for Unix/Linux, Windows, Mac systems and network devices.
The platform encompasses the management and visibility of system administrator privileges on server
systems (Unix/Linux, Mac, Windows) as well as endpoint systems and network devices (Mac, Windows).
Within that platform, BeyondTrust Privilege Management for Unix & Linux is one of the specialized
components for protecting Unix and Linux systems, coming with tight platform integration, and thus,
fulfilling the need for an integrated approach for overall PAM while delivering in-depth capabilities for
specific use cases.
BeyondTrust offers three Unix/Linux product variants within its PAM platform, these include:
a) BeyondTrust Privilege Management for Unix & Linux, Advanced Edition: This offers
comprehensive PAM capabilities across Unix and Linux environments. In addition to all the PAM
capabilities offered in the Basic and Essentials variants, the Advanced Edition offers system level
controls and auditing. BeyondTrust Privilege Management for Unix & Linux also includes
features for fine-grained authorization to elevate privileges as well as detailed file and policy
integrity monitoring, which audits and reports on changes to critical policy, system, application,
and data files, as well as capabilities that support default user shells to control privileges and
audit user activities. BeyondTrust Privilege Management for Unix & Linux, also offers the PUBA
(Privileged User Behavior Analytics) as a PTA (Privileged Threat Analytics) module to correlate
user behavior against asset vulnerability data and security intelligence from popular SIEM
solutions.

b) BeyondTrust Privilege Management for Unix & Linux, Essentials Edition: This option offers a
restrained version of the Advanced edition that meets the basic PAM requirements of
organizations. In addition to all the capabilities offered as part of Basic, Essentials offers remote
system and application control which enables users to invoke privileged sessions remotely and
run specific commands. Essentials also includes contextual support for privilege elevation such
as Dynamic Access Policy management and a GUI-based policy editor to configure and manage
role-based privilege elevation.
c) BeyondTrust Privilege Management for Unix & Linux, Basic Edition: For environments that
can’t replace Sudo, BeyondTrust offers Privilege Management for Unix & Linux, Basic Edition.
This product includes a centralized repository with change management functionality for the
storage of multiple Sudoer configurations for all individual hosts, as well as the ability to define
user/host roles across the enterprise with enhanced policy groupings. It is focused on delivering
advanced auditing and governance capabilities, such as centralized log collection of privileged
activities, including storing and indexing of keystrokes, session recordings, and other privileged
events. The product version also supports graphical log review and session playback capabilities.
A GUI-based administration console offers web-based administration to discover, deploy, and
upgrade managed systems. This product is suitable for organizations that have an auditing and
compliance requirement to record and correlate privileged activities across their IT
environment.
BeyondTrust Privilege Management for Unix & Linux can manage more than a hundred flavors of Unix
and Linux. It centralizes server logs, and also provides privileged session keystroke recording—indexing
these sessions and associated logs for quick discovery during audits.
BeyondTrust Privilege Management for Unix & Linux comes with six core capabilities:
1. Auditing and governance of logs and session recordings
2. Privileged Behavior Analytics for identifying anomalies in user behavior
3. Fine-grained least privilege enforcement on Unix and Linux systems (the CPEDM core capabilities)
4. Dynamic access policy that utilizes factors to inform privilege elevation decisions
5. Auditing and reporting on changes to policy, system, application, and data files
6. Remote system and application control capabilities
The goal is to enable organizations to control access to their critical Unix/Linux resources and deliver
monitoring capabilities. BeyondTrust Privilege Management for Unix & Linux collects a variety of data
about what users do on the managed systems, including keystroke logging and recording of complete
systems, as well as related events. These events are securely stored. They then can be used for
forensics, for real-time session control, and for the Privileged Behavior Analytics solution. This allows the
correlation of collected information against vulnerability data and security intelligence from external
sources. Thus, critical behavior that occurs (e.g., in the context of certain known attack vectors) can be
identified.

The BeyondTrust family of products comes with tight integration and a broad set of
capabilities, supporting a variety of platforms and delivering in-depth control for Unix
and Linux environments.

However, just knowing in retrospect what went wrong is not enough. BeyondTrust Privilege
Management for Unix & Linux delivers fine-grained, policy-based controls and dynamic access policies
that can control access based on factors such as the location or the vulnerability status of the
application or asset targeted for privilege elevation. Based on the policies and additional capabilities,
access to systems can be restricted to certain accounts and/or functions. This goes hand-in-hand with
remote control capabilities, which not only provide standard, open remote access (that is a standard
capability in Unix and Linux environments), but also allow for providing remote access that is restricted
to certain commands and sessions. This is based on policy rules and allows admins to perform a
restricted set of privileged activities without logging in as root or other highly privileged accounts.
Unlike Sudo, BeyondTrust Privilege Management for Unix & Linux operates at the system level, not the
command level. This gives unmatched visibility and control over all system processes, including the
execution of scripts. In addition, full root-level sessions can still be controlled to block the execution of
specific binaries and to limit access to sensitive areas of the file system.
As part of the overall BeyondTrust platform, which builds on a central architecture and consistent,
integrated management tools across the various tools, BeyondTrust Privilege Management for Unix &
Linux must not be considered a separate solution for Unix and Linux, but an integral part of the overall
BeyondTrust PAM platform. Thus, it integrates neatly with Password Safe, another flagship product of
BeyondTrust, which provides SAPM capabilities and beyond. This integration approach is also reflected in
the organization's roadmap, which focuses on unifying the BeyondTrust Servers Management Console as
well as the underlying BeyondTrust AD Bridge.

Fig. 2: BeyondTrust delivers a tightly integrated set of solutions for PAM, spanning a wide set of capabilities and systems.

BeyondTrust Servers Management Console, in combination with BeyondInsight, delivers a unified user
experience when managing the various policies and other capabilities, across different servers and other
platforms. It is the one, single console for the essential tasks across features such as SAPM, CPEDM, SRM
and PSM. BeyondTrust is continuously expanding the capabilities of this platform, beyond what we
commonly find integrated in PAM solutions.

The BeyondTrust product family offers a simple and straightforward deployment for the central
components. Obviously, there is a need for deploying components local to the Unix and Linux servers
for the in-depth capabilities supported by BeyondTrust Privilege Management for Unix & Linux.
However, the central components are neatly integrated with the entire BeyondTrust family of products.

BeyondTrust is a stable, long-standing player in the Privilege Management market. The BeyondTrust
PAM platform is a mature, feature-rich family of integrated solutions that includes SAPM features of
BeyondTrust Password Safe, BeyondTrust Privilege Management for Unix & Linux, and more. Overall,
the BeyondTrust PAM platform is definitely amongst the leading-edge products in this market segment,
being mature, feature-rich, and with new innovations regularly deployed.

In essence, BeyondTrust delivers a holistic, integrated approach for PAM.

7 Action Plan for integrated Password & Privilege Management for Unix and Linux

There are a number of key actions to take when proceeding with an integrated approach to PAM for
Unix and Linux environments and beyond, which are listed in this section.
While a significant portion of organizations already have some privileged access security controls in
place, many others still lack adequate PAM deployments. They either don’t have PAM in place at all, or
rely on incomplete, outdated, or wildly mixed environments.
In the age of ever-increasing cyber-risks, having a well-thought-out PAM implementation is a mandate
for each and every organization. This holds true, in particular, for business-critical platforms, which
frequently run on Unix or Linux. Instead of relying on multiple point-solutions, integrated approaches
that span a broad set of capabilities and support heterogeneous platforms have become the state-of-
the-art. These platforms deliver the insight and level of control required for managing such
environments.

The state-of-the-art for PAM are integrated approaches, spanning capabilities and
platforms.

To successfully implement an integrated PAM approach with Password Management and Privilege
Management for Unix and Linux, we recommend closely looking at five main actions:
1. Define a cyber-risk strategy and action plan and prioritize actions and projects based on their
impact on cyber-risk mitigation.
2. Understand the specific requirements for protecting Unix and Linux environments, with focus on
both Controlled Privilege Elevation and Delegation Management (CPEDM) for privileged users
and Shared Account Password Management (SAPM) for privileged accounts.
3. Understand further solution requirements that span both dimensions, capabilities, and target
systems, focusing on an integrated PAM approach.
4. Focus on the capabilities that have an immediate and real-time effect on risk mitigation in
deployment, i.e. limiting privilege elevation and password sprawl.
5. Keep the specific requirements of Unix and Linux administrators and operators in mind regarding
their reluctance when it comes to changes in their work behavior. Balance the improvements in
security with the need for efficient usability.
To accomplish these actions, we recommend evaluating the integrated platform of PAM solutions from
BeyondTrust.

8 Copyright

© 2018 Kuppinger Cole Analysts AG. All rights reserved. Reproduction and distribution of this publication in any form is forbidden
without prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole's
initial view. Through gathering more information and performing deep analysis, positions presented in this document will be
subject to refinements or even major changes. KuppingerCole disclaims all warranties as to the completeness, accuracy and/or
adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security
and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as such.
KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion
expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks
of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

The Future of Information Security – Today

KuppingerCole supports IT professionals with outstanding expertise in defining IT strategies and in
relevant decision making processes. As a leading analyst company KuppingerCole provides first-hand
vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions
essential to your business.

KuppingerCole, founded in 2004, is a global Analyst Company headquartered in Europe focusing on
Information Security and Identity and Access Management (IAM). KuppingerCole stands for expertise,
thought leadership, outstanding practical relevance, and a vendor-neutral view on the information
security market segments, covering all relevant aspects like: Identity and Access Management (IAM),
Governance & Auditing Tools, Cloud and Virtualization Security, Information Protection, Mobile as well
as Software Security, System and Network Security, Security Monitoring, Analytics & Reporting,
Governance, and Organization & Policies.

For further information, please contact clients@kuppingercole.com

Kuppinger Cole Analysts AG
Wilhelmstr. 20 - 22
65185 Wiesbaden | Germany

Phone +49 (211) 23 70 77 – 0
Fax +49 (211) 23 70 77 – 11
www.kuppingercole.com
