FINAL WORD
Four hidden costs and cybersecurity risks of sudo
Morey Haber, CTO at BeyondTrust,
explains the four specific risks or costs
that organisations should consider before
deciding if sudo (an open source package
designed to provide privileged access
included in many Linux distributions) is
right for the organisation.
It is always a philosophical debate as to whether to use open
source software in a regulated environment. In the case of
‘sudo’ – a package designed to provide privileged access
included in many Linux distributions – the debate is whether it meets
the requirements of an organisation and to what level it can be relied
upon to deliver compliance information to auditors. While every
organisation is different, there are four specific risks or costs that you
should consider before deciding if sudo is right for your organisation.
Administrative Costs
With sudo, you need to run a third-party automation management
system (like CFEngine or Puppet) and third-party authentication
modules on the box. Furthermore, if you plan to externalise the box
at all, you are going to have to replace sudo with the new vendors’
version of sudo.
So, you essentially end up maintaining sudo, a third-party
management system and a third-party automation system, and
you may additionally have to replace it all if you want to authenticate
against something external to the box. Another complexity with
sudo is that everything is local, meaning it can be extremely time-
INTELLIGENTCIO
www.intelligentcio.com