When to Trust in TACACS+: 3 Use Cases
These days, everybody is looking for a cyber security silver bullet. Organizations want something flashy, new, and most importantly, capable of besting any threat or malicious actor that may cross its path. TACACS+ is none of those things. In truth, that perfect cyber security cure-all may never materialize. Instead, the most successful security postures use a combination of reliable, proven – and yes, sometimes even low profile – tools. This describes TACACS+ to a “T.” Despite that, TACACS+ is a solution many organizations continue to overlook.
At a glance, TACACS+ is a secure network access protocol that executes authentication, authorization, and accounting (AAA) services. Cisco originally developed TACACS and then released it as an open standard in 1993. It can run on separate servers or, potentially, on hardware already at work in a given environment. For example, organizations can add a Device Administration license to an existing Cisco ISE server deployment.
It may not be flashy, but there is definitely value to be gained from making TACACS+ part of the corporate security posture. Let’s consider a trio of use cases.
Use Case #1: Managing account access and roles
In our first scenario, think of an admin deploying a new switch into the corporate environment. His or her initial inclination might be to secure that switch using local credentials, maybe even his or her own local credentials. However, this can present a few problems. If that admin leaves the company, that password could vanish alongside him or her. There’s also the general unease that sharing passwords should inspire inside any security-focused organization.
A better, more secure approach would be to use TACACS+ to authenticate access. This lets admins assign role-defined access based on group membership. So, in that initial scenario, one admin would still deploy the switch. However, he or she would secure it with TACACS+, allowing any member of their team with admin privileges for that switch to log in and access it. Unlike shared passwords, this also effectively seals out team members who shouldn’t have access to the switch in the first place.
Organizations can define their device management policies to give different levels of administrative access to different user roles, such as restricting the privilege level and command sets that an admin is allowed to execute at the CLI.
Use Case #2: General account maintenance
Next, let’s think more generally about account maintenance. Duties like adding or subtracting permissions, spinning up or deleting user accounts. These are routine tasks, but they take time to complete. Time is, of course, always at a premium.
With TACACS+, organizations can centralize their user database, making routine account maintenance easier on admins. Under this arrangement, they can control all of their accounts (users, management, etc.) from one location. In order to delete a user’s account after he or she leaves the organization, admins need only to access the central database and remove it entirely. This saves time and eliminates any concern that an ex-employee may still have access to some corner of the corporate network.
Use Case #3: Administrator accountability
For our final scenario, let’s focus on one of those three A’s mentioned above: accounting. In this case, accounting has nothing to do with the finance department. Instead, it concerns tracking the actions taken by any given account.
Let’s circle back to that newly installed switch. If an admin tasked with performing some maintenance work were to login with a local username and password, it’s difficult to know what steps were taken or tasks performed. If the organization were running TACACS+, however, it would be able to see clearly who was making a change, the commands he or she used, etc. Whatever that admin does while logged in through TACACS+, the protocol can track, adding accounting and accountability, two things auditors (and admins) love. For example, supervisors can reference the accounting logs to see exactly what changes were made, when and by whom.
Next Steps: Make TACACS+ part of your security strategy
TACACS+ may not be flashy, but it still has a role to play in keeping organizational data secure. If you’d like to learn more about this technology and its use cases or how else you can refine your security posture, reach out to us anytime at: https://www.arrayasolutions.com/contact-us/. From there, we’ll connect you to our team of cyber security experts. They can work with you to assess, and create a plan to enhance, your cyber security strategy.
Let us know what you think of this post! Leave us a comment on this or any of our entries by way of social media. Arraya can be found on LinkedIn, Twitter, and Facebook. While you’re there, follow us to stay up to date on our industry insights and unique IT learning opportunities.