I helped build a large message switch using something called QnX, which supported some very basic security mechanisms but it definitely wasn't bullet proof by any definition. The way we dealt with that was by treating the whole cluster much the same way that you would treat a single instance. If you had user access to any node it was assumed you had super user access to the whole cluster and all other security was handled at the physical and the application layers. Given that all of this was written in classic 'C' I don't doubt that there were many ways to exploit that system. But the niche application and the very limited way in which it was connected to the internet (it was mostly a replacement for a very large number of telexes) helped us to get away with it.