Secure and Contained Access for Everybody, at Anytime

Anastasios Moustakis, Senior Solution Architect, Uni Systems. Copyright 2013.


Description: Mr. Moustakis' presentation for IDC IT Security Roadshow 2013


Page 1

Secure and Contained Access for Everybody, at Anytime

Anastasios Moustakis, Senior Solution Architect

Uni Systems Copyright 2013

Page 2: Agenda

• The Challenging Environment of Secure Access

• Security Trends, User & IT Requirements

• Uni Systems Secure Access Solution Overview

• Implementation Approach

• Success Stories

Page 3: Mobile Worker Population

1.3 Billion mobile workers by 2015

Source: Mobile Worker Population – IDC, Jan 2012

Page 4: The top 3 groups driving support for non-standard devices are in management

• C-Suite: 43%
• VPs & Directors: 42%
• Managers: 27%

Source: Consumerization of IT Study, April 2011, IDC

Page 5: Global BYOD Index

Devices pictured: Family PC | Work PC | Personal Laptop | Tablet | Smartphone

“How many different computing devices do you use on a daily basis?”
• 1: 42%
• 2: 34%
• 3: 16%
• 4: 6%
• 5+: 2%

“How many days a week on average do you work outside the office?”
• 0: 21%
• 1-2: 52%
• 3-4: 15%
• 5: 12%

Source: Global BYOD Index - Survey of Corporate Employees, February 2011, Citrix Systems

Page 6: How Users Feel Today

Page 7: User Needs

Freedom to access all their apps and data from any of their devices

Page 8: For Enterprise IT, any-device access presents big challenges

Page 9: IT Needs

To meet security and compliance requirements

Page 10: But the needs of users and IT must be balanced

Page 11: “Privileged Insiders” are granted more trust

Page 12: Who are “Privileged Insiders”?

• Highly Trusted Business Users
• Highly Trusted IT Users: Systems, Database, Network Administrators

Well Controlled? Mobile/Any device: Not So Much?

Page 13: The Changing Security Landscape

• Redefining the Perimeter
• New Trust Model Needed
• Spear-phishing Attacks Targeting Privileged Users
• Increasingly Stringent Compliance and Audit Requirements

“The biggest issue facing information security professionals is that our traditional trust model is broken.” – Forrester Research

Page 14: Frequency & Cost of Insider Breaches

30% of large enterprise customers experienced a malicious insider breach

[Chart: Average days to resolve]

Source: Second Annual Cost of Cyber Crime Study: Benchmark Study of U.S. Companies (Ponemon Institute, 2011)

Page 15: Challenges for Secure Access

• Increasing Compliance, Audit Requirements and Security Mandates
• Changing Trust Model
• 3rd Party and Employees - No differentiation
• Remote or Internal and Mobility - Disappearing perimeter – “Remote” an obsolete term
• User and Asset / System Policy - Policy does not intersect
• Movement to Centralized Computing
• Operational Efficiency and Reduced Cost
• Virtualized Servers/Desktops, Cloud - Landscape Change

Page 16: Traditional Solutions have Limitations

Solutions:
• VPNs + Jump Box
• Firewalls
• Routers
• Active Directory
• NAC
• Virtual Desktop
• SIEM/Log Mgmt
• User Access Control
• Privileged Password Mgmt.
• Privileged Session Recording

Issues:
• Hard to audit, difficult to manage
• Complicated ACLs, NW Layer Only
• End-user focused
• Risks are amplified
• No inside access control, containment
• Reactive, lacks data for privileged “insider”
• NW focus, not user/app level access control
• Containment

Page 17: Uni Systems answer: “Zero Trust” via Layered Protection

• Positively ID the User
• Attributed Use of Shared Privileged Account
• White List/Least Privilege Access
• Leapfrog Prevention
• Command Filtering: Whitelist/Blacklist
• Session Monitoring/Recording
• Complete Activity Logging; Policy Violation Logging with DVR-Like Playback and Skip
• Tamper-proof Log

Vault (sample entries from the diagram):
• Server A: ID: abc123, PW: xyz$21
• Server B: ID: cde234, PW: eie10$

Page 18: Solution Scope

• Provision of a System that will offer:
  • Configurable,
  • Secure,
  • Recordable, and
  • Fully Controllable
• Secure Local & Remote or Mobile Access for:
  • Privileged Users (internal or 3rd party)
  • Employees and
  • Business Partners

Page 19: Solution Essential Capabilities (1/2)

• Enforce fine-grained Access Control on different types of users

• Configurable multi-level authentication with time-based access rights

• Protect applications and expose only the presentation layer

• Contain privileged users to authorized resources and prevent leapfrogging

Page 20: Solution Essential Capabilities (2/2)

• Protect data and prevent leakage

• Generate a detailed Audit Trail for proof of compliance and investigations

• Record access sessions – video & CLI recording

• Protect privileged user and application passwords

• Eliminate the use of shared passwords for administrative accounts
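As an added illustration (not code from this deck or from Uni Systems' product), the following toy Python gateway policy ties together the layered controls of Page 17 with the capabilities of Pages 19 and 20: attributed use of a vaulted shared account, a least-privilege whitelist with time-based access rights, command whitelist/blacklist filtering, leapfrog prevention at the gateway, and a hash-chained tamper-evident audit log. Every user, server, secret and policy value is a constructed assumption.

```python
import hashlib
from datetime import datetime

# Constructed sample policy (not from the deck): who may reach which server, when,
# and with which commands. The vault maps a server to its shared admin account; the
# gateway injects the secret and records which human used the account (attribution).
VAULT = {"server-a": ("admin", "PLACEHOLDER-SECRET")}
POLICY = {
    "alice": {
        "servers": {"server-a"},                             # least-privilege whitelist
        "hours": (8, 18),                                    # time-based access rights
        "allow": {"systemctl", "journalctl", "ls", "cat"},   # command whitelist
    }
}
DENY = {"ssh", "scp", "telnet", "nc"}  # outbound-connection tools: leapfrog prevention

class AuditLog:
    """Tamper-evident log: every entry's hash covers the previous entry's hash."""
    def __init__(self):
        self.entries, self.last = [], "0" * 64
    def record(self, **fields):
        line = "|".join(f"{k}={v}" for k, v in sorted(fields.items()))
        self.last = hashlib.sha256((self.last + line).encode()).hexdigest()
        self.entries.append((line, self.last))
    def verify(self):
        prev = "0" * 64
        for line, h in self.entries:
            if hashlib.sha256((prev + line).encode()).hexdigest() != h:
                return False  # an edited or removed entry breaks the chain
            prev = h
        return True

def authorize(user, server, command, now, log):
    """Evaluate one command in an attributed session; every decision is logged."""
    p = POLICY.get(user)
    verb = command.split()[0] if command.strip() else ""
    if p is None or server not in p["servers"]:
        verdict = "deny:not-whitelisted"
    elif not (p["hours"][0] <= now.hour < p["hours"][1]):
        verdict = "deny:outside-hours"
    elif verb in DENY:
        verdict = "deny:leapfrog"  # blocked at the gateway, never reaches the target
    elif verb not in p["allow"]:
        verdict = "deny:command-filter"
    else:
        verdict = "allow"
    account = VAULT.get(server, ("-", ""))[0]
    log.record(user=user, account=account, server=server, cmd=command, verdict=verdict, at=now.isoformat())
    return verdict
```

The log line carries both the shared account and the named user, which is what turns a shared administrative login into an attributable, auditable session.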

Page 21: Solution Architecture

[Architecture diagram; zones: User Zone, Secure Access Component Zone, Trusted and Protected Zone]

Components:
• Internal/External/Mobile User Device: Desktop, Thin client, Laptop, Mobile Device, Smartphone, Any Device
• Endpoint Management (MDM, USB Boot, Isolated Browser): ICA Client, USB Boot Desktop, Token, USB Secure Web Browser, Certificate, Sandboxed Apps
• Portal Web Interface
• Gateway Access Control (SSL, Proxy (ICA))
• Application / Session and Desktop Access
• User, Session-based access control & DLP; Leapfrog prevention
• Video-like and CLI Logging and Recording; Sessions
• SSO, Password and Shared Account Management; Password Vault
• Token Infrastructure (Hard, SMS)
• User Repository (A.D.)
• Workflow & Report Engine; Report & Workflow db
• Internal Protected Systems: Server, Storage, Network, Security Devices

Page 22: Vendors

[Architecture diagram from Page 21 repeated, annotated with vendors]


Page 23: Implementation Approach (1/2)

• Systems Integration Project
• Modular Architecture
• Based on:
  • Type of users – 3rd party privileged users, Business partners, Internal Administrators
  • Type and Number of internal protected systems
  • Type and Number of Services required (Applications, Desktops, Resources)
  • Type and Number of Endpoint Device usage
  • Integration points with existing systems (Workflow, Helpdesk, etc.)

Page 24: Implementation Approach (2/2)

• Specific Methodology:
  • Analysis Phase:
    • Infrastructure Assessment and Readiness Evaluation
    • Proof of Concept
    • User Requirements – Application, Services, Resources, Policies
  • Design Phase: Infrastructure Design, Policies
  • Build & Test Phase
  • Roll-out Phase

Page 25: Secure Access Solution with Uni Systems

The proven expertise and practical guidance needed for success

• Assess: Devices; Apps - Services; Mobility - BYOD; Security
• Design: Documented solution design; Hardware and infrastructure; Operations and support; Test and QA
• Deploy: Training; Independent analysis/verification; Pilot

Page 26: Success Stories: Top Telecom Provider

Problem:
• Consolidate & grant secure access to 3rd Party Administrators
• Different method of access
• Points of Vulnerability
• Absence of uniform management

Answer:
• Centralize access control across critical users with distinct missions
• Ensure contained and auditable access
• Meet federal compliance requirements
• Workflow driven operation

Results:
• Control over privileged users and critical infrastructure and assets
• Tight control over who gets access to what, when and for how long
• Contain users to authorized systems only
• Audit quality logging for compliance

“With the Uni Systems Secure Remote Access Solution we have an all-in-one solution for these higher risk users which gives us the peace of mind that we are meeting our objectives to safeguard our network and the sensitive information it contains.” – Security Expert at Telecom Provider

Page 27: Success Stories: Top Financial Institute

Problem: Provide secure access to hundreds of remote developers, administrators and auditors
– no containment of users to authorized resources
– IT resource intensive, cumbersome and ineffective access controls
– no audit trail or ability to match controls to specific users

Results: A unified, easy to manage solution
– hundreds of business critical 3rd parties now granted secure, controlled access
– increased operational efficiency with a single solution
– provided an audit trail for internal security requirements and external compliance mandates

“What is so special about you --- ‘containment, containment, containment.’” – VP Security officer, Top Financial Institution

Page 28: Uni Systems empowering Secure Access of the future

With the mobility and agility users need today

Page 29: Thank you!

www.unisystems.com