Privileged Administration Best Practices :: September 1, 2015

September 1, 2015 - Clango


Privileged Access and Administration Best Practices

Discussion Contents

1) Overview of Capabilities
   • Definition of Need
2) Preparing your PxM Program
   • Understanding the Landscape
   • Scoping Questionnaire
3) Market Trends
   • PxM Overview
   • Vendor Space
4) Best Practices
5) Critical Success Factors

Copyright  ©  2015  Clango     Page:  2  

Definition of need

Current problem: Insider threat

§ "… 55% of incidents was privilege abuse—which is the defining characteristic of the internal actor breach. We see individuals abusing the access they have been entrusted with by their organization in virtually every industry." Verizon

§ "Globally 89% of respondents felt that their organization was now more at risk from an insider attack; 34% felt very or extremely vulnerable." Vormetric

§ "Found half (52%) of employees see no security risk to their employer in sharing work logins." Insider Threat Persona Study


Definition of need

2015 Vormetric Insider Threat Report

"When asked about who posed the biggest internal threat to corporate data, a massive 55% of respondents said privileged users, nine percentage points behind on 46% were contractors and service providers, and then business partners at 43%." Vormetric


Definition of need

2015 Vormetric Insider Threat Report

"Databases, file servers, and the cloud hold the vast bulk of sensitive data assets, but for many (38%) mobile is perceived as a high-risk area of concern." Vormetric


Definition of need

Compliance with Regulations, Standards and Frameworks: FFIEC, SOX, HIPAA

Authorization for privileged access should be tightly controlled. PCI DSS Standards:

• 6.3.1 Remove development, test and custom application accounts, user IDs, and passwords before applications become active or are released to customers.
• 10.1 Establish a process for linking all access to system components to each individual user – especially access done with administrative privileges.
• 10.2 Implement automated audit trails for all system components for reconstructing these events… all actions taken by any individual with root or administrative privileges

COBIT 5 Framework: General IT Controls for privileged accounts, which include provisioning, de-provisioning and access review


Capabilities Overview

What exactly is a Privileged Account? Root, superuser, administrator, system, or service accounts, emergency accounts, or plain user accounts with excessive privilege. These accounts may be anonymous, shared, hard-coded and seldom changed, and a challenge to track or audit.

What are the risks surrounding Privileged Accounts? Privileged accounts allow unrestricted access with little or no tracking, may violate the principle of least privilege, and can place business-critical systems at risk if left unmanaged.

What is Privileged Account Management? Tools and techniques for gaining control over the use of privileged accounts. Tools and techniques include password check-out mechanisms, command filtering, and session monitoring.

What is PxM?
§ Privileged Account Management
§ Privileged Access Management
§ Privileged Identity Management
§ Privileged User Management


Privileged Account Management

• Shared Account Password Management (SAPM)
• Super User Privilege Management (SUPM)
• Privileged Session Management (PSM)
• Application to Application Password Management (AAPM)

[Diagram: SAPM, SUPM, PSM, AAPM; Data Analytics; Identity and Access Management Lifecycle]


SAPM: Shared Account Password Management

• Solutions that fall into this category provide an encrypted and hardened password safe or vault for storing credentials, keys and other secret information.

• SAPM products control access to shared accounts, allowing authorized users to access them.

• Ideally, these users will not see the actual passwords.


SUPM: Super User Password Management

• SUPM tools work by allowing certain commands to be run under elevated privileges, or by restricting the commands that can be executed.

• A common example is the "sudo" command on many UNIX and Linux systems, or the "run as" command for Microsoft Windows. These commands allow a user to run a command under the privilege level of another user (typically an administrator or superuser).

• Vendor implementation – control versus complexity:
   – Kernel based
   – Host based
   – Gateway based
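As an added illustration, not from the deck or any vendor product, the Python sketch below shows the command-filtering half of SUPM the way a gateway-based product would apply it: a per-role allow-list of programs with argument patterns, and every decision written to an audit record that names the individual user, which is what PCI DSS 10.1 and 10.2 ask for. The roles, programs and patterns are constructed for the example.

```python
import re
import shlex
from datetime import datetime, timezone

# Per-role allow-list of (program, regex the argument string must fully match).
# The roles, programs and patterns are constructed for this example.
POLICY = {
    "dba": [
        ("/usr/bin/systemctl", r"^(status|restart) postgresql$"),
        ("/usr/bin/journalctl", r"^-u postgresql( -n \d{1,4})?$"),
    ],
    "backup": [
        ("/usr/bin/tar", r"^-czf /backup/[A-Za-z0-9_.-]+\.tgz /var/lib/postgresql$"),
    ],
}

# Stand-in for the tamper-resistant audit trail PCI DSS 10.2 requires.
AUDIT_LOG = []

SHELL_METACHARS = (";", "&&", "||", "|", "`", "$(", ">", "<")

def evaluate(user, role, command):
    """Decide whether `user` acting as `role` may run `command`; returns (allowed, reason).
    Every decision is logged against the individual user (PCI DSS 10.1)."""
    if any(tok in command for tok in SHELL_METACHARS):
        # Chaining or redirection would let a permitted program launch an unpermitted one.
        return _record(user, command, False, "shell metacharacters are not permitted")
    try:
        argv = shlex.split(command)
    except ValueError as exc:
        return _record(user, command, False, f"unparseable command: {exc}")
    if not argv:
        return _record(user, command, False, "empty command")
    program, args = argv[0], " ".join(argv[1:])
    for allowed_program, arg_pattern in POLICY.get(role, []):
        if program == allowed_program and re.fullmatch(arg_pattern, args):
            return _record(user, command, True, f"matched {role} rule {arg_pattern!r}")
    return _record(user, command, False, f"no {role} rule permits {program} with those arguments")

def _record(user, command, allowed, reason):
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "command": command,
        "decision": "ALLOW" if allowed else "DENY",
        "reason": reason,
    })
    return allowed, reason
```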


PSM: Privilege Session Management

Session establishment and session recording
• Start recording from beginning to end of the session, or when the user starts executing privileged commands.

Real-time visibility and alerting
• Session recording and live monitoring of privileged sessions. Managers or administrators can intervene or even terminate the session if necessary.


AAPM: Application to Application Password Management

• AAPM tools are add-ons to SAPM tools, and are used to eliminate hard-coded passwords or credentials stored in configuration files. Credentials are pulled from the vault using a proprietary interface provided by the PxM vendor.

• These interfaces are usually in the form of APIs, software developer kits (SDKs) and command line interfaces (CLIs), and require applications or scripts to be modified.
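Before an AAPM integration can replace hard-coded credentials, they have to be found. The scanner below is an added example, not from the deck or any PxM vendor: it walks a constructed set of configuration files and scripts, flags lines whose key looks like a credential and whose value is a literal rather than a vault or environment reference, and returns a per-file summary for the categorization step. The sample files and regular expressions are constructed for the example.

```python
import re

# Constructed sample of the artefacts a discovery pass walks: config files and scripts.
SAMPLE_FILES = {
    "app/db.properties": "db.url=jdbc:postgresql://db1/prod\ndb.user=app\ndb.password=Summer2015!\n",
    "deploy/backup.sh": "#!/bin/sh\nexport PGPASSWORD='s3cretBackup'\npg_dump prod > /backup/prod.sql\n",
    "app/vaulted.properties": "db.user=app\ndb.password=${VAULT:prod/db/app}\n",
    "README.txt": "Set db.password in the properties file before starting.\n",
}

# Key names that usually carry a secret, followed by = or : and a value.
SECRET_KEY = re.compile(r"(?i)\b([a-z_.]*(?:password|passwd|pwd|secret|api[_-]?key|token))\s*[=:]\s*(\S+)")
# Values that are references rather than literals: vault lookups, env-var expansion, templating placeholders.
REFERENCE = re.compile(r"""^['"]?(\$\{|\$[A-Za-z_]|\{\{|<|%)""")

def scan(files):
    """Return (path, line number, key) for each line holding a literal credential value."""
    findings = []
    for path, text in files.items():
        for no, line in enumerate(text.splitlines(), 1):
            m = SECRET_KEY.search(line)
            if m and not REFERENCE.match(m.group(2)):
                findings.append((path, no, m.group(1)))
    return findings

def report(files):
    """Group findings per file: the input to the 'categorize' step before the vault is built."""
    summary = {}
    for path, no, key in scan(files):
        summary.setdefault(path, []).append(f"line {no}: {key}")
    return summary
```

The vaulted properties file and the README line are deliberately included so the scanner's reference check and key/value requirement can be seen filtering them out.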


Preparing your PxM Program

Understanding the Landscape
• SaaS
• PaaS
• IaaS


Market Trends

Emerging COTS Market
• ~ 20 vendors
• Niche players - Best-of-breed - Full suite
• Capabilities are rapidly expanding
• Variances in TCO and technical extensibility
• Requires focused analysis
• Define Use Cases 1st – Vendor Selection 2nd


COTS Solution Scorecard

Top 5 Vendor Solutions, scored on ten criteria. The slide groups the criteria under Functional Capabilities, Technical Capabilities and Business Performance, with Usability as a further heading.

Vendor        SAPM   SUPM   PSM    AAPM   Integr.  API Ext.  Scal./Perf.  Admin.  Mkt Pos.  Sustain.
CA            35.4   30.52  21.21  33.32  63.98    65.84     75.52        59.85   48        62.64
CyberArk      56.64  61.04  63.63  74.97  82.26    74.07     84.96        68.4    72        70.47
Dell          28.32  53.41  49.49  58.31  63.98    41.15     66.08        59.85   56        54.81
NetIQ         49.56  53.41  56.56  66.64  73.12    65.84     75.52        51.3    32        70.47
ManageEngine  56.64  61.04  56.56  66.64  63.98    57.61     66.08        68.4    40        39.15

Integr. = Integration, API Ext. = API Extensibility, Scal./Perf. = Scalability & Performance, Admin. = Administration, Mkt Pos. = Market Position, Sustain. = Sustainability.

[Chart: Top 5 Solutions per Weighted Scores; bar chart of the ten criteria on a 0 to 100 scale for CA, CyberArk, Dell, NetIQ and ManageEngine]

• Tailor criteria to meet your unique needs
• Apply weight to designate priority
• Emerging space; vendors are rapidly expanding/strengthening their capabilities


Critical Success Factors

1) Solicit adequate representation across Compliance, IT, Operations, Security
2) Understand linkage to upstream/downstream IDLM and SIEM processes and solutions
3) Articulate desired PxM outcomes
4) Perform solution evaluation/RFP after defining Use Case Scenarios
5) Promote project objectives: Effective communication is key
6) Routinely align PxM milestones within the context of Information Security and IAM Program Roadmaps
7) Involve Admins early

Bottom Line: Evolving PxM in the context of a broader Information Security program will yield sustainable control objectives


Best Practices – Foundational

1. Ensure existing access privileges are properly aligned with current job roles
2. Enforce principle of least privilege – fine-grained access
3. Ensure the segregation of duties
4. Do not share user credentials
5. Know why the privileged account exists.
6. Know who is accountable for its existence.
7. Document who approved it and why.
8. Periodic review of the privileged accounts
9. Do not reuse software accounts
10. Eliminate hard coded passwords


Best Practices – PxM Technology

1. Discovery and profiling for PxM accounts prior to building the architecture ~ categorize

2. The PxM system
   a. Protect the keys to the credential vault
   b. Must be configured for high availability and failover (location, access, etc.)
   c. Ensure no single point of failure

3. Premise of PxM – password management
   a. Password change process should be protected against race conditions
   b. Time limit access - can be configured to change every 24 hours
   c. Should not be changed when in use by users or programs

4. Make use of session monitoring with full playback

5. Integrate with reporting and analytics to gain greater insights
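The three rules under item 3 (no races in the change process, time-limited access, no rotation while a credential is in use) are easiest to see in a small model. The toy vault below is an added example, not code from the deck or from any vendor: it serialises check-out, check-in and rotation behind one lock, limits each check-out to a constructed two-hour window, rotates the secret on check-in, and lets the scheduled 24-hour rotation skip any entry that is still checked out. Times are passed in as POSIX timestamps so the scheduler can be driven from a test.

```python
import secrets
import string
import threading

ROTATION_INTERVAL = 24 * 3600  # seconds; the deck's "change every 24 hours" setting
CHECKOUT_LIMIT = 2 * 3600      # seconds; constructed: maximum length of one check-out

def new_secret(length=32):
    return "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(length))

class Vault:
    """Toy SAPM vault: exclusive, time-limited check-out; rotation never races a live check-out."""

    def __init__(self):
        self._entries = {}             # account -> {secret, rotated_at, holder, expires}
        self._lock = threading.Lock()  # serialises check-out, check-in and rotation (rule 3a)

    def add(self, account, now):
        self._entries[account] = {"secret": new_secret(), "rotated_at": now, "holder": None, "expires": None}

    def in_use(self, account, now):
        # An expired check-out no longer counts as use, so an abandoned session cannot block rotation forever.
        e = self._entries[account]
        return e["holder"] is not None and e["expires"] > now

    def checkout(self, account, user, now):
        with self._lock:
            e = self._entries[account]
            if self.in_use(account, now):
                raise PermissionError(f"{account} is checked out by {e['holder']}")
            e["holder"], e["expires"] = user, now + CHECKOUT_LIMIT  # time-limited access (rule 3b)
            return e["secret"]

    def checkin(self, account, user, now):
        with self._lock:
            e = self._entries[account]
            if e["holder"] != user:
                raise PermissionError("check-in by a user who does not hold the check-out")
            e["holder"] = e["expires"] = None
            e["secret"], e["rotated_at"] = new_secret(), now  # rotate on release: the revealed value dies with the session

    def rotate_due(self, now):
        """Scheduled job: rotate entries older than ROTATION_INTERVAL unless still in use (rule 3c)."""
        rotated = []
        with self._lock:
            for account, e in self._entries.items():
                if not self.in_use(account, now) and now - e["rotated_at"] >= ROTATION_INTERVAL:
                    e["secret"], e["rotated_at"] = new_secret(), now
                    rotated.append(account)
        return rotated
```

A real product would hand the checked-out secret to a session broker rather than to the user, in line with the SAPM slide's point that users ideally never see the password.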


Resources

http://media.scmagazine.com/documents/117/verizon_dbr_29210.pdf
http://enterprise-encryption.vormetric.com/rs/vormetric/images/CW_GlobalReport_2015_Insider_threat_Vormetric_Single_Pages_010915.pdf
http://www.isdecisions.com/insider-threat/statistics.htm
http://www.gartner.com
http://www.sans.org/reading-room/whitepapers/incident/protecting-insider-attacks-33168
http://www.ciosummits.com/media/pdf/solution_spotlight/Privileged_Identity_Management.pdf


About Clango

Consulting organization specializing in Identity and Access Governance

Services
- IAM Rationalization
- Strategy & Planning
- Solution Evaluation
- Architecture
- Integration
- Functional Enhancements

Capability Expertise
- Access Governance, Role Lifecycle Management, Certifications
- Authentication Services, Federation/SSO/TFA, Adaptive Authentication
- Privileged Access Administration
- Identity Lifecycle Management, User & Account Provisioning
- Technology enhancements, Identity Functional Enhancements

Profile
- 14+ years of IAM specialization
- Vendor-Neutral Analysis
- Proven Methodologies
- Enabled 100's of IAM deployments internationally
- Technology specific deep expertise in partner products

Solution Coverage: RSA, NetIQ, Oracle, ForgeRock, CyberArk


Commercial 7701 France Avenue, Suite 400 Edina, MN 55435

Federal 2107 Wilson Blvd, Suite 100 Arlington, VA 22201

[email protected] www.clango.com