CIS13: From Governance to Virtualization: The Expanding Arena of Privileged Identity Management
Transcript of CIS13: From Governance to Virtualization: The Expanding Arena of Privileged Identity Management
From Governance to Virtualization: The Expanding Arena of Privileged Identity Management
Russell Miller
Director, Solutions Marketing
Agenda
Copyright © 2013 CA. All rights reserved.
- The Challenge of Privileged Identities
- The State of Virtualization Security
- Privileged Identity Governance
- Social Media
- Q&A
Edward Snowden was a privileged user on key NSA systems
“When you’re in positions of privileged access, like a systems administrator for these sort of intelligence community agencies, you’re exposed to a lot more information on a broader scale than the average employee.”
- Edward Snowden
Source: http://www.guardian.co.uk/world/2013/jun/09/edward-snowden-nsa-whistleblower-surveillance?guni=Network%20front:network-front%20full-width-1%20bento-box:Bento%20box:Position1
Privileged identities pose a particularly significant threat to network and data security
All-Powerful Access:
- Unrestricted “root” or “Administrator” access
- No segregation of duties
Lack of Accountability:
- Use of shared accounts
- Poor log integrity and quality
Risk: Virtualization magnifies these challenges!
The Problem With Privileged Identities
There are three types of insider threats and two primary principles to apply to mitigate the risk.
Types of Insider Threats: Exploited Insiders, Malicious Insiders, Careless Insiders
Actions to Take:
Ensure Accountability
- Deter malicious insiders
- Trace actions to individuals
Implement Least Privilege Access
- Limit damage done by a malicious or exploited insider
- “Stop Stupid!”
There are many real-world – and public – examples of insiders causing significant damage
http://www.wired.com/threatlevel/2008/07/sf-city-charged/
http://www.theregister.co.uk/2011/02/28/british_airlines_it_expert_convicted/
http://www.darkreading.com/security/news/212903570/it-worker-indicted-for-setting-malware-bomb-at-fannie-mae.html
http://www.darkreading.com/authentication/167901072/security/security-management/229100384/a-glaring-lesson-in-shared-passwords.html
http://www.infosecurity-magazine.com/view/18237/insider-data-breach-costs-bank-of-america-over-10-million-says-secret-service/
http://www.eweek.com/security-watch/former-gucci-employee-indicted-for-it-rampage.html
http://www.darkreading.com/security/news/223800029/ex-tsa-employee-indicted-for-tampering-with-database-of-terrorist-suspects.html
The stages of an external attack
Reconnaissance:
- Basic research
- Domain queries
- Port scans
- Vulnerability scans
Initial Entry:
- “Spear Phishing”
- Social Engineering
- Zero day vulnerability exploitation
Escalation of Privileges:
- OS & application vulnerability exploitation
- Administrative access
- Compromise of new systems
Continuous Exploitation:
- Continuous export of sensitive data
- Affect service availability
- Covering of tracks
- Rootkits
Traditional perimeter and infrastructure security capabilities only address part of the problem!
Mapped against the stages of an external attack (Reconnaissance, Initial Entry, Escalation of Privileges, Continuous Exploitation):
- Perimeter security
- Anti-virus
- Phishing protection
- Server hardening
- Capture and review server and device audit logs
Content-aware identity & access management bolsters an APT defense!
Capabilities of CA Security, mapped against the stages of an external attack (Reconnaissance, Initial Entry, Escalation of Privileges, Continuous Exploitation):
- Log and audit privileged user activity
- Perimeter security
- Least privilege access
- Anti-virus
- Phishing protection
- Employee education
- Virtualization security
- Externalized / unexpected security
- Server hardening
- Shared account management
- Capture and review server and device audit logs
- Data controls & analysis
- Advanced authentication & fraud prevention
- Identity & Access Governance
Effective Privileged Identity Management requires a comprehensive solution
Privileged Identity Management components:
- Shared Account Management
- Fine-Grained Access Controls
- User Activity Reporting / Session Recording
- UNIX Authentication Bridging
- Virtualization Security (the hypervisor and the VMs running on it)
Agenda: The State of Virtualization Security
A recent incident demonstrates the real-world potential for damage in a virtual environment
Jason Cornish, former Shionogi Pharma IT staffer, pled guilty to a Feb ‘11 computer intrusion:
- Wiped out 88 virtual servers on 15 VMware hosts: email, order tracking, financial, & other services
- Shionogi’s operations frozen for days: unable to ship product, unable to issue checks, unable to send email
All of this was accomplished from a McDonald’s
Virtualization has many clear benefits, but also many often-ignored risks
What happens when an organization goes virtual?
Positives:
- Capital and operational cost savings
- Great availability / recovery
- Ease of disaster recovery
- Hardware independence
- Improved service levels
Negatives / Risks:
- New class of privileged identities on the hypervisor
- Greater impact of attack or misconfiguration
- New compliance requirements
- Dynamic environment leads to oversights
- Easy copying of virtual machines
- Virtual Sprawl
New class of privileged identities on the hypervisor
Greater impact of attack or misconfiguration
New compliance requirements
- NIST SP 800-125: Guide to Security for Full Virtualization Technologies
- Payment Card Industry (PCI) PCI-DSS 2.0, Virtualization Guidelines
Dynamic environment can lead to oversights
Copying a virtual machine image is equivalent to stealing a server from a datacenter
Virtual Sprawl
Securing virtual environments requires “the fundamentals” as well as a game-changing capability
Security fundamentals that now need to be applied to the hypervisor:
- Least Privilege Access
- Infrastructure Hardening
- Shared Account Management
- User Activity Reporting
New: Virtualization-Aware Automation of Security Controls
Agenda: Privileged Identity Governance
The need for Privileged Identity Governance
- Orphaned Accounts
- Privilege Creep
- Reduce Audit Burden
- Gain Visibility into Privileged Account Usage
Address these needs by combining governance, management and monitoring capabilities
Privileged Identity Governance (Identity Governance):
- User Mgmt.
- Workflow
- Certification
Privileged Identity Mgmt.:
- Fine-grained access controls
- Shared account management
User Activity Reporting:
- Video recording
- Analytics and searchability
What Privileged Identity Governance can tell you
- What can people access?
- How can they get access?
- How to control access
- What was accessed and when?
Identity Governance and Role Management
Identity Governance:
- Monitor access rights with reports/dashboards
- Establish centralized segregation of duties and other business and regulatory identity policies
- Automate entitlements certification for users, roles and resources
Role Management:
- Discover and propose potential roles based on access patterns and organizational characteristics
- Discover business structure and turn millions of access rights into 100’s of roles
- Adapt model as business changes
Use analytics to identify privileged users
User IDs should be correlated to identify multiple IDs belonging to the same person – and cleaned up!
Identities: Name: Russell Miller, Employee ID: rmiller123, Location: Boston, etc.
Systems: Russ.Miller, MILLERR, RMIL04, RBM102
1. Audit Privilege Quality
2. Detect Exceptions
3. Unique ID correlation
4. Clean-up
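The correlation and clean-up steps above, as an added Python example that is not from the deck or from any CA product: it matches per-system account IDs to constructed HR identities using naming-convention regexes (an assumption about the conventions behind IDs like Russ.Miller, MILLERR, RMIL04 and RBM102), then flags orphaned accounts, privilege creep, and dormant privileged accounts (the usage signal the certification slide that follows calls for). All people, systems and login ages are constructed.

```python
import re
from collections import defaultdict

# Constructed HR feed (fictional people): employee_id -> identity attributes
HR = {
    "rmiller123": {"first": "Russell", "middle": "B", "last": "Miller", "nicknames": ["Russ"]},
    "jdoe456": {"first": "Jane", "middle": "Q", "last": "Doe", "nicknames": []},
}

# Constructed account inventory: (system, account_id, privileged, days_since_last_login)
ACCOUNTS = [
    ("AD", "Russ.Miller", False, 1), ("Mainframe", "MILLERR", True, 3),
    ("UNIX", "RMIL04", True, 200), ("SAP", "RBM102", False, 7),
    ("UNIX", "JDOE", False, 2), ("UNIX", "oldadmin", True, 400),
]

def id_patterns(p):
    """Regexes for the naming conventions seen in the inventory (an assumption)."""
    names = [p["first"]] + p["nicknames"]
    pats = [rf"{n}\.{p['last']}" for n in names]                  # Russ.Miller
    pats.append(rf"{p['last']}{p['first'][0]}")                     # MILLERR
    pats.append(rf"{p['first'][0]}{p['last'][:3]}\d*")              # RMIL04
    pats.append(rf"{p['first'][0]}{p['middle']}{p['last'][0]}\d*")  # RBM102
    pats.append(rf"{p['first'][0]}{p['last']}")                     # JDOE
    return [re.compile(rf"^{x}$", re.IGNORECASE) for x in pats]

def correlate(accounts, hr):
    """Step 3: map each (system, account) to exactly one employee_id, or None.
    Zero matches is an orphan; several matches is an exception to review by hand."""
    owner = {}
    for system, acct, _, _ in accounts:
        hits = [eid for eid, p in hr.items()
                if any(r.match(acct) for r in id_patterns(p))]
        owner[(system, acct)] = hits[0] if len(hits) == 1 else None
    return owner

def exceptions(accounts, hr, dormant_after=90):
    """Steps 2 and 4: orphans, privilege creep and dormant privileged accounts."""
    owner = correlate(accounts, hr)
    orphans, dormant, priv = [], [], defaultdict(list)
    for system, acct, privileged, idle_days in accounts:
        eid, label = owner[(system, acct)], f"{system}:{acct}"
        if eid is None:
            orphans.append(label)          # nobody in HR owns it: clean up
        elif privileged:
            priv[eid].append(label)        # one person holding several privileged IDs
        if privileged and idle_days > dormant_after:
            dormant.append(label)          # privileged but unused: revoke at certification
    creep = {e: ids for e, ids in priv.items() if len(ids) > 1}
    return sorted(orphans), creep, sorted(dormant)
```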
Certification should include usage information to identify suspicious activities
How you can get there!
Steps to Govern Privileged Identities:
1. Collect Account & Entitlement Info
2. Analyze IDs & Entitlements
3. Administer & Control Accounts
4. Audit & Certify Accounts
Account types covered: System Accounts, Service Accounts, Shared Accounts, Named Accounts
The business value of Privileged Identity Governance
1. Prevent breaches due to improper Admin actions or data exposure
2. Reduce the burden of audit and compliance efforts
3. Improve efficiency of identity compliance & processes
4. Gain visibility into administrator access and actual usage
Agenda: Social Media
Social media accounts are privileged identities!
Insider Threat / External Threat
Confusion between personal and corporate Twitter accounts – controls are needed!
Agenda: Q&A
Questions?
Appendix
Legal Notice
Copyright © 2013 CA. All rights reserved. Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. No unauthorized use, copying or distribution permitted.