CIS13: Managing the Keys to the Kingdom: Next-Gen Role-based Access Control and Privilege
© 2004-2012. Centrify Corporation. All Rights Reserved. Confidential and Proprietary.
Managing the Keys to the Kingdom: Next-Gen Role-based Access Control and Privilege
Business Challenges for IT
• Business has more dynamic demands on IT
• Time and scale – need it now, on-demand
• Form factor and location – on-prem, virtualized, cloud
• Manual and domain-specific configuration (startup/teardown)
• Compliance and best practices – assurance and accountability
• Fragmented identity – infrastructure, administrators, users
• "Silos" of access policies and diffuse controls
Regulatory Compliance is Not an Option
NIST SP 800-53 defines the baseline security controls that most other regulations reference for identity and access management:
• Identification & Authentication (IA)
  • Uniquely identify and authenticate users
  • Employ multifactor authentication
• Access Control (AC)
  • Restrict access to systems and to privileges
  • Enforce separation of duties and least-privilege rights management
• Audit & Accountability (AU)
  • Capture events in sufficient detail to establish what occurred, the source, and the outcome
• Configuration Management (CM)
  • Develop and maintain a baseline configuration
  • Automate enforcement of access restrictions and audit the actions
• System & Communications Protection (SC)
  • Boundary protection
  • Transmission integrity and confidentiality
  • Cryptographic key establishment and management, including PKI certificates
Dynamic Real-time IT is Required
• Unified identity, access and privilege policy controls
  • Consistency across deployments
  • Distributed enforcement
  • Ensure availability, no single point of failure
• Unified visibility
  • Accountability
  • Triage and remediation
• Automation
  • Speed and consistency of deployment
  • Accuracy, compliance, best practices
Active Directory Provides the IdM Foundation
• Active Directory provides the foundation for enterprise security
  • Highly distributed, fault-tolerant directory infrastructure designed for scalability
  • Supports large enterprises through multi-domain, multi-forest configurations
• Kerberos-based authentication and authorization infrastructure provides SSO
• Security administration is centralized and delegated
  • Centralized account and group management natively supports separation of duties
  • Group Policy enforcement of security settings
• User accounts are centralized in one system, simplifying authentication and password policy enforcement
• Automation simplifies deployment and integration
[Diagram: one directory spanning Engineering, WebFarm, Accounting and Operations]
IT Support Requires Separation of Duties
• Separation of duties is especially important when managing privileges for a multi-tier support organization that includes vendor support
  • Elevated rights are required to support these systems
  • The front line has minimal rights, escalating to the next tier, which has elevated privileges
• Security Operations Center
  • SOC staff provide 24x7 monitoring of all administrative activities
  • SOC staff have limited rights: they alert and escalate on security violations
[Diagram: Tier 1 -> Tier 2 -> Tier 3 -> Vendor, an escalation process to the next tier with more rights at each step (least rights -> more rights); the Security Operations Center monitors all tiers]
Role-based Privileged Access
• While the most powerful accounts must be protected from misuse, admins and DBAs require the privileges of these accounts to perform their duties
  • System administrators need root or local admin rights to manage their systems
  • Help desk staff need minimal access and privilege rights, enough to identify issues and escalate
  • Database administrators need the privileges of the oracle account to perform their duties
  • Web administrators need root privileges to start/stop the web server and manage the webroot documents
  • Cloud server administrators need access and privileges across dynamic server environments
• Let's see how this works across four real-world customer scenarios
Use Case – Request-based Access and Privilege
• This customer wanted an environment where no one has access to any system at steady state; access and privileges are granted only on approved requests
  • All system accounts such as root and local admins are locked down
  • Users log in with their AD account, and only once permission has been granted
  • The default access right for all systems is deny login
  • Access and privileges are granted for approved requests only, automated by their IdM workflow system, which manages Active Directory group membership
• The solution established a centralized access and privilege management system
  • Granting access based on AD group membership
  • Granting specific rights based on the user's role
Solution – Role-based Access & Privileges
• Centralized role-based policy management
  • Create roles based on job duties
  • Grant specific access and elevated privilege rights
  • Eliminate users' need to log in with privileged accounts
  • Secure the system by granularly controlling how the user accesses the system and what he can do
  • Availability controls when a role and its rights can be used
  • Scoped to specific systems or groups of systems
• Linux rights granted to roles
  • PAM Access – controls the user's access to system interfaces and applications (which PAM-enabled services, such as ssh, he may log in through)
  • Privileged Commands – dynamically grants the privilege to run specific commands as another user such as root
  • Restricted Shell – controls the commands allowed in the shell
• Windows rights granted to roles
  • Session Rights – ability to elevate privileges for a session (with session switching)
  • Application Rights – ability to run an application with privilege
  • Service Rights – ability to elevate privilege when accessing network services (e.g. MMC from one machine to a SQL server)
[Diagram: example role definition]
• Role: Backup Operator
  • Availability: maintenance window only
  • PAM Access: ssh login
  • Privileged Commands: tar command as root
  • Restricted Environment: only specific commands
• AD users & groups: the Backup group (group membership managed by the IdM system)
• Resources: HR Computers
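The Backup Operator definition above is easiest to read as a policy decision: default deny, a role conferred by AD group membership, scoped to a computer group, usable only inside an availability window, and carrying a small set of rights (PAM access, privileged commands, a restricted shell allow-list). The Python below models exactly that evaluation. It is an added example, not Centrify's code or its policy format; the group name "Backup", the computer group "HR Computers", the PAM service name "sshd", the command paths and the 01:00-05:00 maintenance window are assumptions standing in for what the slide leaves unspecified.

```python
"""Role-based privilege evaluation for the Backup Operator example.

Added example: not Centrify's code or policy format. The evaluation model
(default deny, role via AD group, computer-group scope, availability window,
explicit per-right grants) follows the slide; the concrete names and the
maintenance window below are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Role:
    name: str
    assigned_groups: FrozenSet[str]      # AD groups that confer this role
    computer_groups: FrozenSet[str]      # scope: hosts in these groups only
    pam_access: FrozenSet[str]           # PAM services the role may log in through
    privileged_commands: FrozenSet[str]  # commands that may be run as root
    shell_commands: FrozenSet[str]       # commands permitted in the restricted shell
    # Availability: (start, end) local wall-clock times; None means always.
    window: Optional[Tuple[time, time]]


ROLES = (
    Role(
        name="Backup Operator",
        assigned_groups=frozenset({"Backup"}),          # AD group, managed by the IdM workflow
        computer_groups=frozenset({"HR Computers"}),
        pam_access=frozenset({"sshd"}),                 # "PAM Access: ssh login"
        privileged_commands=frozenset({"/bin/tar"}),    # "tar command as root"
        shell_commands=frozenset({"/bin/tar", "/bin/ls", "/bin/df"}),  # assumed allow-list
        window=(time(1, 0), time(5, 0)),                # assumed maintenance window
    ),
)


def _in_window(role: Role, now: datetime) -> bool:
    """True if the role is available at `now`; windows may wrap past midnight."""
    if role.window is None:
        return True
    start, end = role.window
    t = now.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def active_roles(user_groups, host_groups, now_iso: str):
    """Roles the user holds on this host at the given time (ISO 8601 string).

    Default deny: a user with no matching role gets an empty set, so every
    right check below fails unless a role explicitly grants it.
    """
    now = datetime.fromisoformat(now_iso)
    user_groups, host_groups = set(user_groups), set(host_groups)
    return {
        r for r in ROLES
        if r.assigned_groups & user_groups
        and r.computer_groups & host_groups
        and _in_window(r, now)
    }


def may_login(user_groups, host_groups, service: str, now_iso: str) -> bool:
    """PAM Access right: may the user authenticate through this PAM service?"""
    return any(service in r.pam_access
               for r in active_roles(user_groups, host_groups, now_iso))


def may_run_privileged(user_groups, host_groups, command: str, now_iso: str) -> bool:
    """Privileged Commands right: may this exact command path run as root?"""
    return any(command in r.privileged_commands
               for r in active_roles(user_groups, host_groups, now_iso))


def shell_allows(user_groups, host_groups, command: str, now_iso: str) -> bool:
    """Restricted Shell right: is the command on the role's allow-list?"""
    return any(command in r.shell_commands
               for r in active_roles(user_groups, host_groups, now_iso))


if __name__ == "__main__":
    # A backup operator on an HR host inside the window may ssh in and run tar as root...
    print(may_login({"Backup"}, {"HR Computers"}, "sshd", "2013-07-09T02:30:00"))             # True
    print(may_run_privileged({"Backup"}, {"HR Computers"}, "/bin/tar", "2013-07-09T02:30:00"))  # True
    # ...but not at 14:00, not on a Finance host, and never /bin/bash as root.
    print(may_login({"Backup"}, {"HR Computers"}, "sshd", "2013-07-09T14:00:00"))             # False
    print(may_login({"Backup"}, {"Finance Computers"}, "sshd", "2013-07-09T02:30:00"))        # False
    print(may_run_privileged({"Backup"}, {"HR Computers"}, "/bin/bash", "2013-07-09T02:30:00"))  # False
```

Every check routes through `active_roles`, so the availability window and the computer-group scope cannot be bypassed by any individual right, and a user who is in no role-bearing AD group is denied everything, which is the "deny login by default" steady state the previous use case describes.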
Use Case – Contractor Privileges for Windows
• This customer needed a process to grant contractors the rights they needed on specific systems without giving admin rights across all Windows servers
  • The contractor needs access to several systems in lab and production
  • Normally IT would individually approve admin actions on request
  • Or, depending on the work, the contractor may have been granted a second privileged account for admin duties (typically called a "dash A" account, e.g. david.mcneely-a)
  • Privileged Windows rights need to be granted on specific systems, not the entire server farm
• The solution established a centralized access and privilege management system
  • Granting access to specific Windows servers based on AD group membership
  • Granting specific Windows rights based on the user's role
  • Simplifying user access with a desktop privilege elevation interface for remote servers
Solution – Privilege Elevation for Windows
• Least-privilege principles require that privileges only be available "as required"
  • i.e. don't log on as Superman if you only need to be Clark Kent...
• The user decides when to elevate privilege
  • The user can open a desktop session with selected role(s) for the duration of the session
  • The user can add or remove roles in the current session through a system tray application
  • The user can select role(s) for a specific application at launch time
Use Case – Auditing DBA Access
• This customer needed to monitor DBA access to the database servers and attribute specific actions to the responsible DBA
  • DBAs log in to the systems with their own accounts
  • They then switch (su) to the oracle account to work on the database
  • The logs show the oracle user accessing the database tables, so it is hard to determine which person is responsible for an individual action
  • With the current logging, the auditors also cannot see everything a user does inside the database application
• The solution provides user activity auditing that captures all user access
  • All login sessions and activity are recorded, just as a video camera captures all activity at point-of-sale terminals
  • User activity along with session metadata is forwarded to the SIEM for further analysis and alerting; auditors can then review the session recordings
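The attribution gap in this scenario is visible in ordinary syslog: sshd records who authenticated, su records who became oracle on which tty, and the database's own log records only `oracle`. What a SIEM has to do with those lines, before any session recording exists, is join them on host and tty. The Python below does that over a constructed log excerpt. It is an added example, not Centrify's code; the sshd and su lines use the real OpenSSH and pam_unix message formats, while the `oracle-audit` lines are a made-up stand-in for the application log the slide describes, and the host, user names and statements are invented. It also shows the case the join cannot resolve: an action with no tty.

```python
"""Re-attribute actions logged as `oracle` to the DBA who switched to it.

Added example, not Centrify's code. Correlation key: (host, tty). The sshd
and su lines follow the standard OpenSSH / pam_unix syslog formats; the
`oracle-audit` lines are a constructed stand-in for an application log that
records only the shared account, as the slide describes.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, not captured from a real system.
SAMPLE_LOG = """\
Jul  9 02:14:03 dbhost sshd[4021]: Accepted gssapi-with-mic for dmcneely from 10.10.5.23 port 51234 ssh2
Jul  9 02:14:03 dbhost sshd[4021]: pam_unix(sshd:session): session opened for user dmcneely by (uid=0)
Jul  9 02:15:10 dbhost su[4088]: (to oracle) dmcneely on pts/0
Jul  9 02:15:10 dbhost su[4088]: pam_unix(su:session): session opened for user oracle by dmcneely(uid=10501)
Jul  9 02:20:41 dbhost sshd[4130]: Accepted gssapi-with-mic for jsmith from 10.10.5.40 port 51990 ssh2
Jul  9 02:21:02 dbhost su[4175]: (to oracle) jsmith on pts/1
Jul  9 02:21:02 dbhost su[4175]: pam_unix(su:session): session opened for user oracle by jsmith(uid=10544)
Jul  9 02:22:17 dbhost oracle-audit: user=oracle tty=pts/0 action=ALTER TABLE HR.EMPLOYEES DROP COLUMN SSN
Jul  9 02:25:09 dbhost oracle-audit: user=oracle tty=pts/1 action=SELECT COUNT(*) FROM HR.EMPLOYEES
Jul  9 02:31:55 dbhost su[4088]: pam_unix(su:session): session closed for user oracle
Jul  9 02:40:00 dbhost oracle-audit: user=oracle tty=? action=EXEC DBMS_STATS.GATHER_SCHEMA_STATS('HR')
"""

SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
SU_OPEN = re.compile(r"^su\[(?P<pid>\d+)\]: \(to (?P<target>\S+)\) (?P<user>\S+) on (?P<tty>\S+)$")
SU_CLOSE = re.compile(r"^su\[(?P<pid>\d+)\]: pam_unix\(su:session\): session closed for user (?P<target>\S+)$")
AUDIT = re.compile(r"^oracle-audit: user=(?P<user>\S+) tty=(?P<tty>\S+) action=(?P<action>.*)$")


def attribute(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Walk the log in order; map each audit action to the real login user.

    Open su sessions are tracked per (host, tty) and torn down when the su
    process with that pid logs 'session closed', so a later action on the
    same tty is not credited to a DBA who has already left the account.
    """
    open_su: Dict[Tuple[str, str], Tuple[str, str]] = {}   # (host, tty) -> (real user, su pid)
    results: List[Dict[str, Optional[str]]] = []
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue
        host, rest = m.group("host"), m.group("rest")
        o, c, a = SU_OPEN.match(rest), SU_CLOSE.match(rest), AUDIT.match(rest)
        if o:
            open_su[(host, o.group("tty"))] = (o.group("user"), o.group("pid"))
        elif c:
            for key, (_, pid) in list(open_su.items()):
                if key[0] == host and pid == c.group("pid"):
                    del open_su[key]
        elif a:
            real_user, _ = open_su.get((host, a.group("tty")), (None, None))
            results.append({
                "time": m.group("ts"),
                "host": host,
                "account": a.group("user"),   # what the database log says: always oracle
                "tty": a.group("tty"),
                "real_user": real_user,       # None = cannot be attributed from logs alone
                "action": a.group("action"),
            })
    return results


def unattributed(results: List[Dict[str, Optional[str]]]) -> List[Dict[str, Optional[str]]]:
    """Actions no one can be held accountable for: the gap session recording closes."""
    return [r for r in results if r["real_user"] is None]


if __name__ == "__main__":
    for r in attribute(SAMPLE_LOG.splitlines()):
        who = r["real_user"] or "UNATTRIBUTED"
        print(f'{r["time"]} {who:>12} as {r["account"]} on {r["tty"]}: {r["action"]}')
```

The join works only while the su session is open and the action carries a tty; a batch job, a second su inside the same session, or a DBA who connects through a database listener rather than a shell all produce `oracle` actions this logic cannot pin on anyone, which is the "cannot see all actions" complaint in the use case and the reason the solution records the session itself instead of reconstructing it from logs.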
Solution – Unified Session and Activity Auditing
• Address regulatory and audit requirements while reducing the threat of insider attacks
  • Detailed capture of user activity – real-time surveillance of privileged systems
  • Establishes accountability and advances compliance reporting
• Record and play back which users accessed which systems, what commands they executed, with what privilege, and the exact changes made to key files and configurations
• Automatically document vendor procedures and ease personnel transitions or hand-offs
[Diagram: Capture (session metadata and video capture) -> Collect, Store and Archive -> SIEM Integration, Search and Replay]
Use Case – Strong Auth to AWS Servers
• This customer needed to grant authorized users access to AWS servers, but did not want to manage an independent IdM system for these servers
  • Users must authenticate to the company Active Directory before accessing any AWS server
  • Internal IT manages this AD; the cloud server team does not have management rights to it
  • AWS servers are configured to require Kerberos-based login and refuse userid/password logins
  • They do not want to manage SSH keys; users gain access based on Kerberos tickets
  • Root accounts are configured with a randomized password that no one knows
  • Privileges are granted dynamically based on the user's role at login
• The solution integrated these cloud servers into the existing AD environment so that authorized users can log in with their existing AD account
  • Servers join a new AD forest that has a one-way trust with the internal AD
  • Authorized users are required to VPN to the company network in order to log in
  • Cloud servers require Kerberos ticket-based authentication in order to gain access
  • Privileges are granted based on AD group memberships
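The login requirements in this use case (Kerberos only, no passwords, no SSH keys, root never a login target) are all sshd_config decisions, and the stock OpenSSH defaults point the other way: password and public-key authentication are on by default and GSSAPI is off. The Python below audits an sshd_config text for exactly those settings, treating a missing directive as a finding because the default would reopen the path. It is an added example, not Centrify's code or any part of its product; the directive names and defaults are OpenSSH's, and both sample configurations are constructed.

```python
"""Audit sshd_config for the Kerberos-only login posture described above.

Added example, not Centrify's code. Directive names and defaults are those
of OpenSSH's sshd_config(5); the two sample configs are constructed.
"""
from typing import Dict, List

# (alias names, required value, why). A directive that is absent is also a
# finding, because the OpenSSH default would leave the weaker path open.
POLICY = (
    (("passwordauthentication",), "no", "password logins must be refused"),
    (("kbdinteractiveauthentication", "challengeresponseauthentication"), "no",
     "keyboard-interactive (PAM password prompts) must be refused"),
    (("pubkeyauthentication",), "no", "no SSH keys to manage: key logins refused"),
    (("gssapiauthentication",), "yes", "Kerberos (GSSAPI) is the only login method"),
    (("permitrootlogin",), "no", "root has a randomized password nobody knows; never a login target"),
    (("usepam",), "yes", "PAM account/session hooks carry the role-based access checks"),
)

# Constructed: a stock-looking config that still accepts passwords and keys.
WEAK_CONFIG = """\
# sshd_config as shipped on the image (constructed sample)
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin yes
UsePAM yes
"""

# Constructed: the posture the slide describes.
HARDENED_CONFIG = """\
# Kerberos-only login (constructed sample)
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
PermitRootLogin no
UsePAM yes
"""


def parse_global(text: str) -> Dict[str, str]:
    """Effective global directives: first occurrence wins (as sshd does); stop at Match."""
    seen: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ").split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break   # conditional blocks are out of scope for a global audit
        if len(parts) == 2 and key not in seen:
            seen[key] = parts[1].strip().lower()
    return seen


def audit_sshd_config(text: str) -> List[str]:
    """Return one finding per violated policy line; an empty list means compliant."""
    conf = parse_global(text)
    findings: List[str] = []
    for names, required, why in POLICY:
        present = [(n, conf[n]) for n in names if n in conf]
        if not present:
            findings.append(f"{names[0]} not set (default is not '{required}'): {why}")
            continue
        for name, value in present:
            if value != required:
                findings.append(f"{name} is '{value}', must be '{required}': {why}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_sshd_config(cfg) or "OK")
```

Two caveats the audit does not cover: anything inside a `Match` block is skipped and has to be reviewed by hand, and a server that accepts only GSSAPI depends on the client reaching the KDC, so the VPN requirement in the use case is also what keeps the Kerberos-only posture from locking everyone out.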
Solution – Extending AD to Cloud Servers
• Active Directory deployed as a separate cloud forest, joined to the internal AD by a one-way trust, enforces centralized access policies on these dynamic environments
  • The trust is one-way in the direction that lets internal AD accounts authenticate to the cloud servers; nothing in the cloud forest is trusted by the internal AD
  • Taking control over security credentials and system policies
  • Supporting separation of duties between the hosting provider and the enterprise
• Enterprise-centric and automated security framework
  • Role-based access and privilege control
  • Single sign-on for applications
  • Audit all user activity for on-premise and cloud systems
[Diagram: Internal Network (AD & Windows Administration) and DMZ (users Fred, Joan) connected by a one-way trust with the internal AD]
Summary
Leverage your existing AD environment to manage access and privileges across your on-premise or cloud server environment:
• Uniquely identify and authenticate users
• Restrict access to systems and to privileges
• Enforce separation of duties and least-privilege rights management
• Capture session details to establish what occurred, the source, and the outcome
• Automate enforcement of access restrictions and audit the actions
• Establish centralized trust to ensure Kerberos is used for transmission integrity and confidentiality
Thank You
DAVID.MCNEELY@CENTRIFY.COM