Deep Dive: CA Privileged Access Manager

CA World® '16: CA PAM for Hybrid Enterprises Deep Dive. Shawn W. Hank, Sr. Principal Consultant, Cybersecurity, CA Technologies, Inc. Session SCX29E, Security track.

Transcript of Deep Dive: CA Privileged Access Manager

Page 1: Deep Dive: CA Privileged Access Manager

World® '16

CA PAM for Hybrid Enterprises Deep Dive

Shawn W. Hank, Sr. Principal Consultant, Cybersecurity, CA Technologies, Inc.

SCX29E

SECURITY

Page 2: Deep Dive: CA Privileged Access Manager

©2016 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD

©2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.

The content provided in this CA World 2016 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.

Terms of this Presentation: For Informational Purposes Only

Page 3: Deep Dive: CA Privileged Access Manager


Abstract

The earlier PAM for Hybrid Enterprises (SXC04E) session covered a broad set of CA PAM capabilities as it related to managing and controlling access to critical infrastructure and privileged accounts across the hybrid enterprise.

This deep dive session will expand on the earlier session and dig into the configuration and setup of some of these functions and features. Attendees will be able to learn about topics such as interacting with the PAM REST API, AWS support for target server discovery and import, the AWS API Proxy, VMware ESX/ESXi and NSX functionality, PAM Server Control and Single Sign On integration, as well as auto discovery of target servers and accounts, and Threat Analytics for PAM.

Shawn W. Hank, CA Technologies, Inc., Sr. Principal Consultant, Cybersecurity

Page 4: Deep Dive: CA Privileged Access Manager


Agenda

1. PAM REST APIs – A Primer

2. PAM & AWS

3. Threat Analytics for PAM

4. PAM & VMware ESX/ESXi/NSX

5. PAM as an IDP/RP or SP

6. PAM & PAMSC Integration

Page 5: Deep Dive: CA Privileged Access Manager


CA PAM's REST API: A Primer

§ Reduce configuration, maintenance, and administration by taking advantage of APIs to configure Privileged Access.

– Yes, you can Point & Click via the UI, but why would you want to do that?

Page 6: Deep Dive: CA Privileged Access Manager


CA PAM's REST API: Modes of Operation

§ Gets, Posts, Puts, Deletes

– Get existing object data from PAM

– Add/Create new objects

– Modify/Update existing objects

– Delete objects that are no longer needed

Page 7: Deep Dive: CA Privileged Access Manager


CA PAM's REST API: A Few Ideas

§ Import a list of users and groups from a recent acquisition

§ Update the target servers that were recently refreshed in the data center

§ Find all policies for a specific user

§ Determine what group(s) a particular device belongs to.

Page 8: Deep Dive: CA Privileged Access Manager


CA PAM's REST API – Example API Calls using Postman

Page 9: Deep Dive: CA Privileged Access Manager


CA PAM's REST API – Example API Calls using PAW

Page 10: Deep Dive: CA Privileged Access Manager


CA PAM's REST API – Example API Calls using a browser

Page 11: Deep Dive: CA Privileged Access Manager


CA Privileged Access Manager & AWS

Page 12: Deep Dive: CA Privileged Access Manager


CA PAM and AWS

§ Federation via STS and SAML

§ SSO and Web Session Recording

§ Autodiscovery & autoimport of devices

§ S3 Recording

IaaS support for the market leading IaaS provider

[Diagram: the CA PAM AMI uses the AWS IAM Credential API and integrates with AD/LDAP, a Radius Server, a PIV/CAC Revocation Server and an ADFS Server; it reaches AWS Management Consoles and AWS Target Devices in Account 1 Region 1 Zone A, Account 2 Region 1 Zone C, Account 3 Region 3 Zone B, Account 4 Region 4 Zone D and Account 5 Region 1 Zone A]

Page 13: Deep Dive: CA Privileged Access Manager


AWS API Proxy

Roles Based Privileged Federated Access Control & Single Sign-On for Programmatic and Manual AWS API Access:

• Full Federated Credential Provisioning for access to the AWS Public, Government, and VPC Clouds

Separation of Duties for the AWS API Console Interface:

• Roles are enforced by a Central xAPI Policy Manager for all API Access

Full Audit Trail and Session Recording Across:

• All API access is recorded and logged by the xAPI Proxy Server

[Diagram: US East 1 region with zones US East 1a and US East 1b; Public 1 and Public 2 and Private 1 and Private 2 subnets; AAP 1 and AAP 2, each with a MySQL DB Instance; Disposable Instances (Future); Amazon S3; Internet; Apps; Splunk receives the audit of API calls & responses]

Page 14: Deep Dive: CA Privileged Access Manager


CA Privileged Access Manager & VMware ESX/ESXi/NSX

Page 15: Deep Dive: CA Privileged Access Manager


§ Auto-Discovery & provisioning Guest VMs & Groups via API

§ Roles Based Privileged Access Control & Single

§ Separation of Duties for vCenter Console

§ Full Audit Trail & Session Recording

§ Password & Access Key Management

§ Strong Authorization & Attributed Use

PAM & VMware ESX/ESXi

[Diagram: Privileged Users authenticate through the Enterprise Directory to CA PAM (OVA or Physical), which brokers access to the vCenter Console, the ESX/ESXi Hypervisor and each Guest VM or Group]

Page 16: Deep Dive: CA Privileged Access Manager


CA PAM – VMware Configuration

§ Config – 3rd Party

§ VMware vCenter (vSphere)

§ Support multiple vCenter instances

§ Local/RADIUS/TACACS/LDAP/AD integration for authentication to vSphere Web or vCenter Client

Page 17: Deep Dive: CA Privileged Access Manager


CA Privileged Access Manager for VMware NSX: Capability Summary

Credentials Management

§ Vaulting and full lifecycle management of passwords and SSH access keys

§ NSX-based resources, NSX Manager and API, other enterprise resources

Federated SSO

§ TACACS+, AD/LDAP, RADIUS, RSA, SMS Mobile Token, SAML, PIV/CAC

§ VMware vSphere®, NSX APIs, VMware® NSX Manager™, other physical/virtual resources across enterprise

Access Policy Enforcement

§ Integrated with NSX Manager; Service Composer service insertion

§ Dynamic application of access control policies based on NSX security policies

§ Enforced via NSX micro-segmentation

Access Policy Enforcement

§ Complete logs and full session recording

§ All access to NSX resources including NSX Manager and API

Page 18: Deep Dive: CA Privileged Access Manager


CA PAM for VMware NSX – NSX Manager REST API Proxy

The last mile for full NSX Manager administration visibility

§ Users and scripts talk to the Proxy, not to NSX Manager, with different credentials, which may rotate on a policy or schedule

§ CA PAM vaults – and rotates – the NSX Manager credentials

§ Integrates with Application to Application (A2A)

Closing the "API Loop" to the NSX management plane

[Diagram: Consumer → NSX Manager API Proxy (NAP) → NSX Manager, with A-side Request/Response on the consumer side and Z-side Request/Response on the NSX Manager side; the proxy exchanges Logs, A2A Requests and Change Password with CA Privileged Access Manager]
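The credential-brokering pattern shared by this slide and the AWS API Proxy slide above, as an added Python model that is not CA's code and not the NSX or AWS API: the consumer holds only its own proxy token, the proxy swaps in the vaulted NSX Manager credential on the Z-side, logs both sides, and a password change on the vaulted account never reaches the consumer. `Vault`, `FakeNsxManager`, `ApiProxy` and the request path are hypothetical names.

```python
import hmac
import hashlib
import secrets

class Vault:
    """Holds the real NSX Manager credential; rotate() replaces it without telling consumers."""
    def __init__(self, initial_secret):
        self._secret = initial_secret
    def current(self):
        return self._secret
    def rotate(self):
        self._secret = "nsxadmin:" + secrets.token_hex(8)   # new password for the target account
        return self._secret

class FakeNsxManager:
    """Hypothetical stand-in for NSX Manager: accepts only its current admin credential."""
    def __init__(self, credential):
        self.credential = credential
    def handle(self, credential, method, path):
        return 200 if hmac.compare_digest(credential, self.credential) else 401

class ApiProxy:
    """A-side: consumer -> proxy with its own token. Z-side: proxy -> NSX Manager with the vaulted secret."""
    def __init__(self, vault, backend):
        self.vault, self.backend = vault, backend
        self.consumer_tokens = {}    # consumer name -> sha256(token)
        self.audit_log = []          # every request, allowed or not, is logged here
    def enroll(self, consumer):
        token = secrets.token_urlsafe(16)
        self.consumer_tokens[consumer] = hashlib.sha256(token.encode()).hexdigest()
        return token
    def _authorised(self, consumer, token):
        expected = self.consumer_tokens.get(consumer)
        presented = hashlib.sha256(token.encode()).hexdigest()
        return expected is not None and hmac.compare_digest(expected, presented)
    def request(self, consumer, token, method, path):
        if not self._authorised(consumer, token):
            self.audit_log.append((consumer, method, path, "denied-at-proxy", None))
            return 403
        status = self.backend.handle(self.vault.current(), method, path)  # consumer never sees the secret
        self.audit_log.append((consumer, method, path, "forwarded", status))
        return status

def demo():
    vault = Vault("nsxadmin:initial-secret")           # constructed initial credential
    nsx = FakeNsxManager(vault.current())
    proxy = ApiProxy(vault, nsx)
    token = proxy.enroll("script-a")
    first = proxy.request("script-a", token, "GET", "/api/placeholder")
    nsx.credential = vault.rotate()                    # "Change Password" pushed to the target
    second = proxy.request("script-a", token, "GET", "/api/placeholder")   # still works
    bad = proxy.request("script-a", "wrong-token", "GET", "/api/placeholder")
    direct = nsx.handle("nsxadmin:initial-secret", "GET", "/api/placeholder")  # stale secret, bypassing proxy
    return first, second, bad, direct, len(proxy.audit_log)
```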

Page 19: Deep Dive: CA Privileged Access Manager


CA PAM for VMware NSX – Access Restrictor

DFW Rules added and removed on-demand

§ Rules added when connections are opened and removed when closed

§ Removes the human element and potential for error

§ Enables a highly-secure "deny all" environment where exceptions are forced through CA PAM and only CA PAM may access protected resources

Automatic, runtime, ephemeral Distributed Firewall Rules maintained by CA PAM

[Diagram: Client/User → CA Privileged Access Manager → Target VM; CA PAM drives the DFW through NSX Manager]
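The ephemeral DFW rule lifecycle described above, as an added Python model that is not CA's code or the NSX DFW API: a default-deny rule table where a PAM session open adds one narrow allow rule from the PAM appliance to the target VM, session close removes it, and a reconcile sweep removes rules whose sessions vanished without a clean close. `DistributedFirewall`, `AccessRestrictor` and the addresses are hypothetical.

```python
from collections import namedtuple

Rule = namedtuple("Rule", "rule_id src dst port action")   # action: "allow" or "deny"

class DistributedFirewall:
    """Hypothetical stand-in for the NSX DFW: first matching rule wins, default deny."""
    def __init__(self):
        self.rules = []
    def add_rule(self, rule):
        self.rules.insert(0, rule)   # exceptions go ahead of the implicit deny-all
    def delete_rule(self, rule_id):
        self.rules = [r for r in self.rules if r.rule_id != rule_id]
    def evaluate(self, src, dst, port):
        for r in self.rules:
            if r.src == src and r.dst == dst and r.port == port:
                return r.action
        return "deny"                # nothing reaches a protected VM without a PAM-created rule

class AccessRestrictor:
    """Adds a narrow DFW allow rule when a PAM session opens and removes it on close."""
    def __init__(self, dfw, pam_ip):
        self.dfw, self.pam_ip = dfw, pam_ip
        self.open_sessions = {}      # session_id -> rule_id
    def open_session(self, session_id, target_vm, port):
        rule = Rule(f"pam-{session_id}", self.pam_ip, target_vm, port, "allow")
        self.dfw.add_rule(rule)
        self.open_sessions[session_id] = rule.rule_id
        return rule.rule_id
    def close_session(self, session_id):
        rule_id = self.open_sessions.pop(session_id, None)
        if rule_id is not None:
            self.dfw.delete_rule(rule_id)
    def reconcile(self, live_session_ids):
        """Sweep for sessions that vanished without a clean close so no allow rule outlives them."""
        for sid in list(self.open_sessions):
            if sid not in live_session_ids:
                self.close_session(sid)

def demo():
    dfw = DistributedFirewall()
    ar = AccessRestrictor(dfw, pam_ip="10.0.0.5")             # constructed addresses
    before = dfw.evaluate("10.0.0.5", "10.0.1.20", 22)
    ar.open_session("s1", "10.0.1.20", 22)
    during = dfw.evaluate("10.0.0.5", "10.0.1.20", 22)
    bypass = dfw.evaluate("10.0.0.99", "10.0.1.20", 22)       # a client going around PAM
    ar.close_session("s1")
    after = dfw.evaluate("10.0.0.5", "10.0.1.20", 22)
    ar.open_session("s2", "10.0.1.21", 3389)
    ar.reconcile(live_session_ids=set())                       # s2's client died; the sweep drops its rule
    swept = dfw.evaluate("10.0.0.5", "10.0.1.21", 3389)
    return before, during, bypass, after, swept
```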

Page 20: Deep Dive: CA Privileged Access Manager


CA PAM for VMware NSX – Dynamic Tagging and Grouping

CA PAM Policy in lockstep with NSX Security Tags and Groups

§ NSX Security Tags and Groups synced with CA PAM and tied to Policies

§ As VMs enter/leave NSX Security Groups, CA PAM Access is provisioned/removed

Synchronize CA PAM policies with changes in the NSX security posture

[Diagram: VMware vCenter VM Network ↔ NSX Manager ↔ Sync ↔ CA Privileged Access Manager]

Page 21: Deep Dive: CA Privileged Access Manager


CA PAM for VMware NSX – Service Composer Integration

Deep integration with Service Composer

§ As VMs enter or leave NSX Security Groups, CA PAM will:

- Enable or disable session recording

- Terminate sessions

- Force CA PAM session re-authentication

Trigger events in CA PAM via NSX Service Composer workflows

[Diagram: an Admin applies a tag in VMware vCenter / NSX Manager; an NSX Partner Ecosystem Product relays it; CA Privileged Access Manager responds on the User Session with Enable/Disable Session Recording, Terminate Sessions or Xsuite Re-Authentication]

Page 22: Deep Dive: CA Privileged Access Manager


CA Privileged Access Manager & Single Sign On

Page 23: Deep Dive: CA Privileged Access Manager


PAM & SSO with CA Single Sign-On: RP/SP to an Upstream IDP using an on-prem IDP

§ Integration with CA Single Sign-On by enabling CA SSO as the identity provider

§ Existing CA SSO policies dynamically evaluated to determine who gets access

§ Optional Just-in-Time provisioning features

Page 24: Deep Dive: CA Privileged Access Manager


Identity Suite - Provisioning Connector for CA PAM

Extensive connector:

– PAM Accounts (local and remote)

– Roles

– Groups

– Policies

– Devices & Device Groups

Page 25: Deep Dive: CA Privileged Access Manager


Access Request for PAM

Page 26: Deep Dive: CA Privileged Access Manager


PAM & SSO with CA Identity Service: RP/SP to an Upstream IDP using a SaaS-based IDP

Page 27: Deep Dive: CA Privileged Access Manager


Control & Manage Cloud Identity Sprawl

§ Rule-based provisioning, de-provisioning and entitlement assignment

§ Automated identity lifecycle management as people join, move or leave

§ Extensible and API driven identity lifecycle management

Enable rule-based provisioning and identity lifecycle automation

Page 28: Deep Dive: CA Privileged Access Manager


CA PAM as an RP/SP With CA Identity Service as the Upstream IDP

Page 29: Deep Dive: CA Privileged Access Manager


Page 30: Deep Dive: CA Privileged Access Manager


[Diagram: in the SaaS-first model, CA Identity Service provides Single Sign-on, Authentication, User provisioning & de-provisioning, and Rogue and orphan account detection and remediation for SaaS Apps and On-premises apps; in the Hybrid model, CA Single Sign-On handles Authentication and Single Sign-on with an optional People source]

SaaS-First & Hybrid Deployment Models: Leverage existing on-premises IAM investments

Page 31: Deep Dive: CA Privileged Access Manager


CA PAM as an IDP: Threat Analytics Integration, but will work for any Service Provider

Page 32: Deep Dive: CA Privileged Access Manager


CA PAM as an IDP: Threat Analytics Integration, but will work for any Service Provider

Page 33: Deep Dive: CA Privileged Access Manager


CA PAM as an IDP – Configure SP: Apply all necessary SAML SSO Attributes as required by the target

Page 34: Deep Dive: CA Privileged Access Manager


CA Privileged Access Manager & PAM Server Control

Page 35: Deep Dive: CA Privileged Access Manager


The CA Solution Portfolio: Identity Suite, Identity Service, PAM & PAMSC

CA Identity Suite

§ Access requests

§ Certification

§ Risk analytics

CA Privileged Access Manager (Identity-based security)

§ Strong authentication, including MFA

§ Credential management

§ Policy-based, least privilege access control

§ Command filtering

§ Session recording, auditing, attribution

§ Application password management

§ Comprehensive, hybrid enterprise protection

§ Self-contained, hardened appliance

CA Privileged Access Manager Server Control (Host-based security)

§ In-depth protection for critical servers

§ Highly-granular access controls

§ Segregated duties of super-users

§ Controlled access to system resources such as files, folders, processes and registries

§ Secured Task Delegation (sudo)

§ Enforce Trusted Computing Base

Defense in depth

Page 36: Deep Dive: CA Privileged Access Manager


Threat Analytics for PAM: Super-Charging PAM! Domain-specific analytics to defend against real world attacks

Detect

Compromised identity – Identities compromised by attacks that include:

§ Phishing

§ Weak passwords

§ Malware

§ Compromised devices

§ Man-in-the-middle

High-risk insider activity & threat – Authorized user actions that pose serious risks:

§ Contractors

§ Partners

§ Policy violators

§ Disgruntled and departing employees

Insight and incident response support – Blind spots in how systems are used. Need quick responses to incidents and SOC inquiries:

§ Identify users and risky activity associated with IP, devices, data assets

Mitigate

Automatically trigger mitigations:

§ Automated session recording

§ Re-authentication

§ Alerting

§ Reporting and insight into system use and risk

Results

Breach prevention, Operational insights, Improved compliance

Page 37: Deep Dive: CA Privileged Access Manager


Overseas Contractor Use Case: Insider Threat Detection and Mitigation

Continuous monitoring and analysis of access enables:

§ Monitoring access for all users, including Bangalore-based contractors authorized to use shared database and server accounts

§ Identifying highly unusual session activities of individual overseas developer that include:

- Unusual session activities and lengths based on individual and other enterprise users

- Access to large number of sensitive systems, many for the first time

- Remote Desktop Protocol access to a high-risk PCI server

This behavior poses high risk and is not consistent with past actions of the user or the enterprise.

§ Threat Analytics for Privileged Access Manager automatically triggers session recording for review

§ Admin generates incident report for compliance officer/SOC

Result: Successful detection and mitigation of insider threat

[Diagram: Threat Analytics for PAM continuously monitors activity in the background; high-risk session behavior by overseas contractors is detected on the path through Privileged Access Manager to the PCI systems; session recording is automatically initiated; an incident report goes to the compliance officer or SOC]
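The three behavioural signals the use case lists (session length out of line with the user's own history, many sensitive systems accessed for the first time, RDP to a PCI-tagged server), as added Python detection logic run over constructed session records; this is not Threat Analytics for PAM's scoring model, and the thresholds, user names and response mapping are assumptions.

```python
from statistics import mean, pstdev

# Constructed PAM session history: (user, target, protocol, minutes, target_is_pci)
HISTORY = [
    ("dev1", "db-01", "ssh", 30, False), ("dev1", "db-01", "ssh", 35, False),
    ("dev1", "app-02", "ssh", 25, False), ("dev1", "app-02", "ssh", 40, False),
    ("dev1", "db-01", "ssh", 30, False), ("dev1", "app-03", "ssh", 28, False),
    ("dev2", "db-01", "ssh", 50, False), ("dev2", "pci-01", "rdp", 45, True),
]
# Constructed sessions from one day for the contractor under review
NEW_SESSIONS = [
    ("dev1", "pci-01", "rdp", 240, True),
    ("dev1", "pci-02", "rdp", 15, True),
    ("dev1", "hr-01", "ssh", 10, False),
    ("dev1", "fin-01", "ssh", 12, False),
]

def baseline(history, user):
    """Per-user normal profile: targets seen before and session-length mean/stddev."""
    lengths = [m for u, _, _, m, _ in history if u == user]
    targets = {t for u, t, _, _, _ in history if u == user}
    if not lengths:              # no history yet: everything is first-time, no length baseline
        return {"targets": set(), "mean": 0.0, "sd": 1.0}
    return {"targets": targets, "mean": mean(lengths), "sd": pstdev(lengths) or 1.0}

def score_batch(history, sessions, user, new_target_limit=2, z_limit=3.0):
    """Return (risk score, reasons); thresholds are assumptions, not the product's."""
    prof = baseline(history, user)
    reasons = []
    first_time = {t for u, t, _, _, _ in sessions if u == user and t not in prof["targets"]}
    if len(first_time) > new_target_limit:
        reasons.append(f"{len(first_time)} systems accessed for the first time")
    for u, t, proto, minutes, is_pci in sessions:
        if u != user:
            continue
        z = (minutes - prof["mean"]) / prof["sd"]      # deviation from the user's own history
        if z > z_limit:
            reasons.append(f"session to {t} lasted {minutes} min (z={z:.1f})")
        if proto == "rdp" and is_pci:
            reasons.append(f"RDP to high-risk PCI server {t}")
    return len(reasons), reasons

def mitigation(score, threshold=2):
    """Assumed response: at or above threshold, auto-start recording and raise an incident report."""
    return ["record_session", "incident_report"] if score >= threshold else []
```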

Page 38: Deep Dive: CA Privileged Access Manager


Incident Response Use Case: PAM Admin closes the door on attackers

Enterprise SOC investigation of a high priority incident & wants to know: "What information can the PAM Admin provide to assist?"

Using the IP address provided by the SOC – the PAM admin can search BA for PAM and quickly:

- Identify all users associated with IP address

- Inspect access and activities of the most suspicious user

- Provide IR team with identity of the suspicious user

- Navigate to Insight page to get all dormant accounts to provide to IR team also

Threat Analytics' ability to correlate access activity, IP addresses, sessions, and risk provides immediate value to investigations.

§ To mitigate future attacks – PAM admin adds suspicious IP address threat intelligence to BA for PAM. Future activity is then automatically detected and analyzed.

§ PAM admin configures BA for PAM to send automated alerts to SIEM when any activity related to a suspicious IP is detected

Result: BA for PAM provides immediate value to incident response efforts and closes the door on future attacks.

[Diagram: PAM with Threat Analytics for PAM continuously monitors activity; the IR Team asks "Can you help…. attack from 193.105.219.210?!"; the PAM admin returns immediate insight regarding users, activity, risk, etc.; threat intelligence is used by BA to proactively address future threats, with automated alerts to SIEM/SOC]
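The PAM admin's workflow in this use case (search by the SOC-supplied IP, rank the users seen from it, pull the top user's sessions, list dormant accounts, then watch-list the IP so later activity from it alerts the SIEM), as added Python detection logic over a constructed PAM access log; it is not BA for PAM's implementation, and the IP, users and dormancy threshold are constructed placeholders.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed PAM access log: (timestamp, user, source_ip, target, action). 203.0.113.7 is a
# documentation-range placeholder standing in for the address the SOC reported.
LOG = [
    ("2016-11-10T09:00:00", "alice", "10.1.1.10", "db-01", "login"),
    ("2016-11-12T22:15:00", "bob", "203.0.113.7", "db-01", "login"),
    ("2016-11-12T22:40:00", "bob", "203.0.113.7", "pci-01", "login"),
    ("2016-11-12T23:05:00", "svc-backup", "203.0.113.7", "fs-02", "login"),
    ("2016-09-01T08:00:00", "carol", "10.1.1.11", "app-02", "login"),
]
NOW = datetime(2016, 11, 14)                    # constructed time of the investigation

def users_for_ip(log, ip):
    """All users seen from the IP, most active first (the 'most suspicious' to inspect)."""
    return Counter(u for _, u, src, _, _ in log if src == ip).most_common()

def sessions_for_user(log, user):
    """The access and activity of one user, for the IR team's review."""
    return [(ts, target, action) for ts, u, _, target, action in log if u == user]

def dormant_accounts(log, now, days=30):
    """Accounts with no activity for `days` (what the Insight page hands to the IR team)."""
    last = {}
    for ts, u, _, _, _ in log:
        when = datetime.fromisoformat(ts)
        last[u] = max(last.get(u, when), when)
    return sorted(u for u, when in last.items() if now - when > timedelta(days=days))

class ThreatIntelWatch:
    """Suspicious IPs added as threat intelligence; any later activity from them raises a SIEM alert."""
    def __init__(self):
        self.ips, self.alerts = set(), []
    def add(self, ip):
        self.ips.add(ip)
    def ingest(self, ts, user, src, target, action):
        if src in self.ips:
            self.alerts.append({"ts": ts, "user": user, "ip": src, "target": target, "action": action})
            return True          # alert forwarded to SIEM/SOC
        return False

def investigate(log, ip, now):
    """The PAM admin's search for one SOC-supplied IP, packaged for the IR team."""
    ranked = users_for_ip(log, ip)
    top_user = ranked[0][0] if ranked else None
    return {"users": ranked, "top_user": top_user,
            "top_user_sessions": sessions_for_user(log, top_user) if top_user else [],
            "dormant": dormant_accounts(log, now)}
```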

Page 39: Deep Dive: CA Privileged Access Manager


Analytics and Intelligent Controls

Threat Analytics for PAM

§ Offers an add-on that supercharges existing Privileged Access Manager capabilities

§ Enables automated detection, mitigation and alerting for critical threats

§ Easy deployment: Deploys as single, virtual machine—no special skills or significant effort required

§ Quick to provide value: Immediately delivers compelling user experience with human-understandable risk and insights

Solution summary

§ Automatically establishes normal operating profiles for users and enterprise based on observed behavior

§ Uses historic and real-time activity to assess context and analyze risk

§ Provides meaningful insight regarding user and system activities

§ Trigger risk mitigations and controls including triggering session recording

Advanced Analytics & Automated Mitigation

Page 40: Deep Dive: CA Privileged Access Manager


PAM for Hybrid Enterprises Deep Dive

As you can see, there is a lot more to PAM than meets the eye!

From functioning as its own Privileged User IDP, to proxying API calls in order to audit applications, to detecting and mitigating activities via Threat Analytics, CA PAM provides a host of capabilities that extend the standard Privileged User and Privileged Identity functions.

If you'd like to have further discussions, simply contact your CA Account team and we can set up a session to dig into any of these topics at greater depths.

Summary

Page 41: Deep Dive: CA Privileged Access Manager


Recommended Sessions

SESSION#   TITLE                       DATE/TIME

SCX15E     Meet the PAM Team Q&A       11/14/2016 at 11:00am

SCT41T     PAM Maturity Model          11/16/2016 at 1:45pm

SCT05T     Threat Analytics for PAM    11/17/2016 at 4:30pm

Page 42: Deep Dive: CA Privileged Access Manager


Don't Miss Our INTERACTIVE Security Demo Experience!

SNEAK PEEK!

Page 43: Deep Dive: CA Privileged Access Manager


We want to hear from you!

§ IT Central is a leading technology review site. CA has them to help generate product reviews for our Security products.

§ ITCS staff will be at most sessions. If you would like to offer a product review, please ask them after the class, or go by their booth.

Note:

§ Only takes 5-7 mins

§ You have total control over the review

§ It can be anonymous, if required