Privileged Account ManagementJason Fehrenbach, Product Manager

Customer Use Cases - Introduction• A US-based Natural Gas and Electric company serving multiple

states

• Project Requirements

– Only grant access to shared administrative accounts with pre-approval based on established policy

– Need to provide ‘firecall’ functionality

– Needed to delegate administrative access for Separation of Duty (SoD)

– Required logging of Windows administrator activity

– Needed to consolidate Unix identities into Active Directory to streamline provisioning, password management and privilege account management

Customer Use Cases - Introduction• A global leader in payment processing

• Project Requirements

– Needed to centralize accounts and get control over passwords and user lifecycles

– Needed to replace NIS and provide centralized authentication

– Needed to restrict and audit what users could do but at the same time provide for users to carry on with their day-to-day jobs

– Needed to provide controls around shared administrative passwords

– Needed to rotate administrative account passwords regularly

– Needed to correlate and audit administrative activity with the actual end user

Delegation

PAM Sub-Categories

Use Case – Utility Company

• Needed to consolidate Unix identities into Active Directory to streamline provisioning, password management and privilege account management

Use Case - Payment Processing

• Needed to centralize accounts and get control over passwords and user lifecycles

• Needed to replace NIS and provide centralized authentication

PRIVILEGES

Privilege Sessions

AD Bridge

Shared Passwords

PLATFORMS

Operating Systems

Delegation

Use Case – Utility Company

• Only grant access to shared administrative accounts with pre-approval based on established policy

• Need to provide ‘firecall’ functionality

Use Case - Payment Processing

• Needed to provide controls around shared administrative accounts

• Needed to rotate administrative account passwords regularly

PRIVILEGES PLATFORMS

Privilege Sessions

Shared Passwords

Operating Systems

Network Devices

Databases

Applications

AD Bridge

PAM Sub-Categories

Delegation

PRIVILEGES

Privilege Sessions

Shared Passwords

AD Bridge

PAM Sub-Categories

Delegation

PRIVILEGES

Privilege Sessions

Shared Passwords

AD Bridge

PAM Sub-Categories

PROTOCOLS

RDPVNC

PRIVILEGES

327046905250

SSHTELNET

HTTP

HTTPS

Delegation

Shared Passwords

Privilege Sessions

AD Bridge

Use Case – Utility Company

• Required logging of Windows administrator activity

PAM Sub-Categories

PLATFORMS

Operating Systems

PRIVILEGES

Privilege Sessions

Shared Passwords

Delegation

AD Bridge

Use Case – Utility Company

• Needed to provide find-grained delegation of administrative (root) access for Separation of Duty (Sod)

Use Case - Payment Processing

• Needed to restrict and audit what users could but at the same time provide for users to carry on with their day-to-day jobs

• Needed to correlate and audit administrative activity with the actual end-user

PAM Sub-Categories

PRIVILEGES

Privilege Sessions

Shared Passwords

Delegation

AD Bridge

How do I allow users to perform elevated tasks on Unix without losing control of the root password?

• Pair a password vault with a delegation solution

Common delegation solutions

• Native OS solutions (RBAC implementations)• The open source Sudo project• The Commercial Unix Security space

Unix Delegation: Problem Statement

PRIVILEGES

Privilege Sessions

Shared Passwords

Delegation

AD Bridge

What did we discover?

Result? Companies would:• Purchase a PAM sol’n only for their

highest risk machines• Hate having to re-train admins &

help desk staff on a new syntax• “Bend” sudo in crazy ways

Commercial 3rd partysolutions

~3,000 customers

Native OS options

sudoLinux: 7.5M serversUnix: 2.8M serversMac: 2.0M servers

No focuson this

segment!

PRIVILEGES

Privilege Sessions

Shared Passwords

Delegation

AD Bridge

Sudo v1.7 and earlier

PRIVILEGES

Privilege Sessions

Shared Passwords

Delegation

AD Bridge • How do I easily provide access control reports?

• How do I deal with sudoers?• How to manage it, distribute it, etc

• How do I enable central keystroke logging?

• How do I know what is going on across lots of systems?

• How do I provide more fine-grain control in the policy?

Field Feedback: Common Pain and Trends

PRIVILEGES

Privilege Sessions

Shared Passwords

Delegation

AD Bridge

Sudo v1.8 and the new plug-in API

PRIVILEGES

Privilege Sessions

Shared Passwords

Delegation

AD Bridge

Example architecture using plug-in API

PRIVILEGES

Privilege Sessions

Shared Passwords

Delegation

AD Bridge • Sudo Reporting• Access Control Report• Event Activity• Commands run• Policy changes

• Deployment• Preflight and sudo plug-in installation

• Policy Management• Editor, Versioning, Rollback

• Keystroke Logging• Search, Playback

• Separation of Duty

Example pain points that the plug-in API can assist with

PRIVILEGES

Privilege Sessions

Shared Passwords

Delegation

AD Bridge

• http://www.sudo.ws/sudo/sudo-rbac.html (April 12, 2012)

• New security policy format• Designed for the needs of the enterprise

• Include an API to support analysis and reporting tools

• Support grouping of commands and options in logical units

• Facility management of sudoers by multiple stake-holders

• Time based policy rules

• Data source plug-ins

SUDO v2.0: Design Phase

PRIVILEGES

Privilege Sessions

Shared Passwords

Delegation

AD Bridge

SUDO v2.0: Design Phase

19

©2011 Quest Software, Inc. All rights reserved..

Simplify Account Management

Manage Access to Business Critical Information

Audit User

Activity

Privileged Account

Management

AccessGovernance

Access Governance

Privileged Account

Management

Complete Identity & Access Management

Understand &Control

Administrator Activity

Identity Administration

User Activity

Monitoring

Thank You