Securing Privileged Accounts with Hitachi ID Privileged Access Manager
Tech Talk: Privileged Account Management Maturity Model
Transcript of Tech Talk: Privileged Account Management Maturity Model
CA World® ’16
Tech Talk: How Do You Measure Up? A Maturity Model for Privileged Access Management
Shawn W. Hank – Sr. Principal Consultant, Cybersecurity, CA Technologies
SCT41T
SECURITY
© 2016 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD
© 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2016 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
For Informational Purposes Only
Terms of this Presentation
Abstract
As security and risk professionals increasingly focus on the need for privileged access management within their organizations, a number of questions arise. Are critical functions being addressed? Are the appropriate processes and management oversight in place? How can the overall privileged access management program be improved? What areas need more focus to improve program effectiveness?
In this session, we’ll discuss a privileged access management maturity model – focused on key technology, process, and management activities and capabilities – that security teams can use to baseline their privileged access management program and identify areas for improvement and future refinement.
Shawn W. Hank
CA Technologies, Inc.
Sr. Principal Consultant
Cybersecurity
The risk and potential for security breaches exist anywhere there are privileged accounts.
Privileged Accounts are everywhere; ergo potential vectors of compromise exist everywhere.
Your Privileged Accounts Are Valuable Targets!
And they are a critical component of your overall security posture.
Privileged Accounts Grow in Numbers Every Day.
They exist in all layers of any organization's IT stack:
- Infrastructure
- Front End
- Middleware
- Backend
Existing Models of Managing Privileged Accounts Fall Short.
Every Major Breach Has Involved A Privileged Account
Privileged Account Management Facts
PAM Focus Areas – Level 1
- Examples – root, oradba, sapadmin, cisco enable, Windows local admin, named admin accounts, SaaS/IaaS/PaaS admin accounts
- Why – If you control access to the accounts as well as their passwords, you can control privileged actions and who can make them
- Hint – Public discussions about monitoring and audit are a big deterrent of unwanted behavior
Privileged Users/Shared Accounts
PAM Focus Areas – Level 2
- Examples – SIEM, Network Monitoring, Change Management, Session Recording, Analytics
- Why – Proactive vs. Reactive
- Hint – Automated remediation is faster than human action. Think SecOps or DevSecOps
Activity Monitoring
PAM Focus Areas – Level 2/3
- Examples – COTS applications, application & middleware Servers, DevOps (CI and/or Orchestration) Systems, Scheduled Tasks, Batch Jobs, Scripts
- Why – Our experience tells us there are 5 to 7 times as many application accounts as there are human, interactive accounts. The threat is larger in this context.
- Hint – Start small and build over time, incorporating with SDLC
Service & Application Accounts
PAM Focus Areas – Level 3/4
- Examples – CA Identity Suite, CA Identity Service, Oracle IAM, SailPoint, IBM Security Identity Manager
- Why – PAM solutions should not provision accounts.
  - Integration with IDM tools allows for programmatic provisioning and removal of accounts and credentials as well as certification and accreditation when needed.
Identity Management Integration
PAM Focus Areas – Level 3/4
- Examples – CA PAM SC, Symantec CSP, Dell UPM, PowerBroker, ViewFinity
- Why – PAM focus has been primarily on the server side of the equation.
  - Most privileged account compromises happened on client endpoint systems (i.e., managed and unmanaged laptops, etc.)
  - Moving the PAM function closer to the user environment (aka endpoint) is a logical progression.
Fine Grained Controls
Privileged Access Management Maturity Model
Level 0
Level 1 Ad Hoc/Manual
Level 2 Baseline
Level 3 Managed
Level 4 Advanced
Privileged User/Shared Accounts
Not managing or rotating credentials
Manual Controls For Privileged Accounts
Basic Vault Structured Controls Account Inventory SDLC Integration
Credential Vault w/ RBAC Central Password Policies
Account Discovery MFA
Password-less (SAML/OAUTH/TGS) Cloud/SaaS/SDN & HSM Integration
Service & Application Accounts
No knowledge of Application accounts
Ad Hoc Application Account Management Hard Coded Passwords
Manual Application Account Management
Centralized A2A Mgmt. No Hardcoded Creds. REST API Integration
Governed A2A DevOps Integration
Monitoring & Threat Detection
No monitoring of account usage
Ad Hoc Audit & Controls Activity Monitoring Decentralized logging
SIEM Integration Account Attribution
SNMP Alerting Session Recording
Meta-Data Service Desk Workflow & Analytics Integration
Identity Management Integration
Manual provision, no certification or accreditation
Manual Process For Privileged Access
Automated Privileged Identity Mgmt.
Integrated Privileged Access Requests Basic Governance
Fully Delegated Administration
Governed Privileged Access w/ SoD
Fine-grained Controls/SoD
Nonexistent
Open Source Tools and Scripts Decentralized Tools (Silos)
Command Filtering Restricted Shell
Leap Frog Prevention
Centrally Managed Kernel Interceptor with Cred Vault Integration
Questions to Consider
Do you have a record of credential access? - The 5 W's: Who, What, When, Where, Why?
How is privileged account access granted?
Do you have an inventory of Privileged Accounts? - Interactive & Programmatic?
Are privileged accounts included in the SDLC process? - for 3rd Party Developers and Contractors?
How do you grant emergency access to privileged accounts?
How do you track the usage of privileged accounts?
Do you have a policy and process for rotating privileged account credentials?
If yes, how often are you rotating privileged account credentials?
Do you require a change ticket for privileged account use?
Do you have SoD for privileged accounts? - How is SoD enforced?
What is the current certification process for privileged accounts?
How are new privileged accounts created? - What does the workflow look like?
What is your approach for managing privileged accounts that live in the cloud? - IaaS, PaaS, SaaS?
Is Multi-Factor Authentication a requirement to access privileged accounts?
Is privileged account access monitored for suspicious activity?
Are fine-grained controls in place to restrict the scope of privileged accounts? - How is this managed?
PAM Focus Areas – Level 3/4 ADVANCED
Review
Redefine
Optimize
Privileged Account Management Maturity Model
Whether you haven't started, have just begun, or are in the throes of a Privileged Access Management project, there are several items to consider. It is our hope that the framework we have provided here will start a discussion and assist you as you move forward.
Let us know how we can help!
Summary
Recommended Sessions
SESSION #   TITLE                          DATE/TIME
SCT39T      PAM for Hybrid Enterprises     11/17/2016 at 1:45 pm
SCT36T      Real-time Identity Analytics   11/16/2016 at 3:00 pm
SCT43T      Threat Analytics for PAM       11/17/2016 at 4:30 pm
Don’t Miss Our INTERACTIVE Security Demo Experience!
SNEAK PEEK!