Tech Talk: Privileged Account Management Maturity Model

World®’16

TechTalk:HowDoYouMeasureUp?AMaturityModelforPrivilegedAccessManagementShawnW.Hank– Sr.PrincipalConsultant,CybersecurityCATechnologies

SCT41T

SECURITY

2 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

©2016CA.Allrightsreserved.Alltrademarksreferencedhereinbelongtotheirrespectivecompanies.

Thecontentprovidedinthis CAWorld2016presentationisintendedforinformationalpurposesonlyanddoesnotformanytypeofwarranty. The informationprovidedbyaCApartnerand/orCAcustomerhasnotbeenreviewedforaccuracybyCA.

ForInformationalPurposesOnlyTermsofthisPresentation


Abstract

Assecurityandriskprofessionalsincreasinglyfocusontheneedforprivilegedaccessmanagementwithintheirorganizations,anumberofquestionsarise.Arecriticalfunctionsbeingaddressed?Aretheappropriateprocessesandmanagementoversightinplace?Howcantheoverallprivilegedaccessmanagementprogrambeimproved?Whatareasneedmorefocustoimproveprogrameffectiveness?

Inthissession,we’lldiscussaprivilegedaccessmanagementmaturitymodel– focusedonkeytechnology,process,andmanagementactivitiesandcapabilities– thatsecurityteamscanusetobaselinetheirprivilegedaccessmanagementprogramandidentifyareasforimprovementandfuturerefinement.

ShawnW.HankCATechnologies,Inc.Sr.PrincipalConsultantCybersecurity


Theriskandpotentialforsecuritybreachesexistanywherethereareprivilegedaccounts.

PrivilegedAccountsareeverywhere; ergopotentialvectorsofcompromiseexisteverywhere.

YourPrivilegedAccountsArevaluableTargets!

Andtheyareacriticalcomponentofyouroverallsecurityposture.

PrivilegedAccountsGrowinNumbersEveryday.

TheyexistinalllayersofanyorganizationsITstack:

- Infrastructure- FrontEnd- Middleware- Backend

ExistingModelsofManagingPrivilegedAccountsFallShort.

EveryMajorBreachHasInvolvedAPrivilegedAccount

PrivilegedAccountManagementFacts


PAMMaturity– Level0/1


PAMFocusAreas– Level1

§ Examples– root,oradba,sapadmin,ciscoenable,Windowslocaladmin,

namedadminaccounts,SaaS/IaaS/PaaSadminaccounts

§ Why– Ifyoucontrolaccesstotheaccountsaswellastheirpasswords,

youcancontrolprivilegedactionsandwhocanmakethem

§ Hint– Publicdiscussionsaboutmonitoringandauditareabigdeterrentof

unwantedbehavior

PrivilegedUsers/SharedAccounts


PAMMaturity– Level1/2


PAMFocusAreas– Level2

§ Examples– SIEM,NetworkMonitoring,ChangeManagement,SessionRecording,

Analytics

§ Why– Proactivevs.Reactive

§ Hint– Automatedremediationisfasterthanhumanaction.ThinkSecOpsor

DevSecOps

ActivityMonitoring


PAMFocusAreas– Level2/3

§ Examples– COTSapplications,application&middlewareServers,DevOps

(CIand/orOrchestration)Systems,ScheduledTasks,BatchJobs,Scripts

§ Why– Ourexperiencetellsusthereare5to7timesasmanyapplication

accountsastherearehuman,interactiveaccounts.Thethreatislargerinthiscontext.

§ Hint– Startsmallandbuildovertime,incorporatingwithSDLC

Service&ApplicationAccounts


PAMFocusAreas– Level3/4

§ Examples– CAIdentitySuite,CAIdentityService,OracleIAM,SailPoint,

IBMSecurityIdentityManager

§ Why– PAMsolutionsshouldnotprovisionaccounts.

– IntegrationwithIDMtoolsallowsforprogrammaticprovisioningandremovalofaccountsandcredentialsaswellascertificationandaccreditationwhenneeded.

IdentityManagementIntegration


PAMFocusAreasLevel3/4

§ Examples– CAPAMSC,SymantecCSP,DellUPM,PowerBroker,ViewFinity

§ Why– PAMfocushasbeenprimarilyontheserversideoftheequation.

– Mostprivilegedaccountscompromiseshappenedonclientendpointsystems(i.e.,managedandunmanagedlaptops,etc.)

– MovingthePAMfunctionclosertotheuserenvironment(akaendpoint)isalogicalprogression.

FineGrainedControls


PrivilegedAccessManagementMaturityModelLevel0 Level1

AdHoc/ ManualLevel 2Baseline

Level3Managed

Level4Advanced

PrivilegedUser/SharedAccounts

Notmanagingorrotatingcredentials

ManualControlsFor PrivilegedAccounts

BasicVaultStructuredControlsAccountInventorySDLCIntegration

CredentialVaultw/RBACCentralPasswordPolicies

AccountDiscoveryMFA

Password-less(SAML/OAUTH/TGS)Cloud/SaaS/SDN &HSMIntegration

Service&Application Accounts

Noknowledge ofApplicationaccounts

AdHocApplicationAccountManagementHardCodedPasswords

ManualApplicationAccountManagement

CentralizedA2A Mgmt.NoHardcodedCreds.RESTAPIIntegration

GovernedA2ADevOpsIntegration

Monitoring&ThreatDetection

Nomonitoring ofaccountusage

AdHocAudit&ControlsActivityMonitoring Decentralized logging

SIEMIntegrationAccountAttribution

SNMPAlertingSessionRecording

Meta-DataServiceDesk Workflow&AnalyticsIntegration

IdentityManagementIntegration

Manual provision,nocertificationoraccreditation

ManualProcessForPrivilegedAccess

AutomatedPrivilegedIdentity

Mgmt.

IntegratedPrivilegedAccessRequestsBasicGovernance

FullyDelegatedAdministration

GovernedPrivilegedAccessw/SoD

Fine-grainedControls/SoD Nonexistent OpenSource

ToolsandScriptsDecentralizedTools(Silos)

CommandFilteringRestrictedShell

LeapFrogPrevention

CentrallyManagedKernelInterceptorwithCred VaultIntegration


Doyouhavearecordofcredentialaccess?- The5W's:Who,What,When,Where,Why?

QuestionstoConsider

Howisprivilegedaccountaccessgranted?

DoyouhaveaninventoryofPrivilegedAccounts?- Interactive&Programmatic?

AreprivilegedaccountsincludedintheSDLCprocess?- for3rd PartyDevelopersandContractors?

Howdoyougrantemergencyaccesstoprivilegedaccounts?

Howtoyoutracktheusageofprivilegedaccounts?

Ifyes,howoftenareyourotatingprivilegedaccountcredentials?

Doyouhaveapolicyandprocessforrotatingprivilegedaccountcredentials?

Doyourequireachangeticketforprivilegedaccountuse?

DoyouhaveSoDforprivilegedaccounts?- HowisSoDenforced?

Whatisthecurrentcertificationprocessforprivilegedaccounts?

Howarenewprivilegedaccountscreated?- Whatdoestheworkflowlooklike?

Whatisyourapproachformanagingprivilegedaccountsthatliveinthecloud?- IaaS,PaaS,Saas?

IsMulti-FactorAuthenticationarequirementtoaccessprivilegedaccounts?

Isprivilegedaccountaccessmonitoredforsuspiciousactivity?

Arefine-grainedcontrolsinplacetorestrictthescopeofprivilegedaccounts?- Howisthismanaged?


PAMFocusAreas– Level3/4ADVANCED

Review

Redefine

Optimize


PrivilegedAccountManagementMaturityModelWhetheryouhaven'tstarted,havejustbegun,orareinthethroesofaPrivilegedAccessManagementproject,thereareseveralitemstoconsider.Itisourhopethattheframeworkwehaveprovidedherewillstartadiscussionandassistyouasyoumoveforward.

Letusknowhowwecanhelp!

Summary


RecommendedSessions

SESSION# TITLE DATE/TIME

SCT39T PAMforHybridEnterprises 11/17/2016at1:45pm

SCT36T Real-timeIdentityAnalytics 11/16/2016at3:00pm

SCT43T ThreatAnalyticsforPAM 11/17/2016at4:30pm


Don’tMissOurINTERACTIVESecurityDemoExperience!

SNEAKPEEK!



Security

FormoreinformationonSecurity,pleasevisit:http://cainc.to/EtfYyw

Tech Talk: Privileged Account Management Maturity Model

Technology

Transcript of Tech Talk: Privileged Account Management Maturity Model