The 7 Layers of Privileged Access Management

Posted 08-Jan-2017, category: Internet

Transcript of The 7 Layers of Privileged Access Management

  • The 7 Layers of Privilege Management

    - Anirban Banerjee, [email protected]

  • HELLO! I am Anirban Banerjee, Founder and CEO of Onion ID.

    https://www.linkedin.com/in/anirbanbanerjeephd

  • Current Status

    Challenges

    Solutions

  • Current Status

  • IT Landscape: The Landscape is Changing

    Laptops, in-house servers, mobile devices, cloud servers

  • Why is the Cloud Popular

    Shift from Capex to Opex: cost savings, 25% on avg.

    Employee mobility: easy access, 49% on avg.

    Scaling is easier: more efficient, 55% on avg.

    Time savings: more time to innovate, 31% on avg.

    Choice: no traditional vendor lock-in

  • SAML & SaaS

    Less than 25% of corporate apps have SSO support. Less than 1% of all SaaS apps understand SAML. Passwords are here to stay!

  • Mapping User Roles

    How to map to 3rd party SaaS apps? SAML assertions: weak support. No magic bullet.

  • What is Privilege

  • Privilege Management

    Privilege Management is not just Access Control

  • PAM - 100% Coverage

    Web Apps, Servers and Containers

  • PAM - Layers

    Shrek: Ogres are like onions.
    Donkey: They stink?
    Shrek: Yes. No.
    Donkey: Oh... they make you cry.
    Shrek: No!
    Donkey: Oh, you leave 'em out in the sun, they get all brown, start sproutin' little white hairs.
    Shrek: NO. Layers. Onions have layers. Ogres have layers. Onions have layers. You get it? We both have layers. [sigh]
    Donkey: Oh, you both have layers. Oh.

    PAM has layers. Onions have layers. We both have layers. Get it?

  • PAM - The 7 Layers

    2FA on Apps and Servers

    SaaS PAM

    SSH Session Control

    Secret Storage

    Access sharing

    Reporting and Audits

    Server PAM

  • Evolution of PAM

    PAM 1.0 (Crawl): password vaulting, SSH key rotation, video session recording

    PAM 2.0 (Walk): rights management, time-based checkout, credential rotation

    PAM 3.0 (Run): SaaS PAM, adaptive authentication, automated auditing
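
A worked illustration of the PAM 2.0 items above (time-based checkout with credential rotation), added here as example code; it is not Onion ID's product code. The in-memory `Vault` class, the account name `root@db01`, the TTL values and the injected clock are assumptions made so the flow runs offline and deterministically; a real deployment would rotate the password on the target system, not only in the vault.

```python
"""Time-based checkout with credential rotation.

Added example, not Onion ID code. A privileged password is checked out for
a limited time, every checkout, check-in and expiry is written to an audit
trail, and the password is rotated when the checkout ends so that the value
the user saw stops working. The in-memory vault and the injected clock are
assumptions made so the flow runs offline and deterministically.
"""
import secrets
import string
from dataclasses import dataclass

ALPHABET = string.ascii_letters + string.digits


def new_password(length=24):
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Checkout:
    user: str
    account: str
    password: str
    expires_at: float


class Vault:
    def __init__(self, clock):
        self.clock = clock            # callable returning seconds; injected for tests
        self._passwords = {}          # account -> current password
        self._checkouts = {}          # account -> active Checkout
        self.audit = []               # (event, who/why, account) tuples

    def add_account(self, account):
        self._passwords[account] = new_password()

    def checkout(self, user, account, ttl_seconds):
        """Hand the current password to `user` for `ttl_seconds`, one holder at a time."""
        self._expire_stale()
        if account in self._checkouts:
            raise PermissionError(f"{account} is already checked out")
        co = Checkout(user, account, self._passwords[account],
                      self.clock() + ttl_seconds)
        self._checkouts[account] = co
        self.audit.append(("checkout", user, account))
        return co

    def checkin(self, user, account):
        """End the checkout and rotate, so the password the user saw is dead."""
        co = self._checkouts.get(account)
        if co is None or co.user != user:
            raise PermissionError(f"{user} holds no checkout for {account}")
        del self._checkouts[account]
        self.audit.append(("checkin", user, account))
        self._rotate(account, "checkin")

    def verify(self, account, password):
        """Would this password still authenticate to the account?"""
        return secrets.compare_digest(self._passwords[account], password)

    def _rotate(self, account, reason):
        self._passwords[account] = new_password()
        self.audit.append(("rotate", reason, account))

    def _expire_stale(self):
        """Expired checkouts are closed and rotated before anyone else gets the account."""
        for account, co in list(self._checkouts.items()):
            if co.expires_at <= self.clock():
                del self._checkouts[account]
                self.audit.append(("expire", co.user, account))
                self._rotate(account, "expired")


def demo():
    """Run the checkout / check-in / expiry flow on a fake clock; returns facts to check."""
    clock = [1_000.0]
    vault = Vault(lambda: clock[0])
    vault.add_account("root@db01")

    alice = vault.checkout("alice", "root@db01", ttl_seconds=600)
    valid_while_held = vault.verify("root@db01", alice.password)
    try:
        vault.checkout("bob", "root@db01", ttl_seconds=600)
        second_holder_blocked = False
    except PermissionError:
        second_holder_blocked = True
    vault.checkin("alice", "root@db01")
    valid_after_checkin = vault.verify("root@db01", alice.password)

    bob = vault.checkout("bob", "root@db01", ttl_seconds=60)
    clock[0] += 120                                   # bob's TTL lapses
    carol = vault.checkout("carol", "root@db01", ttl_seconds=60)
    return {
        "valid_while_held": valid_while_held,
        "second_holder_blocked": second_holder_blocked,
        "valid_after_checkin": valid_after_checkin,
        "bob_password_reused": bob.password == carol.password,
        "audit": vault.audit,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the rotation on check-in and on expiry is that a checked-out credential has a bounded lifetime even if the user copied it: after the audit trail shows the checkout closing, the old value no longer authenticates.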

  • Challenges

  • Hard Problems: Privileged Access Management

    Full control over who has access to what, and when. Real-time and intuitive.

  • Hard Problems: Vigilance

    Keep track of user activity. Receive alerts for anomalous behavior. Gain complete visibility through detailed reports.
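
As an added example (not Onion ID code) of the "alerts for anomalous behavior" point, the snippet below builds a per-user baseline from constructed privileged-access events and flags new events that deviate in time of day, source country or target host. The event format, the users and hosts, the two-hour slack and the alert threshold are all assumptions for the demonstration.

```python
"""Alerting on anomalous privileged access.

Added example, not Onion ID code. Constructed events stand in for the access
log a PAM gateway emits: (user, ISO timestamp, source country, target host).
A per-user baseline is learned from history, and each new event is scored on
three signals: activity outside the user's usual hours, a source country never
seen for that user, and a privileged host the user has never touched.
"""
from collections import defaultdict
from datetime import datetime

# Constructed history (assumption: a few days of normal behaviour).
HISTORY = [
    ("alice", "2017-01-03T09:12:00", "US", "db01"),
    ("alice", "2017-01-03T14:40:00", "US", "db01"),
    ("alice", "2017-01-04T10:05:00", "US", "web01"),
    ("alice", "2017-01-05T16:30:00", "US", "db01"),
    ("bob",   "2017-01-03T22:10:00", "IN", "web02"),
    ("bob",   "2017-01-04T23:45:00", "IN", "web02"),
]

# Constructed new events to score.
NEW_EVENTS = [
    ("alice",   "2017-01-06T11:00:00", "US", "db01"),   # looks normal
    ("alice",   "2017-01-07T03:20:00", "RO", "db01"),   # 03:20 from a new country
    ("bob",     "2017-01-06T23:00:00", "IN", "db01"),   # usual hours, new host
    ("mallory", "2017-01-06T12:00:00", "US", "db01"),   # never seen before
]


def build_baseline(events):
    """Per-user sets of hours-of-day, countries and hosts seen in history."""
    base = defaultdict(lambda: {"hours": set(), "countries": set(), "hosts": set()})
    for user, ts, country, host in events:
        b = base[user]
        b["hours"].add(datetime.fromisoformat(ts).hour)
        b["countries"].add(country)
        b["hosts"].add(host)
    return dict(base)


def _hours_apart(a, b):
    """Circular distance on a 24-hour clock, so 23:00 and 01:00 are 2 apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score_event(baseline, event, hour_slack=2):
    """Return the list of anomaly reasons for one event (empty = nothing unusual)."""
    user, ts, country, host = event
    b = baseline.get(user)
    if b is None:
        return ["unknown_user"]
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    if all(_hours_apart(hour, h) > hour_slack for h in b["hours"]):
        reasons.append("off_hours")
    if country not in b["countries"]:
        reasons.append("new_country")
    if host not in b["hosts"]:
        reasons.append("new_host")
    return reasons


def alerts(baseline, events, threshold=2):
    """Events worth paging on: an unknown user, or at least `threshold` signals at once."""
    out = []
    for ev in events:
        reasons = score_event(baseline, ev)
        if "unknown_user" in reasons or len(reasons) >= threshold:
            out.append((ev, reasons))
    return out


if __name__ == "__main__":
    for ev, why in alerts(build_baseline(HISTORY), NEW_EVENTS):
        print(ev[0], ev[1], why)
```

Requiring two signals before alerting is what keeps the "detailed reports" from becoming noise: bob touching a new host during his normal hours is logged but not paged, while alice at 03:20 from a country never seen for her is.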

  • Hard Problems: Secrets Management

    API/machine to API/machine authentication. API keys in code.
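
An added example, not Onion ID code, for the "API keys in code" problem: a small scanner that combines fixed-format patterns (the public `AKIA` prefix of AWS access key IDs, and PEM private-key headers) with a Shannon-entropy test on string literals assigned to secret-looking names. The sample source is constructed, and the key values in it are the well-known AWS documentation placeholders rather than live credentials; the 3.5 bits-per-character threshold and the list of secret-ish name fragments are assumptions.

```python
"""Finding API keys committed in code.

Added example, not Onion ID code. Two detection approaches are combined:
fixed-format patterns for key types with a known shape, and a Shannon-entropy
test on string literals assigned to secret-looking variable names, which also
catches keys that have no recognisable prefix. The sample source below is
constructed; its key values are the AWS documentation placeholders, not real
credentials. The entropy threshold of 3.5 bits/char is an assumption.
"""
import math
import re
from collections import Counter

# Fixed-format patterns. AKIA + 16 uppercase alphanumerics is the public
# format of an AWS access key ID; PEM headers mark an embedded private key.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# A string literal of 8+ chars assigned to a name containing a secret-ish word.
ASSIGNMENT = re.compile(
    r"(?i)\b(?P<name>[a-z0-9_]*(?:secret|token|password|passwd|api_?key)[a-z0-9_]*)"
    r"\s*[:=]\s*['\"](?P<value>[^'\"]{8,})['\"]"
)

SAMPLE_SOURCE = '''
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]          # fine: read from the environment
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"       # fixed-format hit
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"   # entropy hit
api_key = "${API_KEY}"                           # template placeholder, skipped
password = "password"                            # low entropy, skipped
pem = "-----BEGIN RSA PRIVATE KEY-----"          # fixed-format hit
'''


def shannon_entropy(s):
    """Bits per character; uniformly random base64 approaches 6, English prose is nearer 4."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan(source, entropy_threshold=3.5):
    """Return (line_number, finding_kind, stripped_line) for every suspected secret."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, pat in PATTERNS.items():
            if pat.search(line):
                findings.append((lineno, kind, line.strip()))
        m = ASSIGNMENT.search(line)
        if m and not m.group("value").startswith("${"):
            if shannon_entropy(m.group("value")) >= entropy_threshold:
                kind = "high_entropy_" + m.group("name").lower()
                findings.append((lineno, kind, line.strip()))
    return findings


if __name__ == "__main__":
    for lineno, kind, text in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}: {text}")
```

Fixed-format rules have no false positives but miss anything without a known prefix; the entropy rule catches the rest at the cost of some tuning, which is why the two are used together and why templated placeholders like `${API_KEY}` are skipped rather than scored.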

  • Hard Problems: Reports and Auditing

    Compliance is complex, with disparate systems. Continuous auditing is necessary.

  • Strategies

  • Deployment

    Layer on top of existing services: SSO, NAC, CASB

    Dynamic Privilege Management

  • User Fatigue

    2FA = Friction: entering 8-digit codes, carrying hardware one-time passwords, multiple IDs

  • Happy Users

    Lower 2FA friction: Air-Signature, Touch ID, Proximity, Geo Fencing

  • Use Case

    What can an employee see?
    What can an employee click?
    What can an employee fill?
    What can an employee download?

  • Solution

    Command Filtering

    SSH Key Management

    Session Recording

    URL Filtering

    Action Filtering

    View Filtering
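
To make the command-filtering and session-recording items concrete, here is an added example (not Onion ID code) of the OpenSSH mechanism a PAM gateway can build on: an `authorized_keys` forced command. OpenSSH's `command=` option runs the wrapper instead of whatever the client asked for and passes the requested command in `SSH_ORIGINAL_COMMAND`; the wrapper allows only listed programs, refuses shell metacharacters, executes the argv without a shell, and appends a JSON audit record for every attempt. The allow-list, the log path and the `pam_filter.py` script name are assumptions.

```python
#!/usr/bin/env python3
"""SSH command filtering with an audit trail, via an authorized_keys forced command.

Added example, not Onion ID code. OpenSSH's `command="..."` option in
authorized_keys runs this wrapper instead of whatever the client requested and
passes the requested command in $SSH_ORIGINAL_COMMAND. The wrapper allows only
listed programs (and, for some, only listed subcommands), rejects shell
metacharacters, executes the argv directly without a shell, and appends a JSON
audit record for every attempt. Allow-list, log path and script name are
assumptions. Example authorized_keys entry (key material elided):

command="/usr/local/bin/pam_filter.py",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA... ops@bastion
"""
import json
import os
import shlex
import subprocess
import sys
import time

# Hypothetical allow-list: program -> permitted first argument, or None for any arguments.
ALLOWED = {
    "systemctl": {"status", "restart"},
    "journalctl": None,
    "df": None,
    "uptime": None,
}
METACHARS = set(";&|<>`$\\\n")
AUDIT_LOG = os.environ.get("PAM_FILTER_LOG", "/var/log/pam_filter.jsonl")


def decide(original_command):
    """Return (allowed, argv, reason) for the command the SSH client asked for."""
    if not original_command:
        return False, [], "interactive shell not permitted"
    if any(ch in METACHARS for ch in original_command):
        return False, [], "shell metacharacters rejected"
    try:
        argv = shlex.split(original_command)
    except ValueError as exc:
        return False, [], f"unparsable command: {exc}"
    if not argv:
        return False, [], "empty command"
    prog = argv[0]
    if "/" in prog:
        return False, argv, "absolute or relative paths rejected"
    if prog not in ALLOWED:
        return False, argv, f"{prog} not on allow-list"
    subs = ALLOWED[prog]
    if subs is not None and (len(argv) < 2 or argv[1] not in subs):
        return False, argv, f"{prog} subcommand not permitted"
    return True, argv, "allowed"


def audit(record):
    """Append one JSON line per attempt: the recording for non-interactive use."""
    record.update(ts=time.time(),
                  user=os.environ.get("USER", "?"),
                  client=os.environ.get("SSH_CLIENT", "?"))
    with open(AUDIT_LOG, "a") as fh:
        fh.write(json.dumps(record) + "\n")


def main():
    original = os.environ.get("SSH_ORIGINAL_COMMAND", "")
    allowed, argv, reason = decide(original)
    audit({"command": original, "allowed": allowed, "reason": reason})
    if not allowed:
        print(f"denied: {reason}", file=sys.stderr)
        return 126
    # No shell: argv is executed as-is, with a fixed PATH so `prog` resolves predictably.
    return subprocess.run(argv, env={"PATH": "/usr/bin:/bin"}).returncode


if __name__ == "__main__":
    sys.exit(main())
```

The `no-port-forwarding` and `no-agent-forwarding` options matter as much as the wrapper: a forced command stops the client from running anything else, but without those options the same key could still be used to tunnel traffic or to reuse a forwarded agent, neither of which the filter would see.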

  • Conclusion

    2FA on Apps and Servers

    SaaS PAM

    SSH Session Control

    Secret Storage

    Access sharing

    Reporting and Audits

    Server PAM

    Fine-grained control: SaaS PAM is important.

    Session recording for compliance and security.

    Secrets management is an emerging area.

    Reports and auditing need a continuous process.

    Simplify the 2FA experience: reduce friction.

  • Contact: [email protected], +1-888-315-4745

    https://www.linkedin.com/in/anirbanbanerjeephd