The 7 Layers of Privileged Access Management
27
Transcript of The 7 Layers of Privileged Access Management
HELLO!IamAnirbanBanerjee.FounderandCEOofOnionID.
https://www.linkedin.com/in/anirbanbanerjeephd
Current Status
Challenges
Solutions
Current Status
4
Laptops In house servers
Mobile devices
Cloud Servers
The Landscape is ChangingITLandscape
• Shift in Capex to Opex• Cost savings – 25% on avg.
• Employee Mobility• Easy access – 49% on avg.
• Scaling is easier• More efficient – 55% on avg.
• Time savings• More time to innovate – 31% on avg.
• Choice – no traditional vendor lock in
WhyistheCloudPopular
SAML&SaaS
• Less than 25% of corporate apps have SSO support• Less than 1% of all SaaS apps understand SAML• Passwordsareheretostay!
MappingUserRoles
• How to map to 3rd party SaaS apps?• SAML assertions - weak support.• Nomagicbullet
What is Privilege
9
PrivilegeManagementisnotjustAccessControl
PrivilegeManagement
PAM- 100%Coverage
Web Apps Servers and Containers
PAM- LayersShrek: Ogres are like onionsDonkey: They Stink?
Shrek: Yes. No.Donkey: Oh.....they make you cry
Shrek: No!Donkey: Oh, you leave 'em out in the sun, they get all brown, start sproutin' little white hairs
Shrek: NO. Layers. Onions have layers. Ogres have layers. Onions have layers. You get it? We both have layers. [sigh]Donkey: Oh, you both have layers.Oh.
PAM has layers. Onions have layers. We both have layers. Get it?
PAM- The7Layers
2FA on Apps and Servers
SaaS PAM
SSH Session Control
Secret Storage
Access sharing
Reporting and Audits
Server PAM
EvolutionofPAM
PAM 1.0Crawl
• Password Vaulting• SSH Key Rotation• Video-session Recording
PAM 2.0Walk
• Rights Management• Time based checkout• Credential rotation
PAM 3.0Run
• SaaS PAM• Adaptive authentication• Automated auditing
Challenges
15
q PrivilegedAccessManagement§ Fullcontroloverwhohasaccesstowhatandwhen.§ RealtimeandIntuitive
HardProblems
q Vigilance§ Keeptrackofuseractivity§ Receivealertsforanomalousbehavior§ Gaincompletevisibilitythroughdetailedreports
HardProblems
q Secretsmanagement§ API/MachinetoAPI/Machineauthentication§ APIkeysincode
HardProblems
q ReportsandAuditing§ Complianceiscomplex,disparatesystems§ Continuousauditingisnecessary
HardProblems
Strategies
20
Layer on top of existing services
Dynamic Privilege Management
SSO NAC CASB
Deployment
User Fatigue
2FA=Friction
• Entering 8 Digit Codes
• Carrying Hardware• One time Passwords• Multiple IDs
HappyUsers
2FA≠Friction
Air-Signature
Touch ID
Proximity
Geo Fencing
What can an employee see
What can an employee click
What can an employee fill
What can an employee download
UseCase
Command Filtering
SSH Key Management
Session Recording
URL Filtering
Action Filtering
View Filtering
Solution
Conclusion
2FA on Apps and Servers
SaaS PAM
SSH Session Control
Secret Storage
Access sharing
Reporting and Audits
Server PAM
q FineGrainedControl- SaaSPAMisimportant.
q Sessionrecordingforcomplianceandsecurity.
q Secretsmanagement- isanemergingarea.
q ReportsandAuditing- needcontinuousprocess.
q Simplify2FAExperience- reducefriction.
