1 / 26

Single Identity – Multiple services how do I stay c ompliant?

Single Identity – Multiple services how do I stay c ompliant?. Wade Tongen NA Commercial SE Manager Wade.tongen@centrify.com. Agenda. Overview of Today’s Environment Common Themes of Today’s Standards Identity Topics The New Perimeter Controlling Privileged Access

helzer
Download Presentation

Single Identity – Multiple services how do I stay c ompliant?

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Single Identity – Multiple services how do I stay compliant? • Wade Tongen • NA Commercial SE Manager • Wade.tongen@centrify.com

  2. Agenda • Overview of Today’s Environment • Common Themes of Today’s Standards • Identity Topics • The New Perimeter • Controlling Privileged Access • Accountability for Privileged Actions

  3. The Modern IT Enterprise Infrastructure as a Service Security SaaS Infrastructure Outsourced IT The Business of IT Staff Budget Employees

  4. …and Harder to Manage as Infrastructure Evolves Mobile Desktops + ID ID ID ID ID ID ID Cloud (SaaS) Data Center Apps + ID ID ID ID ID ID ID ID ID ID ID Data Center Servers Cloud (IaaS & PaaS) Big Data + ID ID ID ID ID ID ID ID ID ID ID ID

  5. Core Challenges in Managing Privileged Identity InsiderThreats APTs & Malware Over-Privileged Users Snowden Used Low-Cost Tool to Scrape N.S.A. Massive RetailerIdentity Theft Disgruntled IT Worker Holds Company Hostage HIPAA NIST 800-53 SOX FISMA Threats & Breaches Data Center Heterogeneity PCI Modern Enterprise Regulations

  6. No matter the standard the many themes are common Generic Accounts are Bad • Have users access the services/applications as themselves vs administrator or root or SA or oracle Have a Least Privileged Model • If there is not a business need for the access/right they should not have it Accountability for Actions • Essential for privileged actions Lock down shared accounts • When there is not another option Regulations Share Common Tenants

  7. Identity Management Needs to be Holistic

  8. The Common/Weakest Link

  9. Identity at Center of Cyber Attacks… END USERS PRIVILEGED USERS • ID

  10. ID Unify Identity Management Stores Were Possible… Desktops Mobile ID ID ID ID ID ID ID ID Cloud (SaaS) Data Center Apps ID ID ID Reduced IdentityFootprint ID ID ID ID ID ID ID ID • ID Data Center Servers Big Data Cloud (IaaS & PaaS) ID ID ID ID ID ID ID ID ID ID ID MS AD or LDAP

  11. The Case for a Reduced Identity Footprint • Users are and will continue to be the weak link In the security chain • The more the identities the more likely: • Weaker passwords • Same password • Store on a sticky note • Store In a spreadsheet • Store in a browser without institutional control • Use a personnel password product

  12. The Traditional Thought was the Firewall was the Perimeter • This approach was much better before: • Explosion of virtualization • Mobile workforce • SaaS offerings • Elastic environments

  13. The Paradigm Shift Means the Identity is the New Perimeter IDENTITY IDENTITY IDENTITY IDENTITY IDENTITY IDENTITYIDENTITY IDENTITY IDENTITYIDENTITY IDENTITY IDENTITY IDENTITY IDENTITY IDENTITY IDENTITY IDENTITY IDENTITY IDENTITY IDENTITY IDENTITY IDENTITY IDENTITY IDENTITY IDENTITY IDENTITYIDENTITY IDENTITY IDENTITYIDENTITY IDENTITY IDENTITY IDENTITY IDENTITY IDENTITY IDENTITY IDENTITY IDENTITY IDENTITY IDENTITY Authenticate Determine Access Enforce Policies Track

  14. So Where Do We Consolidate? • MS Windows: • Use SSPI (Security Support Provider Interface) • Built into MS applications • Leverages Kerberos or NTLM to provide a single identity • External trusts are possible between environments

  15. So Where Do We Consolidate? • UNIX/Linux: • Utilize the PAM authentication – Trust the OS for authentication • Use GSSAPI (Generic Security Services Application Program Interface) • Supported by open source and commercial vendors • Leverages Kerberos or NTLM to provide a single identity • External trusts are possible between environments

  16. So Where Do We Consolidate? • Applications: • Utilize the PAM Authentication – Trust the OS for authentication • Use SSPI & GSSAPI (Generic Security Services Application Program Interface) • In the Data Center • Leverages Kerberos or NTLM • In the Cloud • Leverage SAML and OAuth

  17. So Where Do We Consolidate? • Infrastructure: • Routers • Switches • Appliances • Typically accessed via CLI or web interface for local accounts • External protocols such as: • Radius • LDAP

  18. Best Practices for Controlling Privileged Identity

  19. Path to Reducing Identity-related Risk for Privileged Users • Optimized Risk Profile Limited # of privileged accounts (root, local admin, service accounts) Least privilege access Single identity source PrivilegedAccounts Manyprivileged passwords Individual identities with unstructured access Many identity silos • Poor Risk Profile Individual Accounts

  20. Two Main Ways to Control Privileged Identities DATA CENTER SERVERS • Super User Privilege Management (SUPM) • Assigning the privilege to user or groups at the OS or device level • Shared Account Password Management (SAPM) • Assigning a user to temporarily have access to accounts such as: • Root • Administrator • SA • Oracle

  21. Super User Privilege Management DATA CENTER SERVERS • OS Level – Can grant granularity to the individual executables • UNIX/Linux – sudo & 3rd Party Tools • Take extra precautions if the tool modifies the kernel • Windows - MS GPO & 3rdparty tools • A single cross-platform architecture across would be easiest to deploy • Applications • Typically defined in the application but try externalize the authentication • Appliance • Typically configured in the context of the device

  22. Shared Account Privilege Management DATA CENTER SERVERS • Typically this is implemented by using a vaulted password in an appliance, virtual appliance, or service • The password is checked out/in or provided without the user knowing the password • A complete log of who had access to which privileged account and when • Some typical needs for this are: • Break Glass • Loss of Connectivity • Appliances that do not support external authentication • Service Accounts

  23. …to Enable Maximum Security for Privileged Users Centrify manages identity for both individual and Privileged accounts for maximum security + IT efficiency and Individual Accounts Privileged Accounts • Log in as yourself • Elevate privilege when needed • Attribute activity to individual • Check out account password • Log in as shared account • Attribute account use to individual Core Rule: “Get users to log in as themselves, while maximizing control of privileged accounts”

  24. Accountability for Privileged Actions

  25. Auditing & Compliance • Privileged session monitoring (PSM) for Linux, UNIX and Windows and appliances • No anonymous activity with complete session record • All activity associated to a single identity across all platforms • User session auditing with video and searchable event records • Must scale to tens of thousands of systems; data stored in SQL database • Satisfies regulatory mandates including PCI, HIPAA, SOX and ISO • A single audit store across individual and privileged access Perimeter Firewall Network Monitoring Privileged Access Security DATA CENTER SERVERS Privileged Sessions Report and Replay

More Related