Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 How to Engineer an Effective Access Review Program Ram Ramadoss, Staff Information Security Engineer, September 25, 2008.

Similar presentations


Presentation on theme: "1 How to Engineer an Effective Access Review Program Ram Ramadoss, Staff Information Security Engineer, September 25, 2008."— Presentation transcript:

1 1 How to Engineer an Effective Access Review Program Ram Ramadoss, Staff Information Security Engineer, September 25, 2008

2 2Agenda Definitions Definitions Challenges Challenges Common Mistakes Made by Organizations Common Mistakes Made by Organizations Access Review – Applications, Systems and Databases Access Review – Applications, Systems and Databases Summary Summary Q & A Q & A

3 3 Definitions Identification Authentication, Authorization and Accounting (AAA) Access Control, ACLs (Access Control Lists) Role Based Access Control & Rule Based Access Control Least Privilege (Need to Know) & Segregation of Duties (SoD) Access Review

4 4 Definitions (contd…) PCI (Payment Card Industry) PCI (Payment Card Industry) SOX (Sarbanes-Oxley) Act of 2002 SOX (Sarbanes-Oxley) Act of 2002 SOX Section 404: Assessment of internal control

5 5 Applications/Databases and Servers – Access Overview

6 6 Challenges Small Organizations: Many users may have full access to the system Many users may have full access to the system Users may perform multiple functions - Development, Test and Production Users may perform multiple functions - Development, Test and Production Group/Shared Ids - individual accountability issues Group/Shared Ids - individual accountability issues Large Organizations: Large number of users and systems Large number of users and systems Mainframe and Legacy Systems Mainframe and Legacy Systems User Provisioning managed by multiple groups User Provisioning managed by multiple groups Lack of custom tools for access review Lack of custom tools for access review Contractors, Partners and IT Outsourcing Contractors, Partners and IT Outsourcing Validation of non-personal ids, shared ids and ownership Validation of non-personal ids, shared ids and ownership

7 7 Common Mistakes Made by Organizations “Compliance Says So” “Compliance Says So” Confusion between compliance and security Confusion between compliance and security Not taking a risk based approach Not taking a risk based approach Not defining the scope of review Not defining the scope of review Tool centric rather than process centric Tool centric rather than process centric Unable to sustain repetitive access reviews Unable to sustain repetitive access reviews No central compliance monitoring group No central compliance monitoring group

8 8 Access Review – High Level Overview Policies and standards Scope of review, frequency, all types of ids (employee / contractor, group ids, system ids…), authorization levels, systems, provisioning and de-provisioning processes Discovery – Extract ids from sample systems, analyze ids, reverse engineer and identify access and authorization rules based on the current access Business SMEs, Production / System Admins and DBAs support crucial Validate ids against access and authorization rules; Obtain management approvals; Identify ids and authorization levels for clean-up;

9 9 Access Review – High Level Overview Set-up scripts to extract ids and authorization levels Repeat access review process at least every 90 days Review provisioning process - include management approvals and access/authorization rules De-Provisioning must address terminations, users leaving business and moving to other job functions

10 Access Review – High Level Flow

11 11 Access Review – Applications Overview J2EE, DotNet, Mainframe, Legacy, COTS and ERP Business Unit users – large population Large number of applications Challenges Lack of process, documentation and access / authorization rules No consistent user id or naming standards – difficulty in mapping individual users Provisioning managed by multiple groups

12 12 Access Review – Applications Challenges Applications may not use central/core authentication systems Group/Shared Ids, System Ids – Ownership and Accountability Transfer of users within the company No third party tool to address access review for complex application environment Approach Rule based access and periodic access review Conduct reverse engineering – Map ids to users, Job Titles, Business Units, Department Work with business unit contacts to extract access /authorization rules Identify owners for non-personal ids and obtain access and authorization approval Majority of the ids can be mapped to access /authorization rules

13 13 Access Review – Applications Approach (contd…) Ids with no access/authorization rules – Management approval is required Important Things Access/Authorization rules must be used as part of provisioning Applications with local authentication – Daily process review must be in place to disable/remove employees and users leaving the business 90 day access review – Validation of user ids against access and authorization rules Management approval for remaining ids; Conduct ongoing clean-up Auto Process to suspend Ids with no activity for more than X number of days

14 14 Access Review – Applications IdPrivilegesNameJob TitleDepartment Personal ID1READ / UPDATEJohnSales ConsultantBusiness Unit A Personal ID3READ / UPDATELindaSales ConsultantBusiness Unit A Personal ID4READ / UPDATEJoeSales ConsultantBusiness Unit A Personal ID6READRubySales ConsultantBusiness Unit A Personal ID2READMaryRepair ConsultantBusiness Unit B Personal ID7READTerryRepair ConsultantBusiness Unit B Personal ID8READ / UPDATEMikeRepair ConsultantBusiness Unit B Personal ID9READWendyRepair ConsultantBusiness Unit B Personal ID5 READ /UPDATE / DELETERonDevelopment EngineerDepartment IT SystemId1 READ / UPDATE / DELETE SystemId2 READ / UPDATE / DELETE GroupId1READ / UPDATE GroupId2READ / UPDATE Administrator Id READ / UPDATE / DELETE / Add Users Business Unit A

15 15 Access Review – Applications Sample Access and Authorization Rules: 1. Sales Consultant from Business Unit A shall have READ / UPDATE access to “ Sales ” application 2. Repair Consultant from Business Unit B shall have READ access to “Sales” application 3. Administrator Id must be approved by XXX (Segregation of Duties) Further Research Required: 1. Owner must be identified for System Id1,Systems Id2, GroupId1 and GroupId2; Access and authorization levels must be validated; Rules can be created based on the validation 2. Personal Id5 must be challenged – Why does an IT user require update access?

16 16 Access Review – Operating System Overview Many users may have privileged access Some ids have standard access and authorization levels Windows / UNIX and Mainframe Challenges Provisioning managed by multiple groups Difficult to derive access and authorization rules Difficult to re-validate access permissions UNIX systems – may not use central authentication UNIX servers may have several invalid/inactive ids

17 17 Access Review – Operating System Approach Sys Admins, Production Support Users and DBAs play a crucial role Sys Admins, Production Support Users and DBAs play a crucial role Extract ids and privileges. Access Review must cover all ids at the server Extract ids and privileges. Access Review must cover all ids at the server Identify system accounts, global groups and privileges for each platform (Windows / UNIX) Identify system accounts, global groups and privileges for each platform (Windows / UNIX) Access/Authorization Rules for system Ids and Ids/groups supporting multiple servers and Ids for application/database access Access/Authorization Rules for system Ids and Ids/groups supporting multiple servers and Ids for application/database access -Administrators, Back-up Operators, Help Desk or Support teams Remaining ids require management approval Remaining ids require management approval

18 18 Access Review – Windows Server IdPrivilege GroupGroupNameJob TitleDepartment Persoanl ID1AdministratorDomain\AdministratorJohnSystem AdministratorDepartment IT Persoanl ID3AdministratorDomain\AdministratorLindaSystem AdministratorDepartment IT Persoanl ID4AdministratorDomain\AdministratorJoeSystem AdministratorDepartment IT Persoanl ID6AdministratorDomain\AdministratorRuby System Engineer - Production Application SupportDepartment IT Persoanl ID2AdministratorDomain\Domain AdministratorMary System Engineer - Production Application SupportDepartment IT Persoanl ID7AdministratorDomain\AdministratorTerryDevelopment EngineerDepartment IT Persoanl ID8Backup OperatorDomain\Back-up OperatorMikeAnalystDepartment IT Persoanl ID9AdministratorDomain\AdministratorWendyProject ManagerBusiness Unit 1 Persoanl ID5Power UserDomain\Global_Group_1RonBusiness AnalystBusiness Unit 2 SystemId1Power User Application X SystemId2Power User Application Y GroupId1User Right Developers, Department IT GroupId2User Right Business Unit 1

19 19 Windows Built-in Users and Built-in Groups Built-in Groups Built-in Users Account Operators Administrator AdministratorsAnonymous Authenticated Users Guest Backup Operators Local System Domain Admins Domain Computers Domain Controllers Domain Users Enterprise Admins Everyone Group Policy Creators Owners Guests Network Power Users Print Operators RAS and IAS Servers Remote Desktop Users Server Operators

20 20 Access Review – Mid-Range Databases Overview Oracle, SQL Server, Informix, Sybase Potential data exposure areas Critical data - Company financial data, Customer financial data Challenges Databases may not follow consistent user id or naming standards – difficulty in mapping individual users Provisioning may be managed by multiple groups User ids may be used for database processes Developers / Business user access to databases

21 21 Access Review – Mid-Range Databases Challenges (contd…) Oracle databases may not be using central authentication Application Ids with DBA privileges Approach Identify users with DBA and Non-DBA privileges for each database Provisioning -strict management approvals for DBA access SoD – Restrict Developers and Testers access Identify owners for Non-Personal Ids – access and passwords restrictions Minimize Group/Shared Ids access to the database

22 22 Access Review – Mid-Range Databases Approach Risk based approach – identify critical tables that contain sensitive data Risk based approach – identify critical tables that contain sensitive data Identify users with DBA and Non-DBA privileges for each database Identify users with DBA and Non-DBA privileges for each database Provisioning process - strict management approvals for DBA access Provisioning process - strict management approvals for DBA access SoD – Restrict Developers and Testers access to production SoD – Restrict Developers and Testers access to production

23 23 Access Review – Mid-Range Databases Approach (contd…) Explore AAA central authentication Explore AAA central authentication Authorization - Tables that contain sensitive data Authorization - Tables that contain sensitive data Logging and Auditing - monitor privileged user access Logging and Auditing - monitor privileged user access Access and Authorization rules for users with DBA Job Tiles and System Ids, Access and Authorization rules for users with DBA Job Tiles and System Ids, Quarterly review of all user ids Quarterly review of all user ids Ids with access and authorization rules Ids with access and authorization rules Remaining ids require management approval Remaining ids require management approval

24 24 Access Review – Mainframe Databases Overview DB2, IMS and Legacy Databases RACF Authentication Challenges Access can be granted independently databases, tables, views and datasets Some databases may have 1000s of tables Development/Test users - access to production environment Difficult to encrypt data in mainframe databases

25 25 Stakeholders - Engagement Engage Business unit contacts, Application contacts, System Administrators, Application Administrators, DBAs Engage Business unit contacts, Application contacts, System Administrators, Application Administrators, DBAs Access and Authorization RulesAccess and Authorization Rules Provisioning and De-provisioningProvisioning and De-provisioning Management approvalsManagement approvals Engage Security Compliance, Internal Audit and External Auditor to review for compliance Engage Security Compliance, Internal Audit and External Auditor to review for compliance

26 26 Summary – Access Review Access Review Standards and Processes Access Review Standards and Processes Access Review should include validation of access/authorization rules and management approvals Access Review should include validation of access/authorization rules and management approvals Provisioning processes - access/authorization rules and management approvals Provisioning processes - access/authorization rules and management approvals De-Provisioning process - terminations and users leaving the business. Automated processes to de-activate invalid user ids De-Provisioning process - terminations and users leaving the business. Automated processes to de-activate invalid user ids Central authentication - AAA (Authentication, Authorization and Accounting) Central authentication - AAA (Authentication, Authorization and Accounting)

27 27 Summary – Access Review (contd…) Contractors, Service Providers and Partners access review - contractual requirements and oversight Contractors, Service Providers and Partners access review - contractual requirements and oversight Group/Shared Ids - ownership and access restrictions. (password expiration at periodic intervals and when users leave the business or transfer within the company) Group/Shared Ids - ownership and access restrictions. (password expiration at periodic intervals and when users leave the business or transfer within the company) Development/Business users - restricted access to production databases and operating systems and least privileged access Development/Business users - restricted access to production databases and operating systems and least privileged access Logging and Auditing - monitor privileged user access Logging and Auditing - monitor privileged user access Remote Network Access, Network Element Access & Central Authentication - Access Review Remote Network Access, Network Element Access & Central Authentication - Access Review

28 28 Q & A


Download ppt "1 How to Engineer an Effective Access Review Program Ram Ramadoss, Staff Information Security Engineer, September 25, 2008."

Similar presentations


Ads by Google