Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privileged Account Management Jason Fehrenbach, Product Manager.

Published byAubrie Grimble Modified over 9 years ago

Similar presentations

Presentation on theme: "Privileged Account Management Jason Fehrenbach, Product Manager."— Presentation transcript:

1 Privileged Account Management Jason Fehrenbach, Product Manager

2 Customer Use Cases - Introduction A US-based Natural Gas and Electric company serving multiple states Project Requirements –Only grant access to shared administrative accounts with pre-approval based on established policy –Need to provide ‘firecall’ functionality –Needed to delegate administrative access for Separation of Duty (SoD) –Required logging of Windows administrator activity –Needed to consolidate Unix identities into Active Directory to streamline provisioning, password management and privilege account management

3 Customer Use Cases - Introduction A global leader in payment processing Project Requirements –Needed to centralize accounts and get control over passwords and user lifecycles –Needed to replace NIS and provide centralized authentication –Needed to restrict and audit what users could do but at the same time provide for users to carry on with their day-to-day jobs –Needed to provide controls around shared administrative passwords –Needed to rotate administrative account passwords regularly –Needed to correlate and audit administrative activity with the actual end user

4 Delegation PAM Sub-Categories Use Case – Utility Company Needed to consolidate Unix identities into Active Directory to streamline provisioning, password management and privilege account management Use Case - Payment Processing Needed to centralize accounts and get control over passwords and user lifecycles Needed to replace NIS and provide centralized authentication PRIVILEGES Privilege Sessions AD Bridge Shared Passwords PLATFORMS Operating Systems

5 Delegation Use Case – Utility Company Only grant access to shared administrative accounts with pre-approval based on established policy Need to provide ‘firecall’ functionality Use Case - Payment Processing Needed to provide controls around shared administrative accounts Needed to rotate administrative account passwords regularly PRIVILEGES PLATFORMS Privilege Sessions Shared Passwords Operating Systems Network Devices Databases Applications AD Bridge PAM Sub-Categories

6 Delegation PRIVILEGES Privilege Sessions Shared Passwords AD Bridge PAM Sub-Categories

7 Delegation PRIVILEGES Privilege Sessions Shared Passwords AD Bridge PAM Sub-Categories

8 PROTOCOLS RDP VNC PRIVILEGES 3270 4690 5250 SSH TELNET HTTP HTTPS Delegation Shared Passwords Privilege Sessions AD Bridge Use Case – Utility Company Required logging of Windows administrator activity PAM Sub-Categories

9 PLATFORMS Operating Systems PRIVILEGES Privilege Sessions Shared Passwords Delegation AD Bridge Use Case – Utility Company Needed to provide find-grained delegation of administrative (root) access for Separation of Duty (Sod) Use Case - Payment Processing Needed to restrict and audit what users could but at the same time provide for users to carry on with their day-to-day jobs Needed to correlate and audit administrative activity with the actual end- user PAM Sub-Categories

10 PRIVILEGES Privilege Sessions Shared Passwords Delegation AD Bridge How do I allow users to perform elevated tasks on Unix without losing control of the root password? Pair a password vault with a delegation solution Common delegation solutions Native OS solutions (RBAC implementations) The open source Sudo project The Commercial Unix Security space Unix Delegation: Problem Statement

11 PRIVILEGES Privilege Sessions Shared Passwords Delegation AD Bridge What did we discover? Result? Companies would: Purchase a PAM sol’n only for their highest risk machines Hate having to re-train admins & help desk staff on a new syntax “Bend” sudo in crazy ways Result? Companies would: Purchase a PAM sol’n only for their highest risk machines Hate having to re-train admins & help desk staff on a new syntax “Bend” sudo in crazy ways Commercial 3 rd party solutions ~3,000 customers Native OS options sudo Linux: 7.5M servers Unix: 2.8M servers Mac: 2.0M servers No focus on this segment!

12 PRIVILEGES Privilege Sessions Shared Passwords Delegation AD Bridge Sudo v1.7 and earlier

13 PRIVILEGES Privilege Sessions Shared Passwords Delegation AD Bridge How do I easily provide access control reports? How do I deal with sudoers? How to manage it, distribute it, etc How do I enable central keystroke logging? How do I know what is going on across lots of systems? How do I provide more fine-grain control in the policy? Field Feedback: Common Pain and Trends

14 PRIVILEGES Privilege Sessions Shared Passwords Delegation AD Bridge Sudo v1.8 and the new plug-in API

15 PRIVILEGES Privilege Sessions Shared Passwords Delegation AD Bridge Example architecture using plug-in API

16 PRIVILEGES Privilege Sessions Shared Passwords Delegation AD Bridge Sudo Reporting Access Control Report Event Activity Commands run Policy changes Deployment Preflight and sudo plug-in installation Policy Management Editor, Versioning, Rollback Keystroke Logging Search, Playback Separation of Duty Example pain points that the plug-in API can assist with

17 PRIVILEGES Privilege Sessions Shared Passwords Delegation AD Bridge http://www.sudo.ws/sudo/sudo-rbac.html (April 12, 2012)http://www.sudo.ws/sudo/sudo-rbac.html New security policy format Designed for the needs of the enterprise Include an API to support analysis and reporting tools Support grouping of commands and options in logical units Facility management of sudoers by multiple stake-holders Time based policy rules Data source plug-ins SUDO v2.0: Design Phase

18 PRIVILEGES Privilege Sessions Shared Passwords Delegation AD Bridge SUDO v2.0: Design Phase

19 19 ©2011 Quest Software, Inc. All rights reserved.. Simplify Account Management Manage Access to Business Critical Information Audit User Activity Privileged Account Management Access Governance Privileged Account Management Complete Identity & Access Management Understand & Control Administrator Activity Identity Administration User Activity Monitoring

20 Thank You

21 Centrally view sudo event activity

22 Search and filter sudo event logs

23 Manage local accounts

24 Replay sudo sessions

25 Detailed Sudo access control reporting

26 Separation of Duty

Download ppt "Privileged Account Management Jason Fehrenbach, Product Manager."

Similar presentations

This course is designed for system managers/administrators to better understand the SAAZ Desktop and Server Management components Students will learn.

This course is designed for system managers/administrators to better understand the SAAZ Desktop and Server Management components Students will learn.
Agenda 2 factor authentication Smart cards Virtual smart cards FIM CM

Agenda 2 factor authentication Smart cards Virtual smart cards FIM CM
Complete Event Log Viewing, Monitoring and Management.

Complete Event Log Viewing, Monitoring and Management.
BalaBit Shell Control Box

BalaBit Shell Control Box
Complete Event Log Viewing, Monitoring and Management.

Complete Event Log Viewing, Monitoring and Management.
Privileged Identity Management Enterprise Password Vault

Privileged Identity Management Enterprise Password Vault
Audit Issues regarding Passwords on Elevated Privilege Accounts Gene Scheckel Global Internal Audit.

Audit Issues regarding Passwords on Elevated Privilege Accounts Gene Scheckel Global Internal Audit.
Www.tectia.com COPYRIGHT © 2010 TECTIA CORPORATION. ALL RIGHTS RESERVED. Proactive Measures to Prevent Data Theft Securing, Auditing and Controlling remote.

COPYRIGHT © 2010 TECTIA CORPORATION. ALL RIGHTS RESERVED. Proactive Measures to Prevent Data Theft Securing, Auditing and Controlling remote.
IBM Software Group ® Accessing Domino via Outlook iNotes Access for Microsoft Outlook - Notes Domino 5.5 – 6.0.1 Domino Access for MS Outlook - Notes Domino.

IBM Software Group ® Accessing Domino via Outlook iNotes Access for Microsoft Outlook - Notes Domino 5.5 – Domino Access for MS Outlook - Notes Domino.
The Business Value of CA Solutions Ovidiu VALEANU Senior Consultant DNA Software – CA Regional Representative.

The Business Value of CA Solutions Ovidiu VALEANU Senior Consultant DNA Software – CA Regional Representative.
Active Directory: Final Solution to Enterprise System Integration

Active Directory: Final Solution to Enterprise System Integration
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Identity and Access Management

Identity and Access Management
Copyright © 2015 Centrify Corporation. All Rights Reserved. 1 Single Identity – Multiple services how do I stay compliant? Wade Tongen NA Commercial SE.

Copyright © 2015 Centrify Corporation. All Rights Reserved. 1 Single Identity – Multiple services how do I stay compliant? Wade Tongen NA Commercial SE.
Authentication and authorization Access control consists of two steps, authentication and authorization. Subject Do operation Reference monitor Object.

Authentication and authorization Access control consists of two steps, authentication and authorization. Subject Do operation Reference monitor Object.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 7 Configuring File Services in Windows Server 2008.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 1: Introduction to Windows Server 2003.
Winter 2005-2006 Consolidated Server Deployment Guide for Hosted Messaging and Collaboration version 3.5 Philippe Maurent Principal Consultant Microsoft.

Winter Consolidated Server Deployment Guide for Hosted Messaging and Collaboration version 3.5 Philippe Maurent Principal Consultant Microsoft.
Chapter 7 WORKING WITH GROUPS.

Chapter 7 WORKING WITH GROUPS.

Similar presentations

Ads by Google