Copyright © 2015 Centrify Corporation. All Rights Reserved.

Slide 1: Single Identity – Multiple Services: How Do I Stay Compliant?
Wade Tongen, NA Commercial SE Manager, Wade.tongen@centrify.com
Slide 2: Agenda
- Overview of Today's Environment
- Common Themes of Today's Standards
- Identity Topics
- The New Perimeter
- Controlling Privileged Access
- Accountability for Privileged Actions
Slide 3: The Modern IT Enterprise
(Diagram: "The Business of IT" with Staff, Security, Infrastructure, Budget and Employees on one side, and SaaS, Outsourced IT and Infrastructure as a Service on the other.)
Slide 4: ...and Harder to Manage as Infrastructure Evolves
(Diagram: a single identity now spans Desktops, Data Center Apps, Data Center Servers, Cloud (IaaS & PaaS), Cloud (SaaS), Mobile and Big Data.)
Slide 5: Core Challenges in Managing Privileged Identity
- Threats & breaches (headlines shown: "Disgruntled IT Worker Holds Company Hostage", "Snowden Used Low-Cost Tool to Scrape N.S.A.", "Massive Retailer Identity Theft")
- The modern enterprise: over-privileged users, APTs & malware, insider threats, data center heterogeneity
- Regulations: SOX, PCI, FISMA, NIST 800-53, HIPAA
Slide 6: Regulations Share Common Tenets
Whatever the standard, many of the themes are common:
- Generic accounts are bad: have users access services and applications as themselves rather than as administrator, root, SA or oracle
- Have a least-privilege model: if there is no business need for an access right, the user should not have it
- Accountability for actions: essential for privileged actions
- Lock down shared accounts: for the cases where there is no other option
Slide 7: Identity Management Needs to Be Holistic
Slide 8: The Common/Weakest Link
Slide 9: Identity at the Center of Cyber Attacks...
(Diagram: identity as the common element between end users and privileged users.)
Slide 10: Unify Identity Management Stores Where Possible...
(Diagram: Desktops, Data Center Apps, Data Center Servers, Cloud (IaaS & PaaS), Cloud (SaaS), Mobile and Big Data consolidated onto a single identity store, MS AD or LDAP, giving a reduced identity footprint.)
Slide 11: The Case for a Reduced Identity Footprint
- Users are, and will continue to be, the weak link in the security chain
- The more identities a user has, the more likely they are to:
  - Choose weaker passwords
  - Reuse the same password
  - Store passwords on a sticky note
  - Store passwords in a spreadsheet
  - Store passwords in a browser without institutional control
  - Use a personal password product
Slide 12: The Traditional Thought Was That the Firewall Was the Perimeter
This approach worked much better before the:
- Explosion of virtualization
- Mobile workforce
- SaaS offerings
- Elastic environments
Slide 13: The Paradigm Shift Means the Identity Is the New Perimeter
(Diagram: a ring of "IDENTITY" labels surrounding the environment.)
- Authenticate
- Determine Access
- Enforce Policies
- Track
Slide 14: So Where Do We Consolidate? MS Windows
- Use SSPI (Security Support Provider Interface)
- Built into MS applications
- Leverages Kerberos or NTLM to provide a single identity
- External trusts are possible between environments
Slide 15: So Where Do We Consolidate? UNIX/Linux
- Utilize PAM authentication: trust the OS for authentication
- Use GSSAPI (Generic Security Services Application Program Interface)
- Supported by open source and commercial vendors
- Leverages Kerberos or NTLM to provide a single identity
- External trusts are possible between environments
Slide 16: So Where Do We Consolidate? Applications
- Utilize PAM authentication: trust the OS for authentication
- Use SSPI & GSSAPI (Generic Security Services Application Program Interface)
- In the data center: leverage Kerberos or NTLM
- In the cloud: leverage SAML and OAuth
Slide 17: So Where Do We Consolidate? Infrastructure
- Routers, switches, appliances
- Typically accessed via CLI or web interface using local accounts
- External protocols such as RADIUS and LDAP
Slide 18: Best Practices for Controlling Privileged Identity
Slide 19: Path to Reducing Identity-related Risk for Privileged Users
(Diagram: moving privileged accounts and individual accounts from a poor risk profile to an optimized risk profile.)
- Poor risk profile: many privileged passwords; individual identities with unstructured access; many identity silos
- Optimized risk profile: least-privilege access; single identity source; limited number of privileged accounts (root, local admin, service accounts)
Slide 20: Two Main Ways to Control Privileged Identities
- Super User Privilege Management (SUPM): assigning the privilege to users or groups at the OS or device level
- Shared Account Password Management (SAPM): assigning a user temporary access to accounts such as root, Administrator, SA, Oracle
(Diagram label: Data Center Servers)
Slide 21: Super User Privilege Management
- OS level: can grant granularity down to individual executables
  - UNIX/Linux: sudo & 3rd-party tools; take extra precautions if the tool modifies the kernel
  - Windows: MS GPO & 3rd-party tools
  - A single cross-platform architecture would be easiest to deploy
- Applications: typically defined in the application, but try to externalize the authentication
- Appliances: typically configured in the context of the device
(Diagram label: Data Center Servers)
Slide 22: Shared Account Privilege Management
- Typically implemented with a vaulted password in an appliance, virtual appliance, or service
- The password is checked out/in, or provided without the user ever knowing it
- A complete log of who had access to which privileged account and when
- Some typical needs for this are:
  - Break glass
  - Loss of connectivity
  - Appliances that do not support external authentication
  - Service accounts
(Diagram label: Data Center Servers)
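The check-out/check-in pattern on this slide, as an added example (not the presentation's or Centrify's code): a minimal Python vault that allows one holder at a time, bounds each checkout to a time window, rotates the password on check-in or when a lapsed checkout is taken over, and records who held which account on which host and when. Host, account and password values are constructed, and the 30-minute window and 24-character random password are assumptions.

```python
import secrets
import string
from datetime import datetime, timedelta, timezone


class SharedAccountVault:
    """Toy SAPM vault (added example): single holder, time-limited checkout, rotation, audit trail."""

    def __init__(self, accounts, ttl_minutes=30):
        # accounts: {(host, account): current_password}; values here are constructed samples
        self._secrets = dict(accounts)
        self._checkouts = {}   # (host, account) -> (holder, expires_at)
        self.audit = []        # (timestamp, event, user, host, account)
        self.ttl = timedelta(minutes=ttl_minutes)

    def _log(self, event, user, key, now):
        self.audit.append((now.isoformat(), event, user, key[0], key[1]))

    def _rotate(self, key):
        # Fresh random password so any previously disclosed value stops working
        alphabet = string.ascii_letters + string.digits
        self._secrets[key] = "".join(secrets.choice(alphabet) for _ in range(24))

    def checkout(self, user, host, account, now=None):
        # Hand the shared account's password to `user` for one TTL window
        now = now or datetime.now(timezone.utc)
        key = (host, account)
        if key not in self._secrets:
            raise KeyError(f"unknown account {account}@{host}")
        holder = self._checkouts.get(key)
        if holder and holder[0] != user:
            if holder[1] > now:
                self._log("checkout-denied", user, key, now)
                raise PermissionError(f"{account}@{host} is held by {holder[0]}")
            # Previous holder's window lapsed without check-in: rotate before handing over
            self._rotate(key)
            self._log("expired-rotated", holder[0], key, now)
        self._checkouts[key] = (user, now + self.ttl)
        self._log("checkout", user, key, now)
        return self._secrets[key]

    def checkin(self, user, host, account, now=None):
        # Release the account; the value that was handed out is rotated immediately
        now = now or datetime.now(timezone.utc)
        key = (host, account)
        holder = self._checkouts.get(key)
        if not holder or holder[0] != user:
            raise PermissionError(f"{user} does not hold {account}@{host}")
        self._rotate(key)
        del self._checkouts[key]
        self._log("checkin-rotated", user, key, now)
```

The audit list is the attribution record the slide calls for: every entry names the individual, not the shared account, as the actor.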
Slide 23: ...to Enable Maximum Security for Privileged Users
- Privileged accounts: check out the account password; log in as the shared account; attribute account use to the individual
- Individual accounts: log in as yourself; elevate privilege when needed; attribute activity to the individual
- Centrify manages identity for both individual and privileged accounts for maximum security + IT efficiency
Core rule: "Get users to log in as themselves, while maximizing control of privileged accounts"
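The core rule above, together with the "generic accounts are bad" and least-privilege tenets from the Regulations slide, can be checked against authentication logs. This added example (not from the presentation or from Centrify) scans constructed syslog-style sshd and sudo lines and flags two things: direct logins to shared accounts such as root or oracle, and sudo elevations to an executable outside the user's allow-list. The shared-account set and the per-user allow-list are assumptions standing in for a real sudoers policy.

```python
import re

# Constructed sample auth log lines; not taken from any real system
SAMPLE_LOG = """\
Jan 10 09:01:02 db01 sshd[2011]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Jan 10 09:01:30 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
Jan 10 09:05:11 db01 sshd[2044]: Accepted password for root from 10.0.0.9 port 51100 ssh2
Jan 10 09:07:40 db01 sshd[2051]: Accepted password for oracle from 10.0.0.12 port 51233 ssh2
Jan 10 09:09:05 db01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
"""

# Accounts that should never be logged into directly (assumed list, mirrors the slide's examples)
SHARED_ACCOUNTS = {"root", "administrator", "sa", "oracle"}

# Per-user allow-list of executables, i.e. the granular sudo grants the SUPM slide describes (assumed)
ALLOWED = {"alice": {"/usr/bin/systemctl"}, "bob": {"/usr/bin/tail"}}

LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*USER=(\S+) ; COMMAND=(\S+)")


def review(log_text):
    """Return findings as (kind, user, detail) tuples in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            user, src = m.groups()
            # A login straight into a shared account has no individual to attribute to
            if user.lower() in SHARED_ACCOUNTS:
                findings.append(("shared-login", user, src))
            continue
        m = SUDO_RE.search(line)
        if m:
            user, target, cmd = m.groups()
            # Elevation is attributable to `user`, but the executable must be within their grant
            if cmd not in ALLOWED.get(user, set()):
                findings.append(("sudo-outside-allowlist", user, cmd))
    return findings


if __name__ == "__main__":
    for kind, user, detail in review(SAMPLE_LOG):
        print(f"{kind}: {user} ({detail})")
```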
Slide 24: Accountability for Privileged Actions
Slide 25: Auditing & Compliance
- Privileged session monitoring (PSM) for Linux, UNIX, Windows and appliances
- No anonymous activity, with a complete session record
- All activity associated to a single identity across all platforms
- User session auditing with video and searchable event records
- Must scale to tens of thousands of systems; data stored in a SQL database
- Satisfies regulatory mandates including PCI, HIPAA, SOX and ISO
- A single audit store across individual and privileged access
(Diagram: Network Monitoring, Privileged Access Security and Perimeter Firewall layers; Report and Replay Privileged Sessions; Data Center Servers.)
Slide 26: Thank You