Privileged Account Security: A Balanced Approach to Securing Unix Environments


Table of Contents

Introduction
Every User is a Privileged User
Privileged Account Security: A Balanced Approach
Privileged Credential Management
Account and Key Discovery: Inventory privileged accounts and credentials
Credential Security and Management: Protecting privileged passwords and SSH keys
Controls for User Credentials
Controls for Application Credentials
Least Privilege and Access Control
Shared Accounts: Introducing individualized control and accountability
Individual Accounts: Enabling the necessary privileges, but no more
Individual Accounts: Streamlining privileged identity management
Session Management
Session Isolation: Protect critical systems from malware and uncontrolled access
Session Recording: Gain a complete audit trail of user activity
Session Monitoring: Detect and terminate suspicious activity in real-time
Behavioral Threat Analytics
Behavioral analysis: Using anomaly detection to rapidly identify threats
Strengthen and Simplify Unix Security
CyberArk Privileged Account Security

Cyber-Ark Software Ltd. cyberark.com

Introduction

Enterprise IT environments can contain hundreds or thousands of Unix systems, all of which are accessed by privileged users on a regular basis. However, unlike Windows environments that offer centralized administration, Unix systems operate in silos and offer no native capabilities for central management. As a result, it is incredibly difficult for Unix security teams to manage identities, control access rights or know who is doing what on critical Unix systems.

This document will outline common challenges within Unix environments, offer recommendations on how to address those challenges, and describe how CyberArk Privileged Account Security solutions can work together to help organizations better secure and manage privileged access within these environments.

Every User is a Privileged User

The greatest challenge facing Unix security teams is that, in Unix environments, every user is a privileged user. Unix users, by nature, include systems administrators, security administrators, and network administrators, all of whom have privileged access, including root access, to critical systems and sensitive data. Without clear visibility and control over what these users are able to do, organizations will continue to face several security and compliance challenges that simply cannot be left unaddressed.

Compounding the security and compliance challenges are the perceived tradeoffs of Unix security. In the past, Unix security has often been viewed as an all or nothing decision; teams have felt forced to choose between locking down systems and keeping users productive. However, with the right tools, organizations can now implement a balanced approach that protects critical accounts and systems, yet enables administrators to carry out their day-to-day responsibilities without being impacted.
Privileged Account Security: A Balanced Approach

Privileged account security solutions offer a balanced approach to help organizations better secure, manage and control Unix environments while keeping users productive. An optimal privileged account security solution should offer the capabilities needed to achieve end-to-end protection of all privileged accounts, including:

- Credential Management
- Least Privilege and Access Control
- Session Management
- Behavioral Threat Analytics

By implementing controls in each of these areas, organizations can secure, manage and control access within their Unix environments without impacting user productivity.

Without clear visibility and control over what Unix users are able to do, organizations will continue to face several security and compliance challenges that simply cannot be left unaddressed.

Privileged Credential Management

To effectively protect privileged accounts, and therefore the systems and data accessed by those accounts, organizations should proactively secure and manage privileged account credentials, including both passwords and SSH keys. When taking steps to protect privileged credentials, it's crucial that organizations consider both interactive user credentials and application credentials, as both enable privileged account access and can be exploited by malicious users to facilitate a data breach.

Account and Key Discovery: Inventory privileged accounts and credentials

Due to the decentralized nature of Unix environments and lack of native management tools, it's often very difficult for security teams to see what accounts and keys exist, much less know who has access to what. Without this baseline visibility, it's impossible for IT to secure, manage or control access to these privileged accounts and credentials.

The CyberArk Discovery and Audit tool provides the visibility organizations need to begin taking control of Unix environments. The Discovery and Audit tool enables organizations to locate all privileged accounts and SSH keys, as well as map trust relationships between users and systems. The data enables security teams to clearly see which accounts and keys are compliant with organization policy, which require attention and which should be removed altogether. Armed with this information, organizations can set an actionable plan to clean up their environment and begin securing and managing privileged credentials.

Credential Security and Management: Protecting privileged passwords and SSH keys

After locating privileged user and application accounts and SSH keys, organizations should proactively secure, rotate and control access to their privileged account credentials.
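The inventory step described under Account and Key Discovery (find privileged accounts, find the SSH keys that open them, and map which key reaches which system) can be sketched as follows. This is an added example, not CyberArk code or the Discovery and Audit tool; the host names, file contents, key material and the choice of `wheel` and `sudo` as admin groups are constructed assumptions.

```python
import base64
import hashlib
import re
from collections import defaultdict

ADMIN_GROUPS = {"wheel", "sudo"}  # assumption: groups that sudoers maps to root
KEY_RE = re.compile(r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)"
                    r"\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$")


def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def privileged_accounts(passwd_text, group_text):
    """Return {account: [reasons]} for UID 0 accounts and admin-group members."""
    reasons, admin_gids = defaultdict(list), {}
    for line in group_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 4 and parts[0] in ADMIN_GROUPS:
            admin_gids[parts[2]] = parts[0]
            for member in filter(None, parts[3].split(",")):
                reasons[member].append("member of " + parts[0])
    for line in passwd_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 7:
            continue
        name, uid, gid = parts[0], parts[2], parts[3]
        if uid == "0":  # any UID 0 account is root, whatever it is called
            reasons[name].append("uid 0")
        if gid in admin_gids:  # primary group is not listed in the member field
            reasons[name].append("primary group " + admin_gids[gid])
    return dict(reasons)


def parse_authorized_keys(text):
    """Yield (options, fingerprint, comment) for each valid key line."""
    for line in map(str.strip, text.splitlines()):
        match = KEY_RE.search(line)
        if line.startswith("#") or not match:
            continue
        try:
            fp = fingerprint(match.group(2))
        except ValueError:  # malformed base64: skip the line, keep scanning
            continue
        yield line[:match.start(1)].strip(), fp, match.group(3) or ""


def build_inventory(hosts):
    """Flatten all hosts into records linking account, privilege and key."""
    records = []
    for host, data in sorted(hosts.items()):
        priv = privileged_accounts(data["passwd"], data["group"])
        for account, text in sorted(data["authorized_keys"].items()):
            for options, fp, comment in parse_authorized_keys(text):
                records.append({"host": host, "account": account,
                                "privileged": priv.get(account, []),
                                "fingerprint": fp, "comment": comment,
                                "restricted": bool(options)})
    return records


def shared_privileged_keys(records):
    """Map each key that opens privileged accounts on 2+ hosts to its targets."""
    reach = defaultdict(set)
    for r in records:
        if r["privileged"]:
            reach[r["fingerprint"]].add((r["host"], r["account"]))
    return {fp: sorted(f"{h}:{a}" for h, a in t) for fp, t in reach.items()
            if len({h for h, _ in t}) > 1}


# Constructed sample data: not real key material, hosts or accounts.
KEY_A, KEY_B, KEY_C = (base64.b64encode(f"constructed key {n}".encode()).decode()
                       for n in "ABC")
HOSTS = {
    "db01": {
        "passwd": "root:x:0:0:root:/root:/bin/bash\n"
                  "toor:x:0:0:legacy:/root:/bin/bash\n",
        "group": "wheel:x:10:alice\n",
        "authorized_keys": {"root": (
            f"ssh-ed25519 {KEY_A} alice@laptop\n"
            f'from="10.0.0.5",command="/usr/local/bin/backup" '
            f"ssh-ed25519 {KEY_B} backup@jump\n")},
    },
    "web01": {
        "passwd": "root:x:0:0:root:/root:/bin/bash\n"
                  "deploy:x:1003:27::/home/deploy:/bin/bash\n",
        "group": "sudo:x:27:\n",
        "authorized_keys": {"root": f"ssh-ed25519 {KEY_A} alice@laptop\n",
                            "deploy": f"ssh-ed25519 {KEY_C} ci@build\n"},
    },
}

if __name__ == "__main__":
    for fp, targets in shared_privileged_keys(build_inventory(HOSTS)).items():
        print(fp, "->", ", ".join(targets))
```

Each record also carries a `restricted` flag, so keys on privileged accounts that lack a `from=` or `command=` restriction can be filtered out for review.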
The CyberArk Digital Vault provides a highly secure repository for storing sensitive account passwords and private SSH keys, and it supports strong access controls to help ensure that only authorized users, applications or systems are able to access these credentials. Using the Digital Vault, organizations can centrally manage access to most all privileged accounts, including but not limited to those on Unix systems, Windows systems, databases, and network devices, both on-premises and in the cloud.

To comply with best practices, as well as to reduce the risk of compromise with a stolen credential, organizations should proactively rotate privileged passwords and SSH keys. Using CyberArk Enterprise Password Vault and CyberArk SSH Key Manager, security teams can automate password and key pair rotation, set policies to rotate these credentials at regular intervals and rotate credentials on-demand as needed.

When securing and managing privileged account credentials, it's important to keep in mind the nuanced differences between privileged user credentials and privileged application credentials. While both types of credentials require centralized security, rotation and access controls, the approaches should be slightly different in order to maintain user productivity and application availability.

Controls for User Credentials:

Once user credentials are securely stored and managed in the Digital Vault, security teams should set policies to ensure that only authorized users are able to access authorized credentials. To do this, CyberArk solutions enable organizations to create access control policies based on individual users or user groups. Customizable workflows enable users to request access to credentials with elevated privileges as needed for business purposes, and integrations with IT ticketing systems are available to validate approvals.

For added control, organizations can require two-factor authentication before users may gain access to credentials in the Digital Vault. This not only helps to strengthen security, but also enforces strong authentication to protected systems, as required by some regulations and industry standards.

Controls for Application Credentials:

Applications that run automated processes often rely on embedded passwords or locally stored SSH keys for authentication, both of which are stored in plaintext. These credentials can be copied by anyone inside the network and can be exploited to propagate unauthorized privileged access across the environment. To remediate this vulnerability, organizations should remove plaintext credentials from applications and scripts and instead securely store, rotate and control access to them.

CyberArk Application Identity Manager enables organizations to remove hard-coded passwords and locally stored SSH keys from applications and scripts, and instead stores these credentials in the Digital Vault where they can be called only as needed. The solution offers high availability, helping organizations strengthen security and meet compliance requirements while ensuring that business critical applications are always available, even in the event of a network outage.

As an added control, CyberArk Application Identity Manager includes advanced authentication capabilities, which authenticate applications before granting them access to privileged credentials. This helps to ensure that spoofed applications are unable to steal privileged passwords or SSH keys.

Least Privilege and Access Control

In an ideal scenario, each administrative user would have a personalized, controllable, auditable account that is known and used only by that user. Better, these accounts could be tailored so that each user has all the privileges needed for day-to-day responsibilities but no more. The trouble is, in reality, this scenario is all too often infeasible.
Because Unix environments are incredibly siloed and each account on each system requires its own identity, the use of individual user accounts can create far more identities than IT can reasonably be expected to manage. As a result, organizations frequently resort to using shared administrative accounts, which are incredibly difficult to control and, for simplicity, often provide more privileges than the majority of users require. With shared accounts, security and audit teams have no way to know who did what, much less know which users have access to each account. Worse, shared account credentials can be easily shared between authorized and unauthorized users, and oftentimes less-privileged users receive, by default, unnecessary root privileges.

To help Unix security teams better control privileged user access in these siloed environments, CyberArk provides tools to remove unnecessary root privileges, enforce least privilege at the user level and gain auditability at the user level regardless of whether an organization is using individual accounts, shared accounts or a combination of both. CyberArk solutions help organizations enforce practical least privilege policies, allowing for granular access controls and better reporting without compromising productivity.

Shared Accounts: Introducing individualized control and accountability

To gain individualized control over shared accounts, organizations should store shared account credentials in a secure repository and then control which users may access those credentials. Using CyberArk, organizations can secure shared privileged passwords and SSH keys in the Digital Vault and set policies based on user or user group that dictate who may access which credentials. Authorized users can be required to check out the shared credentials for use, providing security and audit teams with a complete audit trail of exactly which user accessed what account and when.
To ensure that an authorized user is unable to share the credential or gain unaudited access to a target system, organizations can opt to either mask the credential from the user or automatically rotate the credential after use.

To enforce the principle of least privilege to shared accounts, organizations can leverage automated workflows that enable less-privileged users to request access to shared credentials with elevated privileges. Using CyberArk Enterprise Password Vault and CyberArk SSH Key Manager, users can request access to passwords and keys with elevated privileges for legitimate business purposes. Only upon approval by the required approver(s) can the user gain temporary access to the elevated privileged account. With this approach, organizations can remove root privileges from less privileged users, while still providing a way for users to complete one-off, approved tasks that require root access.

Individual Accounts: Enabling the necessary privileges, but no more

When working towards a least-privilege model for individual user accounts, organizations should look to solutions that remove unnecessary root privileges and support user productivity while simultaneously helping IT teams simplify the management of so many identities.

Similar to shared credentials, organizations should securely store individual privileged account credentials in a digital vault to prevent their misuse and unauthorized sharing. Next, to limit privileges associated with each account, organizations should set policies that dictate which users or user groups may run which commands under what circumstances.

CyberArk On-Demand Privileges Manager acts as a sudo replacement, providing a restricted shell that allows for granular, centrally managed privilege controls. Using this solution, organizations can limit what commands may be run based on individual user or user group, as well as define what elevated privileges may be invoked for legitimate business purposes.
When a user does elevate privileges, CyberArk On-Demand Privileges Manager provides a full record of when it happened, for what purpose, and all commands run during that elevated session. As a result, security teams are able to remove unnecessary privileges, keep users productive by enabling limited elevated privileges, and gain a complete, tamper-proof audit trail of all elevated session activity.

Individual Accounts: Streamlining privileged identity management

To complement individualized least privilege controls, CyberArk offers Active Directory (AD) bridge capabilities to help organizations streamline and centralize the management of privileged user identities across both Unix and Windows systems.

Using CyberArk's AD bridge capabilities, organizations can define Unix user groups in AD and centrally manage privileged access policies for those user groups within CyberArk. As new Unix users are added to AD, the associated Unix accounts can be automatically provisioned, in accordance with policy, as needed. Similarly, as users leave the organization and their identities are deprovisioned from AD, the users will no longer be able to access any associated Unix accounts. As an added benefit, users may use their AD passwords to authenticate to Unix systems, thus reducing the total number of credentials each user must manage.

Session Management

Once privileged account credentials are secured, organizations should take steps to proactively control and review privileged user sessions on Unix systems. Effective controls include session isolation, session recording and real-time session monitoring. Using these controls, organizations can separate critical systems from potentially infected user devices, control how users access target systems, and verify that authorized users are only engaging in authorized session activity.

Session Isolation: Protect critical systems from malware and uncontrolled access

End users often work on devices that are difficult to control and vulnerable to malware. If a user on an infected machine were to directly access a target system, the malware could easily spread, thus infecting critical IT infrastructure and putting sensitive data at risk. To mitigate this risk, organizations should isolate critical systems while still ensuring that users can easily administer these systems.

CyberArk Privileged Session Manager acts as a secure jump server, separating vulnerable user devices from the critical systems that must be administered. As a result, organizations are able to prevent malware on end user devices from infecting target systems.

To ensure that users are unable to bypass this control, organizations should mask target system credentials and restrict traffic to the target. To prevent direct, uncontrolled access to critical target Unix systems, CyberArk Privileged Session Manager can facilitate seamless connections to target systems via the jump server without ever exposing users or their machines to the target's credentials. Additionally, organizations should lock down target systems to require that all privileged user sessions occur via the jump server. Such an architecture creates a single point of control for all privileged sessions and prevents users, both authorized and unauthorized, from gaining direct, uncontrolled access to critical systems.
Session Recording: Gain a complete audit trail of user activity

Once all privileged traffic is directed through a secure jump server, organizations can leverage controls on that jump server to record all privileged sessions. Using CyberArk Privileged Session Manager, organizations can gain a complete audit trail of all privileged session activity. That audit trail is then stored in the secure Digital Vault with full access controls, limiting viewership to only authorized members of the security or audit teams.

During an investigation, security teams can easily search session history to quickly understand what happened, what commands were run and which user executed them. Using detailed audit logs and recordings, security teams can accelerate incident investigation times and gain the opportunity to stop attackers before it's too late. Audit teams can leverage the same session logs and recordings to easily search for relevant activity and accelerate audit times.

Session Monitoring: Detect and terminate suspicious activity in real-time

For real-time awareness of privileged session activity, CyberArk Privileged Session Manager enables security teams to monitor privileged user activity in real-time. The solution also integrates with leading SIEM solutions so that security and incident response teams can gain real-time alerts on suspicious, unauthorized activity. Using CyberArk Privileged Session Manager, security teams can detect suspicious, unauthorized activity in real-time, instantly locate the session, and remotely terminate it, thus disrupting the potential attack while in-progress.

Behavioral Threat Analytics

In today's threat environment, organizations must do everything they can to proactively protect their critical systems and sensitive data, but they must also anticipate targeted and insider attacks that bypass proactive controls. The greatest risk associated with privileged accounts is that once one is compromised, attackers are able to freely move around the environment, locating and accessing sensitive data. And because these accounts allow attackers to hide in plain sight, deleting their tracks along the way, the attackers can operate undetected for months. Without the ability to detect abnormal privileged account activity, advanced and inside attackers can exfiltrate sensitive data before an organization even knows that a breach occurred.

Behavioral analysis: Using anomaly detection to rapidly identify threats

Cyber attackers behave differently than legitimate users, logging in at different times, from different locations, and accessing systems in different patterns. As such, these malicious users can hide from rules-based detection methods. However, it is much more difficult for them to hide from detection mechanisms that rely on behavioral pattern analysis.

Privileged accounts are an organization's last line of defense against a cyber attack. Once these accounts are compromised, the attackers have everything they need to successfully locate and steal the targeted data. At this point in a breach, the only way to thwart the attack is to locate anomalous privileged account activity that indicates a compromise and restrict the impacted accounts. CyberArk helps organizations do just that.

CyberArk Privileged Threat Analytics monitors all privileged user and account activity to establish a baseline of what is normal. Using a self-learning, statistical analysis engine, CyberArk Privileged Threat Analytics is able to rapidly detect and alert on any information that falls outside of that norm, indicating a potential attack in progress.
By alerting organizations to anomalous activity early, the solution enables organizations to accelerate incident detection times, reduces the window of opportunity for attackers, and gives security teams the opportunity to stop cyber criminals before they cause irreparable damage.

Strengthen and Simplify Unix Security

While the decentralized nature of Unix environments presents a series of challenges for IT and security administrators, these challenges can be overcome with the right tools. CyberArk's portfolio of products is designed to work together to help organizations strengthen security, even in the most complex, disparate IT environments. By centralizing the management of privileged Unix users, accounts, and credentials, CyberArk can help organizations strengthen security, accelerate threat detection and streamline identity management in Unix environments.

CyberArk's Privileged Account Security Solution delivers a single, unified platform from which organizations can centrally manage access control policies, proactively secure and rotate privileged account passwords and SSH keys, monitor and record all privileged session activity, and analyze privileged account behavior to rapidly detect threats. With CyberArk, organizations can protect their most critical assets and confidently prove compliance with regulatory requirements.

CyberArk Privileged Account Security

CyberArk's privileged account security portfolio offers a complete solution to protect, monitor, detect, alert, and respond to privileged accounts. Products within the portfolio include:

- Enterprise Password Vault fully protects privileged passwords based on privileged account security policies and controls who can access which passwords when.
- SSH Key Manager secures, rotates and controls access to SSH keys in accordance with policy to prevent unauthorized access to privileged accounts.
- Privileged Session Manager isolates, controls, and monitors privileged user access and activities on critical systems throughout most traditional on-premises and cloud environments.
- Application Identity Manager eliminates hard-coded passwords and locally stored SSH keys from applications, service accounts and scripts with no impact on application performance.
- On-Demand Privileges Manager allows for control and continuous monitoring of the commands super-users run based on their role and task.
- Privileged Threat Analytics analyzes and alerts on previously undetectable malicious privileged user behavior enabling incident response teams to disrupt and quickly respond to an attack.
- Endpoint Privilege Manager enables organizations to control privileges on the endpoint and contain attacks early in their lifecycle.

To learn more about the CyberArk Privileged Security Solution, please visit

All rights reserved. No portion of this publication may be reproduced in any form or by any means without the express written consent of CyberArk Software. CyberArk, the CyberArk logo and other trade or service names appearing above are registered trademarks (or trademarks) of CyberArk Software in the U.S. and other jurisdictions. Any other trade and service names are the property of their respective owners. U.S., Doc # 124

CyberArk believes the information in this document is accurate as of its publication date. The information is provided without any express, statutory, or implied warranties and is subject to change without notice.

CyberArk Software Ltd. cyberark.com


More information

SIEM Solutions from McAfee

SIEM Solutions from McAfee SIEM Solutions from McAfee Monitor. Prioritize. Investigate. Respond. Today s security information and event management (SIEM) solutions need to be able to identify and defend against attacks within an

More information

Comprehensive Database Security

Comprehensive Database Security Comprehensive Database Security Safeguard against internal and external threats In today s enterprises, databases house some of the most highly sensitive, tightly regulated data the very data that is sought

More information

Make security part of your client systems refresh

Make security part of your client systems refresh Make security part of your client systems refresh Safeguard your information with Dell Data Security Solutions while boosting productivity and reducing costs Your organization might have many reasons for

More information

Un SOC avanzato per una efficace risposta al cybercrime

Un SOC avanzato per una efficace risposta al cybercrime Un SOC avanzato per una efficace risposta al cybercrime Identificazione e conferma di un incidente @RSAEMEA #RSAEMEASummit @masiste75 Mauro Costantini - Presales Consultant Agenda A look into the threat

More information

THE EVOLUTION OF SIEM

THE EVOLUTION OF SIEM THE EVOLUTION OF SIEM Why it is critical to move beyond logs BUSINESS-DRIVEN SECURITY SOLUTIONS THE EVOLUTION OF SIEM Why it is critical to move beyond logs Despite increasing investments in security,

More information

RSA INCIDENT RESPONSE SERVICES

RSA INCIDENT RESPONSE SERVICES RSA INCIDENT RESPONSE SERVICES Enabling early detection and rapid response EXECUTIVE SUMMARY Technical forensic analysis services RSA Incident Response services are for organizations that need rapid access

More information

Cisco Advanced Malware Protection (AMP) for Endpoints Security Testing

Cisco Advanced Malware Protection (AMP) for Endpoints Security Testing Cisco Advanced Malware Protection (AMP) for Endpoints Security Testing 7 September 2018 DR180821E Miercom.com www.miercom.com Contents 1.0 Executive Summary... 3 2.0 Test Summary... 4 3.0 Product Tested...

More information

SailPoint IdentityIQ Integration with the BeyondInsight Platform. Providing Complete Visibility and Auditing of Identities

SailPoint IdentityIQ Integration with the BeyondInsight Platform. Providing Complete Visibility and Auditing of Identities SailPoint IdentityIQ Integration with the BeyondInsight Platform Providing Complete Visibility and Auditing of Identities Table of Contents Executive Summary... 3 Identity and Access Management... 5 BeyondTrust

More information

6 Key Use Cases for Securing Your Organization s Cloud Workloads. 6 Key Use Cases for Securing Your Organization s Cloud Workloads

6 Key Use Cases for Securing Your Organization s Cloud Workloads. 6 Key Use Cases for Securing Your Organization s Cloud Workloads 6 Key Use Cases for Securing Your Organization s Cloud Workloads 1 6 Key Use Cases for Securing Your Organization s Cloud Workloads Table of Contents Introduction: The Continuing Rise of Cloud Adoption

More information

7 Steps to Complete Privileged Account Management. September 5, 2017 Fabricio Simao Country Manager

7 Steps to Complete Privileged Account Management. September 5, 2017 Fabricio Simao Country Manager 7 Steps to Complete Privileged Account Management September 5, 2017 Fabricio Simao Country Manager AGENDA Implications of less mature privileged account management What does a more mature approach look

More information

Privilege Security & Next-Generation Technology. Morey J. Haber Chief Technology Officer

Privilege Security & Next-Generation Technology. Morey J. Haber Chief Technology Officer Privilege Security & Next-Generation Technology Morey J. Haber Chief Technology Officer mhaber@beyondtrust.com Agenda The Next-Gen Threat Landscape o Infomatics, Breaches & the Attack Chain o Securing

More information

Understand & Prepare for EU GDPR Requirements

Understand & Prepare for EU GDPR Requirements Understand & Prepare for EU GDPR Requirements The information landscape has changed significantly since the European Union (EU) introduced its Data Protection Directive in 1995 1 aimed at protecting the

More information

Safeguarding Privileged Access. Implementing ISO/IEC Security Controls with the CyberArk Solution

Safeguarding Privileged Access. Implementing ISO/IEC Security Controls with the CyberArk Solution Safeguarding Privileged Access Implementing ISO/IEC 27002 Security Controls with the CyberArk Solution Contents Executive Summary... Meeting an Internationally-Recognized Information Security Standard...

More information

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security

More information

FairWarning Mapping to PCI DSS 3.0, Requirement 10

FairWarning Mapping to PCI DSS 3.0, Requirement 10 FairWarning Mapping to PCI DSS 3.0, Requirement 10 Requirement 10: Track and monitor all access to network resources and cardholder data Logging mechanisms and the ability to track user activities are

More information

SOLUTION BRIEF ASSESSING DECEPTION TECHNOLOGY FOR A PROACTIVE DEFENSE

SOLUTION BRIEF ASSESSING DECEPTION TECHNOLOGY FOR A PROACTIVE DEFENSE SOLUTION BRIEF ASSESSING DECEPTION TECHNOLOGY FOR A PROACTIVE DEFENSE 1 EXECUTIVE SUMMARY Attackers have repeatedly demonstrated they can bypass an organization s conventional defenses. To remain effective,

More information

RSA INCIDENT RESPONSE SERVICES

RSA INCIDENT RESPONSE SERVICES RSA INCIDENT RESPONSE SERVICES Enabling early detection and rapid response EXECUTIVE SUMMARY Technical forensic analysis services RSA Incident Response services are for organizations that need rapid access

More information

GDPR: An Opportunity to Transform Your Security Operations

GDPR: An Opportunity to Transform Your Security Operations GDPR: An Opportunity to Transform Your Security Operations McAfee SIEM solutions improve breach detection and response Is your security operations GDPR ready? General Data Protection Regulation (GDPR)

More information

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

The SANS Institute Top 20 Critical Security Controls. Compliance Guide The SANS Institute Top 20 Critical Security Controls Compliance Guide February 2014 The Need for a Risk-Based Approach A common factor across many recent security breaches is that the targeted enterprise

More information

SOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE

SOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE PREPARATION FOR GDPR IS ESSENTIAL The EU GDPR imposes interrelated obligations for organizations handling

More information

Crash course in Azure Active Directory

Crash course in Azure Active Directory Crash course in Azure Active Directory Crash course in Azure Active Directory Competing today requires a focus on digital transformation and empowering everyone to be creative and work together securely.

More information

Bomgar Discovery Report

Bomgar Discovery Report BOMGAR DISCOVERY REPORT Bomgar Discovery Report This report is designed to give you important information about the privileged credentials regularly being used to access endpoints and systems on your network,

More information

RSA Solution Brief. The RSA Solution for VMware. Key Manager RSA. RSA Solution Brief

RSA Solution Brief. The RSA Solution for VMware. Key Manager RSA. RSA Solution Brief RSA Solution Brief The RSA Solution for VMware View: Managing Securing the the Lifecycle Virtual of Desktop Encryption Environment Keys with RSA Key Manager RSA Solution Brief 1 According to the Open Security

More information

MEETING ISO STANDARDS

MEETING ISO STANDARDS WHITE PAPER MEETING ISO 27002 STANDARDS September 2018 SECURITY GUIDELINE COMPLIANCE Organizations have seen a rapid increase in malicious insider threats, sensitive data exfiltration, and other advanced

More information

Defend Against the Unknown

Defend Against the Unknown Defend Against the Unknown Stay ahead of new threats with McAfee Endpoint Threat Defense solutions Targeted exploits. Ransomware. Explosive growth in zero-day malware. Organizations are locked in an ongoing

More information

Office 365 Buyers Guide: Best Practices for Securing Office 365

Office 365 Buyers Guide: Best Practices for Securing Office 365 Office 365 Buyers Guide: Best Practices for Securing Office 365 Microsoft Office 365 has become the standard productivity platform for the majority of organizations, large and small, around the world.

More information

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security

More information

ALIENVAULT USM FOR AWS SOLUTION GUIDE

ALIENVAULT USM FOR AWS SOLUTION GUIDE ALIENVAULT USM FOR AWS SOLUTION GUIDE Summary AlienVault Unified Security Management (USM) for AWS is a unified security platform providing threat detection, incident response, and compliance management

More information

HIPAA Regulatory Compliance

HIPAA Regulatory Compliance Secure Access Solutions & HIPAA Regulatory Compliance Privacy in the Healthcare Industry Privacy has always been a high priority in the health profession. However, since the implementation of the Health

More information

align security instill confidence

align security instill confidence align security instill confidence cyber security Securing data has become a top priority across all industries. High-profile data breaches and the proliferation of advanced persistent threats have changed

More information

External Supplier Control Obligations. Cyber Security

External Supplier Control Obligations. Cyber Security External Supplier Control Obligations Cyber Security Control Title Control Description Why this is important 1. Cyber Security Governance The Supplier must have cyber risk governance processes in place

More information

Ο ρόλος της τεχνολογίας στο ταξίδι της συμμόρφωσης με τον Γενικό Κανονισμό. Αντιγόνη Παπανικολάου & Νίκος Αναστόπουλος

Ο ρόλος της τεχνολογίας στο ταξίδι της συμμόρφωσης με τον Γενικό Κανονισμό. Αντιγόνη Παπανικολάου & Νίκος Αναστόπουλος Ο ρόλος της τεχνολογίας στο ταξίδι της συμμόρφωσης με τον Γενικό Κανονισμό Αντιγόνη Παπανικολάου & Νίκος Αναστόπουλος Providing clarity and consistency for the protection of personal data The General

More information

MITIGATE CYBER ATTACK RISK

MITIGATE CYBER ATTACK RISK SOLUTION BRIEF MITIGATE CYBER ATTACK RISK CONNECTING SECURITY, RISK MANAGEMENT & BUSINESS TEAMS TO MINIMIZE THE WIDESPREAD IMPACT OF A CYBER ATTACK DIGITAL TRANSFORMATION CREATES NEW RISKS As organizations

More information

RSA NetWitness Suite Respond in Minutes, Not Months

RSA NetWitness Suite Respond in Minutes, Not Months RSA NetWitness Suite Respond in Minutes, Not Months Overview One can hardly pick up a newspaper or turn on the news without hearing about the latest security breaches. The Verizon 2015 Data Breach Investigations

More information

Clearing the Path to Micro-Segmentation. A Strategy Guide for Implementing Micro- Segmentation in Hybrid Clouds

Clearing the Path to Micro-Segmentation. A Strategy Guide for Implementing Micro- Segmentation in Hybrid Clouds Clearing the Path to Micro-Segmentation A Strategy Guide for Implementing Micro- Segmentation in Hybrid Clouds Clearing the Path to Micro-Segmentation 1 More Clouds in the Forecast The migration of vast

More information

RSA Security Analytics

RSA Security Analytics RSA Security Analytics This is what SIEM was Meant to Be 1 The Original Intent of SIEM Single compliance & security interface Analyze & prioritize alerts across various sources The cornerstone of security

More information

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX 1 INTRODUCTION The MITRE Corporation Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK ) Matrix provides a model

More information

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting Microsoft Cloud Evangelist at Patriot Consulting Principal Systems Architect with 17 Years of experience Technical certifications: MCSE, MCITP Office

More information

Zero Trust on the Endpoint. Extending the Zero Trust Model from Network to Endpoint with Advanced Endpoint Protection

Zero Trust on the Endpoint. Extending the Zero Trust Model from Network to Endpoint with Advanced Endpoint Protection Zero Trust on the Endpoint Extending the Zero Trust Model from Network to Endpoint with Advanced Endpoint Protection March 2015 Executive Summary The Forrester Zero Trust Model (Zero Trust) of information

More information

SOLUTION BRIEF RSA SECURID SUITE ACCELERATE BUSINESS WHILE MANAGING IDENTITY RISK

SOLUTION BRIEF RSA SECURID SUITE ACCELERATE BUSINESS WHILE MANAGING IDENTITY RISK RSA SECURID SUITE ACCELERATE BUSINESS WHILE MANAGING IDENTITY RISK KEY BENEFITS AT A GLANCE Ensure your journey to the cloud is secure and convenient, without compromising either. Drive business agility

More information

WHITEPAPER. Enterprise Cyber Risk Management Protecting IT Assets that Matter

WHITEPAPER. Enterprise Cyber Risk Management Protecting IT Assets that Matter WHITEPAPER Enterprise Cyber Risk Management Protecting IT Assets that Matter Contents Protecting IT Assets That Matter... 3 Today s Cyber Security and Risk Management: Isolated, Fragmented and Broken...4

More information

Achieving End-to-End Security in the Internet of Things (IoT)

Achieving End-to-End Security in the Internet of Things (IoT) Achieving End-to-End Security in the Internet of Things (IoT) Optimize Your IoT Services with Carrier-Grade Cellular IoT June 2016 Achieving End-to-End Security in the Internet of Things (IoT) Table of

More information

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security

More information

Best Practices in Securing a Multicloud World

Best Practices in Securing a Multicloud World Best Practices in Securing a Multicloud World Actions to take now to protect data, applications, and workloads We live in a multicloud world. A world where a multitude of offerings from Cloud Service Providers

More information

IDENTITY: A KEY ELEMENT OF BUSINESS-DRIVEN SECURITY

IDENTITY: A KEY ELEMENT OF BUSINESS-DRIVEN SECURITY IDENTITY: A KEY ELEMENT OF BUSINESS-DRIVEN SECURITY Identity is replacing perimeter as the primary defensive frontline OVERVIEW Organizations have been grappling with identity and access management since

More information

SIEMLESS THREAT DETECTION FOR AWS

SIEMLESS THREAT DETECTION FOR AWS SOLUTION OVERVIEW: ALERT LOGIC FOR AMAZON WEB SERVICES (AWS) SIEMLESS THREAT DETECTION FOR AWS Few things are as important to your business as maintaining the security of your sensitive data. Protecting

More information

Securing Your Most Sensitive Data

Securing Your Most Sensitive Data Software-Defined Access Securing Your Most Sensitive Data Company Overview Digital Growth Means Digital Threats Digital technologies offer organizations unprecedented opportunities to innovate their way

More information

Security Enhancements

Security Enhancements OVERVIEW Security Enhancements February 9, 2009 Abstract This paper provides an introduction to the security enhancements in Microsoft Windows 7. Built upon the security foundations of Windows Vista, Windows

More information

Integrated McAfee and Cisco Fabrics Demolish Enterprise Boundaries

Integrated McAfee and Cisco Fabrics Demolish Enterprise Boundaries Integrated McAfee and Cisco Fabrics Demolish Enterprise Boundaries First united and open ecosystem to support enterprise-wide visibility and rapid response The cybersecurity industry needs a more efficient

More information

Teradata and Protegrity High-Value Protection for High-Value Data

Teradata and Protegrity High-Value Protection for High-Value Data Teradata and Protegrity High-Value Protection for High-Value Data 12.16 EB7178 DATA SECURITY Table of Contents 2 Data Centric Security: Providing High-Value Protection for High-Value Data 3 Visibility:

More information

DATA SHEET RSA NETWITNESS ENDPOINT DETECT UNKNOWN THREATS. REDUCE DWELL TIME. ACCELERATE RESPONSE.

DATA SHEET RSA NETWITNESS ENDPOINT DETECT UNKNOWN THREATS. REDUCE DWELL TIME. ACCELERATE RESPONSE. RSA NETWITNESS ENDPOINT DETECT UNKNOWN THREATS. REDUCE DWELL TIME. ACCELERATE RESPONSE. KEY CUSTOMER BENEFITS: Gain complete visibility into all endpoints, regardless of whether they are on or off the

More information

CyberArk Solutions for Secured Remote Interactive Access. Addressing NERC Remote Access Guidance Industry Advisory

CyberArk Solutions for Secured Remote Interactive Access. Addressing NERC Remote Access Guidance Industry Advisory CyberArk Solutions for Secured Remote Interactive Access Addressing NERC Remote Access Guidance Industry Advisory Table of Contents The Challenges of Securing Remote Access.......................................

More information

Traditional Security Solutions Have Reached Their Limit

Traditional Security Solutions Have Reached Their Limit Traditional Security Solutions Have Reached Their Limit CHALLENGE #1 They are reactive They force you to deal only with symptoms, rather than root causes. CHALLENGE #2 256 DAYS TO IDENTIFY A BREACH TRADITIONAL

More information

HOW SNOWFLAKE SETS THE STANDARD WHITEPAPER

HOW SNOWFLAKE SETS THE STANDARD WHITEPAPER Cloud Data Warehouse Security HOW SNOWFLAKE SETS THE STANDARD The threat of a data security breach, someone gaining unauthorized access to an organization s data, is what keeps CEOs and CIOs awake at night.

More information

Threat Containment and Operations. Yong Kwang Kek, Director of Presales SE, APJ

Threat Containment and Operations. Yong Kwang Kek, Director of Presales SE, APJ Threat Containment and Operations Yong Kwang Kek, Director of Presales SE, APJ 2018-07-19 1 1 2017 Infoblox Inc. All Rights 2013 Infoblox Inc. All Reserved. Rights Reserved. Three Aspects of Security #1

More information

ARC VIEW. Critical Industries Need Continuous ICS Security Monitoring. Keywords. Summary. By Sid Snitkin

ARC VIEW. Critical Industries Need Continuous ICS Security Monitoring. Keywords. Summary. By Sid Snitkin ARC VIEW FEBRUARY 1, 2018 Critical Industries Need Continuous ICS Security Monitoring By Sid Snitkin Keywords Anomaly and Breach Detection, Continuous ICS Security Monitoring, Nozomi Networks Summary Most

More information

THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM

THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM Modern threats demand analytics-driven security and continuous monitoring Legacy SIEMs are Stuck in the Past Finding a mechanism to collect, store

More information

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS NERC CIP VERSION 6 COMPLIANCE BACKGROUND The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards define a comprehensive set of requirements

More information

Securing Privileged Accounts: Meeting the Payment Card Industry (PCI) Data Security Standard (DSS) 3.0 with CyberArk Solutions

Securing Privileged Accounts: Meeting the Payment Card Industry (PCI) Data Security Standard (DSS) 3.0 with CyberArk Solutions Securing Privileged Accounts: Meeting the Payment Card Industry (PCI) Data Security Standard (DSS) 3.0 with CyberArk Solutions Contents Executive Summary... Obligations to Protect Cardholder Data... PCI

More information

Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT

Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT Introduction Amazon Web Services (AWS) provides Infrastructure as a Service (IaaS) cloud offerings for organizations. Using AWS,

More information

Application and Data Security with F5 BIG-IP ASM and Oracle Database Firewall

Application and Data Security with F5 BIG-IP ASM and Oracle Database Firewall F5 White Paper Application and Data Security with F5 BIG-IP ASM and Oracle Database Firewall Organizations need an end-to-end web application and database security solution to protect data, customers,

More information

CYBERARK GDPR ADVISORY. SECURE CREDENTIALS. SECURE ACCESS. A PRIVILEGED ACCOUNT SECURITY APPROACH TO GDPR READINESS

CYBERARK GDPR ADVISORY. SECURE CREDENTIALS. SECURE ACCESS. A PRIVILEGED ACCOUNT SECURITY APPROACH TO GDPR READINESS CYBERARK GDPR ADVISORY. SECURE CREDENTIALS. SECURE ACCESS. A PRIVILEGED ACCOUNT SECURITY APPROACH TO GDPR READINESS 2017 CYBERARK GDPR ADVISORIES: PRACTICAL STEPS TO GDPR READINESS There is no personal

More information

CloudSOC and Security.cloud for Microsoft Office 365

CloudSOC and  Security.cloud for Microsoft Office 365 Solution Brief CloudSOC and Email Security.cloud for Microsoft Office 365 DID YOU KNOW? Email is the #1 delivery mechanism for malware. 1 Over 40% of compliance related data in Office 365 is overexposed

More information

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045 Critical Security Control Solution Brief Version 6 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable,

More information

MOVE BEYOND GPO FOR NEXT-LEVEL PRIVILEGE MANAGEMENT

MOVE BEYOND GPO FOR NEXT-LEVEL PRIVILEGE MANAGEMENT MOVE BEYOND GPO FOR NEXT-LEVEL PRIVILEGE MANAGEMENT DON T USE A HAMMER MOVE BEYOND GPO FOR NEXT-LEVEL TO TURN A SCREW PRIVILEGE MANAGEMENT The first stage of privilege management Most organizations with

More information

TRIPWIRE VIA PLATFORM PROTECTING YOUR DATA WITH INTEGRATED SECURITY CONTROLS

TRIPWIRE VIA PLATFORM PROTECTING YOUR DATA WITH INTEGRATED SECURITY CONTROLS SOLUTION BRIEF TRIPWIRE VIA PLATFORM PROTECTING YOUR DATA WITH INTEGRATED CONTROLS..: Tripwire security controls capture activity data from monitored assets no matter if you rely on physical, virtual,

More information

To Audit Your IAM Program

To Audit Your IAM Program Top Five Reasons To Audit Your IAM Program Best-in-class organizations are auditing their IAM programs - are you? focal-point.com Introduction Stolen credentials are the bread and butter of today s hacker.

More information

EXABEAM HELPS PROTECT INFORMATION SYSTEMS

EXABEAM HELPS PROTECT INFORMATION SYSTEMS WHITE PAPER EXABEAM HELPS PROTECT INFORMATION SYSTEMS Meeting the Latest NIST SP 800-53 Revision 4 Guidelines SECURITY GUIDELINE COMPLIANCE There has been a rapid increase in malicious insider threats,

More information

Google Cloud & the General Data Protection Regulation (GDPR)

Google Cloud & the General Data Protection Regulation (GDPR) Google Cloud & the General Data Protection Regulation (GDPR) INTRODUCTION General Data Protection Regulation (GDPR) On 25 May 2018, the most significant piece of European data protection legislation to

More information

AKAMAI CLOUD SECURITY SOLUTIONS

AKAMAI CLOUD SECURITY SOLUTIONS AKAMAI CLOUD SECURITY SOLUTIONS Whether you sell to customers over the web, operate data centers around the world or in the cloud, or support employees on the road, you rely on the Internet to keep your

More information

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Virus Outbreak

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Virus Outbreak Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security

More information

WHY SIEMS WITH ADVANCED NETWORK- TRAFFIC ANALYTICS IS A POWERFUL COMBINATION. A Novetta Cyber Analytics Brief

WHY SIEMS WITH ADVANCED NETWORK- TRAFFIC ANALYTICS IS A POWERFUL COMBINATION. A Novetta Cyber Analytics Brief WHY SIEMS WITH ADVANCED NETWORK- TRAFFIC ANALYTICS IS A POWERFUL COMBINATION A Novetta Cyber Analytics Brief Why SIEMs with advanced network-traffic analytics is a powerful combination. INTRODUCTION Novetta

More information

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT RSA ARCHER IT & SECURITY RISK MANAGEMENT INTRODUCTION Organizations battle growing security challenges by building layer upon layer of defenses: firewalls, antivirus, intrusion prevention systems, intrusion

More information