Agenda
1. Trends Impacting Data Security
2. Best Practices (subset) to Minimize the Attack Surface
3. 10 Best Practices (appendix)
4. Case Study (appendix)
Copyright 2015 Centrify Corporation. All Rights Reserved.
Trends Impacting Data Security
We believe that Identity is the New Perimeter
Identity is at the center of cyber attacks
De-perimeterization is expanding the attack surface

The enterprise security model is under attack

A Lot of Press. Analysts Have Weighed In Too
End Users and Privileged Users
95% of breaches are from compromised credentials
100% of breaches involved stolen credentials

Trend: The Attack Surface is Expanding
On one side, you have more sophisticated attackers aiming to compromise privileged identities
On the other, you have an expansion of real estate into the cloud

Continual Adaptation & Innovation!
APT attack flow:
Attackers gain access to an end-user system via web site or email malware
Mimikatz looks for privileged accounts that were used on the computer
Pass-the-Hash enables lateral movement to other computers
Once privileged accounts are found, attackers move laterally to servers and databases
Attackers can now export ANY data
Attack Lifecycle (Mandiant Trends 2015): Initial Compromise, Establish Foothold, Escalate Privileges, Internal Recon, Move Laterally, Maintain Persistence, Complete Mission

Even in 2015 Passwords Are Still The Weakest Link! ...and they're SO easy to crack
"Ars Technica gave three experts a 16,000-entry encrypted password file, and asked them to break them. The winner got 90% of them, the loser 62% -- in a few hours." (Bruce Schneier, 2013)
"The five-server system uses a relatively new package of virtualization software that harnesses the power of 25 AMD Radeon graphics cards. It achieves the 350 billion-guess-per-second speed when cracking password hashes generated by the NTLM cryptographic algorithm. Gosney used the machine to crack 90 percent of the 6.5 million password hashes belonging to users of LinkedIn." (in 2012)
Figure: [password hashes] + [cracking rig] = Clear Text Passwords

OPM Breach
OPM suffered three breaches since Oct 2013
Breaches tend to go undetected for six months to a year

The Attack Surface is Expanding
On one side, you have more sophisticated attackers aiming to compromise privileged identities
On the other, you have an expansion of real estate into the cloud: de-perimeterization

Modern Enterprises are showing us the future
The Perimeter is Dissolving, Increasing the Attack Surface
Mac, Mobile, SaaS, IaaS, Access Anywhere

Obligatory Audience Participation
Raise your hand if you have < 10 online accounts?

CA State Government Cloud Adoption
Now that state agencies are allowed to procure their own cloud apps under certain guidelines... more accounts, less control, bigger attack surface.

As Infrastructure Expands, Identities Are Harder to Manage
Desktops + Mobile
Data Center Apps + Cloud (SaaS)
Data Center Servers + Cloud (IaaS & PaaS) + Big Data

Main Attack Vector: The End User (Very Large Attack Surface)

...To Get to the Privileged User

Another Trend Impacting the Attack Surface
A growing use of outsourced IT, development, and other services

Remember the Big 2013 Retail Breach
An HVAC Supplier!!!
Figure: Privileged Password, VPN Login Password, Privileged Password

The Future Looks Very Different
Mac, Mobile, SaaS, IaaS, Access Anywhere
No Physical Boundaries
Best Practices to Minimize the Attack Surface
1. Unify and Centralize Identities and Identity Management
Identity Platform spanning: Desktops, Mobile, Data Center Apps, Cloud (SaaS), Data Center Servers, Cloud (IaaS & PaaS), Big Data
...with Active Directory as the central identity store

6. Avoid Direct Login Using Shared Privileged Accounts
HIGH RISK STATE: root (restart web server)
LOW RISK STATE: tony (check mail, browse web, do expenses)
Centrify privilege elevation: don't allow direct root login; log in as yourself and elevate privilege
BUT there are a small number of situations where we can't elevate and have to physically log in as root: upgrade the OS, emergency break glass

7. Lockdown Privileged Accounts
SHARE: root, administrator, oracle are the keys to the kingdom, shared among trusted administrators
What a shared password invites: share it with others; introduce malware, APTs, bots; camp out all day; set a weak password; make silly mistakes
SECURE STORAGE: password not revealed (except for break glass); automatic login; VPN-less remote access; password automatically cycled; strong password QOS; session recording; MFA for trusted administrators

8. Eliminate Passwords Where Possible
Move to Smart Cards (MS AMA), USB PKI devices, and/or mobile MFA for administrator logins and privilege elevation

Even If Only Those 3: a Ton of Mileage
Centrally manage identities and authentication, and ENFORCE granular access control policies
Privilege elevation (90% of the time! Managing shared passwords = the exception)
MFA: thwart bots and malware; a human responds to grant or deny (e.g. a push notification)
Smart cards: avoid passwords altogether; completely eliminate pass-the-hash

Sum It Up. Steps to Mitigating Risks: REDUCE THREAT SURFACE
Unify & Centralize Identities
Enforce Least Privilege
Enable Privilege Elevation via Roles
Disable Privileged Accounts
Vault the Rest
Monitor Privileged Activities
Eliminate Passwords / Use Smart Cards
Centrify: Unified Identity Management
Centrify Server Suite: consolidated identity and Active Directory bridge; privilege management; comprehensive auditing; server isolation. Minimize privileged user risk and improve compliance.
Centrify Privilege Service: shared account password management; secure remote access; privileged session monitoring. Mitigate the risk of shared accounts and improve compliance.
Centrify Identity Service: Identity-as-a-Service for SaaS, mobile and on-prem apps; fully integrated mobile device and app management; Mac authentication and Group Policy management. Improve SaaS and mobile app/device security.
Centrify Identity Platform: cloud-based platform for directory, authentication, MFA and policy, reporting and secure cloud store across both end users and privileged users.

Why Centrify?
11-year enterprise security company with over 450 personnel, global sales and support
Addressing two major IT challenges: the shift to cloud and mobile, and security as the perimeter dissolves
Unique portfolio that unifies identity across cloud, mobile and data center for end users and privileged users
Trusted technology with 5,000+ customers, ~50% of Fortune 50 and 97% retention rate
Strategic alliances with Microsoft, Apple, AVG and Samsung; 250+ reseller partners

Centrify: 5,000+ Customers, 97% Retention
Defense & Government: more than 60 U.S. Federal Agencies
Pharma & Health: 6 of top 10 pharma companies
Banking & Finance: 4 of top 10 financial services companies
Retail & Internet: 3 of top 5 U.S. retailers
Technology & Telecom: 7 of top 12 worldwide telcos
Automotive & Energy: 2 of top 4 energy companies

Resources
Centrify web site: http://www.centrify.com/products/privilege-service/ and http://www.centrify.com/products/server-suite/
Blogs: http://blog.centrify.com
YouTube demos (search for "Centrify Privilege Service")
White paper: "Best Practices for Privileged Identity Management in the Modern Enterprise": http://www.centrify.com/resources/10537-bestpractices-for-privileged-identity-management-inthe-modern-enterprise

Thank You
Tony Goulding, Dir Technical Product Management
tony.goulding@centrify.com
Appendix Case Study
National Weather Service - Key Centrify Features Used
Smart Card Authentication / HSPD-12 with SSO, configured via AD Group Policy; automatic root/intermediate cert download
"You can do this in Linux natively by following our previous 26 page solution which was fairly complicated and time consuming to complete and had to be done on every system"
Active Directory User and Computer Group Policies
Role-Based Access Controls for Least-Privilege Access
Appendix Best Practices to Minimize the Attack Surface
10 Best Practices to Minimize the Attack Surface
1. Unify and Centralize Identities and Identity Management
2. Separation of Duties and Delegated Administration
3. Minimize user access rights across the Enterprise
4. Establish host-based server isolation
5. Eliminate VPN network access
6. Enforce Least Privileges
7. Lock down Privileged Accounts
8. Eliminate passwords where possible
9. Require MFA for privileges
10. Monitor All Privileged User Access

1. Unify and Centralize Identities and Identity Management
Identity Platform spanning: Desktops, Mobile, Data Center Apps, Cloud (SaaS), Data Center Servers, Cloud (IaaS & PaaS), Big Data, with Active Directory as the central identity store

2. Separation of Duties and Delegated Administration
Delegate administration to department or business unit admins
Engineering Admins -> Engineering Department: Engineering Apps, Engineering Databases, Engineering Servers
Marketing Admins -> Marketing Department: Marketing Apps, Marketing Databases, Marketing Servers
Finance Admins -> Finance Department: Finance Apps, Finance Databases, Finance Servers

3. Minimize User Access Rights Across the Enterprise
Grant user access only where necessary
Finance Staff (Finance Staff Role) -> Finance Workstations, Finance Apps, Finance Databases
Finance Admins (Finance IT Admin Role) -> Finance Servers

4. Establish Host-based Server Isolation
Server protection should not trust the network: the bad guys are on the network
Protect sensitive systems on any network
Dynamic server isolation with IPsec on Linux, UNIX, and Windows
Block communication with untrusted systems through peer-to-peer server authentication
Enforce transparent encryption of data-in-motion
Configured with AD Group Policy and manageable by server admins
Figure: CORPORATE NETWORK with Active Directory; TRUSTED Managed Devices / Managed Computers can reach the Isolated Computers; a Rogue Computer cannot

5. Eliminate VPN Network Access
Provide targeted access to individual resources vs. network access
Figure: Finance Staff use the User Portal (Centrify Identity Service) and Finance Admins use the Privilege Service Portal (Centrify Privilege Service) or the Mobile App; both sit on the Centrify Identity Platform (Cloud Directory, MFA and Policy Engine, Authentication Engine, Reporting Engine, Secure Data Store); the Centrify Cloud Connector (App Gateway, AD/LDAP Proxy, Server Gateway) brokers access to On-Prem Apps and On-Prem Servers

6. Enforce Least Privileges
HIGH RISK STATE: root (restart web server)
LOW RISK STATE: tony (check mail, browse web, do expenses)
Privilege elevation via sudo or "Run as Role"
Minimize use of privileged accounts, e.g. no direct root login; log in as yourself and elevate privilege

6. Enforce Least Privileges: Hadoop
Enforce least privilege for admin access
Centralized role-based privilege management
Eliminate use of root privileges for all but break-glass scenarios
Per-command privilege elevation or whitelisted restricted shell
Example roles:
Helpdesk: read-only access to log files to find problems
IT Admins: limited privileges to manage config files and restart services
Hadoop Admins: grants privileges of the ambari, hdfs or mapr account for CLI operations
Example Hadoop privileged roles to manage:
Hadoop Core: Map Reduce Commands (User Commands, Administration Commands); HDFS Commands (User Commands, Administration Commands); YARN Commands (User Commands, Administration Commands); Linux Commands
Hadoop Web Management, Cloudera Manager Roles: Auditor, Read Only, Limited Operator, Operator, Configurator, Cluster Administrator, BDR Administrator, Navigator Administrator, User Administrator, Full Administrator
Hadoop Web Management, Cloudera Navigator Roles: Lineage Viewer, Auditing Viewer, Policy Viewer, Metadata Administrator, Policy Administrator, User Administrator, Full Administrator
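The pattern that slides 2, 3 and 6 describe (log in with your own identity, never as a shared account; admin rights scoped to a department's own servers; a per-command whitelist per role; break glass as the audited exception) can be modelled in a few lines. This is an added example, not Centrify code and not a description of how its products decide; the hosts, users, roles and command patterns are constructed, and the regex whitelist plus in-memory audit log stand in for whatever a real privilege manager (sudoers, a PAM module or a commercial product) would use.

```python
"""Role-scoped privilege elevation check.

Added illustration (not Centrify code): a user logs in with a personal identity,
never as a shared account, and asks to run one privileged command. The request
is matched against roles scoped to a set of servers and a whitelist of commands.
A break-glass role is the audited exception for the rare cases where elevation
is not enough (e.g. an OS upgrade). All hosts, users and roles are constructed.
"""
import re
from dataclasses import dataclass

SHARED_ACCOUNTS = frozenset({"root", "administrator", "oracle", "hdfs"})


@dataclass(frozen=True)
class Role:
    name: str
    servers: frozenset         # hosts on which the role applies
    commands: tuple            # regex patterns; a command must fully match one
    run_as: str = "root"       # account whose privileges are granted
    break_glass: bool = False  # unrestricted, but flagged for review


# Constructed role catalogue modelled on the slide's example roles.
ROLES = {
    "helpdesk": Role("helpdesk", frozenset({"web01", "web02"}),
                     (r"cat /var/log/[\w./-]+", r"tail -n \d+ /var/log/[\w./-]+")),
    "it-admin": Role("it-admin", frozenset({"web01", "web02"}),
                     (r"systemctl restart (httpd|nginx)", r"vi /etc/(httpd|nginx)/[\w./-]+")),
    "hadoop-admin": Role("hadoop-admin", frozenset({"hdp01"}),
                         (r"hdfs dfsadmin( -\w+)*",), run_as="hdfs"),
    "break-glass": Role("break-glass", frozenset({"web01", "web02", "hdp01"}),
                        (r".*",), break_glass=True),
}

# Constructed user-to-role assignments (the AD group membership in the slides).
ASSIGNMENTS = {
    "tony": ("it-admin", "helpdesk"),
    "maria": ("hadoop-admin",),
    "oncall": ("break-glass",),
}

AUDIT_LOG = []  # every decision, allowed or denied, is recorded here


def can_login(username):
    """Direct login is only allowed with a personal, role-assigned identity."""
    return username not in SHARED_ACCOUNTS and username in ASSIGNMENTS


def elevate(username, host, command):
    """Decide one elevation request; returns (allowed, run_as, role_name)."""
    if not can_login(username):
        AUDIT_LOG.append((username, host, command, "denied", "no-personal-identity"))
        return (False, None, None)
    for role_name in ASSIGNMENTS[username]:
        role = ROLES[role_name]
        if host not in role.servers:
            continue  # the role is scoped to other servers
        if any(re.fullmatch(p, command) for p in role.commands):
            outcome = "break-glass" if role.break_glass else "allowed"
            AUDIT_LOG.append((username, host, command, outcome, role_name))
            return (True, role.run_as, role_name)
    AUDIT_LOG.append((username, host, command, "denied", "no-matching-role"))
    return (False, None, None)


def break_glass_events():
    """What a reviewer pulls from the log: every use of the unrestricted role."""
    return [e for e in AUDIT_LOG if e[3] == "break-glass"]


if __name__ == "__main__":
    for req in [("tony", "web01", "systemctl restart httpd"),
                ("tony", "web01", "cat /etc/shadow"),
                ("root", "web01", "id"),
                ("oncall", "web01", "apt-get dist-upgrade")]:
        print(req, "->", elevate(*req))
    print("break-glass events:", break_glass_events())
```

Every decision lands in AUDIT_LOG whether it was allowed or denied, so the break-glass role stays usable for the OS-upgrade case but is never invisible; listing `break_glass_events()` is the review step that best practice 10 asks for.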
7. Lockdown Privileged Accounts
Privileged accounts should be: centrally secured & managed; have unique passwords per system; change after each use
Secure storage for trusted administrators: password not revealed (except for break glass); remote session with automatic login; VPN-less remote access; password automatically cycled; strong password QOS; session recording; MFA
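A toy vault that enforces the three rules on this slide (centrally stored, unique per system, changed after each use) together with the break-glass exception. It is an added example, not Centrify Privilege Service or its API; `Vault`, its method names and the in-memory storage are assumptions made for the illustration, and a real vault would persist the secrets and push each rotated password to the target system.

```python
"""Vault for shared privileged accounts with rotate-on-checkin.

Added illustration (not Centrify code): a privileged account is stored
centrally, has a unique password per system, is never revealed to the user
in normal operation (the vault performs the login), and is rotated after each
use, so any copy made during a session is dead on check-in. Break-glass
checkout reveals the secret and is flagged in the audit trail. Systems and
storage are constructed, in memory.
"""
import hashlib
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length=32):
    """Random password meeting a simple quality rule: all four classes present."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


class Vault:
    def __init__(self, systems, account="root"):
        self.account = account
        # One independent secret per system: a compromise of db01 says nothing about db02.
        self._secrets = {system: generate_password() for system in systems}
        self._sessions = {}   # handle -> (system, user)
        self.audit = []       # (event, user, system, break_glass, handle)

    def fingerprint(self, system):
        """Non-reversible identifier of the current secret, usable in reports and tests."""
        return hashlib.sha256(self._secrets[system].encode()).hexdigest()[:16]

    def checkout(self, user, system, break_glass=False):
        """Open an audited session; returns (handle, password or None)."""
        handle = secrets.token_hex(8)
        self._sessions[handle] = (system, user)
        self.audit.append(("checkout", user, system, break_glass, handle))
        # Normal path: the vault logs in on the user's behalf, so nothing is revealed.
        return handle, (self._secrets[system] if break_glass else None)

    def checkin(self, handle):
        """Close the session and rotate the secret so the old value is useless."""
        system, user = self._sessions.pop(handle)
        self._secrets[system] = generate_password()
        self.audit.append(("checkin+rotate", user, system, False, handle))

    def unique_per_system(self):
        """True when no two systems share a password."""
        values = list(self._secrets.values())
        return len(set(values)) == len(values)

    def open_sessions(self):
        return len(self._sessions)


if __name__ == "__main__":
    vault = Vault(["db01", "db02"])
    handle, revealed = vault.checkout("tony", "db01")
    print("revealed to tony:", revealed)          # None: the vault did the login
    vault.checkin(handle)
    handle, revealed = vault.checkout("oncall", "db02", break_glass=True)
    print("break-glass reveal length:", len(revealed))
    vault.checkin(handle)
    for event in vault.audit:
        print(event)
```

The break-glass flag travels into the audit record, so the rare reveal is distinguishable from the routine automatic-login sessions when the trail is reviewed, and the rotation on check-in means even a revealed password has a lifetime of one session.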
8. Eliminate Passwords Where Possible
Move to Smart Cards (MS AMA), USB PKI devices, and/or mobile MFA for administrator logins & privilege elevation
Integration points for app login: PAM/NSS, Kerberos, LDAP, SDK/CLI, plugins, SAML

9. Require MFA for Privileges
Centrify Privilege Service portal: multi-factor authentication, shared account password management
Mobile provides a secure platform for MFA and privileged account checkout
Smart Cards can also be used as the MFA for privilege elevation: "Run as Role" to request the application to be run with privileges

10. Monitor All Privileged User Sessions
Agent-based session audit for regulatory compliance, or gateway-based session audit with no agent on the resources
Figure: Remote IT Staff (Finance Admins, Finance IT Admin Role) connect through Centrify Privilege Service; remote session monitoring via the cloud connector in front of the Finance Servers