Agenda. Copyright 2015 Centrify Corporation. All Rights Reserved. 1


Agenda
1. Trends Impacting Data Security
2. Best Practices (subset) to Minimize the Attack Surface
3. 10 Best Practices (appendix)
4. Case Study (appendix)

Trends Impacting Data Security

We believe that Identity is the New Perimeter
- Identity is at the center of cyber attacks
- De-perimeterization is expanding the attack surface

Enterprise security model is under attack

A Lot of Press. Analysts Have Weighed In Too
- End Users and Privileged Users
- 95% of breaches are from compromised credentials
- 100% of breaches involved stolen credentials

Trend: The Attack Surface is Expanding
- On one side, you have more sophisticated attackers aiming to compromise privileged identities
- On the other, you have an expansion of real estate into the cloud

Continual Adaptation & Innovation!
APT attack flow:
- Attackers gain access to an end user system via web site or email malware
- Mimikatz looks for privileged accounts that were used on the computer
- Pass-the-Hash enables lateral movement to other computers
- Once privileged accounts are found, they move laterally to servers and databases
- Attackers can now export ANY data
Attack Lifecycle (Mandiant Trends 2015): Initial Compromise, Establish Foothold, Escalate Privileges, Internal Recon, Move Laterally, Maintain Persistence, Complete Mission

Even in 2015 Passwords Are Still the Weakest Link! ...and they're SO easy to crack
"Ars Technica gave three experts a 16,000-entry encrypted password file, and asked them to break them. The winner got 90% of them, the loser 62% -- in a few hours." (Bruce Schneier, 2013)
"The five-server system uses a relatively new package of virtualization software that harnesses the power of 25 AMD Radeon graphics cards. It achieves the 350 billion-guess-per-second speed when cracking password hashes generated by the NTLM cryptographic algorithm. Gosney used the machine to crack 90 percent of the 6.5 million password hashes belonging to users of LinkedIn." (in 2012)
(Figure: password hashes + GPU cracking rig = Clear Text Passwords)

OPM Breach
- OPM suffered three breaches since Oct 2013
- Breaches tend to go undetected for six months to a year

The Attack Surface is Expanding
- On one side, you have more sophisticated attackers aiming to compromise privileged identities
- On the other, you have an expansion of real estate into the cloud (de-perimeterization)

Modern Enterprises Are Showing Us the Future
- The Perimeter Is Dissolving
- Increasing the Attack Surface
- Mac, Mobile, SaaS, IaaS, Access Anywhere

Obligatory Audience Participation: Raise your hand if you have < 10 online accounts.

CA State Government Cloud Adoption
Now that state agencies are allowed to procure their own cloud apps under certain guidelines... more accounts, less control, bigger attack surface.

As Infrastructure Expands, Identities Are Harder to Manage
- Desktops + Mobile
- Data Center Apps + Cloud (SaaS)
- Data Center Servers + Cloud (IaaS & PaaS) + Big Data

Main Attack Vector: The End User (a very large attack surface)

...To Get to the Privileged User

Another Trend Impacting the Attack Surface: A growing use of outsourced IT, development, and other services

Remember the Big 2013 Retail Breach
(Figure: VPN login password → privileged password → privileged password)
An HVAC Supplier!!!

The Future Looks Very Different: Mac, Mobile, SaaS, IaaS, Access Anywhere. No Physical Boundaries.

Best Practices to Minimize the Attack Surface

1. Unify and Centralize Identities and Identity Management
(Figure: Desktops, Mobile, Data Center Apps, Cloud (SaaS), Data Center Servers, Cloud (IaaS & PaaS) and Big Data all connected through a single Identity Platform, backed by Active Directory)

6. Avoid Direct Login Using Shared Privileged Accounts
- HIGH RISK STATE: root ("Restart web server")
- LOW RISK STATE: tony ("Check mail, browse web, do expenses")
- Centrify privilege elevation moves the user between the two states
- Don't allow direct root login; login as yourself & elevate privilege

6. Avoid Direct Login Using Shared Privileged Accounts (continued)
- HIGH RISK STATE: root ("Upgrade the OS", emergency break glass)
- LOW RISK STATE: tony ("Check mail, browse web, do expenses")
- BUT: there are a small number of situations where we can't elevate. We have to physically login as root.

7. Lockdown Privileged Accounts: SHARE
- Shared accounts (root, administrator, oracle) are the keys to the kingdom
- Trusted administrators share them with others
- Risks: share it with others; introduce malware, APTs, bots; camp out all day; set weak passwords; make silly mistakes

7. Lockdown Privileged Accounts: SECURE STORAGE
- Password not revealed (except for break glass)
- Automatic login
- VPN-less remote access
- Password automatically cycled
- Strong password QOS
- Session recording
- MFA for trusted administrators

8. Eliminate Passwords Where Possible
Move to Smart Cards (MS AMA), USB PKI devices, and/or mobile MFA for Administrator logins and privilege elevation.

Even If Only Those 3: Ton of Mileage
- Centrally manage identities, authentication, and ENFORCE granular access control policies
- Privilege elevation (90% of the time! Managing shared passwords = the exception)
- MFA: thwart bots and malware; a human responds to grant or deny (e.g. a push notification)
- Smart cards: avoid passwords altogether; completely eliminate pass the hash

Sum It Up. Steps to Mitigating Risks: REDUCE THREAT SURFACE
- Eliminate Pwds: Use Smart Cards
- Vault The Rest
- Monitor Priv Activities
- Unify & Centralize Identities
- Disable Privileged Accts
- Enforce Least Privilege
- Enable Privilege Elevation Via Roles

Centrify: Unified Identity Management
- Centrify Server Suite: consolidated identity and Active Directory bridge; privilege management; comprehensive auditing; server isolation. Minimize privileged user risk and improve compliance.
- Centrify Privilege Service: shared account password management; secure remote access; privileged session monitoring. Mitigate risk of shared accounts and improve compliance.
- Centrify Identity Service: Identity-as-a-Service for SaaS, mobile and on-prem apps; fully integrated mobile device and app management; Mac authentication and Group Policy management. Improve SaaS and mobile app/device security.
- Centrify Identity Platform: cloud-based platform for directory, authentication, MFA and policy, reporting and secure cloud store across both end users and privileged users.

Why Centrify?
- 11 year enterprise security company with over 450 personnel, global sales and support
- Addressing two major IT challenges: the shift to cloud and mobile, and security as the perimeter dissolves
- Unique portfolio that unifies identity across cloud, mobile and data center for end users and privileged users
- Trusted technology with 5,000+ customers, ~50% of Fortune 50 and 97% retention rate
- Strategic alliances with Microsoft, Apple, AVG and Samsung; 250+ reseller partners

Centrify: 5,000+ Customers, 97% Retention
- Defense & Government: More Than 60 U.S. Federal Agencies
- Pharma & Health: 6 of Top 10 Pharma Companies
- Banking & Finance: 4 of Top 10 Financial Services Companies
- Retail & Internet: 3 of Top 5 U.S. Retailers
- Technology & Telecom: 7 of Top 12 Worldwide Telcos
- Automotive & Energy: 2 of Top 4 Energy Companies

Resources
- Centrify web site: http://www.centrify.com/products/privilege-service/ and http://www.centrify.com/products/server-suite/
- Blogs: http://blog.centrify.com
- YouTube demos (search for Centrify Privilege Service)
- White paper: "Best Practices for Privileged Identity Management in the Modern Enterprise": http://www.centrify.com/resources/10537-bestpractices-for-privileged-identity-management-inthe-modern-enterprise

Thank You
Tony Goulding, Dir Technical Product Management, tony.goulding@centrify.com

Appendix: Case Study

National Weather Service - Key Centrify Features Used
- Smart Card Authentication / HSPD-12 w/SSO configured via AD GP; automatic root/intermediate cert download
  (You can do this in Linux natively by following our previous 26-page solution, which was fairly complicated and time consuming to complete and had to be done on every system.)
- Active Directory User and Computer Group Policies
- Role-Based Access Controls for Least-Privilege Access

Appendix: Best Practices to Minimize the Attack Surface

10 Best Practices to Minimize the Attack Surface
1. Unify and Centralize Identities and Identity Management
2. Separation of Duties and Delegated Administration
3. Minimize user access rights across the Enterprise
4. Establish host-based server isolation
5. Eliminate VPN network access
6. Enforce Least Privileges
7. Lock down Privileged Accounts
8. Eliminate passwords where possible
9. Require MFA for privileges
10. Monitor All Privileged User Access

1. Unify and Centralize Identities and Identity Management
(Figure: Desktops, Mobile, Data Center Apps, Cloud (SaaS), Data Center Servers, Cloud (IaaS & PaaS) and Big Data all connected through a single Identity Platform, backed by Active Directory)

2. Separation of Duties and Delegated Administration
Delegate administration to department or business unit admins.
(Figure: Engineering Admins, Marketing Admins and Finance Admins each manage only their own department's apps, databases and servers)

3. Minimize User Access Rights Across the Enterprise
Grant user access only where necessary.
(Figure: Finance Staff, via the Finance Staff Role, reach Finance Workstations, Finance Apps and Finance Databases; Finance Admins, via the Finance IT Admin Role, reach Finance Servers)

4. Establish Host-based Server Isolation
Server protection should not trust the network; the bad guys are on the network.
- Protect sensitive systems on any network
- Dynamic server isolation with IPsec on Linux, UNIX, and Windows
- Block communication with untrusted systems through peer-to-peer server authentication
- Enforce transparent encryption of data-in-motion
- Configured with AD Group Policy and manageable by server admins
(Figure: CORPORATE NETWORK with Active Directory; managed devices and managed computers can reach the TRUSTED isolated computers, a rogue computer is blocked)

5. Eliminate VPN Network Access
Provide targeted access to individual resources vs. network access.
(Figure: Finance Staff use the User Portal of Centrify Identity Service and Finance Admins use the Privilege Service Portal of Centrify Privilege Service, both on the Centrify Identity Platform (Cloud Directory, MFA and Policy Engine, Authentication Engine, Reporting Engine, Secure Data Store); a Mobile App and the Centrify Cloud Connector (App Gateway, AD/LDAP Proxy, Server Gateway) broker access to On-Prem Apps and On-Prem Servers)

6. Enforce Least Privileges
- HIGH RISK STATE: root ("Restart web server")
- LOW RISK STATE: tony ("Check mail, browse web, do expenses")
- Privilege elevation: sudo or Run as Role
- Minimize use of privileged accounts, e.g. no direct root login
- Login as yourself & elevate privilege

6. Enforce Least Privileges (Hadoop)
- Enforce least-privilege for admin access
- Centralized role-based privilege management
- Eliminate use of root privileges for all but break glass scenarios
- Per command privilege elevation or whitelisted restricted shell
Example Roles:
- Helpdesk: read only access to log files to find problems
- IT Admins: limited privileges to manage config files and restart services
- Hadoop Admins: granted the privileges of the ambari, hdfs or mapr account for CLI operations
Example Hadoop Privileged Roles to Manage:
- Cloudera Manager Roles: Auditor, Read Only, Limited Operator, Operator, Configurator, Cluster Administrator, BDR Administrator, Navigator Administrator, User Administrator, Full Administrator
- Hadoop Core: Map Reduce Commands (User Commands, Administration Commands), HDFS Commands (User Commands, Administration Commands), YARN Commands (User Commands, Administration Commands), Linux Commands
- Hadoop Web Management / Cloudera Navigator Roles: Lineage Viewer, Auditing Viewer, Policy Viewer, Metadata Administrator, Policy Administrator, User Administrator, Full Administrator
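The two "Enforce Least Privileges" slides above describe per-command elevation under named roles (helpdesk, IT admins, Hadoop admins) instead of direct root login. The following is an added example, not Centrify's code and not a Centrify product API: a small role model in which every elevation request is checked against a role's command allowlist and target account, shell escapes are refused, and each role can be rendered as the equivalent sudoers fragment. The role names, Unix groups and command paths are constructed for illustration.

```python
"""Role-based privilege elevation model (added example, not Centrify code).

Each role maps to the commands it may run and the account it may run them as.
Anything not explicitly allowed is denied, and root-shell escapes are refused
even for roles that may run individual commands as root.
"""
import fnmatch
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    unix_group: str       # group whose members hold the role
    run_as: str           # account the commands execute as
    commands: tuple       # glob patterns over the full command line
    requires_mfa: bool = False


# Constructed roles mirroring the slide's examples (hypothetical command paths).
ROLES = (
    Role("helpdesk", "helpdesk", "root",
         ("/usr/bin/tail /var/log/*", "/usr/bin/less /var/log/*",
          "/usr/bin/grep * /var/log/*")),
    Role("it_admins", "itadmin", "root",
         ("/usr/bin/vi /etc/httpd/conf/*", "/usr/sbin/service httpd *"),
         requires_mfa=True),
    Role("hadoop_admins", "hadoopadm", "hdfs",
         ("/usr/bin/hdfs dfsadmin *", "/usr/bin/hdfs dfs *"),
         requires_mfa=True),
)

# Commands that would hand out an unrestricted shell; never valid elevation targets.
SHELL_ESCAPES = ("/bin/sh", "/bin/bash", "/usr/bin/su", "/usr/bin/sudo")


def authorize(role_name, command, run_as, mfa_done=False):
    """Return (allowed, reason) for running `command` as `run_as` under a role."""
    role = next((r for r in ROLES if r.name == role_name), None)
    if role is None:
        return False, "unknown role"
    argv = shlex.split(command)
    if not argv or not argv[0].startswith("/"):
        return False, "command must be given by absolute path"
    if argv[0] in SHELL_ESCAPES:
        return False, "shell escape refused; elevate per command instead"
    if run_as != role.run_as:
        return False, f"role may only run as {role.run_as}"
    if role.requires_mfa and not mfa_done:
        return False, "MFA required before elevation"
    # Match the whole command line, the same way sudoers matches arguments.
    if not any(fnmatch.fnmatchcase(command, p) for p in role.commands):
        return False, "command not in role's allowlist"
    return True, "ok"


def to_sudoers(role):
    """Render a role as a sudoers fragment: one Cmnd_Alias plus one group rule."""
    alias = f"{role.name.upper()}_CMDS"
    return "\n".join([
        f"Cmnd_Alias {alias} = {', '.join(role.commands)}",
        f"%{role.unix_group} ALL=({role.run_as}) {alias}",
    ])


if __name__ == "__main__":
    for r in ROLES:
        print(to_sudoers(r))
    print(authorize("helpdesk", "/usr/bin/tail /var/log/messages", "root"))
    print(authorize("it_admins", "/bin/bash", "root", mfa_done=True))
```

The allowlist is matched against the whole command line on purpose, because that is how sudoers treats wildcards in arguments: a pattern such as `/usr/bin/grep * /var/log/*` also matches `grep x /var/log/messages /etc/shadow`, so patterns should be kept as tight as the job allows, and a restricted shell or per-command wrapper is the safer choice for commands that take arbitrary file arguments.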

7. Lockdown Privileged Accounts
Privileged accounts should be:
- Centrally secured & managed
- Given unique passwords per system
- Changed after each use
Secure storage:
- Password not revealed (except for break glass)
- Remote session with automatic login
- VPN-less remote access
- Password automatically cycled
- Strong password QOS
- Session recording
- MFA for trusted administrators
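The slide lists the properties a vaulted shared account should have: unique password per system, rotated after each use, never revealed except for break glass, MFA before checkout, and an audit trail. The following is an added example, not Centrify's code and not the Centrify Privilege Service API: a minimal in-memory vault model that enforces exactly those properties, with hypothetical host and account names as sample input.

```python
"""Shared-account password vault model (added example, not Centrify's code).

Each managed account gets its own random password, the password is handed out
only through a logged checkout, and it is rotated as soon as the session is
checked back in, so a password captured during a session is worthless afterwards.
"""
import secrets
import string
from dataclasses import dataclass, field
from typing import Optional

SPECIALS = "!@#$%^&*-_=+"
ALPHABET = string.ascii_letters + string.digits + SPECIALS
PASSWORD_LENGTH = 24


def meets_policy(pw):
    """Password quality check: minimum length plus all four character classes."""
    return (len(pw) >= PASSWORD_LENGTH
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SPECIALS for c in pw))


def generate_password(length=PASSWORD_LENGTH):
    """Generate a CSPRNG password that satisfies the vault's policy."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(pw):
            return pw


@dataclass
class ManagedAccount:
    host: str
    user: str
    password: str = field(default_factory=generate_password)
    checked_out_by: Optional[str] = None
    rotations: int = 0


class Vault:
    def __init__(self):
        self.accounts = {}   # (host, user) -> ManagedAccount
        self.audit = []      # (event, host, user, admin) tuples, the audit trail

    def enroll(self, host, user):
        """Bring a shared account under management with a fresh unique password."""
        acct = ManagedAccount(host, user)
        self.accounts[(host, user)] = acct
        self.audit.append(("enroll", host, user, None))
        return acct

    def checkout(self, host, user, admin, mfa_done, break_glass=False):
        """Start a privileged session. The password is returned only for break glass."""
        acct = self.accounts[(host, user)]
        if not mfa_done:
            raise PermissionError("MFA required for privileged checkout")
        if acct.checked_out_by is not None:
            raise RuntimeError(f"{user}@{host} already checked out by {acct.checked_out_by}")
        acct.checked_out_by = admin
        self.audit.append(("checkout", host, user, admin))
        if break_glass:
            # Revealing the password is the exception and gets its own audit event.
            self.audit.append(("reveal", host, user, admin))
            return acct.password
        return None  # normal path: the vault logs in on the admin's behalf

    def checkin(self, host, user):
        """End the session and rotate, so the password that was used is no longer valid."""
        acct = self.accounts[(host, user)]
        acct.checked_out_by = None
        acct.password = generate_password()
        acct.rotations += 1
        self.audit.append(("rotate", host, user, None))

    def password_reuse(self):
        """Return pairs of accounts sharing a password; with unique passwords it is empty."""
        seen, dupes = {}, []
        for key, acct in self.accounts.items():
            if acct.password in seen:
                dupes.append((seen[acct.password], key))
            seen[acct.password] = key
        return dupes
```

A real vault would persist the accounts encrypted at rest and push the rotated password to the target system before recording the rotation; the model above keeps only the policy logic, which is the part the slide is about.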

8. Eliminate Passwords Where Possible
Move to Smart Cards (MS AMA), USB PKI devices, and/or mobile MFA for Administrator logins & privilege elevation.

8. Eliminate Passwords Where Possible
(Figure: App Login paths: PAM/NSS, Kerberos, LDAP, SDK/CLI plugins, SAML)

9. Require MFA for Privileges
Centrify Privilege Service portal: multi-factor authentication for shared account password management.

9. Require MFA for Privileges
Mobile provides a secure platform for MFA and privileged account checkout.

9. Require MFA for Privileges
Smart Cards can also be used as the MFA for privilege elevation: Run as Role to request that the application be run with privileges.

10. Monitor All Privileged User Sessions
- Agent-based Session Audit for regulatory compliance
- Or Gateway-based Session Audit with no agent on the resources
(Figure: Remote IT Staff connect through Centrify Privilege Service (Remote Session Monitoring) and a cloud connector to Finance Servers; Finance Admins hold the Finance IT Admin Role)
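Session audit is only useful if someone reads it. As an added example, not Centrify's code and not output of any Centrify product, the script below applies two checks from this deck to ordinary sshd and sudo syslog lines: no one should log in directly as root (practice 6), and every privileged command should be attributable to a named admin who elevated, with denied elevation attempts surfaced (practice 10). The log lines are constructed samples in standard sshd/sudo syslog form; the hosts, users and addresses are hypothetical.

```python
"""Privileged-activity monitor over auth-log lines (added example, not Centrify code)."""
import re
from collections import defaultdict

# Constructed sample lines (not real captures); hosts, users and addresses are hypothetical.
SAMPLE_LOG = """\
Mar 10 09:01:12 fin-srv01 sshd[2101]: Accepted publickey for tony from 10.1.2.3 port 51022 ssh2
Mar 10 09:01:40 fin-srv01 sudo:     tony : TTY=pts/0 ; PWD=/home/tony ; USER=root ; COMMAND=/usr/sbin/service httpd restart
Mar 10 09:02:05 fin-srv01 sudo:     tony : command not allowed ; TTY=pts/0 ; PWD=/home/tony ; USER=root ; COMMAND=/bin/bash
Mar 10 09:15:33 fin-srv02 sshd[3390]: Accepted password for root from 10.9.9.9 port 40000 ssh2
Mar 10 09:16:02 fin-srv02 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=hdfs ; COMMAND=/usr/bin/hdfs dfsadmin -report
"""

TS = r"(?P<ts>\w{3}\s+\d+ [\d:]+)"
SSH_RE = re.compile(
    TS + r" (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(
    TS + r" (?P<host>\S+) sudo:\s+(?P<user>\S+) : (?:(?P<denied>command not allowed) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=\S+ ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$")


def analyze(log_text):
    """Return direct root logins, denied elevations, and who ran what as which account."""
    findings = {
        "direct_root_logins": [],                 # (host, source, auth method)
        "denied_elevations": [],                  # (host, user, command)
        "privileged_commands": defaultdict(list), # (host, user) -> [(run_as, command)]
    }
    for line in log_text.splitlines():
        m = SSH_RE.match(line)
        if m:
            if m["user"] == "root":
                findings["direct_root_logins"].append((m["host"], m["src"], m["method"]))
            continue
        m = SUDO_RE.match(line)
        if m:
            if m["denied"]:
                findings["denied_elevations"].append((m["host"], m["user"], m["cmd"]))
            else:
                findings["privileged_commands"][(m["host"], m["user"])].append((m["runas"], m["cmd"]))
    return findings


def report(findings):
    """Flatten the findings into one line per alert, highest severity first."""
    lines = [f"ALERT direct root login on {h} from {src} via {meth}"
             for h, src, meth in findings["direct_root_logins"]]
    lines += [f"WARN denied elevation on {h}: {u} tried {cmd}"
              for h, u, cmd in findings["denied_elevations"]]
    for (h, u), cmds in sorted(findings["privileged_commands"].items()):
        for run_as, cmd in cmds:
            lines.append(f"INFO {u}@{h} ran as {run_as}: {cmd}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(analyze(SAMPLE_LOG))))
```

A gateway-based recorder sees the same events from the session side; feeding both into the same analysis lets the root-login alert fire even when the agent on the target is missing or has been tampered with.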