Privileged Identity Management
Sven-Erik Vestergaard, Certified IT Specialist, Security Architect, IBM Nordic
Agenda
- What is Privileged Identity Management
- Compliance issues
- Steps in controlling Privileged Identity Management
- How to create and maintain compliance
- Q/A
Who cares about privileged identities?
Malicious insiders care. The problem: 3 of the top 10 threats to enterprise security are insider related:
- Employee error
- Data stolen by partner/employee
- Insider sabotage
Insider-driven fraud costs US enterprises over $600 billion annually.
Identity Governance
Identity governance is made up of role management, separation of duties, privileged identity management, entitlement management and access certification.
- Role Management: the process used to manage user access to resources. Unlike user provisioning, role management doesn't grant or remove user access; it sets up a role structure to do that more efficiently.
- Access Certification: ongoing review and validation of access to resources at the role or entitlement level.
- Privileged Identity Management: enhanced user administration and monitoring of system or administrator accounts that have elevated privileges.
- Entitlement Management: simplifies access control by administering and enforcing fine-grained authorizations.
- Separation of Duties: prevents and detects business-specific conflicts at the role or entitlement level.
Privileged Identity Management: what is a privileged identity?
- Generic/shared accounts
- Privileged personal accounts
- Application accounts
- Emergency accounts
Special focus for Privileged Identity Management
Privileged identity management must be part of provisioning and identity lifecycle management. This includes:
- Authorization
- Authentication
- Password management
- Auditing
Agenda: Compliance issues
Privileged Identity Management: compliance issues
- Lack of accountability: internal solutions are not able to ensure 100% accountability for shared or application privileged accounts
- Lack of effective, secure release controls
- Limited implementation of strong inter-application authentication
- Lack of monitoring of privileged activities and enforcement of privileged activity policies
- Lack of change controls
- Lack of consistency in password change policies
- Limited auditing of privileged activities, approval processes, privileged account access requests, privileged password changes, and/or password strength/uniqueness
Agenda: First steps in controlling Privileged Identity Management
Privileged Identity Management: first steps
1. Locate, identify and label privileged identities.
2. Apply the appropriate security parameters for access personalization, change and control.
3. Implement a centralized management function or dashboard to monitor processes.
4. Regularly audit all privileged identity activity by appropriate internal systems management and external regulatory sources.
Problems with today's scenario
- Privileged identities are shared
- No audit trail: Joe signed on to the workstation, but "administrator" signed on to SAP, for example
- Difficult to manage good practices: for example, changing passwords frequently requires all sharers to be informed
Shared Privileged ID Account Lifecycle Management in TIM
Lifecycle stages: Creation, Assign Owner, Change, Termination.
- Creation
  - 1.1 Create/configure at the endpoint
  - 1.2 Create/configure in ITIM (ITIM admin only; the owner is assigned during creation)
- Assign Owner
  - 2. Assign owner via adoption rule or other mapping rule (URT code)
- Change
  - 3.1 Password change
  - 3.2 Account attribute change
  - 3.3 Revalidation: employment verification, recertification policy
- Termination
  - 4.1 Manual transfer request
  - 4.2 Owner job change (triggered in the Person Modify workflow)
  - 4.3 Employment termination
Notes:
- Privileged ID accounts in ITIM are flagged and can be enabled for sharing.
- Specific access control is required for privileged IDs via ITIM ACI.
- Specific lifecycle workflows are required for the lifecycle change events of a shared ID (create/modify/password change/suspend/delete).
- Password change needs to support privilege sharing.
Privilege Identity Management in ITIM
- Authorized privilege is defined as an access
- Accounts: user ID, password, group (controls the access privilege)
Shared privilege lifecycle management (ITIM + TAM E-SSO)
- Request Access: business justification is required during the access request
- Business Approval
- Access Provisioning: establish an authorization record for the privileged access and enable the user for check-out/check-in
- Check Out / Check In: triggered when the user accesses the native system via TAM E-SSO once the access is authorized in ITIM. The user does not have to know the ID/password; it is provided by TAM E-SSO. Justification may be required based on the business privilege type.
- Access Revalidation: employment verification, recertification policy
- Access Termination
Pulse Comes To You 2009
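The check-out/check-in flow above is what closes the "Joe signed on to the workstation, but administrator signed on to SAP" gap: every use of a shared ID is tied to an authorization record, a person and a justification. The following is an added example, not ITIM or TAM E-SSO code; the broker class, the justification policy and the Joe/Ann scenario are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed policy: business privilege types that need a justification at check-out.
JUSTIFICATION_REQUIRED = {"emergency", "application"}

@dataclass
class CheckoutRecord:
    account: str                 # shared privileged ID, e.g. "administrator@SAP-PRD"
    person: str                  # the real user behind it, e.g. "joe"
    justification: str
    checked_out: datetime
    checked_in: "datetime | None" = None

class SharedIdBroker:
    """Hypothetical stand-in for the ITIM/TAM E-SSO pair: `authorizations` holds the
    (person, account) pairs approved in the access request; `privilege_type` maps
    each shared account to its business privilege type."""
    def __init__(self, authorizations, privilege_type):
        self.authorizations = set(authorizations)
        self.privilege_type = dict(privilege_type)
        self.audit: list = []    # every check-out, with the person who made it

    def check_out(self, person, account, when, justification=""):
        if (person, account) not in self.authorizations:
            raise PermissionError(f"{person} has no authorization record for {account}")
        if self.privilege_type.get(account) in JUSTIFICATION_REQUIRED and not justification:
            raise ValueError(f"{account} requires a business justification")
        rec = CheckoutRecord(account, person, justification, when)
        self.audit.append(rec)
        return rec               # the SSO layer injects the password; the user never sees it

    def check_in(self, rec, when):
        rec.checked_in = when

    def who_used(self, account, when):
        """Map a native event ("administrator signed on to SAP at T") back to the
        person(s) holding the shared ID at T, which the raw SAP log cannot tell you."""
        return sorted(r.person for r in self.audit
                      if r.account == account and r.checked_out <= when
                      and (r.checked_in is None or when <= r.checked_in))

def demo():
    """Constructed scenario: Joe and Ann share the SAP administrator ID."""
    t = lambda h, m: datetime(2009, 5, 1, h, m, tzinfo=timezone.utc)
    sap = "administrator@SAP-PRD"
    broker = SharedIdBroker({("joe", sap), ("ann", sap)}, {sap: "emergency"})
    broker.check_in(broker.check_out("joe", sap, t(9, 0), "INC-0001 restore batch job"), t(9, 45))
    broker.check_out("ann", sap, t(10, 0), "CHG-0042 patch window")
    return broker.who_used(sap, t(9, 30)), broker.who_used(sap, t(10, 30))
```

`demo()` returns `(['joe'], ['ann'])`: the same native "administrator" logon resolves to a different person depending on who held the check-out at that time.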
Shared privilege identity management: solution provided through services
- Authorized shared privileged access
- Flagged shared privileged accounts: user ID, password, group (controls the access privilege)
- Shared privileged services
Agenda: How to create and maintain compliance
After log capture, translation is next
Log sources: Windows, z/OS, AIX, Oracle, SAP, ISS, FireWall-1, Exchange, IIS, Solaris.
To comprehend each source today you need a matching expert: a Windows expert, a z/OS expert, an AIX expert, an Oracle expert, a SAP expert, an ISS expert, a FireWall-1 expert, an Exchange expert, an IIS expert and a Solaris expert.
Now all logs in your enterprise in a single language
Log sources: Windows, z/OS, AIX, Oracle, SAP, ISS, FireWall-1, Exchange, IIS, Solaris.
Comprehend: TCIM translates the logs to English (W7).
TCIM saves your information security and compliance staff time and money by automating monitoring across the enterprise.
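What "translating logs to a single language" buys you is that one question can be asked once across every platform. This added example (not TCIM code) normalizes two constructed native dialects, an sshd syslog line and a key=value Windows-style collector line, into a seven-field record shaped like TCIM's W7 (who, what, when, where, where from, where to, on what); the field names, regexes, sample lines and privileged-ID list are this example's own assumptions.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class W7:
    """Normalized event: who did what, when, where, where from, where to, on what
    (the W7 shape used by TCIM; the field names are this example's own)."""
    who: str
    what: str
    when: str
    where: str
    where_from: str
    where_to: str
    on_what: str

# Constructed sample lines in two native dialects: an sshd syslog line from a Unix host
# and a key=value security-event line in the style of a Windows collector.
SAMPLE_LOGS = [
    "May  1 09:00:12 aix01 sshd[4242]: Failed password for root from 10.1.2.3 port 5022 ssh2",
    "May  1 09:00:40 aix01 sshd[4251]: Accepted publickey for joe from 10.1.2.9 port 5030 ssh2",
    "2009-05-01T09:01:05Z host=WIN-SRV01 user=Administrator src=10.1.2.3 outcome=Failure",
    "2009-05-01T09:03:11Z host=WIN-SRV01 user=svc_backup src=10.1.2.20 outcome=Success",
]

SSHD = re.compile(r"^(?P<when>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sshd\[\d+\]: "
                  r"(?P<result>Failed|Accepted) \S+ for (?P<user>\S+) from (?P<src>\S+)")
WIN = re.compile(r"^(?P<when>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                 r"src=(?P<src>\S+) outcome=(?P<outcome>\w+)")

def normalize(line):
    """Translate one native line into W7, or return None if no dialect matches."""
    if m := SSHD.match(line):
        what = "logon failure" if m["result"] == "Failed" else "logon success"
        return W7(m["user"].lower(), what, m["when"], m["host"], m["src"], m["host"], "sshd")
    if m := WIN.match(line):
        what = "logon failure" if m["outcome"] == "Failure" else "logon success"
        return W7(m["user"].lower(), what, m["when"], m["host"], m["src"], m["host"], "Security")
    return None

PRIVILEGED = {"root", "administrator"}   # constructed list of flagged privileged IDs

def privileged_failures(lines):
    """One question, asked once across all platforms: which privileged IDs failed to log on, from where?"""
    events = [e for e in map(normalize, lines) if e]
    return [(e.who, e.where, e.where_from) for e in events
            if e.what == "logon failure" and e.who in PRIVILEGED]
```

Run against `SAMPLE_LOGS`, `privileged_failures` returns the root failure on aix01 and the Administrator failure on WIN-SRV01, both from 10.1.2.3, without the analyst needing to know either native format.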
Demonstrate compliance
- Reporting DBs and aggregation DBs
- Quick drill-down
- Policy exceptions
- Special attentions
- Failures
- Trends
- Enterprise overview
- Reports distribution
- Self-audit
Event Detail
An Event Detail Report: drill down into a specific event and see all of its details; you can even go to the raw log file.
Key Solution Functions
- Centralized web-based management of privileged IDs
  - Provisioning
  - Access management (who can access)
  - Change password
  - Password reset
  - De-provisioning
  - Approval workflows
- Single sign-on with real-time privileged ID access control
  - On-demand check-in/check-out and verification of privileged IDs
  - Single sign-on to all systems with a privileged ID
  - Easy onboarding of applications through visual profiling
- Comprehensive audit trail and reporting
  - Logs for password provisioning, change, reset and de-provisioning
  - Logs for check-in/check-out, by user and application
Putting it all together: Privileged Identity Management solutions
- Leverage your IAM infrastructure (Tivoli Identity Manager helps here)
  - Approval workflows
  - Ensure password management and regular password changes
  - Centralized ID management, password management and password store improve overall control and security
  - Password reset
- Exploit your SSO infrastructure (TAM E-SSO helps here)
  - Utilise check-in/check-out
  - Single sign-on for all privileged IDs
- Access control (TAMOS helps here)
  - Limit the rights of privileged users
- Leverage your SIM infrastructure (TCIM helps here)
  - Audit real user access
  - Audit privileged identity access
  - Correlate and report
IBM Tivoli Identity, Access, and Audit Management Suite provides a complete solution for cost-effective privileged identity management
Lifecycle phases: Define Controls; Enroll & Proof Users; Issue & Manage User Rights; Enforce Access Control; Monitor, Audit, Report.
Products: Tivoli Security Policy Manager, Tivoli Compliance Insight Manager, Tivoli Access Manager for Operating Systems, Tivoli Access Manager for Enterprise Single Sign-On, Tivoli Federated Identity Manager, Tivoli zSecure Family, IBM RACF, Tivoli Identity Manager, IBM Entity Analytics.