Access Governance in a Cloudy Environment
Nabeel Nizar, VP Worldwide Solutions Engineering, Saviynt
@nabeelnizar | Nabeel.Nizar@saviynt.com
Questions this deck addresses:
- How do I manage multiple cloud instances from a single place?
- Is my sensitive data already on the cloud?
- How do I keep up with a changing IT landscape?
- Who are the privileged users on the cloud?
- Who is doing what on the cloud?
- How do I know whether a workload is approved by the business?
Cloud Security Concerns: Data Platforms
- Data platforms (file sync/share and collaboration suites) use a discretionary access control (DAC) model: any user with read rights to a file can share it with anyone else, internally or externally.
- End users can set files to be open to everyone on the Internet.
- A link to a file can be generated and shared anonymously with any number of users, with no tracking of who used it.
- There is no other data exfiltration point to guard (email gateway, USB) as in a traditional enterprise: if people have access to the data, they can log in from anywhere and download it, print it, or photograph it.
- Encryption of data at rest protects against compromise of the provider, not against misuse by an authorized account.
Cloud Security Concerns: Infrastructure Platforms
- The risk of not managing access is very high: one mistake or one compromised account can bring down the entire data center in seconds.
- Infrastructure as a Service has a complex architecture and security model because of the number of services offered; Amazon released 200+ capabilities and services in 2015 alone.
- IaaS includes servers of different types, databases, storage, and more. Access management has to be extended to entities (servers, databases, etc.), not just users.
- Companies also run multiple AWS / Azure accounts with no visibility or management across accounts.
- Access to all services is controlled through policies, which in AWS are JSON documents. Security and audit teams have no real resolution of what access a policy grants unless someone reads the JSON: wildcards, NotAction and Condition blocks all change the effective permissions.
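What "reading the JSON" actually involves is shown by the following added example (not code from the slides or from Saviynt). It loads a constructed IAM policy document that looks scoped to one S3 bucket, resolves individual requests against it using the documented IAM rules (explicit Deny beats Allow, implicit deny otherwise, wildcard matching, case-insensitive action names), and flags the statements an auditor must read rather than trust. Condition blocks are reported but not evaluated, and a Deny carrying a Condition is treated as always in force; both are simplifications of this example.

```python
"""Resolve what an AWS IAM policy document actually grants.

Added example for this page; not code from the slides or from Saviynt.
The policy below is constructed. Evaluation follows the IAM rules that
matter for an auditor: explicit Deny beats Allow, anything not allowed is
denied, '*' and '?' are wildcards, action names are case-insensitive.
Simplifications (assumptions of this example): Condition blocks are not
evaluated, only reported; a Deny carrying a Condition is treated as always
in force.
"""
import fnmatch
import json

# Constructed policy: looks scoped to one bucket, but the NotAction statement
# quietly grants every non-Organizations API on every resource, and it is not
# gated by the MFA condition that the iam:* statement carries.
POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::finance-reports", "arn:aws:s3:::finance-reports/*"]},
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Effect": "Allow", "NotAction": "organizations:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::finance-reports/*"}
  ]
}"""


def load_policy(text=POLICY_JSON):
    return json.loads(text)


def _as_list(value):
    """IAM allows a string or a list in Action/Resource fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers(patterns, value, negate):
    """Wildcard match of one value against Action/Resource (or the Not* variants)."""
    hit = any(fnmatch.fnmatchcase(value, p) for p in patterns)
    return not hit if negate else hit


def statement_matches(stmt, action, resource):
    """True if the statement applies to this action on this resource."""
    action = action.lower()
    if "Action" in stmt:
        action_hit = _covers([a.lower() for a in _as_list(stmt["Action"])], action, False)
    else:  # NotAction: everything except the listed actions
        action_hit = _covers([a.lower() for a in _as_list(stmt.get("NotAction"))], action, True)
    if "Resource" in stmt:
        resource_hit = _covers(_as_list(stmt["Resource"]), resource, False)
    else:  # NotResource: everything except the listed resources
        resource_hit = _covers(_as_list(stmt.get("NotResource")), resource, True)
    return action_hit and resource_hit


def evaluate(policy, action, resource):
    """Return 'deny', 'allow' or 'allow-if-condition' for one request."""
    decision = "deny"  # implicit deny until an Allow matches
    for stmt in policy["Statement"]:
        if not statement_matches(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"  # explicit deny overrides every Allow
        if "Condition" in stmt:
            if decision == "deny":
                decision = "allow-if-condition"
        else:
            decision = "allow"  # an unconditional Allow supersedes a conditional one
    return decision


def risky_statements(policy):
    """Flag Allow statements an auditor must read rather than trust."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        reasons = []
        if "NotAction" in stmt:
            reasons.append("NotAction: grants every action except those listed")
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action"))):
            reasons.append("wildcard action")
        if "NotResource" in stmt:
            reasons.append("NotResource: applies to every resource except those listed")
        if "*" in _as_list(stmt.get("Resource")):
            reasons.append("Resource '*'")
        if reasons:
            findings.append((i, reasons))
    return findings


if __name__ == "__main__":
    policy = load_policy()
    for action, resource in [("s3:GetObject", "arn:aws:s3:::finance-reports/q1.pdf"),
                             ("s3:DeleteObject", "arn:aws:s3:::finance-reports/q1.pdf"),
                             ("iam:CreateUser", "*"),
                             ("organizations:CreateAccount", "*")]:
        print(f"{action:28} {resource:40} {evaluate(policy, action, resource)}")
    for index, reasons in risky_statements(policy):
        print(f"statement {index}: {', '.join(reasons)}")
```

The point of the run is the third request: `iam:CreateUser` resolves to an unconditional `allow`, because the NotAction statement grants it without the MFA condition the `iam:*` statement carries. A reviewer who only reads the first two statements, or a tool that only lists action names, would report that IAM access requires MFA.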
Cloud Security Concerns: Applications as a Service
- Your most critical data (customer data, HR data, in some cases financial data, the CMDB) sits in cloud applications.
- Logs from cloud applications are limited, so access is the primary security control.
- It is not easy to tell who really has access to what: roles and profiles are managed by the business in most cases, with no standard structure deployed.
- Most companies synchronize access with Active Directory and do single sign-on. That is not enough:
  - no management of highly privileged users for these applications
  - no segregation of duties for the critical data sitting in them
Cloud Identity Governance Capabilities: who has access to what, and who is doing what, across cloud applications, data and infrastructure.
- Import fine-grained access permissions and usage activity
- Continuous controls monitoring: out-of-the-box controls for all major cloud application, collaboration and infrastructure vendors
- Preventative access controls: intercept grants of access to files or roles; evaluate new instances being spun up against business policies
- High-risk access and usage certification: certify critical data access, orphan and critical infrastructure components, and fine-grained application entitlements
- Data classification: content-, identity-, access- and usage-based classification of data on the cloud
- Easy access request and provisioning: a standardized way to request specific access to cloud applications
- Segregation of duty / business policy implementation across all cloud providers
- User behavior and security analytics: behavior-based models to detect anomalous user and system behavior
Evolution of IGA: IGA 2.0 addresses today's and future business requirements

  Current state (IGA 1.0)                                        Future state (IGA 2.0)
  1 Limited to coarse-grained, flat access management            1 Hierarchical fine-grained entitlement model
  2 No support for unstructured data or workloads                2 Managed resources can be data / workloads / transactions / functions
  3 No real-time preventive access control                       3 Deep integration with cloud applications and infrastructure
  4 Cannot easily scale to hundreds of objects, privileges,      4 Intelligent analytics, risk-based IAM processes
    entitlements
Extend IGA to secure critical assets in cloud IaaS / SaaS / PaaS. The framework has three layers of questions:
- Visibility: Who has access to what? Is there sensitive data? Are there vulnerable workloads? Who are my riskiest users?
- Protect: How can I ensure appropriate access at all times? Can I enforce SOD rules and security policies? How can I secure, in real time, access to sensitive data or critical workloads?
- Manage (how do I stay clean?): Can I stay ahead of new threats? Is this activity suspicious?
Step 1 (Visibility): a 360° view of user access, data and activity across the cloud.
A scalable security warehouse consolidates user access, data and activity across cloud and enterprise:
- Accounts: the same person's identities (e.g. Jdoe, J.doe, JohnD) correlated to one user
- Data: PDF, DOC, IP, code, S3 objects
- Access: sites / lists / folders, IAM groups and permissions, Opportunities and permission sets
- Activity: audit logs, CloudTrail logs, CloudWatch, usage
Understanding how final access has been derived is crucial for provisioning.
Gain better visibility by identifying the riskiest users through classification (PCI / PHI / PII, intellectual property, source code, custom tags, regex matches; for infrastructure: VPC, open ports, configuration, tags) combined with access outlier analysis / User Behavior Analytics (UBA).
Cohesiveness asks whether people within a peer group have access in common, where the peer group is built from an identity attribute such as job key, division, department, manager or title. The deck's illustration shows John Doe (Funds Analyst, Asset Management division, Funds department, manager J. Smith) with per-attribute cohesiveness scores between 64% and 96%. The goal is not only to identify who has access to sensitive data, but whose access is an outlier among their peers, resulting in a prioritized, risk-based approach to remediation.
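The following is an added example of that peer-group analysis, not Saviynt's analytics. It runs over a constructed entitlement feed of the kind a security warehouse would hold after importing fine-grained permissions. Assumptions of the example: a peer group is the set of users sharing one attribute value (department here, but any warehouse attribute works); cohesiveness is the mean pairwise Jaccard similarity of members' entitlement sets; an entitlement is an outlier for a user when few of that user's peers hold it; and outliers are ranked by an assumed per-entitlement risk tier so the riskiest go to review first.

```python
"""Peer-group cohesiveness and access-outlier detection over an entitlement feed.

Added example for this page; not Saviynt's analytics. The user records are
constructed. Assumptions: a peer group is the set of users sharing one
attribute value; cohesiveness is the mean pairwise Jaccard similarity of
members' entitlement sets; an entitlement is an outlier for a user when few
of the user's peers hold it; outliers are ranked by an assumed risk tier.
"""
from itertools import combinations

# Constructed sample: what a security warehouse would hold after importing
# fine-grained entitlements from SaaS, collaboration and IaaS connectors.
USERS = [
    {"id": "jdoe",   "dept": "Funds",    "title": "Funds Analyst",
     "ents": {"SFDC:Opportunities:Read", "O365:Funds-Site:Member",
              "AWS:finance-reports:Read", "AWS:prod-admin"}},
    {"id": "jsmith", "dept": "Funds",    "title": "Funds Analyst",
     "ents": {"SFDC:Opportunities:Read", "O365:Funds-Site:Member",
              "AWS:finance-reports:Read"}},
    {"id": "aray",   "dept": "Funds",    "title": "Funds Analyst",
     "ents": {"SFDC:Opportunities:Read", "O365:Funds-Site:Member",
              "AWS:finance-reports:Read"}},
    {"id": "bkim",   "dept": "Funds",    "title": "Funds Associate",
     "ents": {"SFDC:Opportunities:Read", "O365:Funds-Site:Member"}},
    {"id": "ppatel", "dept": "Platform", "title": "Cloud Engineer",
     "ents": {"AWS:prod-admin", "AWS:cloudtrail:Read"}},
    {"id": "mlee",   "dept": "Platform", "title": "Cloud Engineer",
     "ents": {"AWS:prod-admin", "AWS:cloudtrail:Read"}},
]

# Assumed risk tiers (higher is worse); anything not listed is tier 1.
ENTITLEMENT_RISK = {"AWS:prod-admin": 3, "AWS:finance-reports:Read": 2}


def peer_groups(users, key="dept"):
    """Group users by one identity attribute."""
    groups = {}
    for user in users:
        groups.setdefault(user[key], []).append(user)
    return groups


def jaccard(a, b):
    """Overlap of two entitlement sets, 0..1 (two empty sets count as identical)."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0


def cohesiveness(users, key="dept"):
    """Per peer group: how much access do members have in common? (0..1)"""
    result = {}
    for name, members in peer_groups(users, key).items():
        pairs = list(combinations(members, 2))
        if not pairs:
            result[name] = 1.0  # a group of one is trivially cohesive
            continue
        result[name] = sum(jaccard(x["ents"], y["ents"]) for x, y in pairs) / len(pairs)
    return result


def outlier_access(users, key="dept", max_prevalence=0.25):
    """Entitlements held by a user that few of the user's peers hold.

    Prevalence is measured among the *other* members so that a user's own
    grant cannot make an entitlement look common in a small group.
    Returns (user id, entitlement, prevalence) tuples, riskiest first.
    """
    findings = []
    for members in peer_groups(users, key).values():
        if len(members) < 2:
            continue  # no peers to compare against
        for user in members:
            peers = [m for m in members if m is not user]
            for ent in user["ents"]:
                prevalence = sum(ent in p["ents"] for p in peers) / len(peers)
                if prevalence <= max_prevalence:
                    findings.append((user["id"], ent, prevalence))
    findings.sort(key=lambda f: (-ENTITLEMENT_RISK.get(f[1], 1), f[2], f[0]))
    return findings


if __name__ == "__main__":
    for group, score in cohesiveness(USERS).items():
        print(f"{group:10} cohesiveness {score:.0%}")
    for user, ent, prevalence in outlier_access(USERS):
        print(f"review: {user} holds {ent}, shared by {prevalence:.0%} of peers")
```

On this data the Platform group is fully cohesive, Funds scores about 72%, and the single item sent for review is jdoe's `AWS:prod-admin`, which none of the other Funds users hold. Running the same functions with `key="title"` or `key="manager"` gives the other per-attribute scores the slide illustrates; in practice the entitlement is certified when it is an outlier under several attributes at once.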
Step 2 (Protect): actively secure critical assets on IaaS / SaaS / PaaS.
Leverage role and rule mining techniques enhanced with usage analytics: derive enterprise roles and application-level roles, and derive common attributes from users with similar entitlements to arrive at rules.
Combine policies and roles (ABAC and RBAC) to achieve a flexible security model and reduce end-user impact with automation. A switch determines whether an access request is auto-submitted or automatically granted when all conditions are met.
Extend policies to provision access to data, transactions and workloads: data access policies and infrastructure access policies.
... and enforce in real time to protect sensitive assets. Flow of the Saviynt real-time security plug-in on an Office 365 tenant:
1. The plug-in listens for selected events on the tenant.
2. A user uploads a document to Office 365.
3. Saviynt performs data classification and risk analysis.
4. The document is released to the end user based on an approval decision, or immediately if no data access policy is violated.
5. The user shares the document internally or externally / assigns permissions.
6. Saviynt validates and executes the data access policy: send for additional approvals, remediate, encrypt, remove the share URL, etc.
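The following added example (not Saviynt's Office 365 plug-in) simulates that flow end to end, joining the classification of the visibility slide with the enforcement of this one: upload events are classified, the labels are remembered per document, and later share events are judged against a data access policy. Everything in it is assumed: the event shape, the regex classifiers (card numbers confirmed with a Luhn check, US SSN, AWS access key IDs, a custom CONFIDENTIAL tag), the policy table, and the constructed event list. Real Office 365 events arrive through Microsoft's APIs; nothing here calls them.

```python
"""Classify uploaded content and enforce a data access policy on share events.

Added example for this page; not Saviynt's Office 365 plug-in. It simulates
the flow in the slides (upload -> classify -> share -> policy decision) over a
constructed event list. The event shape, classifiers, policy and events are
all assumptions of this example; no Microsoft API is called.
"""
import re

CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
AWS_ACCESS_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
CUSTOM_TAG = re.compile(r"\bCONFIDENTIAL\b")


def luhn_ok(digits):
    """Mod-10 check that separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text):
    """Return the set of data labels found in a document's content."""
    labels = set()
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            labels.add("PCI")
    if SSN.search(text):
        labels.add("PII")
    if AWS_ACCESS_KEY.search(text):
        labels.add("SECRET")
    if CUSTOM_TAG.search(text):
        labels.add("CONFIDENTIAL")
    return labels


def decide(labels, scope):
    """Assumed data access policy: what happens to a share of labelled content."""
    if not labels:
        return "allow"
    if scope == "anonymous_link":
        return "block_remove_share_url"  # untracked links never carry sensitive data
    if scope == "external":
        if labels & {"PCI", "SECRET"}:
            return "block_remove_share_url"
        return "pending_approval"  # PII / CONFIDENTIAL leave only with sign-off
    return "allow"  # internal share


class DataAccessEnforcer:
    """Keeps per-document classification from upload and judges later shares."""

    def __init__(self):
        self.labels = {}

    def handle(self, event):
        doc = event["doc"]
        if event["type"] == "upload":
            self.labels[doc] = classify(event["content"])
            # Release immediately unless a secret was found, which is held for review.
            return "pending_approval" if "SECRET" in self.labels[doc] else "allow"
        if event["type"] == "share":
            return decide(self.labels.get(doc, set()), event["scope"])
        raise ValueError(f"unknown event type {event['type']}")


# Constructed events in the order the slides describe.
EVENTS = [
    {"type": "upload", "user": "jdoe", "doc": "q1-card-batch.csv",
     "content": "name,card\nA. Ray,4111 1111 1111 1111\n"},
    {"type": "share", "user": "jdoe", "doc": "q1-card-batch.csv", "scope": "external"},
    {"type": "share", "user": "jdoe", "doc": "q1-card-batch.csv", "scope": "anonymous_link"},
    {"type": "upload", "user": "aray", "doc": "roster.docx",
     "content": "Employee SSN 123-45-6789 on file"},
    {"type": "share", "user": "aray", "doc": "roster.docx", "scope": "external"},
    {"type": "upload", "user": "bkim", "doc": "notes.txt", "content": "lunch at noon"},
    {"type": "share", "user": "bkim", "doc": "notes.txt", "scope": "anonymous_link"},
]


def run_events(events=EVENTS):
    """Replay events through one enforcer; returns (user, doc, type, decision) rows."""
    enforcer = DataAccessEnforcer()
    return [(e["user"], e["doc"], e["type"], enforcer.handle(e)) for e in events]


if __name__ == "__main__":
    for user, doc, kind, decision in run_events():
        print(f"{user:6} {kind:6} {doc:20} -> {decision}")
```

Two design choices matter for a real deployment. Classification happens once, at upload, and the decision at share time is made from the stored labels; otherwise every share of a large file would re-scan it. And the card detector pairs a loose regex with a Luhn check, which removes most order numbers and IDs that happen to be 13 to 19 digits long; a production classifier would add dictionaries and document-type context on top.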
Step 3 (Manage): threats evolve, so should security.
Automate access control with identity event-based provisioning policies and access requests.
Include sensitive cloud assets in risk-based outlier access certification processes:
- Certify only 5-10% of entitlements and access to obtain more than 80% of the revokes
- Eliminate rubber stamping
- Improve the end-user experience with access risk decision tools
Continuously detect weak points in your cloud infrastructure and take corrective action with extensive risk signatures.
Leverage event rarity and behavior analytics on user activity (a behavior profile per user) to quickly isolate risky actions, and integrate IGA processes with security incident management processes.
Easy and intelligent access request, with a role-based modular screen layout:
- Access request (for self)
- Access request (for others)
- New user registration (delegated / central)
- Update user profile
- Approvals
- Password management
- Infrastructure / badge request
- Service account request
Intelligent access request dashboard.
Application-as-a-Service dashboard: detailed dashboards highlighting risks and events for each application.
Comprehensive controls to detect weak points in your cloud infrastructure and take corrective action.
Centralize, extend, be smart: a holistic security architecture provides better visibility, better detection, and optimized cost.
Cloud Access Governance and Intelligence, spanning cloud, on-premise and managed environments, for B2E, B2B and B2C IAM:
- Continuous controls monitoring
- Intelligent access request / review
- Application SOD management
- Role / privilege / policy design and management
- Data access governance
- Privileged access governance and monitoring
- Infrastructure access governance
- Usage, peer and behavior analytics
360° view of identity, access, entitlements, controls, data, usage, audit, risk, events and configuration security, across infrastructure, data and applications, cloud or enterprise.
Three questions: Who has access to what? What does the access secure? What are they doing?
Saviynt + Microsoft provides comprehensive enterprise IAM and cloud access governance for critical applications.
- Managed targets: cloud IaaS and SaaS apps, AD, Azure AD, business-critical apps, physical assets; e.g. Azure, O365, Concur, AWS, Docker, WebEx, Slack, Ariba, SAP, Oracle EBS, Workday, SFDC
- Microsoft (identity management and security management): MIM + ADFS + EMS; IDaaS + IDM; federation / SSO / MFA; mobility management
- Saviynt Security Manager (identity governance, IGA-as-a-service, integrated via REST APIs): cloud identity warehouse, identity management / provisioning, intelligent access request, SOD management, compliance monitoring, risk-based certification, identity and usage analytics, role / rule engineering and management, fine-grained provisioning connectors
Questions?