Managing the Risk of Privileged Accounts and Passwords
Definition: Privileged Account / Privileged Management
- Obviously, accounts with special or elevated permissions
- Windows: every workstation and server has a local administrator account; every enterprise has service accounts that run services; sets of administrators
- *nix: root, and every system has this
- Network devices (firewalls, switches, routers) all have root accounts, and most share common passwords
- Accounts buried in scripts that run on a schedule
- The ultimate insider threat
Keywords: Administrator, root, local account, audit admins, insider threat
Privileged accounts are special
- Authentication: one password, shared across lots of people (anonymous)
- Authorization: rights are all or nothing (SUPERusers)
- Audit: don't know what is done with admin rights or who did it
- You need admin access to do any of this stuff
Concepts:
- Increasing security produces management and administrator overhead.
- If you don't make administration easy for your admins/users, they will find a way to make it easy, and you won't like how they do it.
- If more than one person knows the password to any account, auditing the activities of that account is pointless.
Scenario: We realize shared accounts are a problem.
- The first step in remediation is realizing you have a vulnerability.
- Ignored due to the effort required to manage correctly.
- Manual processes (if done at all) only move the vulnerability and significantly increase the effort of administration.
- Are we meeting STIG requirements?
- What does this look like when done manually?
Some Steps in the Right Direction
- Realize where privilege lives and what "privileged account" means to you
- Know where the accounts exist
- Determine what to control: all accounts beyond basic user? Just the most powerful or vulnerable?
- Act like it's not a problem.
Some Steps in the Right Direction (continued)
- How is this influenced by CAC or PIV? CAC/PIV-enabled admins; CAC/PIV-enabled service accounts; dual certs
- Understand the capabilities of the technology: what can be done manually? Do I need automation?
- Determine a workable path
Scenario: Day-to-day Administration
- Admins need to connect quickly
- Challenge: add a security layer without making their jobs impossible
- Auditing changes behavior
- PtH (pass-the-hash)
- Need to add security with some level of convenience
The historical problem with privileged accounts
- No individual accountability: no non-repudiation!
- Most powerful, yet least protected
- Admins comfortable with the keys to the kingdom
- Difficult/impossible to manage
- Ignoring compliance requirements
- Often embedded in applications and scripts
- Unable to comply with regulations
- Employee turnover
Automating Privileged Account Management: a few benefits
- Obvious: increases security
- Satisfies audit demands by eliminating the sharing of privileged accounts
- Increases efficiency and decreases privileged-user frustration by streamlining access
- Delivers individual accountability for shared-account access
- Deploys easily as a secure, scalable, purpose-built appliance
- Reduces the effort of providing access reports for your next audit
Getting to the point using an automated solution
- Control all privileged accounts from a single point
- Use role-based password requests with check-out/check-in and approval
- Audit all privileged account use
- Nearly eliminate vulnerabilities such as pass-the-hash
- Provide a controlled interface for all administration sessions, passwords, etc.
- Remove embedded passwords from scripts
- PIV/CAC-enable administration without dual certs
- Autodiscover and control new accounts as they are created
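The check-out/check-in workflow with approval described above, as an added illustration (not code from the slides or from any One Identity product): a hypothetical in-memory vault that alone holds each password, refuses requests outside the requester's role, requires an approver other than the requester, attributes each check-out to one named person, and rotates the password on check-in so no individual keeps a working copy. The account and user names are constructed sample values.

```python
import secrets
import string
from dataclasses import dataclass, field


@dataclass
class Vault:
    """Hypothetical vault model: the vault alone holds each secret; every request
    is role-checked, approved by someone else, attributed to one named person,
    and the password is rotated on check-in so nobody keeps a working copy."""
    passwords: dict = field(default_factory=dict)    # account -> current secret
    roles: dict = field(default_factory=dict)        # role -> accounts it may request
    checked_out: dict = field(default_factory=dict)  # account -> user holding it
    audit: list = field(default_factory=list)        # (event, account, user, approver)

    @staticmethod
    def new_password(length=24):
        alphabet = string.ascii_letters + string.digits
        return "".join(secrets.choice(alphabet) for _ in range(length))

    def add_account(self, account, role):
        # The vault generates the password; no person ever picks it or keeps it
        self.passwords[account] = self.new_password()
        self.roles.setdefault(role, set()).add(account)

    def checkout(self, user, role, account, approver):
        if account not in self.roles.get(role, set()):
            self.audit.append(("denied-role", account, user, approver))
            raise PermissionError(f"role {role} may not request {account}")
        if not approver or approver == user:
            self.audit.append(("denied-approval", account, user, approver))
            raise PermissionError("independent approval is required")
        if account in self.checked_out:
            self.audit.append(("denied-held", account, user, approver))
            raise RuntimeError(f"{account} is held by {self.checked_out[account]}")
        self.checked_out[account] = user  # exclusive: one named holder at a time
        self.audit.append(("checkout", account, user, approver))
        return self.passwords[account]

    def checkin(self, user, account):
        if self.checked_out.get(account) != user:
            raise RuntimeError(f"{account} is not held by {user}")
        del self.checked_out[account]
        self.passwords[account] = self.new_password()  # rotate: old value now useless
        self.audit.append(("checkin-rotated", account, user, None))

    def holder(self, account):
        return self.checked_out.get(account)
```

Because every entry in `audit` names the requester and approver, the "who did it" question from the earlier slides has an answer even though the account itself is shared.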
How to: One Identity Safeguard
- Modules: Password Module, Session Module, Future 1 Module, Future 2 Module
- Provide a modular platform
- Create a common Console and API
- Shared platform services: Authentication; Roles / Permissions / Policies; Reporting / event logging; Licensing / Documentation
Securing the solutions that protect your privileged accounts
- Hardened appliance
- Full AES disk encryption
- FIPS 140-2 & ISO 27001
- Embedded hardware firewall
- Purpose-built for security
- No direct access of any kind
- Audit
Wrap-up concept review:
- Increasing security produces management and administrator overhead.
- If you don't make administration easy for your admins/users, they will find a way to make it easy, and you won't like how they do it.
- If more than one person knows the password to any account, auditing the activities of that account is pointless.
Getting IAM Right with the Industry's Broadest Product Portfolio

Access Management
- Customer challenges: managing and securing hybrid Active Directory environments; streamlining the IT workload for user lifecycle management; unifying user logons and strengthening authentication; password management; secure remote access
- Key products:
  - Active Roles: overcome the shortcomings of native tools to streamline AD and AAD user and group administration and increase security over administrator access in the hybrid AD environment
  - Cloud Access Manager: web access management, single sign-on and federation, along with secure remote access and adaptive risk-based security
  - Password Manager: self-service password resets, granular password policy, and helpdesk automation for AD and beyond
  - Enterprise Single Sign-on: single sign-on and security for legacy applications
  - Defender: flexible, affordable, and powerful multifactor authentication
  - Starling Two-factor Authentication: multifactor authentication as a service

Identity Governance
- Customer challenges: unifying enterprise provisioning; quickly embracing the move to the cloud; enabling users and the line of business; governance for access, data, and privileged accounts; adaptive risk-based security
- Key products:
  - One Identity Manager: enterprise provisioning and governance, including end-to-end identity lifecycle management, line-of-business self-service, attestation/recertification, process orchestration, and rapid response to changing requirements
  - One Identity Manager Data Governance Edition: governance, request, and fulfillment for unstructured data, including file shares, SharePoint, and other sources
  - Connect for Cloud: easily extend the capabilities of One Identity Manager to cloud-based applications and services without heavy programming and onerous integration burdens

Privileged Management
- Customer challenges: assigning individual accountability to administrator access and activities; eliminating password sharing; auditing activities performed with elevated credentials; enforcing separation of duties (SoD)
- Key products:
  - Privileged Password Manager: password vaulting for any elevated credential with powerful workflows, approvals, and automation, including service accounts, A2A, and A2DB access scenarios, on an ultra-secure appliance
  - Privileged Session Manager: session audit for activities performed via Privileged Password Manager
  - Privileged Access Suite for Unix: Active Directory bridging, Unix/Linux root delegation, and sudo management
Dan Conrad, Federal CTO (MCSE/MCSA/MCITP, CISSP)