Managing the Risk of Privileged Accounts and Passwords


Definition: Privileged Account
Privileged Management

- Obviously, accounts with special or elevated permissions
- Windows
  - Every workstation and server has a local administrator account
  - Every enterprise has service accounts that run services
  - Sets of administrators
- *.nix
  - root: every system has this
- Network devices, firewalls, switches, routers: all have root accounts and most share common passwords
- Accounts buried in scripts that run on a schedule
- The ultimate insider threat

Keywords: Administrator, root, local account, audit admins, insider threat

Privileged accounts are special

- Authentication: One password, shared across lots of people (anonymous)
- Admin: You need admin access to do any of this stuff
- Audit: Don't know what is done with admin rights or who did it
- Authorization: Rights are all or nothing
- SUPERusers

Concepts:

- Increasing security produces management and administrator overhead.
- If you don't make administration easy for your admins/users, they will find a way to make it easy, and you won't like how they do it.
- If more than one person knows the password to any account, auditing the activities of that account is pointless.

Scenario: We realize shared accounts are a problem.

- The first step in remediation is realizing you have a vulnerability.
- Ignored due to the effort required to manage correctly.
- Manual processes (if done at all) only move the vulnerability and significantly increase the effort of administration.
- Are we meeting STIG requirements?
- What does this look like when done manually?

Some Steps in the Right Direction

- Realize where privileged lives and what privileged account means to you
- Know where the accounts exist
- Determine what to control
  - All accounts beyond basic user?
  - Just the most powerful or vulnerable?
  - Act like it's not a problem.

Some Steps in the Right Direction

- How is this influenced by CAC or PIV?
  - CAC/PIV enabled admins
  - CAC/PIV enabled service accounts
  - Dual certs
- Understand capabilities of technology
  - What can be done manually?
  - Do I need automation?
- Determine a workable path

Scenario: Day-to-day Administration

- Admins need to connect quickly
- Challenge to add a security layer but not make their jobs impossible
- Auditing changes behavior
- PtH
- Need to add security with some level of convenience

The historical problem with privileged accounts

- No individual accountability: nonrepudiation!
- Most powerful yet least protected
- Admins comfortable with keys to the kingdom
- Difficult/impossible to manage
- Ignoring compliance requirements
- Often embedded in applications and scripts
- Unable to comply with regulations
- Employee turnover

Automating Privileged Account Management

A few benefits:

- Obvious: increases security
- Satisfies audit demands by eliminating the sharing of privileged accounts
- Increases efficiency and decreases privileged user frustration by streamlining access
- Delivers individual accountability for shared account access
- Deploys easily as a secure, scalable, purpose-built appliance
- Reduces the effort in providing access reports for your next audit

Getting to the point using an automated solution

- Control all privileged accounts from a single point
- Use role-based password request with check-out/check-in with approval
- Audit all privileged account use
- Nearly eliminate vulnerabilities such as Pass-the-Hash
- Provide a controlled interface for all administration sessions, passwords, etc.
- Remove embedded passwords from scripts
- PIV/CAC enable administration without dual certs
- Autodiscover and control new accounts as they are created
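The check-out/check-in workflow listed above, sketched as an added example (not code from the presentation or from One Identity Safeguard). The `Vault` class, its role sets, the user names and the account name are assumptions made for illustration; the point it shows is that rotating the password at check-in keeps each period of use attributable to exactly one person.

```python
import secrets
from datetime import datetime, timezone

class Vault:
    """Toy model of role-based check-out/check-in for one shared account."""
    def __init__(self, account, requesters, approvers):
        self.account = account
        self.requesters = set(requesters)  # role: may request the password
        self.approvers = set(approvers)    # role: may approve a request
        self._password = secrets.token_urlsafe(24)
        self.holder = None                 # at most one person knows it
        self.pending = {}                  # requester -> stated reason
        self.audit = []                    # (time, actor, event, detail)

    def _log(self, actor, event, detail=""):
        self.audit.append((datetime.now(timezone.utc), actor, event, detail))

    def request(self, user, reason):
        if user not in self.requesters:
            self._log(user, "request_denied", "not in requester role")
            raise PermissionError(f"{user} may not request {self.account}")
        self.pending[user] = reason
        self._log(user, "requested", reason)

    def approve(self, approver, user):
        # Assumed policy: the approver holds the role and is not the requester.
        if approver not in self.approvers or approver == user:
            self._log(approver, "approve_denied", user)
            raise PermissionError("approver must hold the role and differ from requester")
        if user not in self.pending:
            raise LookupError(f"no pending request from {user}")
        if self.holder is not None:
            raise RuntimeError(f"already checked out to {self.holder}")
        reason = self.pending.pop(user)
        self.holder = user
        self._log(approver, "approved", f"{user}: {reason}")
        self._log(user, "checked_out")
        return self._password

    def check_in(self, user):
        if user != self.holder:
            raise PermissionError(f"{user} does not hold {self.account}")
        self.holder = None
        self._password = secrets.token_urlsafe(24)  # rotate: old value is dead
        self._log(user, "checked_in", "password rotated")

    def who_held(self):
        """Individual accountability: one name per check-out, in order."""
        return [actor for _, actor, event, _ in self.audit if event == "checked_out"]
```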

How to: One Identity Safeguard

- Provide a modular platform
  - Password Module
  - Session Module
  - Future 1 Mod
  - Future 2 Mod
- Create a common
  - Console and API
  - Authentication
  - Roles / Permissions / Policies
  - Reporting / event logging
  - Licensing / Documentation

Securing the solutions that protect your privileged accounts

- Hardened appliance
- Full AES disk encryption
- FIPS 140-2 & ISO 27001
- Embedded hardware firewall
- Purpose built for security
- No direct access of any kind
- AUDIT

Wrap up concept review:

- Increasing security produces management and administrator overhead.
- If you don't make administration easy for your admins/users, they will find a way to make it easy, and you won't like how they do it.
- If more than one person knows the password to any account, auditing the activities of that account is pointless.

Getting IAM Right with the Industry's Broadest Product Portfolio

Access Management

CUSTOMER CHALLENGES
- Managing and securing hybrid Active Directory environments
- Streamlining the IT workload for user lifecycle management
- Unifying user logons and strengthening authentication
- Password management
- Secure remote access

KEY PRODUCTS
- Active Roles: overcome the shortcomings of native tools to streamline AD and AAD user and group administration and increase security over administrator access in the hybrid AD environment
- Cloud Access Manager: web access management, single sign-on and federation along with secure remote access and adaptive risk-based security
- Password Manager: self-service password resets, granular password policy, and helpdesk automation for AD and beyond
- Enterprise Single Sign-on: single sign-on and security for legacy applications
- Defender: flexible, affordable, and powerful multifactor authentication
- Starling Two-factor Authentication: multifactor authentication as a service

Identity Governance

CUSTOMER CHALLENGES
- Unifying enterprise provisioning
- Quickly embrace the move to the cloud
- Enabling users and the line-of-business
- Governance for access, data, and privileged accounts
- Adaptive risk-based security

KEY PRODUCTS
- One Identity Manager: enterprise provisioning and governance including end-to-end identity lifecycle management, line-of-business self-service, attestation/recertification, process orchestration, and rapid response to changing requirements
- One Identity Manager Data Governance Edition: governance, request, and fulfillment for unstructured data including file shares, SharePoint, and other sources
- Connect for Cloud: easily extend the capabilities of One Identity Manager to cloud-based applications and services without heavy programming and onerous integration burdens

Privileged Management

CUSTOMER CHALLENGES
- Assigning individual accountability to administrator access and activities
- Eliminate password sharing
- Audit activities performed with elevated credentials
- Enforce separation of duties (SoD)

KEY PRODUCTS
- Privileged Password Manager: password vaulting for any elevated credential with powerful workflows, approvals, and automation including service accounts, A2A, and A2DB access scenarios on an ultra-secure appliance
- Privileged Session Manager: session audit for activities performed via Privileged Password Manager
- Privileged Access Suite for Unix: Active Directory bridging, Unix/Linux root delegation, and sudo management

Dan Conrad Federal CTO MCSE/MCSA/MCITP CISSP