IT infrastructure layers requiring Privileged Identity Management

Similar documents
Privileged Identity Management. An Executive Overview

Next Generation Privilege Identity Management

Automating the Top 20 CIS Critical Security Controls

Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT

McAfee Database Security

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

CSN38: Tracking Privileged User Access within an ArcSight Logger and SIEM Environment Philip Lieberman, President and CEO

Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Privilege Security & Next-Generation Technology. Morey J. Haber Chief Technology Officer

ALERT LOGIC LOG MANAGER & LOG REVIEW

Title: Planning AWS Platform Security Assessment?

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Virtual Machine Encryption Security & Compliance in the Cloud

Privileged Account Security: A Balanced Approach to Securing Unix Environments

90% of data breaches are caused by software vulnerabilities.

Point ipos Implementation Guide. Hypercom P2100 using the Point ipos Payment Core Hypercom H2210/K1200 using the Point ipos Payment Core

Integrated Access Management Solutions. Access Televentures

10 Hidden IT Risks That Might Threaten Your Business

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Compliance and Privileged Password Management

CS 356 Operating System Security. Fall 2013

locuz.com SOC Services

Performing an ObserveIT Upgrade Using the Interactive Installer

Best Practices in Securing a Multicloud World

Comprehensive Database Security

Network Device Forensics. Digital Forensics NETS1032 Winter 2018

An ICS Whitepaper Choosing the Right Security Assessment

CRYPTTECH. Cost-effective log management for security and forensic analysis, ensuring compliance with mandates and storage regulations

LOGmanager and PCI Data Security Standard v3.2 compliance

Penetration testing using Kali Linux - Network Discovery

Securing Amazon Web Services (AWS) EC2 Instances with Dome9. A Whitepaper by Dome9 Security, Ltd.

Layer Security White Paper

Carbon Black PCI Compliance Mapping Checklist

STRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

FairWarning Mapping to PCI DSS 3.0, Requirement 10

Choosing the Right Security Assessment

EXECUTIVE VIEW. One Identity SafeGuard 2.0. KuppingerCole Report

HALO IN ACTION COMPLIANCE DON T LET LEGACY SECURITY TOOLS HOLD UP PCI COMPLIANCE IN THE CLOUD. Automated PCI compliance anytime, anywhere.

Using Threat Analytics to Protect Privileged Access and Prevent Breaches

Are You Avoiding These Top 10 File Transfer Risks?

IT SECURITY FOR NONPROFITS

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

7 Steps to Complete Privileged Account Management. September 5, 2017 Fabricio Simao Country Manager

IT Needs More Control

10 FOCUS AREAS FOR BREACH PREVENTION

Best practices with Snare Enterprise Agents

Security Audit What Why

Total Security Management PCI DSS Compliance Guide

One Hospital s Cybersecurity Journey

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

6 Vulnerabilities of the Retail Payment Ecosystem

CoreMax Consulting s Cyber Security Roadmap

1 Copyright 2011, Oracle and/or its affiliates. All rights reserved. Insert Information Protection Policy Classification from Slide 7

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

Upgrading an ObserveIT One-Click Installation

Automated Firewall Change Management Securing change management workflow to ensure continuous compliance and reduce risk

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

1 Introduction to Identity Management. 2 Access needs evolve. Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Presenter Jakob Drescher. Industry. Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks.

Introduction. Deployment Models. IBM Watson on the IBM Cloud Security Overview

Vormetric Data Security

OPERA Version 4.0+ PABP Guide and PCI Data Security Standard Adherence

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

AKAMAI CLOUD SECURITY SOLUTIONS

Secret Server HP ArcSight Integration Guide

Security Solutions. Overview. Business Needs

Oracle Audit Vault Implementation

Discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches

MySQL Enterprise Security

Maximizing IT Security with Configuration Management WHITE PAPER

Oracle Database Vault

Virtualization for your enterprise. A Dell Networking White Paper

Security Fundamentals for your Privileged Account Security Deployment

Security Configuration Assessment (SCA)

ISO27001 Preparing your business with Snare

Countermeasures and Best Practices Track 1: Large Business Sophisticated IT Security Program

Minfy MS Workloads Use Case

Clearing the Path to PCI DSS Version 2.0 Compliance

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance.

Demystifying GRC. Abstract

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

8 Must Have. Features for Risk-Based Vulnerability Management and More

Bomgar Discovery Report

Unlocking the Power of the Cloud

SailPoint IdentityIQ Integration with the BeyondInsight Platform. Providing Complete Visibility and Auditing of Identities

the SWIFT Customer Security

Survey Results: Virtual Insecurity

3 Ways Businesses Use Network Virtualization. A Faster Path to Improved Security, Automated IT, and App Continuity

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

Will your application be secure enough when Robots produce code for you?

SECURING DEVICES IN THE INTERNET OF THINGS

Streamline IT with Secure Remote Connection and Password Management

Mapping BeyondTrust Solutions to

SECURITY PRACTICES OVERVIEW

SYMANTEC DATA CENTER SECURITY

Transcription:

White Paper IT infrastructure layers requiring Privileged Identity Management Abstract Much of today s IT infrastructure is structured as different layers of devices (virtual and physical) and applications. Now each installation (device or application) on each of these layers comes with its own administrative account. These credentials, in turn, have to be managed themselves to prevent security breaches. To get a sense of the scale, just one large-scale IT deployment can potentially have privileged accounts to the tune of 6-digits (>100,000) if we count all installations on all the layers. Even if the number of vulnerable credentials is a small subset of this number, an automated tool can work through them in matters of minutes. Just the thought of manually managing all of them can be very intimidating. Fortunately, automated privileged identity management systems exist for this very purpose. And the best part is that you can integrate them at all layers of your infrastructure.

White Paper 01 Overview vulnerable privileged Identities are a clear and present danger The layered architecture of IT infrastructure exists for several reasons, like flexibility in switching vendors, having separate operational team manage each layer, no single points of failures and so on. But with all these advantages comes the cost of having a multitude of systems that need to be managed separately, i.e., the administrative logins don t get mis-configured, stale or shared; instances are not published with default logins that can be looked up in the device s user manual; and other general security practices that should be followed for credentials and access rights. If an attacker gets access to just a small subset of these vulnerable credentials, he can breach the system, working as a privileged user, with complete control over the installation in question, without leaving any trace, until it s too late. With the advent of the cloud, IT is expected to work at an absolute minimum cost to ensure high service availability and consistent data security. Until now, privileged access has been difficult to secure within a large-scale, dynamic IT setup using just manual intervention and outdated software tools. This, predictably, has led to inappropriately secured privileged accounts, which has been exploited byhackers and malicious insiders. As an example, compromised credentials were the reason for 84% of stolen data, as per a 2012 Verizon survey of larger organizations that suffered data breaches. This problem of fragile and unmanaged privileged credentials can be successfully addressed by automated Privileged Identity Management solutions across the disparate layers of the IT infrastructure, which are getting more complicated each passing day.

White Paper 02 Problems managing privileged identities IT infrastructure is mostly structured as layers of devices (virtual and physical), which are home to vast numbers of rapidly changing privileged accounts (Figure 1 below), including - Administrative logins at the Operating System layer - on physical and virtual computers (Windows, Linux, UNIX, and others), as well as the privileged logins present in VM hypervisors. - Administrator and Root accounts present in shared file system layer. - Highly privileged service and process accounts on the Application and Database layers - used for application-to-application and application-to-database authentication. - Root and Admin accounts on the Network layer - present on physical and virtual network security appliances and backup appliances. Securing these privileged identities is very crucial to the secure functioning any IT setup. According to the SANS Institute, a primary method for attackers to spread inside a target enterprise is the misuse of these administrative privileges. It is tempting to reason that these administrative credentials can be managed by conventional Identity and Access Management (IAM) systems. But privileged accounts aren t typically provisioned as user logins are. Privileged accounts are found on the network whenever physical and virtual IT assets are deployed (or changed).

White Paper 03 manufacturing Privileged Idenitities - Admin; Service Accounts Used to - Access data feeds; Enable/Disable monitoring shared file system Privileged Identities - Root Admin Used to - Add/Delete User, Change user privileges, Manage storage use. applications Privileged Identities - Service Accounts, ASP.Net, Run As Used to - Modify back-end applications, After published web-content, Access DB, Transact operating system Privileged Identities - Administrator; Root; Super User Used to - Read/Copy/Alter data; Manage security settings; Manage user accounts; Run daemons; Enable/Remove shared files. database Privileged Identities - SYS, SYSDBA, SA Used to - After schema/db configs; Modify schema objects; Manage Data network Privileged Identities - Admin; Root Enable Used to - After config settings; Manage security policies; Grant/Deny/Revoke network access; Access data feeds. backup Privileged Idenitities - Administrator; Root; Service Accounts Used to - Access transaction data; Manage archives; Purge saved files; Modify backup configs Figure 1: An inventory of privileged accounts across various layers Thus, automated software (not IAM) must discover and continuously track privileged credentials. And IT regulatory mandates including Critical National Infrastructure mandates, PCI DSS, SOX, HIPAA and others require that these credentials be frequently changed, as every shared, static, or cryptographically weak privileged identity represents a potential attack surface. These privileged passwords must also be cryptographically complex. Access to these passwords must be attributed to named individuals and audited. Because of the risks introduced by unmanaged privileged identities, industry groups cite the control and auditing of privileged access as an essential cornerstone of effective cloud security. a typical example Consider an IT setup for a bank s data center. Because of the sheer transaction volume that the system can experience at any time, there are several virtualized as well as physical servers distributing the load amongst them. Also, the regulatory mandates require each

White Paper 04 transaction to be atomic, and the system fault-tolerant. This requires the system to have multiple levels of redundancy with regular monitoring of nodes over a robust network, with regular backups. On breaking the setup into various layers, we can do a high level walkthrough. Keep in mind that each installation on each of the below layers have privileged identities that need to be managed: Network Devices layer Any networked system of this scale has a whole army of routers (wired and wireless), switches, load balancers and firewalls. The hardware surge on this layer is specifically to: a) handle the immense workload that transactional systems experience; b) and to act as the first line of defense for the entire setup by being impenetrable. Operating Systems layer As deployments of scale require multiple applications running on multiple servers, each with its own hardware and software requirements, the same environment can have Linux, Windows, Solaris or, custom OS s with multiple flavors (like CentOS, Ubuntu, Debian), and versions (like Windows Server 2003, 2008) Application layer The plethora of apps, custom-made and licensed, that run on these servers need to interact with each other, and other installations like network and OS, over the line. Credentials with access to more resources than necessary are usually configured for them. Any backdoors in these apps, in case of improperly managed privileged credentials, can compromise the whole system. Database layer Though the DB is a specialized application server, it s categorized as a separate layer due to the sizeable chunk of dedicated resources it needs. It is innermost, and the most important layer to protect, even from DBAs, as any unauthorized or mis-configured access can have disastrous consequences for the organization and its customers. Shared File System layer A fairly common need in such a setup is file sharing across applications. These can be reports, or data feeds, etc. This warrants a NAS (Network Attached Storage), or SAN (Storage Area Network) installation within the deployment. Backup layer Generally an automated task, backups themselves require privileged read-only access to data that needs to be backed-up. Sometimes, though, the back-up scripts are hard-coded with super-user credentials, which in itself is very unsafe as : a) bugs in the scripts can change the original data as it can write to it; b) and access to the script would be like handing someone the keys to the treasure vault.

White Paper 05 Monitoring layer Fault-tolerant systems need to be constantly monitored, and alerts need to be raised if something goes wrong. The automated systems that handle this requirement exist outside as well as inside the setup, and generally have deep access to all resources to properly accomplish these tasks. A breach at this layer can potentially lead to data leak about the internal configuration and will be disastrous. Large setups generally, but not always, go with a specific vendor for these devices/ applications because of economies of scale. Consider the following facts: the vendor s website a) has the bank listed as a satisfied customer; b) and has the downloadable user manuals with the default privilegedcredentials printed for all to see. This is generally enough for an attacker to get started on breaking in. Each layer above can act as a blockade(with properly managed privileged identities) or a gateway(with default, static, or weak privileged identities) for hackers. Compliance standards also require the bank to have on-site and off-site Disaster Recovery (DR) setups that can be switched over to in case of failures. Thus, the DR needs to be a reasonable reproduction of the main system, with close to 75% (if not 100%) of all nodes replicated. It is more often than not, that the DR setups once provisioned lay forgotten until the next system -wide failure. This means that not only are they not up-to-date with respect to the actual system they are supposed to fill in for, but also their privileged identities need to be excavated from long overdue reminders about updating the setup. Conclusion Now that solutions have evolved to service platforms that are designed to meet IT infrastructure requirements for managing privileged identities, certificates and other file-based secrets in large, ever-changing environments, a significant operational roadblock is removed that once prevented the largest service providers (in-house or vendor) from complying with industry and regulatory requirements.

White Paper 06 Organizations these days are aware of the potential risks of the unsecured privileged accounts in their IT environments and want to work to close these gaps. A PIM solution documents potential risks present in the infrastructure, enumerating privileged accounts by hardware platform, account and service type. It then continuously secures privileged accounts everywhere on a network and provides an audit trail of each access request. About ARCON ARCON is a leading Information Security solutions company specializing in Privileged Identity Management and Continuous Risk Assessment solutions. With its roots strongly entrenchaed in identifying business risks across industries, it is in a unique position to comprehend and identify inherent security gaps in an organizations infrastructure framework and build and deploy innovative solutions/products to significantly mitigate potential risks.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback