Copyright 2015 Centrify Corporation. All Rights Reserved.
Single Identity, Multiple Services: How Do I Stay Compliant?
Wade Tongen, NA Commercial SE Manager, [email protected]
Slide 2
Agenda
Overview of Today's Environment
Common Themes of Today's Standards
Identity Topics
The New Perimeter
Controlling Privileged Access
Accountability for Privileged Actions
Slide 3
The Modern IT Enterprise
The business of IT: staff, security, infrastructure, budget, employees
Delivered increasingly through SaaS, outsourced IT and Infrastructure as a Service
Slide 4
Harder to Manage as Infrastructure Evolves
Desktops + Data Center Apps + Data Center Servers + Cloud (IaaS & PaaS) + Cloud (SaaS) + Mobile + Big Data, each carrying its own ID
Slide 5
Core Challenges in Managing Privileged Identity
Headlines: "Disgruntled IT Worker Holds Company Hostage"; "Snowden Used Low-Cost Tool to Scrape N.S.A."; "Massive Retailer Identity Theft"
Threats & breaches: over-privileged users, APTs & malware, insider threats
Modern enterprise: data center heterogeneity
Regulations: SOX, PCI, FISMA, NIST 800-53, HIPAA
Slide 6
Regulations Share Common Tenets
No matter the standard, many of the themes are the same:
Generic accounts are bad: have users access services and applications as themselves rather than as administrator, root, SA or oracle
Have a least-privilege model: if there is no business need for an access right, the user should not have it
Accountability for actions: essential for privileged actions
Lock down shared accounts: for the cases where there is no other option
Slide 7
Identity Management Needs to be Holistic
Slide 8
The Common/Weakest Link
Slide 9
Identity at the Center of Cyber Attacks
The ID sits between end users and privileged users; both paths lead through it
Slide 10
Unify Identity Management Stores Where Possible
Desktops, Data Center Apps, Data Center Servers, Cloud (IaaS & PaaS), Cloud (SaaS), Mobile and Big Data all resolve to one ID held in MS AD or LDAP
Result: a reduced identity footprint
Slide 11
The Case for a Reduced Identity Footprint
Users are, and will continue to be, the weak link in the security chain
The more identities a user has to manage, the more likely they are to:
  choose weaker passwords
  reuse the same password
  store passwords on a sticky note
  store passwords in a spreadsheet
  store passwords in a browser without institutional control
  use a personal password product
Slide 12
The Traditional Thought Was That the Firewall Was the Perimeter
This approach worked much better before the:
  explosion of virtualization
  mobile workforce
  SaaS offerings
  elastic environments
Slide 13
The Paradigm Shift Means Identity Is the New Perimeter
(slide background: the word IDENTITY repeated)
Authenticate, determine access, enforce policies, track
Slide 14
So Where Do We Consolidate? MS Windows
Use SSPI (Security Support Provider Interface), built into MS applications
Leverages Kerberos or NTLM to provide a single identity (prefer Kerberos; NTLM is the fallback when a Kerberos ticket cannot be obtained, and it does not authenticate the server to the client)
External trusts are possible between environments
Slide 15
So Where Do We Consolidate? UNIX/Linux
Use PAM (Pluggable Authentication Modules) and trust the OS for authentication
Use GSSAPI (Generic Security Services Application Program Interface), supported by open source and commercial vendors
Leverages Kerberos or NTLM to provide a single identity
External trusts are possible between environments
Slide 16
So Where Do We Consolidate? Applications
Use PAM authentication and trust the OS for authentication
Use SSPI and GSSAPI (Generic Security Services Application Program Interface)
In the data center, leverage Kerberos or NTLM
In the cloud, leverage SAML and OAuth (for sign-on, OAuth is normally used through OpenID Connect, which supplies the identity assertion that OAuth alone does not)
Slide 17
So Where Do We Consolidate? Infrastructure
Routers, switches and appliances are typically accessed via a CLI or web interface using local accounts
Externalize those accounts with protocols such as RADIUS and LDAP
Slide 18
Best Practices for Controlling Privileged Identity
Slide 19
Path to Reducing Identity-related Risk for Privileged Users
Poor risk profile: many privileged passwords; individual identities with unstructured access; many identity silos
Optimized risk profile: least-privilege access; a single identity source; a limited number of privileged accounts (root, local admin, service accounts)
Slide 20
Two Main Ways to Control Privileged Identities
Super User Privilege Management (SUPM): assigning the privilege to users or groups at the OS or device level
Shared Account Password Management (SAPM): assigning a user temporary access to accounts such as root, Administrator, SA or oracle
Slide 21
Super User Privilege Management
OS level: can grant privilege with granularity down to individual executables
  UNIX/Linux: sudo and 3rd-party tools; take extra precautions if the tool modifies the kernel
  Windows: MS GPO and 3rd-party tools
  A single cross-platform architecture would be the easiest to deploy
Applications: typically defined inside the application, but try to externalize the authentication
Appliances: typically configured in the context of the device
Slide 22
Shared Account Password Management
Typically implemented with a vaulted password held in an appliance, virtual appliance or service
The password is checked out and checked back in, or is injected into the session so the user never learns it
A complete log of who had access to which privileged account, and when
Typical needs: break glass; loss of connectivity; appliances that do not support external authentication; service accounts
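The checkout/checkin cycle on this slide, the "provided without the user knowing the password" path, and the accountability log that slide 20's SAPM approach depends on, as an added Python illustration (not Centrify product code). The dictionary and list below stand in for the appliance's encrypted store and audit database; the account name, the injectable clock and the connect() callback are hypothetical. A checkout is exclusive and time-boxed, and every path that ends a checkout (checkin or expiry) rotates the password so the value that was revealed stops working.

```python
"""Shared-account password vault with checkout/checkin, TTL, rotation and audit.

Added example, not Centrify product code. The dict and list below stand in for
the appliance's encrypted store and audit database; account names, the fake
clock and the connect() callback are hypothetical.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Checkout:
    account: str
    user: str        # the individual the shared-account use is attributed to
    reason: str      # ticket/justification recorded with the checkout
    issued_at: float
    expires_at: float


class SharedAccountVault:
    def __init__(self, ttl_seconds=900, clock=time.time):
        self._secrets = {}     # account -> current password
        self._checkouts = {}   # account -> active Checkout (one holder at a time)
        self._ttl = ttl_seconds
        self._clock = clock    # injectable so expiry can be exercised offline
        self.audit = []        # (timestamp, event, account, user, detail)

    def _log(self, event, account, user, detail=""):
        self.audit.append((self._clock(), event, account, user, detail))

    def _rotate(self, account):
        self._secrets[account] = secrets.token_urlsafe(24)

    def enroll(self, account, password, by="vault-admin"):
        self._secrets[account] = password
        self._log("enroll", account, by)

    def _holder(self, account):
        """Active checkout for the account; a lapsed one is revoked by rotation."""
        co = self._checkouts.get(account)
        if co is None:
            return None
        if co.expires_at > self._clock():
            return co
        # TTL elapsed: rotate so a password that leaked out of a forgotten
        # checkout is already dead, then record who let it lapse
        del self._checkouts[account]
        self._rotate(account)
        self._log("expire-rotate", account, co.user)
        return None

    def checkout(self, account, user, reason):
        """Reveal the password to one named individual for a bounded time."""
        holder = self._holder(account)
        if holder and holder.user != user:
            self._log("checkout-denied", account, user, f"held by {holder.user}")
            raise PermissionError(f"{account} is checked out by {holder.user}")
        now = self._clock()
        self._checkouts[account] = Checkout(account, user, reason, now, now + self._ttl)
        self._log("checkout", account, user, reason)
        return self._secrets[account]

    def checkin(self, account, user):
        """Return the account and rotate, so the revealed value dies with the checkout."""
        holder = self._holder(account)
        if holder is None or holder.user != user:
            raise PermissionError(f"{user} does not hold {account}")
        del self._checkouts[account]
        self._rotate(account)
        self._log("checkin-rotate", account, user)

    def open_session(self, account, user, reason, connect):
        """Brokered use: the vault hands the password to connect(); the user never sees it."""
        holder = self._holder(account)
        if holder and holder.user != user:
            self._log("session-denied", account, user, f"held by {holder.user}")
            raise PermissionError(f"{account} is checked out by {holder.user}")
        self._log("session-open", account, user, reason)
        try:
            return connect(account, self._secrets[account])
        finally:
            self._log("session-close", account, user)

    def history(self, account):
        """Who had access to which privileged account, and when."""
        return [(ts, ev, user, detail)
                for ts, ev, acct, user, detail in self.audit if acct == account]
```

The two access paths differ in what the individual learns: checkout() returns the secret and therefore must rotate on checkin, while open_session() only passes it to the connector, so the user is attributed in the log without ever holding a credential that could be reused outside the vault.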
Slide 23
To Enable Maximum Security for Privileged Users
Privileged accounts: check out the account password; log in as the shared account; attribute the account's use to an individual
Individual accounts: log in as yourself; elevate privilege when needed; attribute the activity to the individual
Core rule: get users to log in as themselves, while maximizing control of privileged accounts
Centrify manages identity for both individual and privileged accounts, for maximum security and IT efficiency
Slide 24
Accountability for Privileged Actions
Slide 25
Auditing & Compliance
Privileged session monitoring (PSM) for Linux, UNIX, Windows and appliances
No anonymous activity: a complete session record
All activity associated to a single identity across all platforms
User session auditing with video and searchable event records
Must scale to tens of thousands of systems; data stored in a SQL database
Supports regulatory mandates including PCI, HIPAA, SOX and ISO
A single audit store across individual and privileged access
(diagram: network monitoring, privileged access security and the perimeter firewall around the data center servers; report and replay privileged sessions)
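The "no anonymous activity" and "all activity associated to a single identity" requirements, reduced to something you can run against a log: an added Python example, not Centrify's session auditing (which records video and events rather than parsing syslog). It walks constructed sshd and sudo lines, attributes each privilege elevation to the individual who invoked it, flags direct logins to the generic accounts slide 6 warns about (there is nobody to hold accountable for those), and lists refused escalations. The log lines, host name, addresses and account set are constructed; the field layouts follow what OpenSSH and sudo write to syslog.

```python
"""Attribute privileged activity to individuals from sshd/sudo syslog lines.

Added example, not Centrify code. The log lines below are constructed for the
demonstration; the field layouts follow what OpenSSH and sudo write to syslog.
"""
import re
from collections import defaultdict

# Generic accounts from slide 6: a login *as* one of these cannot be tied to a person
SHARED_ACCOUNTS = {"root", "administrator", "oracle", "sa"}

TS_HOST_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ")
SSHD_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?:(?P<denied>command not allowed) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

# Constructed sample: two people elevating properly, one direct root login,
# one refused escalation, one unrelated line that must be ignored.
SAMPLE_LOG = [
    "Mar  3 10:01:02 db01 sshd[2101]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2: RSA SHA256:c0nstructed",
    "Mar  3 10:01:30 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql",
    "Mar  3 10:05:11 db01 sshd[2188]: Accepted password for root from 10.0.0.9 port 51100 ssh2",
    "Mar  3 10:05:40 db01 sshd[2201]: Accepted publickey for bob from 10.0.0.7 port 51188 ssh2: ED25519 SHA256:c0nstructed",
    "Mar  3 10:06:00 db01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=oracle ; COMMAND=/usr/bin/sqlplus",
    "Mar  3 10:07:00 db01 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
    "Mar  3 10:07:30 db01 CRON[2250]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)",
]


def parse_line(line):
    """Return a dict for a login or elevation event, or None for anything else."""
    head = TS_HOST_RE.match(line)
    if head is None:
        return None
    base = {"ts": head["ts"], "host": head["host"]}
    m = SSHD_RE.search(line)
    if m:
        return {**base, "kind": "login", "user": m["user"],
                "method": m["method"], "src": m["src"]}
    m = SUDO_RE.search(line)
    if m:
        return {**base, "kind": "elevate", "user": m["user"], "target": m["target"],
                "cmd": m["cmd"], "denied": m["denied"] is not None}
    return None


def audit(lines):
    """Split events into attributed, anonymous (shared-account login) and denied."""
    report = {"attributed": [], "anonymous": [], "denied": [],
              "elevations_by_identity": defaultdict(int)}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "login":
            if ev["user"].lower() in SHARED_ACCOUNTS:
                report["anonymous"].append(ev)      # nobody to hold accountable
            continue
        if ev["denied"]:
            report["denied"].append(ev)
        else:
            report["attributed"].append(ev)         # person -> target account -> command
            report["elevations_by_identity"][ev["user"]] += 1
    report["elevations_by_identity"] = dict(report["elevations_by_identity"])
    return report


if __name__ == "__main__":
    r = audit(SAMPLE_LOG)
    for ev in r["attributed"]:
        print(f"{ev['ts']} {ev['host']} {ev['user']} -> {ev['target']}: {ev['cmd']}")
    for ev in r["anonymous"]:
        print(f"ANONYMOUS {ev['ts']} {ev['host']} {ev['user']} via {ev['method']} from {ev['src']}")
    for ev in r["denied"]:
        print(f"DENIED {ev['ts']} {ev['host']} {ev['user']} -> {ev['target']}: {ev['cmd']}")
```

The direct root login is the case the slides are built around: the source address is all the record tells you, so the fix is upstream (block password logins to shared accounts and route them through a vault that names the person), not in the parser.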
Slide 26
Thank You