Ken Ammon Chief Strategy Officer for XceediumBLACKHAT Joke
Security software company providing Privilege Access Control Solution. Later in the presentation I’ll provide additional color Privileged Identity and access and zero trust.Our product is named Xsuite…now offering Xsuite cloud.We support both Commercial and Government customers We have Headquarters in Herndon VAand development in New Jersey and Ottawa Canada.We maintain FIPS 140-2, Common criteria EAL4+, and Status on the DISA UC-APL
Our customers include some of the most notable commercial brands in the world and important US and International Government agencies.
Start off with an explanation of Privileged Identity and Access Management's application within the federal market. Privileged users are classified into three groups,IT Administrators, Users with elevated risk access such as Foreign NationalsApplications which operate with elevated privilege and require embedded credentialsControls, policy and risk management guidance is addressed in documents such as DoD Policy, the 2011 FISMA report where use of shared accounts is listed as critical area of most need of improvementNIST 800-53 requires a broad set of controls to manage the risk of privileged users and
In order to gain access these privileged users require credentials such as passwords, tokens, certificates.Proper management of these credentials is essential and pressure continues to mount to fully deploy HSPD-12compliant credentials. NIST defines four levels of credential and provides guidelines for applying them based upon risk The recent revised draft of FIPS 201-2 provides details for compliant PIV credentials. These credentials are necessary for contractors and government employees.
Given the elevated risk posed by privileged users and the credentials which enable them we have excellent alignment with ICAM guidance and framework to enable level 4 PIV access for privileged users while eliminating flawed password management implementations. In addition, we support the securing of credentials at rest within privileged applications.
IT executive priorities demand the adoption of new computing models IT reform aligns with austerity and Federal Data Center consolidation, virtualization, and Cloud first strategy have become the poster child for reducing spend.Implementation requires not sacrificing on security or introducing additional cost and complexity. Flexibility, simplicity, cost and scale.
Xceedium provides Xsuite and Xsuite cloud to meet the New enterprise challenge
We eliminate anonymous shared accounts, expensive, redundant, and non-compliant token based systems and Complicated and ineffective homegrown solutions such as jump-box solutionsWe enable Level 4 PIV credentials for privileged access through our centrally managed and highly scalable system all the while enabling ease of management in the new enterprise.Move forward byEmpoweringour customers to move forward with rapid deployment of private and public cloud solutions while meetingkey mandates, policies, and NIST controls.
We have been fortunate to develop our core product alongside the evolution of customer such as the Department of Security. Within DHS our privileged user level 4 PIV integration was largely driven by FDCCI requirements which led to the development of an enterprise wide private cloud. Our system to provide a single point of policy management platform within the privatecloud and component systems. Our DVR like monitoring and audit enable rapid response to violations of policy and reporting for continuous monitoring compliance
Xceedium's experience working with DHS was instrumental in preparing us to extend our offering into the public cloudand we have been fortunate enough to work with Amazon Web Services Cloud solution architect along the way. Xceedium now extends flexibility to our customers with choices of on prem or off-prem credential management and privileged access level 4 PIV card access. Xceedium in combination with FEDRAMP controls enable a zero-trust modelwhere all privileged access is monitored and recorded.
AWS team over 9months and we took advantage of the great API’s toenabled our solution.
New enterprise and zero trustXsuite Cloud provides a single, unified policy management capability across protected nodes regardless of where these nodes live.Zero Trust Controls Include:Vault Passwords – The first step is to change and vault critical passwords (so they don’t show up in spreadsheets) and so privileged users no longer have direct and uncontrolled access to devices through the network or by walking up to the system. This also keeps passwords and credentials off end devices and away from malware & APT that is looking to steal them.Positively ID and Authenticate User – The user logs onto the system forcing a positive user identification. The system supports integration with directories, single-sign-on and two factor ID/Authentication systems.Control Access (White List) – the user is presented a list of ONLY the servers and network devices they are explicitly authorized to access and the methods they can use to access the devices. They don’t see others.Monitor/Record – all activities are logged and the policy can be set to record the session.Filter Commands – the commands the user is enabled to perform can be constrained as required via a white list (allowed) or blacklist (disallowed)Prevent Leapfrogging – “Contain the user” -- prevent the user from jumping from an authorized device to unauthorized devices – for example using “RDP Hopping” or SSH.Attributed Identity When using Shared Accounts – even thought the user may be logged into a shared account – for example as “root” -- Xsuite knows exactly which user is logged in and using the account and what they are doing (no anonymous activity permitted).Log Everything - all of this activity is logged in a tamper proof log files. Session recordings can be reviewed through DVR or Tivo replay capability with skip ahead to tags indication where a policy violation occurred.Alert on Policy Violations – ensure the Security Operations Center and other key people are alerted to policy violations or attempted policy violations – e.g., via email, SIEM/log file integration, SNMP trap.
Xsuite Cloud is a superset of Xceedium’s Xsuite product and will be delivered in two form factors: 1) A Physical Appliance -- with all hardware/software installed and supported2) An Amazon Machine Interface – the entire software stack (Operating System, Xsuite Cloud Platform) on an AMI that can be run on and Amazon EC2 InstanceExisting Xsuite customers can upgrade current Xsuite appliance to Xsuite Cloud.
Xsuite Cloud protects nodes in all key AWS Regions – AWS Public Cloud, AWS GovCloud and AWS Virtual Private CloudXsuite also provides security and separation of Duties for the AWS Management Console. The AWS Management Console is “superuser” account for AWS that enables customers to make changes that can have a financial or operational impact across the full compliment of AWS services (e.g., EC2, S3 Storage, VPC, etc.):Adding/Deleting EC2 InstancesPerform actions on running EC2 InstancesAdding S3 Storage CapacityConfigure Elastic Beanstalk to auto deploy/load balance resourcesEtc.
Xceedium has worked over 9 months with the AWS team. Our experience working with AWS APIs was an exceptional and all of the necessary functionality was intuitive and well documented. All of which enabled us to release a public sector ready GovCloudsolution.The following movie provides an overview of our product and features available to support public sector adoption of the Amazon Web Services Public cloud.
Xceedium - Privileged User Management in the AWS Cloud
Zero TrustPrivileged Identity and Access Management Platform XsuiteTM
Introduction • Security software company providing Best Overall IT Company 2011 Privileged Access Control Solutions RSA 2011 Hot New • Global Fortune 1000 and Government Security Product customer base Cool Vendor • Privately held - Headquartered in Herndon, VA Best Network Security • Single Platform – XsuiteTM Hot Company to Watch Top 100 Global Company FIPS 140-2, Level-2 Common Criteria EAL 4+ UC/Approved Prod. List2
Our Customers Include… Commercial Federal Top 5 Global Bank Top 3 Telecommunications Company Fortune 10 Financial Services Company Top 5 Global Retailer Multiple Global Stock Exchanges Fortune 200 Food Products Company Top 3 Online Broker Top 3 Smart Phone Provider Top 3 Food and Drug Retailer3
Privileged Identity and AccessManagement for Federal • DOD CIO Instruction 8520.03 • Administrative accounts shall not be accessed from an untrusted or user managed environments • Administrative accounts, both partner and DoD must utilize level 4 credential • 2011 FISMA report • Privileged access identified by IG as the area in most need of improvement • Use of risky shared accounts and no identified policy • NIST 800-53 • Privileged users require a broad set of security controls: AC, AU, CA, CM, IA, MA, etc…
Evolving Credential ManagementChallenge • HSPD-12 • Presidential directive to establish trusted identity for physical and logical access • OMB-11-11 requires 2013 IT budget submission to address logical PIV integration • FICAM chaired by CIOs develops common framework and maintains roadmap • FY2012 Presidential IT Budget Priority • NIST 800.63 • Electronic authentication mechanism guide includes Levels 1 to 4 • FIPS 201-2 • Personal Identity Verification (PIV) of federal employees and contractors • X.509 based Federated PKI • Revised draft addresses mobility
Setting Priority Within aFramework • ICAM roadmap guidance for Privileged Users • Agencies shall use high assurance credentials for administrative users • Level 4 Personal Identification Verification (PIV) card • Smart cards with embedded PKI Certificate • Commonly referred to in DOD as CAC (Common Access Card) • Minimize use of password and tokens for all administration • Agencies should eliminate duplicative infrastructure to reduce or eliminate the costs associated with expired/forgotten passwords • Eliminate application-specific password tokens • Enabled application to accept the PIV card for federal employees and contractors
Align with Executive Priorities • IT Reform • OMB mandates coordinated through the CIO Council • 25 Point execution plan • FDCCI (Federal Data Center Consolidation Initiative) • CIO counsel program aligned with OMB requirements • Must report FY progress • Four primary goals • Reduce costs • Increase security • Increase efficiency • Reduce energy consumption • Cloud Computing Strategy “Cloud First” • Efficiency, agility and innovation • Accelerate FDCCI • FEDRAMP
Problems We Solve… • Eliminate • Risk of privileged access through anonymous shared accounts • Expense of redundant administrative access solutions • Complication of ineffective homegrown solutions • Enable • Enterprise PIV Level 4 credential for privileged access • Centralized policy management and compliance reporting for privileged users • “New Enterprise” support for legacy IT, data center, private and public cloud • Move Forward • Rapid deployment • OMB Mandated compliance, DoD policy, and FISMA required security controls • Supports emerging Continuous Monitoring requirements
Department of Homeland Security Problem: Consolidate & grant secure access to geographically dispersed data centers • centralize access control across agencies with distinct missions • ensure contained and auditable access • meet federal compliance requirements (FDCC/FISMA) Results: Control over privileged users and critical infrastructure and assets • tight control over who gets access to what, when and for how long • contain users from the 21 component agencies to authorized systems only • audit quality logging for compliance “With Xceedium GateKeeper we have an all-in-one solution for these higher risk users which gives us the peace of mind that we are meeting our objectives to safeguard our network and the sensitive information it contains.” Security Expert at DHS10
Use Case- DHS -IT Admins -Elevated Risk -Applications• Single point for management and cloud entry • Continuous Monitoring• PIV-to-Shared identity resolution (OMB-11-11) • LDAP/AD component support• Security Controls (NIST 800-53) • Virtual private cloud management network
Xceedium Unveils Xsuite Cloud For Amazon Web Services AWS Security Solution Provider Delivers Comprehensive Privileged Identity and Access Management Solution for the New Enterprise12
Privileged Identity & Access Management for the NewEnterprise Traditional Data Center Private Cloud Public Cloud Virtual Management Console AWS Management Console • Single Scalable Platform • Comprehensive Zero Trust Controls • Unified Policy Management13
Two Form Factors Public Cloud Traditional Data Center Private Cloud Traditional Data Center Private Cloud Virtual Management Console AWS Management Console Virtual Management Console Public Cloud Physical Appliance Amazon Machine Image (AMI)14