CIS13: From Governance to Virtualization: The Expanding Arena of Privileged Identity Management

Russell Miller, Director, Solutions Marketing, CA

Securing privileged identities is essential to reducing the risk not only of insider attacks but also of attacks from outsiders. Learn how to expand your thinking about privileged identities to address the latest trends and threats.

  • 1. From Governance to Virtualization: The Expanding Arena of Privileged Identity Management. Russell Miller, Director, Solutions Marketing. Copyright © 2013 CA. All rights reserved.
  • 2. Agenda
      – The Challenge of Privileged Identities
      – The State of Virtualization Security
      – Privileged Identity Governance
      – Social Media
      – Q&A
  • 3. Edward Snowden was a privileged user on key NSA systems. "When you're in positions of privileged access, like a systems administrator for these sort of intelligence community agencies, you're exposed to a lot more information on a broader scale than the average employee." - Edward Snowden. Source: http://[...]/snowden-nsa-whistleblower-surveillance?guni=Network%20front:network-front%20full-width-1%20bento-box:Bento%20box:Position1
  • 4. The Problem With Privileged Identities: privileged identities pose a particularly significant threat to network and data security. All-powerful access plus lack of accountability equals risk:
      § Unrestricted "root" or "Administrator" access
      § No segregation of duties
      § Use of shared accounts
      § Poor log integrity and quality
    Virtualization magnifies these challenges!
  • 5. There are three types of insider threats and two primary principles to apply to mitigate the risk. Types of insider threats: Exploited Insiders, Malicious Insiders, Careless Insiders. Actions to take:
      § Ensure Accountability: deter malicious insiders; trace actions to individuals
      § Implement Least Privilege Access: limit damage done by a malicious or exploited insider; "Stop Stupid!"
  • 6. There are many real-world, and public, examples of insiders causing significant damage. Sources (URL hosts were not preserved in the extraction):
      – http://[...]-city-charged/
      – http://[...]-worker-indicted-for-setting-malware-bomb-at-fannie-mae.html
      – http://[...]-management/229100384/a-glaring-lesson-in-shared-passwords.html
      – http://www.infosecurity-[...]-data-breach-costs-bank-of-america-over-10-million-says-secret-service/
      – http://[...]-watch/former-gucci-employee-indicted-for-it-rampage.html
      – http://[...]-tsa-employee-indicted-for-tampering-with-database-of-terrorist-suspects.html
  • 7. Stages of an External Attack
      § Reconnaissance: basic research; domain queries; port scans; vulnerability scans
      § Initial Entry: "spear phishing"; social engineering; zero-day vulnerability exploitation; OS & application vulnerability exploitation
      § Escalation of Privileges: administrative access; compromise of new systems
      § Continuous Exploitation: continuous export of sensitive data; affecting service availability; covering of tracks; rootkits
  • 8. Traditional perimeter and infrastructure security capabilities only address part of the problem! Mapped against the stages of an external attack (Reconnaissance, Initial Entry, Escalation of Privileges, Continuous Exploitation): perimeter security; anti-virus; phishing protection; server hardening; capture and review of server and device audit logs.
  • 9. Content-aware identity & access management bolsters an APT defense! Capabilities of CA Security mapped against the stages of an external attack: log and audit privileged user activity; perimeter security; least privilege access; anti-virus; phishing protection; employee education; virtualization security; externalized/unexpected security; server hardening; shared account management; capture and review of server and device audit logs; data controls & analysis; advanced authentication & fraud prevention; identity & access governance.
  • 10. Effective Privileged Identity Management requires a comprehensive solution. Components: Shared Account Management; Fine-Grained Access Controls; User Activity Reporting / Session Recording; UNIX Authentication Bridging; Virtualization Security (figure: hypervisor hosting several VMs).
  • 11. Agenda (repeated): The Challenge of Privileged Identities; The State of Virtualization Security; Privileged Identity Governance; Social Media; Q&A
  • 12. A recent incident demonstrates the real-world potential for damage in a virtual environment. Jason Cornish, former Shionogi Pharma IT staffer, pled guilty to a Feb '11 computer intrusion:
      – Wiped out 88 virtual servers on 15 VMware hosts: email, order tracking, financial, & other services
      – Shionogi's operations frozen for days: unable to ship product, unable to issue checks, unable to send email
    All of this was accomplished from a McDonald's.
  • 13. Virtualization has many clear benefits, but also many often-ignored risks. What happens when an organization goes virtual?
      § Positives: capital and operational cost savings; great availability / recovery; ease of disaster recovery; hardware independence; improved service levels
      § Negatives/Risks: new class of privileged identities on the hypervisor; greater impact of attack or misconfiguration; new compliance requirements; dynamic environment leads to oversights; easy copying of virtual machines; virtual sprawl
  • 14. New class of privileged identities on the hypervisor
  • 15. Greater impact of attack or misconfiguration
  • 16. New compliance requirements: NIST SP 800-125, Guide to Security for Full Virtualization Technologies; Payment Card Industry (PCI) PCI-DSS 2.0, Virtualization Guidelines
  • 17. Dynamic environment can lead to oversights
  • 18. Copying a virtual machine image is equivalent to stealing a server from a datacenter
  • 19. Virtual Sprawl
  • 20. Securing virtual environments requires "the fundamentals" as well as a game-changing capability. Security fundamentals that now need to be applied to the hypervisor: Least Privilege Access; Infrastructure Hardening; Shared Account Management; User Activity Reporting. New: Virtualization-Aware Automation of Security Controls.
  • 21. Agenda (repeated): The Challenge of Privileged Identities; The State of Virtualization Security; Privileged Identity Governance; Social Media; Q&A
  • 22. The need for Privileged Identity Governance: orphaned accounts; privilege creep; reduce audit burden; gain visibility into privileged account usage.
  • 23. Address these needs by combining governance, management and monitoring capabilities:
      § Privileged Identity Governance: user management; workflow; certification
      § Privileged Identity Management: fine-grained access controls; shared account management
      § User Activity Reporting: video recording; analytics and searchability
  • 24. What Privileged Identity Governance can tell you: What can people access? How can they get access? How to control access. What was accessed and when?
  • 25. Identity Governance and Role Management
      § Identity Governance: monitor access rights with reports/dashboards; establish centralized segregation of duties and other business and regulatory identity policies; automate entitlements certification for users, roles and resources
      § Role Management: discover and propose potential roles based on access patterns and organizational characteristics; discover business structure and turn millions of access rights into 100's of roles; adapt the model as the business changes
  • 26. Use analytics to identify privileged users (figure: identities mapped to systems)
  • 27. User IDs should be correlated to identify multiple IDs belonging to the same person, and cleaned up! Example: the IDs Russ.Miller, MILLERR, RMIL04 and RBM102 all resolve to one identity (Name: Russell Miller; Employee ID: rmiller123; Location: Boston; etc.). Steps: 1. Audit privilege quality; 2. Detect exceptions; 3. Unique ID correlation; 4. Clean-up.
  • 28. Certification should include usage information to identify suspicious activities
  • 29. How you can get there! Steps to govern privileged identities: Collect Account & Entitlement Info; Analyze IDs & Entitlements; Administer & Control Accounts; Audit & Certify Accounts. Account types in scope: System Accounts; Service Accounts; Shared Accounts; Named Accounts.
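The correlation, exception-detection and usage-aware certification steps on slides 27 to 29 can be illustrated in a small script. This is an added example written for this page, not code from CA or from the deck; the HR directory, the account inventory (the four IDs from slide 27 plus a few other account kinds), the ID-pattern heuristics, the 90-day dormancy threshold and the segregation-of-duties rule are all constructed assumptions, and a real IAM product would use richer matching and policy data.

```python
"""Added example: a privileged-identity governance pass over a constructed
account inventory, following the slides' steps (collect, analyze/correlate,
administer, audit & certify with usage data). All data is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
import re

# Constructed HR directory: employee id -> (full name, still active?)
HR = {
    "rmiller123": ("Russell Miller", True),
    "jdoe456": ("Jane Doe", False),   # left the company: her accounts are orphans
}

PRIVILEGED = {"root", "Administrator", "sudo", "esx_admin"}  # constructed list
SOD_RULES = [({"create_vendor", "approve_payment"},
              "vendor creation vs payment approval")]          # constructed rule
DORMANT_DAYS = 90                                              # constructed threshold


@dataclass
class Account:
    user_id: str
    system: str
    kind: str                 # named, shared, service, system
    entitlements: set
    last_used: Optional[date] = None
    owner_hint: str = ""      # employee id if the system recorded one


def candidate_patterns(full_name):
    """ID forms a correlation engine typically tries (first.last, last+initial,
    initial+last, short-first.last, initial+last-prefix). Assumes two-word names."""
    first, last = full_name.lower().split()
    return {f"{first}.{last}", f"{last}{first[0]}", f"{first[0]}{last}",
            f"{first[:4]}.{last}", f"{first[0]}{last[:3]}"}


def correlate(accounts, hr=HR):
    """Map each named account to an employee id: explicit owner hint first,
    then name-derived ID patterns with an optional numeric suffix.
    Unmatched accounts map to None and surface later as exceptions."""
    result = {}
    for acct in accounts:
        if acct.kind != "named":
            continue
        if acct.owner_hint in hr:
            result[acct.user_id] = acct.owner_hint
            continue
        uid, found = acct.user_id.lower(), None
        for emp_id, (name, _active) in hr.items():
            if any(re.fullmatch(re.escape(p) + r"\d*", uid)
                   for p in candidate_patterns(name)):
                found = emp_id
        result[acct.user_id] = found
    return result


def review(accounts, today, hr=HR):
    """Detect exceptions: orphaned named accounts, shared accounts with no
    owner, privileged accounts unused for DORMANT_DAYS (usage-aware
    certification), and segregation-of-duties conflicts per person."""
    owners = correlate(accounts, hr)
    findings, per_person = [], {}
    for a in accounts:
        if a.kind == "named":
            emp = owners.get(a.user_id)
            if emp is None or not hr[emp][1]:
                findings.append(("orphaned", a.user_id, a.system))
            else:
                per_person.setdefault(emp, set()).update(a.entitlements)
        elif a.kind == "shared" and not a.owner_hint:
            findings.append(("shared-no-owner", a.user_id, a.system))
        if a.entitlements & PRIVILEGED:
            if a.last_used is None or (today - a.last_used).days > DORMANT_DAYS:
                findings.append(("dormant-privileged", a.user_id, a.system))
    for emp, ents in per_person.items():
        for combo, why in SOD_RULES:
            if combo <= ents:
                findings.append(("sod-violation", emp, why))
    return sorted(findings)


# Constructed inventory (the four IDs from slide 27 plus other account kinds)
TODAY = date(2013, 7, 15)
SAMPLE = [
    Account("Russ.Miller", "hr-app", "named", {"read_reports"}, TODAY - timedelta(days=3)),
    Account("MILLERR", "erp", "named", {"create_vendor"}, TODAY - timedelta(days=10)),
    Account("RMIL04", "erp", "named", {"approve_payment"}, TODAY - timedelta(days=5)),
    Account("RBM102", "vcenter", "named", {"esx_admin"}, TODAY - timedelta(days=120),
            owner_hint="rmiller123"),
    Account("jdoe", "fileserver", "named", {"Administrator"}, TODAY - timedelta(days=200)),
    Account("root", "db01", "shared", {"root"}, TODAY - timedelta(days=1)),
    Account("svc_backup", "db01", "service", {"sudo"}, None),
]

if __name__ == "__main__":
    for uid, emp in correlate(SAMPLE).items():
        print(f"{uid:12s} -> {emp}")
    for finding in review(SAMPLE, TODAY):
        print(finding)
```

Run stand-alone, the script resolves all four slide-27 IDs to rmiller123 (RBM102 only via its recorded owner), then reports the departed employee's admin account as orphaned, the unowned shared root account, three privileged accounts with no recent use, and one person holding both vendor-creation and payment-approval rights across two IDs, which only becomes visible after the IDs are correlated.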
  • 30. The business value of Privileged Identity Governance: 1. Prevent breaches due to improper admin actions or data exposure; 2. Reduce the burden of audit and compliance efforts; 3. Improve efficiency of identity compliance & processes; 4. Gain visibility into administrator access and actual usage.
  • 31. Agenda (repeated): The Challenge of Privileged Identities; The State of Virtualization Security; Privileged Identity Governance; Social Media; Q&A
  • 32. Social media accounts are privileged identities! They are exposed to both insider threats and external threats.
  • 33. Confusion between personal and corporate Twitter accounts: controls are needed!
  • 34. Agenda (repeated): The Challenge of Privileged Identities; The State of Virtualization Security; Privileged Identity Governance; Social Media; Q&A
  • 35. Questions?
  • 36. Appendix
  • 37. Legal Notice. Copyright © 2013 CA. All rights reserved. Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. No unauthorized use, copying or distribution permitted.