CIS13: Managing the Keys to the Kingdom: Next-Gen Role-based Access Control and Privilege



David McNeely, Director of Product Management, Centrify
Privileged users are the great and powerful in your IT organization. But has the practice of sharing privileged credentials gone too far? Sharing broad and unmanaged administrative rights equates to security and compliance vulnerabilities. Implementing policies for role-based access and privilege management is a start, but when it comes to securing your most valuable company assets, what’s next? Attend this session and learn about a comprehensive security approach that spans best practices for managing privileged identity access from the data center to the cloud, monitoring and auditing for compliance, and a new model for securing access to systems at both the network and OS layer – all based on roles.



  • 1. Managing the Keys to the Kingdom – Next-Gen Role-based Access Control and Privilege
    © 2004-2012. Centrify Corporation. All Rights Reserved. Confidential and Proprietary.
  • 2. Business Challenges for IT
    • Business has more dynamic demands on IT
      • Time and scale – need it now, on-demand
      • Form factor and location – on-prem, virtualized, cloud
      • Manual and domain-specific configuration (startup/teardown)
      • Compliance and best practices – assurance and accountability
    • Fragmented identity – infrastructure, administrators, users
      • “Silos” of access policies and diffuse controls
  • 3. Regulatory Compliance is Not an Option
    NIST 800-53 sets the baseline security policies which most other regulations reference for identity and access management specific controls:
    • Identity & Authentication (IA)
      • Uniquely identify and authenticate users
      • Employ multifactor authentication
    • Access Control (AC)
      • Restrict access to systems and to privileges
      • Enforce separation of duties and least-privilege rights management
    • Audit & Accountability (AU)
      • Capture in sufficient detail to establish what occurred, the source, and the outcome
    • Configuration Management (CM)
      • Develop/maintain a baseline configuration
      • Automate enforcement for access restrictions and audit the actions
    • Systems & Communications (SC)
      • Boundary protection
      • Transmission integrity and confidentiality
      • Cryptographic key establishment and management, including PKI certificates
  • 4. Dynamic Real-time IT is Required
    • Unified identity, access and privilege policy controls
      • Consistency across deployments
    • Distributed enforcement
      • Ensure availability, no single point of failure
    • Unified visibility
      • Accountability
      • Triage and remediation
    • Automation
      • Speed and consistency of deployment
      • Accuracy, compliance, best practices
  • 5. Active Directory Provides the IdM Foundation
    • Active Directory provides the foundation for Enterprise security
      • Highly distributed, fault-tolerant directory infrastructure designed for scalability
      • Supports large Enterprises through multi-Domain, multi-Forest configurations
      • Kerberos-based authentication and authorization infrastructure provides SSO
    • Security administration is centralized and delegated
      • Centralized account & group management natively supports separation of duties
      • Group Policy enforcement of security settings
    • User accounts are centralized in one system
      • Simplifying authentication and password policy enforcement
    • Automation simplifies deployment and integration
    [Diagram: Active Directory at the center, with Engineering, Web Farm, Accounting and Operations groups]
  • 6. IT Support Requires Separation of Duties
    • Separation of Duties is especially important in managing privileges for a multi-tier support organization with vendor support
      • Elevated rights are required to support these systems
      • Front line has minimal rights, escalating to the next tier with elevated privileges
    • Security Operations Center
      • SOC staff provide 7x24 monitoring of all administrative activities
      • SOC staff have limited rights to alert and escalate on security violations
    [Diagram: Tier 1 -> Tier 2 -> Tier 3 -> Vendor, escalation process to the next tier, least rights -> more rights; Security Operations Center monitoring all tiers]
  • 7. Role-based Privileged Access
    • While the most powerful accounts must be protected from misuse, Admins and DBAs require the privileges of these accounts to perform their duties
      • System Administrators need root or local admin rights to manage their systems
      • Help Desk need minimal access and privilege rights to identify issues and escalate
      • Database Admins need oracle account privileges to perform their duties
      • Web Admins need root privileges to start/stop the web server and manage the webroot docs
      • Cloud Server Admins need access and privileges across dynamic server environments
    Let’s see how this works across 4 different real-world customer scenarios
  • 8. Use Case – Request-based Access and Privilege
    • This customer wanted to establish an environment where no one has access to any system at steady state; access and privileges are granted upon approved requests
      • All system accounts such as root and local admins are locked down
      • Users will log in with their AD account only if granted permission
      • Default access rights for all systems are set to deny login
      • Access and privileges are granted for approved requests only, automated by their IdM workflow system leveraging Active Directory groups
    • The solution established a centralized access and privilege management system
      • Granting access based on AD group membership
      • Granting specific rights based on user Role
  • 9. Solution – Role-based Access & Privileges
    • Centralized role-based policy management
      • Create Roles based on job duties
      • Grant specific access and elevated privilege rights
      • Eliminate users’ need to use privileged accounts
      • Secure the system by granularly controlling how the user accesses the system and what he can do
      • Availability controls when a Role and its Rights can be used
      • Scoped to specific systems or groups of systems
    • Linux rights granted to Roles
      • PAM Access – controls users’ access to system interfaces and applications
      • Privilege Commands – dynamically grants privileges
      • Restricted Shell – controls allowed commands in the shell
    • Windows rights granted to Roles
      • Session Rights – ability to elevate privileges for a session (with session switching)
      • Application Rights – ability to run an application with privilege
      • Service Rights – ability to elevate privilege when accessing network services (e.g. MMC from one machine to a SQL server)
    [Diagram: Role Definition for a Backup Operator Role – Availability: maintenance window only; PAM Access: ssh login; Privileged Commands: tar command as root; Restricted Environment: only specific commands. AD Users & Groups (managed by the IdM system) are granted the role, scoped to the Backup Resources computers but not the HR Computers]
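The Backup Operator role in the diagram above, evaluated the way a role-based privilege engine would evaluate it, as an added illustration that is not Centrify code. The AD groups, host names, maintenance window and role schema are constructed assumptions; the point is that every decision defaults to deny unless group membership, computer scope, availability window and the specific Linux right all line up.

```python
"""Role-based privilege evaluation modelled on the Backup Operator role."""
from datetime import datetime, time

# Constructed AD data: user -> group memberships, host -> computer group.
AD_GROUPS = {"alice": {"Backup-Operators"}, "bob": {"HR-Staff"}}
COMPUTER_GROUPS = {"bkp01": "Backup Resources", "hr-db01": "HR Computers"}

# A role: who holds it, where it applies, when it is usable, and which
# Linux rights it carries (PAM access, privileged commands, restricted shell).
BACKUP_OPERATOR = {
    "name": "Backup Operator",
    "granted_to": {"Backup-Operators"},
    "scope": {"Backup Resources"},
    "window": (time(22, 0), time(2, 0)),    # maintenance window, crosses midnight
    "pam_access": {"sshd"},                 # may log in via ssh only
    "privileged_commands": {"tar": "root"}, # command -> account it runs as
    "restricted_shell": {"tar", "ls", "df"},
}
ROLES = [BACKUP_OPERATOR]


def in_window(now, window):
    """True if the wall-clock time falls inside the availability window."""
    start, end = window
    if start <= end:
        return start <= now < end
    return now >= start or now < end        # window wraps past midnight


def active_roles(user, host, now):
    """Roles the user holds on this host right now; none means deny."""
    groups = AD_GROUPS.get(user, set())
    cgroup = COMPUTER_GROUPS.get(host)
    return [r for r in ROLES
            if groups & r["granted_to"]
            and cgroup in r["scope"]
            and in_window(now.time(), r["window"])]


def pam_access(user, host, service, now):
    """PAM access right: may the user log in through this service?"""
    return any(service in r["pam_access"] for r in active_roles(user, host, now))


def run_as(user, host, command, now):
    """Account a privileged command may run as, or None if not granted.
    The command must also be allowed by the role's restricted shell."""
    for r in active_roles(user, host, now):
        if command in r["privileged_commands"] and command in r["restricted_shell"]:
            return r["privileged_commands"][command]
    return None
```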
  • 10. Use Case – Contractor Privileges for Windows
    • This customer needed to establish a process to grant contractors the rights they needed on specific systems without giving Admin rights across all Windows Servers
      • Contractor needs access to several systems in lab and production
      • Normally IT would individually approve admin actions on request
      • Or, depending on the work, the contractor may have been granted a second privileged account for admin duties (typically called a “dash A” account, e.g. david.mcneely-a)
      • Privileged Windows rights need to be granted to specific systems and not the entire server farm
    • The solution established a centralized access and privilege management system
      • Granting access to specific Windows Servers based on AD group membership
      • Granting specific Windows rights based on user Role
      • Simplifying user access with a desktop privilege elevation interface for remote servers
  • 11. Solution – Privilege Elevation for Windows
    • Least access principles require that privileges only be available “as required”
      • i.e. don’t log on as Superman if you only need to be Clark Kent…
    • User determines when he is going to elevate privilege
      • User can open a desktop session for select role(s) for the duration of the session
      • User can select role(s) through a system tray application for adding/removing roles to the session
      • User can select role(s) for a specific application at launch time
  • 12. Use Case – Auditing DBA Access
    • This customer needed to be able to monitor DBA access to the database servers and attribute specific actions to the appropriate DBA
      • DBAs log in to systems with their own accounts
      • They switch (su) to the Oracle account in order to do work on the database
      • The logs show that the Oracle user is accessing the database tables, making it challenging to determine which user is responsible for individual actions
      • The Auditors also cannot see all actions a user is performing within the database application based on the current logging system
    • The solution provides user activity auditing that captures all user access
      • All login sessions and activity are recorded, just as a video camera captures all activity at Point of Sale terminals
      • User activity along with session metadata is forwarded to the SIEM solution for further analysis and alerting, where auditors can then review the session recordings
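The attribution gap described above (every database action shows up as the shared Oracle account), closed by joining the su records from the auth log to the commands recorded on the same tty, as an added example that is not part of the deck or a Centrify product. The log lines are constructed; the su line follows the common `su: (to oracle) user on pts/N` form, and the command records are assumed to come from an audited shell that logs user, tty and command. A command on a tty with no su record stays unattributed rather than being guessed.

```python
"""Attribute shared-account (oracle) commands back to the DBA who su'ed."""
import re

# Constructed auth log: Kerberos logins followed by su to the oracle account.
AUTH_LOG = """\
Jul  9 09:01:12 db01 sshd[4011]: Accepted gssapi-with-mic for alice from 10.1.2.3 port 50122 ssh2
Jul  9 09:01:30 db01 su: (to oracle) alice on pts/0
Jul  9 09:05:02 db01 sshd[4022]: Accepted gssapi-with-mic for bob from 10.1.2.4 port 50140 ssh2
Jul  9 09:05:40 db01 su: (to oracle) bob on pts/1
"""

# Constructed command records from an audited shell: host, account, tty, command.
COMMAND_LOG = """\
Jul  9 09:02:10 db01 oracle pts/0 sqlplus / as sysdba
Jul  9 09:06:00 db01 oracle pts/1 rm -rf /u01/app/oracle/oradata/old
Jul  9 09:07:15 db01 oracle pts/2 cat /etc/shadow
"""

SU_RE = re.compile(r"su(?:\[\d+\])?: \(to (?P<target>\S+)\) (?P<orig>\S+) on (?P<tty>\S+)")
CMD_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) (?P<user>\S+) (?P<tty>\S+) (?P<cmd>.+)$")


def build_su_map(auth_log):
    """(host, target account, tty) -> the named user who switched into it."""
    su_map = {}
    for line in auth_log.splitlines():
        m = SU_RE.search(line)
        if m:
            host = line.split()[3]          # "Jul  9 09:01:30 db01 ..." -> db01
            su_map[(host, m["target"], m["tty"])] = m["orig"]
    return su_map


def attribute(command_log, su_map):
    """Tag each shared-account command with the human accountable for it."""
    records = []
    for line in command_log.splitlines():
        m = CMD_RE.match(line)
        if not m:
            continue
        actor = su_map.get((m["host"], m["user"], m["tty"]), "UNATTRIBUTED")
        records.append({"ts": m["ts"], "account": m["user"], "actor": actor, "cmd": m["cmd"]})
    return records


def attribute_sample():
    """Run the join over the constructed logs above."""
    return attribute(COMMAND_LOG, build_su_map(AUTH_LOG))
```

The `UNATTRIBUTED` record is the one an auditor should chase first: a shared-account session with no recorded entry path is exactly what session recording is meant to eliminate.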
  • 13. Solution – Unified Session and Activity Auditing
    • Address regulatory and audit requirements while reducing the threat of insider attacks
      • Detailed capture of user activity – real-time surveillance of privileged systems
      • Establishes accountability and advances compliance reporting
      • Record and play back which users accessed which systems, what commands they executed, with what privilege, and the exact changes made to key files and configurations
      • Automatically document vendor procedures and mitigate personnel transitions or hand-offs
    [Diagram: Capture (session metadata and video capture) -> Collect -> Store and Archive -> SIEM Integration / Search and Replay]
  • 14. Use Case – Strong Auth to AWS Servers
    • This customer needed to grant authorized user access to AWS Servers, but did not want to manage an independent IdM system for these servers
      • Users must authenticate to the company Active Directory before accessing any AWS Server
      • Internal IT manages this AD, where the Cloud Server team does not have management rights
      • AWS Servers configured to require Kerberos-based login, refusing userid/password logins
      • They do not want to manage SSH keys; users gain access based on Kerberos tickets
      • Root accounts are configured with a randomized password that no one knows
      • Privileges are granted dynamically based on user role at login
    • The solution integrated these cloud servers into their existing AD environment to enable authorized users the rights to log in with their existing AD account
      • Servers join to a new AD Forest which has a one-way trust with the internal AD
      • Authorized users are required to VPN to the company network in order to log in
      • Cloud Servers require Kerberos ticket-based authentication in order to gain access
      • Privileges are granted based on AD group memberships
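The login policy stated for the AWS servers (Kerberos tickets only, no password logins, no SSH keys to manage, root locked down) expressed as a check over `sshd_config`, as an added example that is not from the deck or any Centrify or AWS tool. The option names are real OpenSSH keywords; the weak and hardened sample configurations are constructed, and an option that is absent is reported against the policy because sshd falls back to its own default rather than the one you want.

```python
"""Audit an sshd_config against a Kerberos-only login policy."""
import re

# Expected value per OpenSSH option for the policy described on the slide.
POLICY = {
    "PasswordAuthentication": "no",            # no userid/password logins
    "ChallengeResponseAuthentication": "no",   # no keyboard-interactive fallback
    "PubkeyAuthentication": "no",              # no SSH keys to manage
    "GSSAPIAuthentication": "yes",             # Kerberos ticket via GSSAPI
    "PermitRootLogin": "no",                   # root password is random and unknown
}


def parse_sshd_config(text):
    """Effective top-level settings: first occurrence wins, as in sshd.
    Parsing stops at the first Match block because its settings are conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return policy violations as (option, expected, found) tuples; empty is compliant."""
    effective = parse_sshd_config(text)
    findings = []
    for option, want in POLICY.items():
        found = effective.get(option.lower(), "<default>")
        if found.lower() != want:
            findings.append((option, want, found))
    return findings


# Constructed sample: the weak setting beside the corrected one.
WEAK = """
PasswordAuthentication yes
PermitRootLogin yes
PubkeyAuthentication yes
"""
HARDENED = """
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication no
GSSAPIAuthentication yes
PermitRootLogin no
"""
```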
  • 15. Solution – Extending AD to Cloud Servers
    • Active Directory deployed in a federated configuration enforces centralized access policies on these dynamic environments
      • Taking control over security credentials and system policies
      • Supporting Separation of Duties between the hosting provider and the Enterprise
    • Enterprise-centric and automated security framework
      • Role-based access and privilege control
      • Single sign-on for applications
      • Audit all user activity for on-premise and cloud systems
    [Diagram: Internal Network (AD & Windows Administration, users Fred and Joan) and DMZ, with a one-way trust between the cloud AD forest and the internal AD]
  • 16. Summary
    Leverage your existing AD environment in order to manage the access and privileges across your on-premise or cloud server environment
    • Uniquely identify and authenticate users
    • Restrict access to systems and to privileges
    • Enforce separation of duties and least-privilege rights management
    • Capture session details to establish what occurred, the source, and the outcome
    • Automate enforcement for access restrictions and audit the actions
    • Establish centralized trust to ensure Kerberos is used for transmission integrity and confidentiality
  • 17. Thank You
    david.mcneely@centrify.com