Secure and Contained Access for Everybody, at Anytime

Mr. Moustakis' presentation for IDC IT Security Roadshow 2013

  • Intro: They are part of what could be referred to as the mobile workforce revolution, and that revolution is occurring as we speak. Key Points: IDC has noted expectations that we’ll see 1.3 billion mobile workers by 2015, accounting for close to 40% of the entire global workforce (37.2% of the workforce). (Are there data points more specific to executive adoption/use: numbers, growth rates?) Transition: So why execs? Because they are the ones driving this revolution.
  • Intro: Research proves that executives are the force of change. Key Points: Execs and managers are the ones driving organizations to adopt non-standard devices, because they are seeing the value in their own lives now. Illustration/Anecdotes/Proof: We’ve seen this at Citrix. Our own CEO Mark Templeton has pushed for this type of mobility because he is on the go all the time and he needs to stay productive. Transition: While supporting all mobile workers is important for the business, our view is that you need to make the requirements of your highest-impact employees an immediate priority. Here’s why.
  • Intro: Here are some data points that demonstrate how quickly things are moving. Key Points: First, the sheer number of devices that employees use is exploding. Nearly two-thirds of workers use 3 or more separate devices every day, and the number keeps growing. The device types employees are demanding are changing rapidly as well, from the old expectation of work PCs, to the demand for access from home computers, to today’s reality of more workers wanting to work more effectively using their mobile devices and tablets. Then there is the shift of work time away from the office. Increasingly, the borders of “work time” and “work place” are disappearing. Employees want and need the ability to do their work at the times and places of their choosing. Today, almost 80% of the workforce must work outside of the office at least 1 day per week. Illustration/Anecdotes/Proof: (Prompt a discussion of examples of different user groups that can be more productive and efficient when they have the devices they need and can work from wherever: sales teams, executives, doctors, attorneys, etc.) Transition: But we at Citrix recognize that adapting to these fundamental shifts is truly challenging for a CIO and an IT department.
  • First and foremost, let’s take a look at the current state of mobile from the end user’s perspective. I don’t care if you’re in engineering, IT, sales, or finance, I think most people can relate to this picture. Don’t get me wrong, we’ve come a long way from being dependent on a desktop or laptop for every task, but at times it feels like you need a decision tree or decoder ring to know exactly which device you’ll need to have in order to accomplish a specific task. The truth is that only the thrill seekers are going to take the chance of bringing just their tablet along for a business trip. Most of us are still going to haul the laptop along just in case.
  • And so users are still on the quest for the freedom to access all their apps and data from any of their devices. They want to feel confident that they can experience work and life their way.
  • Now, things change a bit if you’re in IT. For as much as they’d like to deliver on this promise, mobile presents some big challenges: multiple mobile operating systems and multiple platforms, along with a whole new universe of applications to understand and contend with. And that’s just part of it…
  • IT is still beholden to the same security and compliance requirements that it had before all of these new devices and apps were introduced. The reality is that mobile just makes things harder. For starters, it’s simply easier to lose these devices or have them stolen. In fact, 70 million smartphones were lost or stolen in 2011 alone, and only 7% of those devices were recovered*. And if just one of those devices leads to a data breach, you’re looking at an average of $7.2 million in recovery costs**. From a compliance perspective, IT now has to consider device ownership and privacy laws in different countries, not to mention the regulatory requirements that get introduced in certain vertical markets. (* February 10, 2012, Tabtimes.com, Doug Drinkwater. ** Morgan Stanley Market Trends.)
  • Now if just one of these perspectives were pertinent we wouldn’t really be having this discussion, would we? No. We must balance the needs of security and compliance while giving users the freedom they need to experience work and life in harmony.
  • All users are not created equal. Some of your users are granted significantly more trust.
  • There are basically two classes of “Privileged Users”: Privileged Business Users and Privileged IT Users. Historically, businesses have implemented a set of policy, process and application-level controls to mitigate the risk posed by trusted business users; for example, there are policies for background checks, and a requirement for two signatures on financial transactions over a certain threshold amount. Unfortunately, in many cases the Privileged IT Users have not received the attention they deserve, especially since they often have unfettered and even anonymous access to the network devices holding your critical data assets.
  • Redefining the Perimeter: The old-school M&M security model (hard on the outside and soft in the center) is dead. The classic security perimeter concept is dying as “anywhere network access” and mobile device access become the new norm. Enterprises are implementing a defense-in-depth strategy.
    New Trust Model Needed: Defense in depth is fine, but new business realities require enterprises to revise their trust models. WikiLeaks made it abundantly clear that organizations must pay attention to the trust and associated access granted to “privileged insiders”. In addition to employees, there are many new “privileged insiders”: new business models have introduced “trusted” third parties, while changes in IT support models have added contractors, consultants, vendors, outsourcers and managed service providers to the list.
    Spear-phishing Attacks Targeting Privileged Users: Hackers are specifically targeting employees with privileged account access; spear-phishing attacks are often aimed at uncovering administrative passwords that allow attackers to gain a significant foothold in the network, avoid detection and cover their tracks.
    Increasingly Stringent Compliance and Audit Requirements: As a result of WikiLeaks and other notable insider breaches, regulators and auditors are paying attention and requiring: proactive controls for privileged accounts and passwords; that privileged user activities be connected to individuals (not shared admin account passwords); and continuous monitoring of users who access critical infrastructure and/or sensitive or regulated data. The ability to easily prove compliance with these requirements is of paramount importance to resource-strapped IT security organizations.
  • Insider threat remains a clear and present danger, and the ramifications of an insider breach are expensive. In a 2011 study of large enterprises by the Ponemon Institute, 30% of the organizations experienced an attack from a “Malicious Insider”. While the “Malicious Insider” breaches were not the most common attack these organizations experienced, they were the most costly and time-consuming breaches to resolve (bottom chart), taking on average over 45 days to remedy. This only accounts for the very direct cost of investigating and cleaning up after a breach. It does not include direct financial loss or fines associated with the breach, nor other soft costs such as a tarnished brand and loss of reputation.
  • There are alternative do-it-yourself methods organizations have used to address the privileged user threat. The chart lists technologies that some of our customers have tried to leverage alone or in conjunction with one another. None of them provides the full set of essential capabilities required to mitigate this threat; these are all partial solutions. Even when knit together they do not form a comprehensive solution, and it becomes a very expensive way of controlling privileged user access and providing proof to auditors that you are protecting key data from the “privileged insider” threat. We have multiple examples of this, but one large financial services customer, as noted in the quote, made a real attempt to cobble together multiple technologies to address this risk; it was expensive, unmanageable and did not cover everything they needed.
  • This simplified use case example details the essential controls Uni Systems Secure Remote Access Delivery Services provides to mitigate the threat privileged insiders pose. In this scenario an IT employee requires access to a server to perform some maintenance. Explain each control:
    • Vault Passwords: the first step is to change and vault critical passwords (so they don’t show up in spreadsheets), so that privileged users no longer have direct and uncontrolled access to devices.
    • Positively ID User: the employee logs onto Uni Systems Secure Remote Access, forcing a positive user identification. Our solution supports integration with directories, single sign-on and two-factor ID systems.
    • White List/Least Privileged Access: the employee is presented a list of ONLY the servers and network devices they are explicitly authorized to access.
    • Command Filtering: the commands the employee is enabled to perform can be constrained as required.
    • Session Monitoring/Recording: all activities are logged, and the policy can be set to record the full session.
    • Leapfrog Prevention: prevent the user from jumping from the authorized device to unauthorized devices.
    • Attributed Use of Shared Privileged Account: even though the user may be logged in as “root”, our solution knows which user was logged in.
    • Complete Activity Logging: all of this activity is logged in a tamper-proof log database. Session recordings can be viewed like a DVR, with skip-ahead to policy violations.
  • These are the essential capabilities a solution needs to effectively protect your organization from the threat privileged insiders pose.
  • Intro: Citrix has the proven expertise and best practices to help you work through these considerations. Key Points: We can help you assess, design and deploy an exec mobility solution that will meet the requirements of your most challenging users, helping you think through:
    Assess: We’ll help you assess the devices, apps, mobility and security requirements of your mobile execs. With this, we can help define a technology roadmap.
    Design: Citrix can also help put together a well-documented design that allows you to install, configure and build a solution that leverages your organization’s infrastructure. To do this, you need to think about what hardware and infrastructure are required and what you can leverage, and what the operations and support design is (SLAs, staff required, support agreements required, etc.). We can also design for Test & QA, making sure that scalability, performance, security, functionality, usability and interoperability are covered.
    Deploy: Lastly, we can help you build, test and roll out a solution in an effective manner, ensuring that back-end systems and processes are in place. This includes user training/education/how-to guidance, independent analysis and verification of the design implementation, a pilot, and a phased rollout.
    Transition: We also built the content to help you go through your executive mobility journey…
  • Intro: The way Citrix looks at executive mobility is this… Key Points: Mobility helps high-value professionals put their skills and creativity to work more effectively, in more ways, to achieve the best results for the business. Citrix executive mobility solutions empower executives of the future with the mobility they need today, with: wherever, whenever productivity; the best device in any scenario; face-to-face contact across the globe; and a healthier work-life balance.
    Wrap-Up the Presentation: Establish clear next steps and the objective of the next meeting. Who is in the room and who is not? Who can serve as a sponsor or be the influencers? Who is most interested? Would they be interested in an assessment (come in to understand their requirements in more detail: devices, users, apps, etc.)? A technical presentation for other people not there who need to delve into the details of any of the products? A POC? A meeting with a higher-level group, maybe with a demo of the technology? Bring this brochure back to them and see if we can get into another meeting to show them the technology in action.
  • Secure and Contained Access for Everybody, at Anytime
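The controls walked through in the use-case notes above (vault passwords, positive user ID, white list, command filtering, leapfrog prevention, attributed use of a shared account, tamper-proof logging with skip-ahead to violations) and listed again on the “Zero Trust via Layered Protection” and “Essential Capabilities” slides, as an added worked example. This is a toy privileged-access broker written for this page, not Uni Systems’ or Citrix’s code; every server name, user, password, OTP secret and policy in it is constructed. Two design choices are assumptions about how such a product might implement the slide’s terms: the second factor is an HOTP code (RFC 4226), and tamper evidence is a SHA-256 hash chain over the activity log.

```python
"""Toy privileged-access broker illustrating the controls on the use-case slide.
Constructed example for this page; not vendor code. All names and data are made up."""
import hashlib
import hmac
import json
import shlex

# Constructed vault: server -> shared privileged account. Only the broker reads it;
# the human user never sees these passwords (control: Vault Passwords).
VAULT = {
    "db-server-a": {"account": "root", "password": "vault-secret-a"},
    "web-server-b": {"account": "root", "password": "vault-secret-b"},
    "hr-server-c": {"account": "root", "password": "vault-secret-c"},
}

def pw_hash(password: str, salt: bytes) -> str:
    """PBKDF2-SHA256 password hash (constructed directory, not a real IdP)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

# Constructed user directory: password hash, OTP secret, explicit server white list,
# and the commands this user may run once connected (control: Command Filtering).
USERS = {
    "alice": {
        "salt": b"salt-alice",
        "pw": pw_hash("correct horse battery", b"salt-alice"),
        "otp_secret": b"alice-otp-secret",
        "servers": {"db-server-a", "web-server-b"},
        "allowed_cmds": {"systemctl", "journalctl", "cat", "ls"},
    },
}
HOP_COMMANDS = {"ssh", "scp", "telnet"}  # commands that would jump to another host
GENESIS = "0" * 64                        # start of the tamper-evident hash chain

def hotp(secret: bytes, counter: int) -> str:
    """Second factor: HOTP (RFC 4226) over HMAC-SHA1, truncated to 6 digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"

class Broker:
    def __init__(self) -> None:
        self.log: list = []  # Complete Activity Logging: every record hash-chained to the previous one

    def _log(self, user: str, server: str, account: str, kind: str, detail: str) -> dict:
        prev = self.log[-1]["hash"] if self.log else GENESIS
        rec = {"user": user, "server": server, "account": account,
               "kind": kind, "detail": detail, "prev": prev}
        rec["hash"] = hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()
        self.log.append(rec)
        return rec

    def login(self, user: str, password: str, otp: str, counter: int):
        """Positively ID User: password plus one-time code; returns the principal or None."""
        u = USERS.get(user)
        if u is None:
            return None
        if not hmac.compare_digest(pw_hash(password, u["salt"]), u["pw"]):
            return None
        if not hmac.compare_digest(otp, hotp(u["otp_secret"], counter)):
            return None
        return user

    def authorized_servers(self, user: str) -> list:
        """White List / Least Privilege: the user is shown only what they may reach."""
        return sorted(USERS[user]["servers"])

    def connect(self, user: str, server: str):
        """Check out the vaulted credential and open a session attributed to the human user."""
        if server not in USERS[user]["servers"]:
            self._log(user, server, "-", "DENY_CONNECT", "server not on white list")
            return None
        account = VAULT[server]["account"]  # the password itself never leaves the broker
        self._log(user, server, account, "SESSION_START", "credential checked out from vault")
        return {"user": user, "server": server, "account": account}

    def run(self, session: dict, cmdline: str) -> str:
        """Command Filtering and Leapfrog Prevention; every decision is logged with the real user,
        even though the session account on the target is the shared 'root'."""
        user, server, account = session["user"], session["server"], session["account"]
        argv = shlex.split(cmdline)
        if not argv:
            return "EMPTY"
        if argv[0] in HOP_COMMANDS:  # attempt to hop to another host from inside the session
            target = argv[-1].rsplit("@", 1)[-1].split(":")[0]
            if target not in USERS[user]["servers"]:
                self._log(user, server, account, "LEAPFROG_BLOCKED", cmdline)
                return "BLOCKED"
        if argv[0] not in USERS[user]["allowed_cmds"] | HOP_COMMANDS:
            self._log(user, server, account, "COMMAND_BLOCKED", cmdline)
            return "BLOCKED"
        self._log(user, server, account, "COMMAND", cmdline)
        return "ALLOWED"

    def verify_log(self) -> bool:
        """Tamper check: recompute the chain; any edited or removed record breaks it."""
        prev = GENESIS
        for rec in self.log:
            body = {k: v for k, v in rec.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

    def violations(self) -> list:
        """DVR-style skip-ahead: jump straight to the policy violations in the recording."""
        return [r for r in self.log if r["kind"].endswith("BLOCKED") or r["kind"].startswith("DENY")]

def demo():
    """Walk the use case: login, white list, one session on db-server-a, mixed commands."""
    broker = Broker()
    user = broker.login("alice", "correct horse battery", hotp(b"alice-otp-secret", 7), 7)
    session = broker.connect(user, "db-server-a")
    results = [broker.run(session, c) for c in (
        "systemctl status postgresql",  # allowed
        "ssh root@hr-server-c",         # leapfrog to a server not on the white list
        "useradd tempuser",             # not in the command white list
        "ls /var/log",                  # allowed
    )]
    broker.connect(user, "hr-server-c")  # denied: not on alice's white list
    return results, broker

if __name__ == "__main__":
    results, broker = demo()
    print(results, broker.verify_log(), len(broker.violations()))
```

Running the script prints the four command decisions, the result of the chain check, and the number of violations an auditor could skip straight to. The attribution point of the slide is visible in the log: every record carries `user: alice` even though the session account is the shared `root`, which is what lets an auditor tie shared-account activity back to an individual.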

    1. Secure and Contained Access for Everybody, at Anytime. Anastasios Moustakis, Senior Solution Architect, Uni Systems. Copyright 2013
    2. Agenda
       • The Challenging Environment of Secure Access
       • Security Trends, User & IT Requirements
       • Uni Systems Secure Access Solution Overview
       • Implementation Approach
       • Success Stories
    3. 1.3 Billion Mobile Workers by 2015 (Mobile Worker Population, IDC, Jan 2012)
    4. The top 3 groups driving support for non-standard devices are in management: C-Suite 42%, VPs & Directors 43%, Managers 27%. (Consumerization of IT Study, April 2011, IDC)
    5. (Chart: two survey panels. Left: “How many different computing devices do you use on a daily basis?” (Family PC | Work PC | Personal Laptop | Tablet | Smartphone; axis 1, 2, 3, 4, 5+). Right: “How many days a week on average do you work outside the office?” (axis 0, 1-2, 3-4, 5). Source: Global BYOD Index, Survey of Corporate Employees, February 2011, Citrix Systems.)
    6. How Users Feel Today
    7. User Needs: Freedom to access all their apps and data from any of their devices
    8. For Enterprise IT, any-device access presents big challenges
    9. IT Needs: to meet security and compliance requirements
    10. But the needs of users and IT must be balanced
    11. “Privileged Insiders” are granted more trust
    12. Who are “Privileged Insiders”?
       • Well Controlled: Highly Trusted Business Users (Mobile/Any device)
       • Not So Much?: Highly Trusted IT Users (Systems, Database, Network Administrators)
    13. The Changing Security Landscape
       • Redefining the Perimeter
       • New Trust Model Needed
       • Spear-phishing Attacks Targeting Privileged Users
       • Increasingly Stringent Compliance and Audit Requirements
       “The biggest issue facing information security professionals is that our traditional trust model is broken.” (Forrester Research)
    14. Frequency & Cost of Insider Breaches: 30% of large enterprise customers experienced a malicious insider breach (chart: average days to resolve). Source: Second Annual Cost of Cyber Crime Study, Benchmark Study of U.S. Companies (Ponemon Institute, 2011)
    15. Challenges for Secure Access
       • Increasing Compliance, Audit Requirements and Security Mandates
       • Changing Trust Model
       • 3rd Party and Employees: No differentiation
       • Remote or Internal and Mobility: Disappearing perimeter; “Remote” an obsolete term
       • User and Asset / System Policy: Policy does not intersect
       • Movement to Centralized Computing
       • Operational Efficiency and Reduced Cost
       • Virtualized Servers/Desktops, Cloud: Landscape Change
    16. Traditional Solutions have Limitations (solution: issues)
       • Firewalls: NW focus, not user/app level access control
       • VPNs + Jump Box: Hard to audit, difficult to manage
       • Routers: Complicated ACLs, NW Layer Only
       • Active Directory: End-user focused
       • NAC: No inside access control, containment
       • Virtual Desktop: Risks are amplified
       • SIEM/Log Mgmt: Reactive, lacks data for privileged “insider”
    17. Uni Systems answer: “Zero Trust” via Layered Protection
       • Positively ID The User
       • White List / Least Privilege Access
       • Command Filtering (Whitelist/Blacklist)
       • Session Monitoring/Recording
       • Leapfrog Prevention
       • Attributed Use of Shared Privileged Account
       • Vault (sample entries on the slide: Server A: ID abc123, PW xyz$21; Server B: ID cde234, PW eie10$)
       • Tamper-proof Log; Complete Activity Logging; Policy Violation Logging with DVR-Like Playback and Skip
    18. Solution Scope
       • Provision of a System that will offer: Configurable, Secure, Recordable, and Fully Controllable
       • Secure Local & Remote or Mobile Access for: Privileged Users (internal or 3rd party), Employees, and Business Partners
    19. Solution Essential Capabilities (1/2)
       • Enforce fine-grained Access Control on different types of users
       • Configurable multi-level authentication with time-based access rights
       • Protect applications and expose only the presentation layer
       • Contain privileged users to authorized resources and prevent leapfrogging
    20. Solution Essential Capabilities (2/2)
       • Protect data and prevent leakage
       • Generate a detailed Audit Trail for proof of compliance and investigations
       • Record access sessions (video & CLI recording)
       • Protect privileged user and application passwords
       • Eliminate the use of shared passwords for administrative accounts
    21. Solution Architecture (diagram with three zones; components numbered 1–11 on the slide)
       • User Zone (Internal/External/Mobile User Device): Any Device; USB Boot Desktop; USB Secure Browser; Certificate; Token (Hard, SMS); Endpoint Management (MDM, USB Boot, Isolated Browser); Desktop, Thin client, Laptop, Mobile Device, Smartphone
       • Secure Access Component Zone: SSO, Password and Shared Account Password Management Vault; Gateway (SSL, Proxy (ICA)); Application / Desktop Access control & DLP; Web Portal and Web Interface; Session and User, Session-based access control; Leapfrog prevention; Video-like and CLI Logging and Sessions Recording; Sandboxed Apps; Token Infrastructure; User Repository (A.D.); Report & Workflow db; Workflow & Report Engine
       • Trusted and Protected Zone (Internal Protected Systems): Application / Desktop (ICA Client); Server, Storage, Network, Security Devices
    22. Vendors (the solution architecture diagram of slide 21 with the vendor mapping per component)
    23. Implementation Approach (1/2)
       • Systems Integration Project
       • Modular Architecture
       • Based on: type of users (3rd party privileged users, Business partners, Internal Administrators); type and number of internal protected systems; type and number of services required (Applications, Desktops, Resources); type and number of endpoint devices used; integration points with existing systems (Workflow, Helpdesk, etc.)
    24. Implementation Approach (2/2): Specific Methodology
       • Analysis Phase: Infrastructure Assessment and Readiness Evaluation; Proof of Concept; User Requirements (Application, Services, Resources, Policies)
       • Design Phase: Infrastructure Design, Policies
       • Build & Test Phase
       • Roll-out Phase
    25. Secure Access Solution with Uni Systems: the proven expertise and practical guidance needed for success
       • Assess: Devices; Apps - Services; Mobility - BYOD; Security
       • Design: Documented solution design; Hardware and infrastructure; Operations and support; Test and QA
       • Deploy: Training; Independent analysis/verification; Pilot
    26. Success Stories: TOP Telecom Provider
       • Problem: Consolidate & grant secure access to 3rd Party Administrators; different methods of access; points of vulnerability; absence of uniform management
       • Answer: Centralize access control across critical users with distinct missions; ensure contained and auditable access; meet federal compliance requirements; workflow-driven operation
       • Results: Control over privileged users and critical infrastructure and assets; tight control over who gets access to what, when and for how long; contain users to authorized systems only; audit-quality logging for compliance
       “With the Uni Systems Secure Remote Access Solution we have an all-in-one solution for these higher risk users which gives us the peace of mind that we are meeting our objectives to safeguard our network and the sensitive information it contains.” (Security Expert at Telecom Provider)
    27. Success Stories: Top Financial Institute
       • Problem: Provide secure access to hundreds of remote developers, administrators and auditors; no containment of users to authorized resources; IT resource-intensive, cumbersome and ineffective access controls; no audit trail or ability to match controls to specific users
       • Results: A unified, easy-to-manage solution; hundreds of business-critical 3rd parties now granted secure, controlled access; increased operational efficiency with a single solution; an audit trail for internal security requirements and external compliance mandates
       “What is so special about you --- ‘containment, containment, containment.’” (VP Security Officer, Top Financial Institution)
    28. Uni Systems: empowering Secure Access of the future, with the mobility and agility users need today
    29. Thank you! www.unisystems.com
