2013 12 18 webcast - building the privileged identity management business case


How to build a business case for Privileged Identity Management, Privileged Access Control Projects and Technology

  • We have had lots of questions recently, likely driven by some notable incidents.
  • There is no such thing as the perfect business case for PIM (or other security tools). Early mentor: don’t let perfection get in the way of getting something done. Make it your own and tailor it to your organization in general and your audience in particular. Remember, the weight any of these building blocks carries is different for any given individual or organization, so build accordingly.
  • Some modern privileged identity management tools provide a full range of capabilities and can help organizations enforce multiple security controls. So there may be multiple features that can save your organization time (money).
  • Enterprise organizations need a Next Generation Privileged Identity Management Platform – enabling them to protect and manage systems and privileged users across hybrid environments…all from a single point of control. Xsuite enforces a comprehensive set of controls – enabling customers to “control and audit all privileged access” wherever their systems may be located. Xsuite simplifies management and audit reporting with a Unified Policy Management capability and full high-definition recordings of user sessions. Xsuite comes in three different appliance “flavors”: a hardware appliance, an OVF virtual appliance that runs on VMware vSphere and an AWS AMI (Amazon Machine Instance) that runs on Amazon EC2 – EACH OF THESE APPLIANCES CAN PROTECT AND MANAGE ACROSS HYBRID ENVIRONMENTS.
  • Comprehensive Integrated Controls
      Description: Full spectrum of controls for prevention, detection and response/forensics in a single, integrated solution. Controls are turned on as needed and managed at the group or individual level. Enforces least privilege, separation of duties and role-based access control.
      Benefit: Comprehensive protection for enterprise customers. Flexibility to support multiple use cases and configurations. Improved security and compliance - no need to implement/manage point products.
    Controls Work Across Hybrid Environments
      Description: Ability to secure and protect servers and other IT infrastructure wherever it resides.
      Benefit: Enables a simplified transition to cloud computing and hybrid-cloud architectures. Cost savings. Improved IT/business agility.
    Unified Policy Management
      Description: Controls users and access to devices through a single policy-management regime.
      Benefit: Reduced total cost of ownership. Clarity regarding which controls are in place and for whom – reduces gaps in protection. Ensures proper compliance documentation for auditors.
    Protection for Management Consoles and Guest Systems
      Description: Unlike other vendors, Xsuite protects the end systems and the new, VERY POWERFUL management consoles present with virtualization and public cloud platforms.
      Benefit: Significantly improved security.
    Integration with VMware, AWS and Microsoft Office 365
      Description: Actual API-level integration with the key virtualization/cloud platforms – other PIM vendors are just “cloud washing” or just saying they do cloud when they have not done the heavy lifting integration required to do it completely or correctly.
      Benefit: Improved security. Reduced cost of operations.
    Control and Auditing of AWS Management APIs
      Description: Ability to protect this potentially high-risk portion of the “management plane”.
      Benefit: Improved security.
    Architected for Dynamic, Elastic Cloud Environments
      Description: Things like auto discovery AND auto provisioning enable the system to keep up -- even in highly dynamic cloud and virtual environments.
      Benefit: Automated protection – new infrastructure automatically protected. Reduced cost of ownership – Xsuite does not require an army of administrators to manage policies.
    Deployment Choice
      Description: Choose from HW or Virtual Appliance. Appliance model – plugged into the network – no software to set up, configure and deploy. No software required on each target system.
      Benefit: Simplified set up, faster Time to Value and reduced Total Cost of Ownership.
    Superior Performance & Scalability
      Description: Active/active clustering support is built into the system.
      Benefit: High performance, availability and reliability.
    Integration with Existing Systems and Infrastructure
      Description: Integration with key security and network management infrastructure: AD/LDAP; X.509/PKI; authentication systems (Radius, PIV/CAC, etc.); SIEM & log management; SNMP. Integration with AWS: Amazon Web Service Identity and Access Management (IAM) – enabling federated identity so that organizations can leverage existing Active Directory and LDAP implementations and group definitions to provide granular access and “separation of duties” for the Amazon Management Console Account and its critical administrative functions. Ability to automatically discover and provision servers with policies – this is a must in the highly elastic cloud environment where organizations can spin up tens or even hundreds of servers almost instantaneously.
      Benefit: Leverage current investments to improve security and reduce operational costs. Strong authentication integration ensures the “keys to the kingdom” are well protected. Ensures that IT Security and SOC team members know about important events in real time. Enables organizations to take advantage of the dynamic nature and “elasticity” of cloud computing in a secure and efficient manner.
    Highly Certified Solution
      Description: Xceedium solutions meet the highest levels of security regulations in programs such as: FIPS 140-2, Level 2 Compliant – Level 3 compliant with HSM support; Common Criteria, EAL 4+ Certified; U.S. DOD Unified Command Approved Products List (UC/APL).
      Benefit: We take security as seriously as you do. You can rest assured that your systems maintain the highest levels of protection. Government customers can select Xsuite for their most critical systems.

    1. Webcast: Building the Privileged Identity Management Business Case. Patrick McBride, Vice President of Marketing, Xceedium
    2. Agenda
       • Who Are Privileged Users & Why Should You Care?
       • How Are The Risks Changing?
       • How to Build a Privileged Identity Management Business Case
       • Introducing Xceedium Xsuite® Next Generation Privileged Identity Management
       © Copyright 2013, Xceedium, Inc.
    3. Privileged Identity Management
    4. Privileged Insiders Cause Real Damage
       Insider Threat – Abbreviated Wall of Shame
       • A former employee at the U.S. subsidiary of Japanese pharma Shionogi pleaded guilty to deleting 15 business-critical VMware host systems, costing the company $800,000.
       • An IT employee at Bank of America admitted that he hacked the bank’s ATMs to dispense cash without recording the activity.
       • A contract programmer fired by Fannie Mae was convicted of planting malicious code intended to destroy all data on nearly 5,000 internal servers.
       • A Goldman Sachs programmer was found guilty of stealing computer code for high frequency trading from the investment bank when he left to join a startup.
       • A Utah computer contractor pleaded guilty to stealing about $2 million from four credit unions for which he worked.
    5. Who Are Privileged Users?
       [Diagram labels: On Premise; Public Cloud; Internet; VMware Administrator; Microsoft Office 365 Administrator; AWS Administrator; Employees/Partners (Systems Admins, Network Admins, DB Admins, Application Admins); Apps; Unauthorized User; Hacker (Malware/APT)]
    6. How Bad is the Insider Threat?
       [Chart: Percentage of Participants Who Experienced an Insider Incident]
       Source: 2013 US State of Cybercrime Survey, CSO Magazine, USSS, CERT & Deloitte (501 respondents)
    7. Insider Threat Statistics
       • Insiders the top source of breaches in the last 12 months; 25% of respondents said a malicious insider was the most common way a breach occurred. (Forrester)
       • 33.73% of respondents find insider crimes likely to cause more damage to an organization than external attacks (31.34%) (CERT Insider Threat Center)
       • "...insiders, be they malicious or simply unaware, were responsible for 19.5% of incidents, but a staggering 66.7% of 2012’s exposed records." (Open Security Foundation)
       • "Insiders continue to be a threat that must be recognized as part of an organization’s enterprise-wide risk assessment." (CERT Insider Threat
    8. Building Blocks for a PIM Business Case
       Beware of the perfect business case
       • ROI - “It will save us money…”
       • Risk Reduction - “It will make our systems and data safer…”
       • Compliance - “Because we have to…”
       Best Practice Reminder… “Make it your own”
    9. Return on Investment
       It will save us money…
       • Investment X (Process & Technology) = Cost Savings Y
       • Beware of spreadsheet trap!
       • Is a logic argument good
    10. Return on Investment
        Password Management ROI Calculation
        Total Passwords * Number of Changes/Year (most organizations require monthly or quarterly changes) * Time to Change (some number of seconds) = Time Savings (per annum).
        Annual Cost Savings = Time Savings (in hours) * Sys Admin Cost/Hour (fully loaded)
        This does not factor in any savings for the ability to enforce password composition (strong passwords). There may not be much savings for this, but it does save time in audits (we’ll cover that later).
    11. Return on Investment
        Single Sign-on ROI Calculation
        **Time Savings per Login (some number of seconds) * Total Logins = Time Savings (over some period of time).
        Annual Cost Savings = Time Savings (in hours) * Sys Admin Cost/Hour (fully loaded)
        **The time the systems administrator saved by being able to SSO to the target, versus looking up a password (passwords should be different for each target system and hard to guess, no?)
    12. Return on Investment
        Shortening Investigations ROI Calculation
        Investigations: Time Savings per Incident (some number of days) * Number of Incidents to Investigate = Time Savings (in days/year).
        Annual Cost Savings = Time Savings (in days) * Security Investigator/day (fully loaded)
        Spot Checks: **Time Savings per Spot Check (in hours) * Number of Spot-Checks * Sys Admin Cost/Hour = Total Cost Savings.
        **With active monitoring and alerting, one could also argue you can reduce the total number of spot-checks. For example, only do them when there is a key triggering event–such as when a sys admin leaves the organization, or when you fire a contractor or service provider.
    13. Return on Investment
        …and more
        • Federated Identity vs. Islands of Identity
        • Simplified Audits
    14. Risk Reduction
        It will make our systems and data safer…
        • Impact of a Loss
        • Key Risks PIM Can Mitigate
    15. Risk Reduction
        Impact of a Loss…
        • Hard dollar financial losses – theft of cash and financial instruments
        • Intellectual property loss – theft of strategic plans, inventions, important corporate data, etc.
        • Reduced/deferred revenue – the operational impact caused by network and system outages stemming from a breach
        • Fines – fines imposed by regulators
        • Contractual losses – financial penalties imposed by customers through contracts or lawsuits
        • Recovery Cost – the cost of investigating and cleaning up from a breach (a recent Ponemon Institute study notes it takes an average of 44 days–and multiple employees–to recover from a breach by an insider)
        Calculating an actual dollar figure for potential loss is difficult to impossible.
    16. Risk Reduction
        Key Risks PIM Can Mitigate…
        • Lost or stolen privileged account credentials
        • Unauthorized administrative access to systems
        • Ability to “land and move laterally”
        • Over-privileged
        • Anonymous use of privileged accounts
        • Inability to enforce least privilege for critical systems
        • Minimal or missing forensic data for investigating and adjudicating insider threat cases
    17. Risk Reduction
        Best Practices for Managing Privileged User Risks
        1. Create a process for on/off boarding privileged users
           • Background checks
           • Ensure policy review & training
           • Periodic (ongoing) entitlement reviews
        2. Implement Least Privilege (least everything)
           • Least device access
           • Least functional access (Console, CLI, FTP)
           • Least command execution (“drop”, “telnet”, “reboot”)
        3. Implement strong authentication
           • Strengthen legacy UID and password mechanism
           • Implement two or three factor authentication
        4. Separate authentication from authorization (entitlements)
           • Remove direct end-point access
        5. Protect privileged account credentials
    18. Risk Reduction
        Best Practices for Managing Privileged User Risks
        6. No anonymous activity - ensure privileged sessions can be “attributed” to a specific individual (not just an IP address or shared account)
        7. Implement extra protections for the most critical assets/privileged accounts (e.g., management consoles)
        8. Alert on violations (proactive controls), lock out account/session on violations
        9. Log & record EVERYTHING (Forensics)
        10. Mind the Virtualization API Gap
    19. Increased Regulatory and Auditor Scrutiny
        New requirements around privileged/administrative users
        • FISMA/NIST 800-53(r4)
        • PCI/DSS
        • NERC Critical Infrastructure Protection
        • HIPAA, SOX, etc.
        • International Security/Privacy
    20. NIST 800-125 “Guide to Security for Full Virtualization Technology”
        Restrict and protect administrator access to the virtualization solution
        • “The security of the entire virtual infrastructure relies on the security of the virtualization management system”
        • “…start guest OSs, create new guest OS images, and perform other administrative actions. Because of the security implications of these actions, access to the virtualization management system should be restricted to authorized administrators only.”
        • “Secure each management interface, whether locally or remotely accessible.”
        • “For remote administration, the confidentiality of communications should be protected, such as through use of FIPS-approved cryptographic algorithms and modules.”
    21. Building Blocks for a PIM Business Case
        Beware of the perfect business case!
        • ROI - “It will save us money…”
        • Risk Reduction - “It will make our systems and data safer…”
        • Compliance - “Because we have to…”
    22. Next Generation PIM Requirements
        1. Comprehensive/Integrated Control Set
        2. Protect Systems, Applications, Consoles Across Hybrid-Cloud
        3. Architected Specifically for Highly Dynamic Public/Private Clouds
        June 2013
    23. Introducing Xsuite® Next Generation Privileged Identity Management
        [Diagram labels: New Hybrid Enterprise; Traditional Data Center; Virtualized Data Center; Public Cloud - IaaS; SaaS Applications; VMware Console; Mainframe, Windows, Linux, Unix, Networking; AWS Console & APIs; Office 365 Console]
        Control and Audit All Privileged Access
        • Vault Credentials
        • Centralized Authentication
        • Federated Identity
        • Privileged Single Sign-on
        • Role-Based Access Control
        • Prevent Leapfrogging
        • Monitor & Record Sessions
        • Full Attribution
        Unified Policy Management; Identity Integration; Enterprise-Class Core
        Hardware Appliance; OVF Virtual Appliance; AWS AMI
    24. What Sets Xsuite Apart? Next Generation Privileged Identity Management
        • Xsuite is the Only Platform With:
          • Comprehensive, integrated controls enforced across hybrid environments
          • Unified policy management
          • Protection for management consoles and guest systems
          • Integration with VMware, AWS and Microsoft Office 365
          • Control and Auditing of AWS management API calls
          • Architected for dynamic, elastic cloud environments
          • Deployment Choice: hardware, OVF or AMI appliances
        • Superior Performance & Scalability
        • Integration With Existing Systems and Infrastructure
        • Most Highly Certified Solution Available
    25. Contact Us
        2214 Rock Hill Road, Suite 100, Herndon, VA 20170
        Phone: 866-636-5803
        info@xceedium.com
        @Xceedium
        @pmcbrideva1
        facebook.com/xceedium