Webcast: Building the Privileged Identity Management Business Case

Patrick McBride
Vice President of Marketing
Xceedium
Agenda
▪ Who Are Privileged Users & Why Should You Care?
▪ How Are The Risks Changing?
▪ How to Build a Privileged Identity Management Business Case
▪ Introducing Xceedium Xsuite®: Next Generation Privileged Identity Management

© Copyright 2013, Xceedium, Inc.

Privileged Identity Management

Privileged Insiders Cause Real Damage
Insider Threat – Abbreviated Wall of Shame

▪ A former employee at the U.S. subsidiary of Japanese pharma Shionogi pleaded guilty to deleting 15 business-critical VMware host systems, costing the company $800,000.
▪ An IT employee at Bank of America admitted that he hacked the bank’s ATMs to dispense cash without recording the activity.
▪ A contract programmer fired by Fannie Mae was convicted of planting malicious code intended to destroy all data on nearly 5,000 internal servers.
▪ A Goldman Sachs programmer was found guilty of stealing computer code for high frequency trading from the investment bank when he left to join a startup.
▪ A Utah computer contractor pleaded guilty to stealing about $2 million from four credit unions for which he worked.

Who Are Privileged Users?

[Diagram: privileged users and their access paths. Labels: On Premise; Public Cloud; Internet; VMware Administrator; Microsoft Office 365 Administrator; AWS Administrator; Employees/Partners; Systems Admins, Network Admins, DB Admins, Application Admins; Employees; Partners; Systems/NW/DB/Application Admins; Apps; Unauthorized User; Hacker (Malware/APT)]

How Bad is the Insider Threat?

[Chart: Percentage of Participants Who Experienced an Insider Incident]

Source: 2013 US State of Cybercrime Survey, CSO Magazine, USSS, CERT & Deloitte (501 respondents)

Insider Threat Statistics
▪ Insiders the top source of breaches in the last 12 months; 25% of respondents said a malicious insider was the most common way a breach occurred. (Forrester)
▪ 33.73% of respondents find insider crimes likely to cause more damage to an organization than external attacks (31.34%) (CERT Insider Threat Center)
▪ "...insiders, be they malicious or simply unaware, were responsible for 19.5% of incidents, but a staggering 66.7% of 2012’s exposed records." (Open Security Foundation)
▪ "Insiders continue to be a threat that must be recognized as part of an organization’s enterprise-wide risk assessment." (CERT Insider Threat

Building Blocks for a PIM Business Case
Beware of the perfect business case

▪ ROI - “It will save us money…”
▪ Risk Reduction - “It will make our systems and data safer…”
▪ Compliance - “Because we have to…”

Best Practice Reminder… “Make it your own”

Return on Investment
It will save us money…

▪ Investment X (Process & Technology) = Cost Savings Y
▪ Beware of spreadsheet trap!
▪ Is a logic argument good

Return on Investment
Password Management

ROI Calculation

Total Passwords * Number of Changes/Year (most organizations require monthly or quarterly changes) * Time to Change (some number of seconds) = Time Savings (per annum).

Annual Cost Savings = Time savings (in hours) * Sys Admin Cost/Hour (fully loaded)

This does not factor in any savings for the ability to enforce password composition (strong passwords). There may not be much savings for this, but it does save time in audits (we’ll cover that later).

Return on Investment
Single Sign-on

ROI Calculation

**Time Savings per Login (some number of seconds) * Total Logins = Time Savings (over some period of time).

Annual Cost Savings = Time savings (in hours) * Sys Admin Cost/Hour (fully loaded)

**The time the systems administrator saved by being able to SSO to the target, versus looking up a password (passwords should be different for each target system and hard to guess, no?)

Return on Investment
Shortening Investigations

ROI Calculation

Investigations:
Time Savings per incident (some number of days) * Number of Incidents to Investigate = Time Savings (in days/year).
Annual Cost Savings = Time savings (in days) * Security Investigator/day (fully loaded)

Spot Checks:
**Time Savings per spot check (in hours) * Number of Spot-Checks * Sys Admin Cost/Hour = Total Cost Savings.

**With active monitoring and alerting, one could also argue you can reduce the total number of spot-checks. For example, only do them when there is a key triggering event–such as when a sys admin leaves the organization, or when you fire a contractor or service provider.

Return on Investment
…and more

Federated Identity vs. Islands of Identity

Simplified Audits

Risk Reduction
It will make our systems and data safer…

▪ Impact of a Loss
▪ Key Risks PIM Can Mitigate

Risk Reduction
Impact of a Loss…

▪ Hard dollar financial losses – theft of cash and financial instruments
▪ Intellectual property loss – theft of strategic plans, inventions, important corporate data, etc.
▪ Reduced/deferred revenue – the operational impact caused by network and system outages stemming from a breach
▪ Fines – fines imposed by regulators
▪ Contractual losses – financial penalties imposed by customers through contracts or lawsuits
▪ Recovery Cost – the cost of investigating and cleaning up from a breach (a recent Ponemon Institute study notes it takes an average of 44 days–and multiple employees–to recover from a breach by an insider)

Calculating an actual dollar figure for potential loss is difficult to impossible.

Risk Reduction
Key Risks PIM Can Mitigate…

▪ Lost or stolen privileged account credentials
▪ Unauthorized administrative access to systems
▪ Ability to “land and move laterally”
▪ Over-privileged
▪ Anonymous use of privileged accounts
▪ Inability to enforce least privilege for critical systems
▪ Minimal or missing forensic data for investigating and adjudicating insider threat cases

Risk Reduction
Best Practices for Managing Privileged User Risks

1. Create a process for on/off boarding privileged users
   • Background checks
   • Ensure policy review & training
   • Periodic (ongoing) entitlement reviews
2. Implement Least Privilege (least everything)
   • Least device access
   • Least functional access (Console, CLI, FTP)
   • Least command execution (“drop”, “telnet”, “reboot”)
3. Implement strong authentication
   • Strengthen legacy UID and password mechanism
   • Implement two or three factor authentication
4. Separate authentication from authorization (entitlements)
   • Remove direct end-point access
5. Protect privileged account credentials

Risk Reduction
Best Practices for Managing Privileged User Risks

6. No anonymous activity - ensure privileged sessions can be “attributed” to a specific individual (not just an IP address or shared account)
7. Implement extra protections for the most critical assets/privileged accounts (e.g., management consoles)
8. Alert on violations (proactive controls), lock out account/session on violations
9. Log & record EVERYTHING (Forensics)
10. Mind the Virtualization API Gap

Increased Regulatory and Auditor Scrutiny

▪ New requirements around privileged/administrative users
   • FISMA/NIST 800-53 (r4)
   • PCI/DSS
   • NERC Critical Infrastructure Protection
   • HIPAA, SOX, etc.
   • International Security/Privacy

NIST 800-125
“Guide to Security for Full Virtualization Technology”

Restrict and protect administrator access to the virtualization solution
• “The security of the entire virtual infrastructure relies on the security of the virtualization management system”
• “…start guest OSs, create new guest OS images, and perform other administrative actions. Because of the security implications of these actions, access to the virtualization management system should be restricted to authorized administrators only.”
• “Secure each management interface, whether locally or remotely accessible.”
• “For remote administration, the confidentiality of communications should be protected, such as through use of FIPS-approved cryptographic algorithms and modules.”

Building Blocks for a PIM Business Case
Beware of the perfect business case!

▪ ROI - “It will save us money…”
▪ Risk Reduction - “It will make our systems and data safer…”
▪ Compliance - “Because we have to…”

Next Generation PIM Requirements

1. Comprehensive/Integrated Control Set
2. Protect Systems, Applications, Consoles Across Hybrid-Cloud
3. Architected Specifically for Highly Dynamic Public/Private Clouds

June 2013

Introducing Xsuite®
Next Generation Privileged Identity Management

[Diagram: New Hybrid Enterprise. Labels: Traditional Data Center; Virtualized Data Center; Public Cloud - IaaS; SaaS Applications; VMware Console; Mainframe, Windows, Linux, Unix, Networking; AWS Console & APIs; Office 365 Console]

Control and Audit All Privileged Access
• Vault Credentials
• Centralized Authentication
• Federated Identity
• Privileged Single Sign-on
• Role-Based Access Control
• Prevent Leapfrogging
• Monitor & Record Sessions
• Full Attribution

Unified Policy Management
Identity Integration
Enterprise-Class Core
Hardware Appliance; OVF Virtual Appliance; AWS AMI

What Sets Xsuite Apart?
Next Generation Privileged Identity Management

▪ Xsuite is the Only Platform With:
   • Comprehensive, integrated controls enforced across hybrid environments
   • Unified policy management
   • Protection for management consoles and guest systems
   • Integration with VMware, AWS and Microsoft Office 365
   • Control and Auditing of AWS management API calls
   • Architected for dynamic, elastic cloud environments
   • Deployment Choice: hardware, OVF or AMI appliances
▪ Superior Performance & Scalability
▪ Integration With Existing Systems and Infrastructure
▪ Most Highly Certified Solution Available

Contact Us
2214 Rock Hill Road, Suite 100
Herndon, VA 20170
Phone: 866-636-5803
info@xceedium.com
@Xceedium
@pmcbrideva1
facebook.com/xceedium

A Journey Into the Emotions of Software Developers
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 

2013 12 18 webcast - building the privileged identity management business case

  • 1. Webcast: Building the Privileged Identity Management Business Case Patrick McBride Vice President of Marketing Xceedium
  • 2. Agenda
      • Who Are Privileged Users & Why Should You Care?
      • How Are The Risks Changing?
      • How to Build a Privileged Identity Management Business Case
      • Introducing Xceedium Xsuite® Next Generation Privileged Identity Management
      © Copyright 2013, Xceedium, Inc.
  • 3. Privileged Identity Management
  • 4. Privileged Insiders Cause Real Damage
      Insider Threat – Abbreviated Wall of Shame
      • A former employee at the U.S. subsidiary of Japanese pharma Shionogi pleaded guilty to deleting 15 business-critical VMware host systems, costing the company $800,000.
      • An IT employee at Bank of America admitted that he hacked the bank’s ATMs to dispense cash without recording the activity.
      • A contract programmer fired by Fannie Mae was convicted of planting malicious code intended to destroy all data on nearly 5,000 internal servers.
      • A Goldman Sachs programmer was found guilty of stealing computer code for high frequency trading from the investment bank when he left to join a startup.
      • A Utah computer contractor pleaded guilty to stealing about $2 million from four credit unions for which he worked.
  • 5. Who Are Privileged Users?
      [Diagram labels: On Premise; Public Cloud; Internet; VMware Administrator; Microsoft Office 365 Administrator; AWS Administrator; Employees/Partners; Employees; Partners; Systems/NW/DB/Application Admins (Systems Admins, Network Admins, DB Admins, Application Admins); Apps; Unauthorized User; Hacker (Malware/APT)]
  • 6. How Bad is the Insider Threat?
      [Chart: Percentage of Participants Who Experienced an Insider Incident]
      Source: 2013 US State of Cybercrime Survey, CSO Magazine, USSS, CERT & Deloitte (501 respondents)
  • 7. Insider Threat Statistics
      • Insiders the top source of breaches in the last 12 months; 25% of respondents said a malicious insider was the most common way a breach occurred. (Forrester)
      • 33.73% of respondents find insider crimes likely to cause more damage to an organization than external attacks (31.34%) (CERT Insider Threat Center)
      • "...insiders, be they malicious or simply unaware, were responsible for 19.5% of incidents, but a staggering 66.7% of 2012’s exposed records." (Open Security Foundation)
      • "Insiders continue to be a threat that must be recognized as part of an organization’s enterprise-wide risk assessment." (CERT Insider Threat
  • 8. Building Blocks for a PIM Business Case
      Beware of the perfect business case
      • ROI - “It will save us money…”
      • Risk Reduction - “It will make our systems and data safer…”
      • Compliance - “Because we have to…”
      Best Practice Reminder… “Make it your own”
  • 9. Return on Investment
      It will save us money…
      • Investment X (Process & Technology) = Cost Savings Y
      • Beware of spreadsheet trap!
      • Is a logic argument good
  • 10. Return on Investment
      Password Management ROI Calculation
      Total Passwords * Number of Changes/Year (most organizations require monthly or quarterly changes) * Time to Change (some number of seconds) = Time Savings (per annum).
      Annual Cost Savings = Time savings (in hours) * Sys Admin Cost/Hour (fully loaded)
      This does not factor in any savings for the ability to enforce password composition (strong passwords). There may not be much savings for this, but it does save time in audits (we’ll cover that later).
  • 11. Return on Investment
      Single Sign-on ROI Calculation
      **Time Savings per Login (some number of seconds) * Total Logins = Time Savings (over some period of time).
      Annual Cost Savings = Time savings (in hours) * Sys Admin Cost/Hour (fully loaded)
      **The time the systems administrator saved by being able to SSO to the target, versus looking up a password (passwords should be different for each target system and hard to guess, no?)
  • 12. Return on Investment
      Shortening Investigations ROI Calculation
      Investigations: Time Savings per incident (some number of days) * Number of Incidents to Investigate = Time Savings (in days/year).
      Annual Cost Savings = Time savings (in days) * Security Investigator/day (fully loaded)
      Spot Checks: **Time Savings per spot check (in hours) * Number of Spot-Checks * Sys Admin Cost/Hour = Total Cost Savings.
      **With active monitoring and alerting, one could also argue you can reduce the total number of spot-checks. For example, only do them when there is a key triggering event–such as when a sys admin leaves the organization, or when you fire a contractor or service provider.
  • 13. Return on Investment
      …and more
      • Federated Identity vs. Islands of Identity
      • Simplified Audits
  • 14. Risk Reduction
      It will make our systems and data safer…
      • Impact of a Loss
      • Key Risks PIM Can Mitigate
  • 15. Risk Reduction
      Impact of a Loss…
      • Hard dollar financial losses – theft of cash and financial instruments
      • Intellectual property loss – theft of strategic plans, inventions, important corporate data, etc.
      • Reduced/deferred revenue – the operational impact caused by network and system outages stemming from a breach
      • Fines – fines imposed by regulators
      • Contractual losses – financial penalties imposed by customers through contracts or lawsuits
      • Recovery Cost – the cost of investigating and cleaning up from a breach (a recent Ponemon Institute study notes it takes an average of 44 days–and multiple employees–to recover from a breach by an insider)
      Calculating an actual dollar figure for potential loss is difficult to impossible.
  • 16. Risk Reduction
      Key Risks PIM Can Mitigate…
      • Lost or stolen privileged account credentials
      • Unauthorized administrative access to systems
      • Ability to “land and move laterally”
      • Over-privileged
      • Anonymous use of privileged accounts
      • Inability to enforce least privilege for critical systems
      • Minimal or missing forensic data for investigating and adjudicating insider threat cases
  • 17. Risk Reduction
      Best Practices for Managing Privileged User Risks
      1. Create a process for on/off boarding privileged users
         • Background checks
         • Ensure policy review & training
         • Periodic (ongoing) entitlement reviews
      2. Implement Least Privilege (least everything)
         • Least device access
         • Least functional access (Console, CLI, FTP)
         • Least command execution (“drop”, “telnet”, “reboot”)
      3. Implement strong authentication
         • Strengthen legacy UID and password mechanism
         • Implement two or three factor authentication
      4. Separate authentication from authorization (entitlements)
         • Remove direct end-point access
      5. Protect privileged account credentials
  • 18. Risk Reduction
      Best Practices for Managing Privileged User Risks
      6. No anonymous activity - ensure privileged sessions can be “attributed” to a specific individual (not just an IP address or shared account)
      7. Implement extra protections for the most critical assets/privileged accounts (e.g., management consoles)
      8. Alert on violations (proactive controls), Lock out account/session on violations
      9. Log & record EVERYTHING (Forensics)
      10. Mind the Virtualization API Gap
  • 19. Increased Regulatory and Auditor Scrutiny
      New requirements around privileged/administrative users
      • FISMA/NIST 800 53(r4)
      • PCI/DSS
      • NERC Critical Infrastructure Protection
      • HIPAA, SOX, etc.
      • International Security/Privacy
  • 20. NIST 800-125 “Guide to Security for Full Virtualization Technology”
      Restrict and protect administrator access to the virtualization solution
      • “The security of the entire virtual infrastructure relies on the security of the virtualization management system”
      • “…start guest OSs, create new guest OS images, and perform other administrative actions. Because of the security implications of these actions, access to the virtualization management system should be restricted to authorized administrators only.”
      • “Secure each management interface, whether locally or remotely accessible.”
      • “For remote administration, the confidentiality of communications should be protected, such as through use of FIPS-approved cryptographic algorithms and modules.”
  • 21. Building Blocks for a PIM Business Case
      Beware of the perfect business case!
      • ROI - “It will save us money…”
      • Risk Reduction - “It will make our systems and data safer…”
      • Compliance - “Because we have to…”
  • 22. Next Generation PIM Requirements
      1. Comprehensive/Integrated Control Set
      2. Protect Systems, Applications, Consoles Across Hybrid-Cloud
      3. Architected Specifically for Highly Dynamic Public/Private Clouds
      June 2013
  • 23. Introducing Xsuite®
      Next Generation Privileged Identity Management
      [Diagram labels]
      New Hybrid Enterprise: Traditional Data Center; Virtualized Data Center; Public Cloud - IaaS; VMware Console; Mainframe, Windows, Linux, Unix, Networking; AWS Console & APIs; SaaS Applications; Office 365 Console
      Control and Audit All Privileged Access:
      • Vault Credentials
      • Centralized Authentication
      • Federated Identity
      • Privileged Single Sign-on
      • Role-Based Access Control
      • Prevent Leapfrogging
      • Monitor & Record Sessions
      • Full Attribution
      Unified Policy Management; Identity Integration; Enterprise-Class Core
      Hardware Appliance; OVF Virtual Appliance; AWS AMI
  • 24. What Sets Xsuite Apart?
      Next Generation Privileged Identity Management
      Xsuite is the Only Platform With:
      • Comprehensive, integrated controls enforced across hybrid environments
      • Unified policy management
      • Protection for management consoles and guest systems
      • Integration with VMware, AWS and Microsoft Office 365
      • Control and Auditing of AWS management API calls
      • Architected for dynamic, elastic cloud environments
      • Deployment Choice: hardware, OVF or AMI appliances
      Superior Performance & Scalability
      Integration With Existing Systems and Infrastructure
      Most Highly Certified Solution Available
  • 25. Contact Us
      2214 Rock Hill Road, Suite 100, Herndon, VA 20170
      Phone: 866-636-5803
      info@xceedium.com
      @Xceedium, @pmcbrideva1
      facebook.com/xceedium

Editor's Notes

  1. We have had lots of questions recently….. Likely driven by some notable incidents
  2. There is no such thing as the perfect business case for PIM (or other security tools). Early mentor.. Don’t let perfection get in the way of getting something done… Make it your own and tailor to your organization in general and your audience in particular. Remember, the weight any of these building blocks carries is different for any given individual or organization, so build accordingly.
  3. Some modern privileged identity management tools provide a full range of capabilities and can help organizations enforce multiple security controls. So there may be multiple features that can save your organization time (money).
  4. Enterprise organizations need a Next Generation Privileged Identity Management Platform – enabling them to protect and manage systems and privileged users across hybrid environments…all from a single point of control. Xsuite enforces a comprehensive set of controls – enabling customers to “control and audit all privileged access” wherever their systems may be located. Xsuite simplifies management and audit reporting with a Unified Policy Management capability and full high definition recordings of user sessions. Xsuite comes in three different appliance “flavors”: a hardware appliance, an OVF virtual appliance that runs on VMware vSphere and an AWS AMI (Amazon Machine Instance) that runs on Amazon EC2 – EACH OF THESE APPLIANCES CAN PROTECT AND MANAGE ACROSS HYBRID ENVIRONMENTS.
  5. Comprehensive Integrated Controls
     Description:
       • Full spectrum of controls for prevention, detection and response/forensics in a single, integrated solution
       • Controls are turned on as needed and managed at the group or individual level
       • Enforces least privilege, separation of duties and role-based access control
     Benefit:
       • Comprehensive protection for enterprise customers
       • Flexibility to support multiple use cases and configurations
       • Improved security and compliance - no need to implement/manage point products

     Controls work Across Hybrid Environments
     Description:
       • Ability to secure and protect servers and other IT infrastructure wherever it resides
     Benefit:
       • Enables a simplified transition to cloud computing and hybrid-cloud architectures
       • Cost savings
       • Improved IT/Business Agility

     Unified Policy Management
     Description:
       • Controls users and access to devices through a single policy-management regime
     Benefit:
       • Reduced total cost of ownership
       • Clarity regarding which controls are in place and for whom – reduces gaps in protection
       • Ensures proper compliance documentation for auditors

     Protection for Management Consoles and Guest Systems
     Description:
       • Unlike other vendors, Xsuite protects the end systems and the new, VERY POWERFUL management consoles present with virtualization and public cloud platforms
     Benefit:
       • Significantly improved security

     Integration with VMware, AWS and Microsoft Office 365
     Description:
       • Actual API level integration with the key virtualization/cloud platforms – other PIM vendors are just “cloud washing” or just saying they do cloud when they have not done the heavy lifting integration required to do it completely or correctly.
     Benefit:
       • Improved security
       • Reduced cost of operations

     Control and Auditing of AWS management APIs
     Description:
       • Ability to protect this potentially high-risk portion of the “management plane”
     Benefit:
       • Improved security

     Architected for dynamic, elastic cloud environments
     Description:
       • Things like auto discovery AND auto provisioning enable the system to keep up -- even in highly dynamic cloud and virtual environments
     Benefit:
       • Automated protection – new infrastructure automatically protected
       • Reduced cost of ownership – Xsuite does not require an army of administrators to manage policies

     Deployment Choice
     Description:
       • Choose from HW or Virtual Appliance
       • Appliance model – plugged into the network – no software to set up, configure and deploy
       • No software required on each target system
     Benefit:
       • Simplified set up, faster Time to Value and reduced Total Cost of Ownership

     Superior Performance & Scalability
     Description:
       • Active/active clustering support is built into the system
     Benefit:
       • High performance, availability and reliability

     Integration with existing systems and infrastructure
     Description:
       • Integration with key security and network management infrastructure:
         • AD/LDAP
         • X.509/PKI
         • Authentication systems (Radius, PIV/CAC, etc.)
         • SIEM & log management
         • SNMP
       • Integration with AWS: Amazon Web Service Identity and Access Management (IAM) – enabling federated identity so that organizations can leverage existing Active Directory and LDAP implementations and group definitions to provide granular access and “separation of duties” for the Amazon Management Console Account and its critical administrative functions.
       • Ability to automatically discover and provision servers with policies – this is a must in the highly elastic cloud environment where organizations can spin up tens or even hundreds of servers almost instantaneously.
     Benefit:
       • Leverage current investments to improve security and reduce operational costs
       • Strong authentication integration ensures the “keys to the kingdom” are well protected
       • Ensures that IT Security and SOC team members know about important events in real time
       • Enable organizations to take advantage of the dynamic nature and “elasticity” of cloud computing in a secure and efficient manner

     Highly Certified Solution
     Description:
       • Xceedium solutions meet the highest levels of security regulations in programs such as:
         • FIPS 140-2, Level 2 Compliant – Level 3 compliant with HSM support
         • Common Criteria, EAL 4+ Certified
         • U.S. DOD Unified Command Approved Products List (UC/APL)
     Benefit:
       • We take security as seriously as you do. You can rest assured that your systems maintain the highest levels of protection
       • Government customers can select Xsuite for their most critical systems