17. Risk Reduction
Best Practices for Managing Privileged User Risks
1. Create a process for on/off-boarding privileged users
• Background checks
• Ensure policy review & training
• Periodic (ongoing) entitlement reviews
2. Implement Least Privilege (least everything)
• Least device access
• Least functional access (Console, CLI, FTP)
• Least command execution (“drop”, “telnet”, “reboot”)
3. Implement strong authentication
• Strengthen legacy UID and password mechanism
• Implement two or three factor authentication
4. Separate authentication from authorization (entitlements)
• Remove direct end-point access
5. Protect privileged account credentials
18. Risk Reduction
Best Practices for Managing Privileged User Risks
6. No anonymous activity - ensure privileged sessions can be “attributed” to a specific individual (not just an IP address or shared account)
7. Implement extra protections for the most critical assets/privileged accounts (e.g., management consoles)
8. Alert on violations (proactive controls); lock out account/session on violations
9. Log & record EVERYTHING (Forensics)
10. Mind the Virtualization API Gap
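Items 2, 6, 8 and 9 above, as an added Python example that is not part of the slide deck or of any Xceedium product: a minimal session-gateway policy with a per-role command allow-list, refusal of shared logins so every session is attributable to a person, a log entry for every decision, and an alert plus lock-out after repeated violations. The role names, command lists, shared-account list and the three-violation threshold are constructed assumptions.

```python
"""Added example: a toy privileged-session policy (not the deck's or Xsuite's code).
Demonstrates least command execution, attribution to a named individual,
alert + lock-out on violations, and logging of every decision."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Least command execution: each role gets an allow-list, never the full shell.
ROLE_COMMANDS = {               # constructed roles and verbs
    "netops": {"show", "ping", "traceroute"},
    "dba": {"select", "backup"},
}
SHARED_ACCOUNTS = {"root", "admin", "administrator"}  # cannot be attributed
LOCKOUT_THRESHOLD = 3           # assumed policy: violations before lock-out


@dataclass
class Session:
    user: str                   # a named individual, never a shared account
    role: str
    source_ip: str
    violations: int = 0
    locked: bool = False
    log: list = field(default_factory=list)


def open_session(user, role, source_ip):
    """Refuse any session that cannot be attributed to a specific person."""
    if user.lower() in SHARED_ACCOUNTS:
        raise PermissionError(f"shared account '{user}' is not attributable")
    if role not in ROLE_COMMANDS:
        raise PermissionError(f"unknown role '{role}'")
    return Session(user, role, source_ip)


def execute(session, cmdline):
    """Decide on one command, log the decision, alert and lock on violations."""
    verb = cmdline.split()[0].lower() if cmdline.strip() else ""
    allowed = (not session.locked) and verb in ROLE_COMMANDS[session.role]
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "user": session.user,
             "role": session.role, "ip": session.source_ip, "cmd": cmdline,
             "decision": "ALLOW" if allowed else "DENY"}
    session.log.append(entry)   # log & record everything, allowed or not
    if not allowed and not session.locked:
        session.violations += 1
        alert = {**entry, "alert": "policy violation"}
        if session.violations >= LOCKOUT_THRESHOLD:
            session.locked = True
            alert["alert"] = "session locked after repeated violations"
        session.log.append(alert)  # alert on violations (proactive control)
    return allowed
```

In a real deployment the log entries would be forwarded to the SIEM and the alert would page the SOC rather than sit in an in-memory list.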
We have had lots of questions recently, likely driven by some notable incidents.
There is no such thing as the perfect business case for PIM (or other security tools). An early mentor's advice: don't let perfection get in the way of getting something done. Make it your own and tailor it to your organization in general and your audience in particular. Remember, the weight any of these building blocks carries is different for any given individual or organization, so build accordingly.
Some modern privileged identity management tools provide a full range of capabilities and can help organizations enforce multiple security controls, so there may be multiple features that can save your organization time (money).
Enterprise organizations need a Next Generation Privileged Identity Management Platform, enabling them to protect and manage systems and privileged users across hybrid environments, all from a single point of control. Xsuite enforces a comprehensive set of controls, enabling customers to “control and audit all privileged access” wherever your systems may be located. Xsuite simplifies management and audit reporting with a Unified Policy Management capability and full high-definition recordings of user sessions. Xsuite comes in three different appliance “flavors”: a hardware appliance, an OVF virtual appliance that runs on VMware vSphere, and an AWS AMI (Amazon Machine Instance) that runs on Amazon EC2. EACH OF THESE APPLIANCES CAN PROTECT AND MANAGE ACROSS HYBRID ENVIRONMENTS.
Comprehensive Integrated Controls
Description:
• Full spectrum of controls for prevention, detection and response/forensics in a single, integrated solution
• Controls are turned on as needed and managed at the group or individual level
• Enforces least privilege, separation of duties and role-based access control
Benefit:
• Comprehensive protection for enterprise customers
• Flexibility to support multiple use cases and configurations
• Improved security and compliance - no need to implement/manage point products

Controls Work Across Hybrid Environments
Description:
• Ability to secure and protect servers and other IT infrastructure wherever they reside
Benefit:
• Enables a simplified transition to cloud computing and hybrid-cloud architectures
• Cost savings
• Improved IT/business agility

Unified Policy Management
Description:
• Controls users and access to devices through a single policy-management regime
Benefit:
• Reduced total cost of ownership
• Clarity regarding which controls are in place and for whom – reduces gaps in protection
• Ensures proper compliance documentation for auditors

Protection for Management Consoles and Guest Systems
Description:
• Unlike other vendors, Xsuite protects the end systems and the new, VERY POWERFUL management consoles present with virtualization and public cloud platforms
Benefit:
• Significantly improved security

Integration with VMware, AWS and Microsoft Office 365
Description:
• Actual API-level integration with the key virtualization/cloud platforms – other PIM vendors are just “cloud washing”, or just saying they do cloud when they have not done the heavy-lifting integration required to do it completely or correctly
Benefit:
• Improved security
• Reduced cost of operations

Control and Auditing of AWS Management APIs
Description:
• Ability to protect this potentially high-risk portion of the “management plane”
Benefit:
• Improved security

Architected for Dynamic, Elastic Cloud Environments
Description:
• Things like auto discovery AND auto provisioning enable the system to keep up, even in highly dynamic cloud and virtual environments
Benefit:
• Automated protection – new infrastructure automatically protected
• Reduced cost of ownership – Xsuite does not require an army of administrators to manage policies

Deployment Choice
Description:
• Choose from HW or virtual appliance
• Appliance model – plugged into the network – no software to set up, configure and deploy
• No software required on each target system
Benefit:
• Simplified set-up, faster time to value and reduced total cost of ownership

Superior Performance & Scalability
Description:
• Active/active clustering support is built into the system
Benefit:
• High performance, availability and reliability

Integration with Existing Systems and Infrastructure
Description:
• Integration with key security and network management infrastructure: AD/LDAP; X.509/PKI; authentication systems (RADIUS, PIV/CAC, etc.); SIEM & log management; SNMP
• Integration with AWS: Amazon Web Services Identity and Access Management (IAM), enabling federated identity so that organizations can leverage existing Active Directory and LDAP implementations and group definitions to provide granular access and “separation of duties” for the Amazon Management Console account and its critical administrative functions
• Ability to automatically discover and provision servers with policies – this is a must in the highly elastic cloud environment, where organizations can spin up tens or even hundreds of servers almost instantaneously
Benefit:
• Leverage current investments to improve security and reduce operational costs
• Strong authentication integration ensures the “keys to the kingdom” are well protected
• Ensures that IT Security and SOC team members know about important events in real time
• Enables organizations to take advantage of the dynamic nature and “elasticity” of cloud computing in a secure and efficient manner

Highly Certified Solution
Description:
• Xceedium solutions meet the highest levels of security regulations in programs such as:
• FIPS 140-2, Level 2 compliant – Level 3 compliant with HSM support
• Common Criteria, EAL 4+ certified
• U.S. DoD Unified Capabilities Approved Products List (UC/APL)
Benefit:
• We take security as seriously as you do. You can rest assured that your systems maintain the highest levels of protection
• Government customers can select Xsuite for their most critical systems