DSS - ITSEC conf - Centrify - Identity Control and Access Management - Riga Nov2011


Presentation from the "DSS" organized ITSEC conference on 24 November 2011, Riga, Latvia.


  1. Centrify: Centralizing the Control, Security and Audit of UNIX, Linux and Mac Systems
     Barry Scott, Technical Director, Centrify EMEA
     barry.scott@centrify.com, +44 7770 430 007
  2. Agenda
     • Introduction
     • The Centrify Vision
     • Access Governance and Centralisation
     • Automated Security Enforcement
       • Protect Systems
       • Authorize Privilege
       • Audit Systems
     • Centrify Solutions
     © 2004-2008 CENTRIFY CORPORATION. ALL RIGHTS RESERVED. SLIDE 2
  3. The Centrify Vision: Control, Secure and Audit Access to Cross-Platform Systems and Applications
     Centrify the Enterprise: leverage infrastructure you already own, Active Directory, to:
     • Control what users can access
     • Secure user access and privileges
     • Audit what the users did
  4. Identity Management Today
     [Diagram: Active Directory covers Windows PCs and servers and Exchange Server; UNIX, Linux and Mac systems and enterprise and web applications sit outside it.]
  5. Identity Management with Centrify
     [Diagram: Active Directory covers Windows PCs and servers, Exchange Server and, through Centrify, the UNIX, Linux and Mac systems and applications.]
     Centralised Identity and Access Management with Centrify
     • ALL identity and privilege information stored, managed and audited in Active Directory
     • No additional identity store or server, therefore no synchronisation of identities
     • Leverage existing infrastructure and best practices in AD
  6. Banking and Finance – We’ve done it before…
     • Very large and time-sensitive projects
       • Touching systems that contain critical and strategic information assets – the “Crown Jewels”
     • All customers undertook a deep and comprehensive competitive and technical evaluation, with Centrify winning on each occasion due to our technical superiority, ease of deployment and simplicity.
       • “During our technical evaluation and score-carding process involving 6 vendors, Centrify came top in 14 out of 15 technical score-card categories. The vendor ranked second was a considerable way behind Centrify both technically and from an ease of deployment perspective due to Centrify’s unique zoning capabilities”
       • “We were able to deploy and join to Active Directory up to 500 systems per night with Centrify once our architectural design was complete.”
       • “During our PoC, it was very evident that Centrify Suite is built on a common architecture and code base, whereas other solutions we tested were clearly a bunch of acquired technologies loosely glued together with the only integration points being marketing!”
  7. Recurring Regulatory Requirements and Audit Points
     Common recurring regulatory requirements and audit points we are helping our customers address (the slide tags each point with the Centrify product that addresses it, given here in brackets):
     • Sharing of generic *nix accounts with powerful (very often root) privileges by a number of individuals, resulting in a lack of accountability due to the use of shared passwords [DirectControl]
     • Password aging is typically not enforced on many privileged and non-privileged user accounts in a *nix environment [DirectControl]
     • Password complexity checks are very rarely implemented on *nix systems, resulting in insecurities from a system access perspective [DirectControl]
     • Activities undertaken by IT staff as the “root” user (as well as other privileged users; DBAs etc.) are typically not logged or captured, resulting in a lack of audit trail and in failed audits as they relate to regulatory and compliance requirements [DirectControl, DirectAudit]
  8. Recurring Regulatory Requirements and Audit Points (continued)
     Common recurring regulatory requirements and audit points we are helping our customers address (product tags from the slide in brackets):
     • Privileged users will typically be assigned privileged accounts which very often lack any control over what commands or actions they are allowed to undertake on the *nix systems [DirectAuthorize]
     • The ability to undertake account recertification, as well as a process to enforce account recertification, is typically not implemented but is a requirement for audit and regulatory compliance [DirectControl, DirectAuthorize]
     • Where a separate directory has already been implemented for the management of identities in the *nix environment, synchronization of accounts and creation and deletion of accounts on *nix servers does not always complete successfully or in a timely manner, resulting in inconsistencies in relation to system access [DirectControl]
  9. Access Governance Starts with Centralization
     Centralize Security, Identity and Access Management within Active Directory
     Identity Consolidation
     • De-duplicate identity infrastructure
     • Get users to login as themselves / SSO
     • Single security policy definition
     • Single point of administrative control
     Privileged Access Management
     • Associate privileges with individuals
     • Enforce “least access & least privileges”
     • Audit privileged user activities
     • Isolate systems & encrypt data-in-motion
     [Diagram: users and groups (dba, SysAdmin, root, DBAs, websa) map to Unix profiles, user roles and security policies on the Active Directory-based security infrastructure: protecting systems, authorizing privileges, auditing activities.]
  10. Centralized Management Presents Challenges
      Centralization Goals
      • Centralized UNIX identities
      • Establishing a global namespace
      • Limited access granted where needed
      • Locked down privileged accounts
      • Privileges granted to individual users
      • Audit privileged activities
      Corresponding Challenges
      • Legacy namespace is complex and different across many systems
      • Individual system differences make centralization difficult
      • Access rights are typically granted too broadly
      • Granting privileges requires a simple way to create and manage the policies
      • Integration with existing management processes
  11. Infrastructure as a Service Brings More, New Challenges
      Adoption of IaaS is growing in the Enterprise
      • Yankee Group says 24% are using IaaS, 60% are planning to use in 12 months
      • Adoption trends are first in Development, then QA/Test, eventually to Production
      Security remains the primary issue blocking Enterprise use
      • Cloud Security Alliance identified 7 threats to cloud computing
      • Gartner identified privileged user access as the #1 cloud computing risk
      The challenges to Enterprise use of inexpensive public IaaS are very familiar
      • Cloud server security is left to the customer
      • Cloud server templates have common privileged accounts and passwords
      • Cloud servers are typically deployed on public networks with dynamic IP addresses
      • Access controls and activity auditing are left to the customer
      • Applications hosted on these servers don’t enable end user single sign-on access
  12. The Solution is to Automate Security Enforcement by Leveraging Active Directory as the Centralized Security Infrastructure
      Protect Systems
      • Group Policy enforces system security policies
      • IPsec based network protection policies
      • AD management of privileged accounts
      Authorize Privileges
      • AD-based unique identity
      • Role-based access and privilege
      • AD enforces separation of duties
      Audit Activities
      • Audit all user activity
      • Report on access rights and privileges
      Resulting in automated security for the Enterprise
  13. Leverage Active Directory to Automate Security Enforcement: PROTECT SYSTEMS
  14. Active Directory-based Computer Identity
      Active Directory services provide the foundation for Enterprise security
      • Highly distributed, fault tolerant directory infrastructure designed for scalability
      • Supports large Enterprises through multi-Forest, multi-Domain configurations
      • Kerberos-based authentication and authorization infrastructure providing SSO
      Computer systems join Active Directory
      • Establishing individual computer accounts for each system
      • Automatically enrolling for PKI certificates and establishing Enterprise trust
      • Enabling authorized Active Directory Users to login, online & offline
      • Controlling user authentication for both interactive and network logins
      [Diagram: HR and Field Ops systems joined to Active Directory.]
  15. Security Policies Auto-Enforced by Group Policy
      Consistent security and configuration policies need to be enforced on all Windows, UNIX, Linux and Mac systems
      • Group Policy is automatically enforced at system join to Active Directory
      • Group Policy defines the standard baseline and periodically reapplies it
      • User Group Policy is enforced at user login
      Group Policies enforce:
      • System authentication configuration
      • System banner settings
      • Screen saver & unlock policies
      • SSH policies control remote access security
      • Firewall policies control machine access
      • Mac OS X specific policies control the system and user’s environment
  16. Prevent Data Breaches from External Threats
      • IPsec Transport Mode isolates the entire enterprise, preventing access by rogue or untrusted computers and users, reducing the attack surface
      • Network-level access controls are much more important when:
        • Enterprise network boundaries become porous as they include wireless and grow exponentially
        • Users’ work becomes more virtual, accessing corporate resources from mobile / remote locations
      • A software- and policy-based approach lets you avoid an expensive VLAN and network router ACLs approach
      [Diagram: a trusted corporate network of managed computers; a rogue computer outside it cannot communicate with them.]
  17. Isolate Sensitive Servers & Protect Data-in-Motion
      IPsec authentication policies logically isolate sensitive servers independent of physical network location
      • Sensitive information systems are isolated based on PKI identities and AD group membership
      IPsec encryption protects data-in-motion without modifying older applications
      • Enforce peer-to-peer, network-layer encryption for applications that transport sensitive information
      [Packet diagram: IP Header | AH Header | ESP Header | Protected Data | ESP Trailer, with the encrypted span and the authenticated span marked.]
      Encryption: each packet is encrypted, preventing attackers from seeing any sensitive information
  18. Leverage Active Directory to Automate Security Enforcement: AUTHORIZE PRIVILEGES
  19. Active Directory Centralizes Account Management
      • UNIX account administration leverages centralized Active Directory processes and automation
      • Account and authentication policies are enforced on all systems
      [Diagram: existing identity management solutions, the Active Directory Users and Computers MMC, the Admin Console, provisioning APIs/tools and the Unix command line interface all administer the Active Directory-based security infrastructure.]
  20. Centralize The Most Complex UNIX Environments
      Zones uniquely simplify the integration and centralized management of complex UNIX identity and access permissions into Active Directory
      • Only solution designed from the ground up to support migration of multiple UNIX environments and namespaces into a common Directory
      • Zones provide the unique ability to manage UNIX identity, UNIX access rights and delegated administration
      Centrify supports native AD delegation for separation of duties
      • Zones create natural AD boundaries for delegated UNIX administration of a group of systems through AD access controls on UNIX Zone objects
      Seamlessly integrate administration into existing IDM systems
      • AD Group membership controls the provisioning of UNIX profiles granting access and privileges
      • IDM systems simply manage AD Group Membership in order to control the environment
      [Diagram: Engineering, Finance, HR and Retail zones on the Active Directory-based security infrastructure.]
  21. Ensure Separation of Administrative Duties
      Separation of AD and Unix Admins
      • Users’ Unix profiles are stored independent of the AD User object
      • Unix Admins don’t need rights to manage AD User objects, only Unix profiles
      Separation of Unix Departmental Admins
      • Each Zone is delegated to the appropriate Unix Admin
      • Unix Admins only need rights to manage Unix profiles within their own Zone
      [Diagram: Active Directory, administered by the AD & Windows administrators, holds the Administration Zone and the HR Zone, each with its own Zone Administrator; users Fred and Joan have profiles in the zones.]
  22. Least Access is Enforced Through Zones
      • System access is denied unless explicitly granted
      • Access is granted to a Zone (a logical group of systems)
      • Users’ UNIX profiles within a Zone are linked to the AD User
      [Diagram: AD users Fred and Joan hold per-zone UNIX profiles across the Administration, Accounting, HR and Field Ops zones: fredt (UID 10002), fthomas (UID 31590), jlsmith (UID 61245), joans (UID 4226) and joans (UID 200); the zones use a one-way trust to Active Directory.]
  23. Active Directory-based User Login
      Smartcard login policies are also enforced
      • DirectControl for OS X supports CAC or PIV smartcard login to Active Directory, granting Kerberos tickets for SSO to integrated services
      • Users configured for smartcard interactive login only are not allowed to login with a password; however, Kerberos login after smartcard is allowed
      Kerberos provides strong mutual authentication to servers after desktop smartcard login
  24. Lock Down Privileged Accounts
      Lock down privileged and service accounts within Active Directory
      • Online authentication requires AD-based password validation
      • Offline authentication uses the local cached account
      • Passwords are synchronized to local storage for single user mode login
      Leverage role-based privilege grants to eliminate risks exposed by these accounts
      • Eliminating the need to access privileged accounts
      • Enables locking down these account passwords
      [Diagram: the local root accounts of several systems are mapped to a single UNIX_root account in Active Directory.]
  25. Associate Privileges with Named Individuals
      Centralized role-based policy management
      • Create Roles based on job duties
      • Grant specific access and elevated privilege rights
      • Eliminate users’ need to use privileged accounts
      • Secure the system by granularly controlling how the user accesses the system and what he can do
      Unix rights granted to Roles
      • Availability – controls when a Role can be used
      • PAM Access – controls how users access UNIX system interfaces and applications
      • Privileged Commands – grants elevated privileges where needed
      • Restricted Shell – controls allowed commands in the user’s environment
      [Diagram: an example Backup Operator role in the HR Zone with the rights Availability – maintenance window only; PAM Access – ssh login; Privileged Commands – tar command as root; Restricted Environment – only specific commands.]
  26. Grant Privileged Commands to Users via Roles
      • Web Admins are assigned root privileges for specific Apache management operations
  27. Role Assignments Ensure Accountability
      Role Assignment
      • Active Directory Users are assigned to a Role, eliminating ambiguity and ensuring accountability
      • Active Directory Groups can be assigned to a Role, simplifying management
      • User assignment can be date/time limited, enabling temporary rights grants
      Assignment Scope
      • Roles apply to all computers within a Zone/Department
      • Users within a Role can be granted Rights to Computers serving a specific Role (DBA -> Oracle)
      • Assignment can be defined for a specific Computer
      [Diagram: AD users Fred and Joan and the Backup group are assigned to the Backup Operator role (Availability – maintenance window only; PAM Access – ssh login; Privileged Commands – tar command as root; Restricted Environment – only specific commands), scoped to resources in the HR Zone.]
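The access model of slides 22, 25 and 27 (a UNIX profile exists only per zone, system access is denied unless a profile is present, and elevated commands come only through a role whose assignment is in scope, unexpired and inside its availability window) is easy to state but worth seeing evaluated end to end. The following is an added example written for this page, not Centrify code and not Centrify's data model: the classes, the Fred/Joan profiles, the host names, the Backup Operator window and the assignment expiry are all constructed sample data chosen to echo the slides.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Optional

# Hypothetical model of the slides' access model (constructed sample data,
# not Centrify's data structures): a computer belongs to one zone, an AD
# user gets a UNIX profile per zone, and rights come only from roles whose
# assignment is in scope, unexpired and inside the role's availability window.


@dataclass(frozen=True)
class UnixProfile:
    login: str   # per-zone login name for one AD user
    uid: int


@dataclass
class Zone:
    name: str
    computers: set
    profiles: dict          # AD user name -> UnixProfile, valid only in this zone


@dataclass
class Role:
    name: str
    pam_access: set = field(default_factory=set)            # e.g. {"sshd"}
    privileged_commands: set = field(default_factory=set)   # {(command, run_as)}
    window: Optional[tuple] = None    # (start, end) local times; None = always


@dataclass
class Assignment:
    user: str
    role: str
    zone: str
    computer: Optional[str] = None    # None = every computer in the zone
    expires: Optional[str] = None     # ISO 8601 timestamp; None = no expiry


class Policy:
    def __init__(self, zones, roles, assignments):
        self.zones = {z.name: z for z in zones}
        self.roles = {r.name: r for r in roles}
        self.assignments = assignments

    def zone_of(self, computer):
        return next((z for z in self.zones.values() if computer in z.computers), None)

    def resolve_profile(self, user, computer):
        """Least access: no profile in the computer's zone means no identity there."""
        zone = self.zone_of(computer)
        return zone.profiles.get(user) if zone else None

    def active_roles(self, user, computer, now_iso):
        now = datetime.fromisoformat(now_iso)
        zone = self.zone_of(computer)
        if zone is None or self.resolve_profile(user, computer) is None:
            return []
        active = []
        for a in self.assignments:
            if a.user != user or a.zone != zone.name:
                continue
            if a.computer is not None and a.computer != computer:
                continue            # assignment scoped to a different computer
            if a.expires is not None and now >= datetime.fromisoformat(a.expires):
                continue            # temporary grant has lapsed
            role = self.roles[a.role]
            if role.window and not (role.window[0] <= now.time() < role.window[1]):
                continue            # outside the role's availability window
            active.append(role)
        return active

    def may_login(self, user, computer, now_iso, service="sshd"):
        return any(service in r.pam_access
                   for r in self.active_roles(user, computer, now_iso))

    def may_run_privileged(self, user, computer, command, run_as, now_iso):
        return any((command, run_as) in r.privileged_commands
                   for r in self.active_roles(user, computer, now_iso))


def build_sample_policy():
    """Constructed data echoing the slides' Fred/Joan, HR Zone and Backup Operator role."""
    hr = Zone("HR", {"hr-db01", "hr-app01"},
              {"fred": UnixProfile("fredt", 10002), "joan": UnixProfile("jlsmith", 61245)})
    acct = Zone("Accounting", {"acct-db01"}, {"fred": UnixProfile("fthomas", 31590)})
    backup = Role("Backup Operator", pam_access={"sshd"},
                  privileged_commands={("/bin/tar", "root")},
                  window=(time(22, 0), time(23, 59, 59)))   # maintenance window only
    login = Role("UNIX Login", pam_access={"sshd"})
    assignments = [
        Assignment("fred", "Backup Operator", "HR", expires="2011-12-31T00:00:00"),
        Assignment("joan", "UNIX Login", "HR", computer="hr-app01"),
    ]
    return Policy([hr, acct], [backup, login], assignments)


if __name__ == "__main__":
    p = build_sample_policy()
    print(p.may_run_privileged("fred", "hr-db01", "/bin/tar", "root", "2011-11-24T22:30:00"))
```

The ordering of the checks is the point: zone membership and profile existence are decided before any role is consulted, so a user with a profile in Accounting gets nothing on an HR host even if an HR role names the same AD account, and a role that grants tar as root is useless outside its window or after the assignment's expiry. Every denial in the example is by absence of a grant rather than by an explicit deny rule, which is what "denied unless explicitly granted" means in practice.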
  28. Leverage Active Directory to Automate Security Enforcement: AUDIT ACTIVITIES
  29. System Logs and Events Provide Visibility
      Data sources: *NIX syslog, config files, /etc/passwd, Active Directory
      • Syslog rollup brings in operational intelligence from other systems, apps, SIEM, security devices, etc.
      Metrics and Alerts: local and AD user accounts; authentication attempts; Centrify zone and role assignments; Centrify health and configuration
      Dashboards and Reports
      • Show changes in AD, *nix login attempts, Windows login attempts, Centrify agent health, etc.
      Questions the reporting answers:
      • Show me accounts not used in the last 90 days.
      • Are there any systems where Centrify is not connected?
      • How long was a user in a role?
      • I want to see all failed login attempts.
      • Are there any newly created local accounts on my server?
      • Who zone-enabled this user?
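Two of the questions on slide 29 ("all failed login attempts" and "newly created local accounts on my server") can be answered from the raw data sources the slide lists, syslog and /etc/passwd, which is useful for checking what a rollup or dashboard reports. The following is an added example written for this page, not Centrify code: the sshd syslog lines and the two /etc/passwd snapshots are constructed sample input, and the host names and account names in them are invented.

```python
import re
from collections import Counter

# Constructed sshd syslog lines (sample input, not from any real system).
SAMPLE_SYSLOG = """\
Nov 24 09:01:12 hr-db01 sshd[2345]: Failed password for invalid user admin from 10.0.0.7 port 51234 ssh2
Nov 24 09:01:15 hr-db01 sshd[2345]: Failed password for root from 10.0.0.7 port 51234 ssh2
Nov 24 09:02:01 hr-db01 sshd[2350]: Accepted publickey for fredt from 10.0.0.20 port 44100 ssh2
Nov 24 09:02:44 hr-db01 sshd[2351]: Failed password for fredt from 10.0.0.7 port 51250 ssh2
Nov 24 09:03:10 hr-db01 sshd[2352]: Accepted password for jlsmith from 10.0.0.21 port 44101 ssh2
"""

# Matches the OpenSSH "Failed password" message; "invalid user" marks names
# that do not exist on the host, which still count as failed attempts.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def failed_logins(syslog_text):
    """Return one record per failed sshd password attempt."""
    records = []
    for line in syslog_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def failed_login_summary(syslog_text):
    """Count failures per (user, source) so repeated guessing from one source stands out."""
    return Counter((f["user"], f["src"]) for f in failed_logins(syslog_text))


# Constructed /etc/passwd snapshots: a baseline and the file as found later.
PASSWD_BEFORE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svc_backup:x:998:998::/var/backup:/usr/sbin/nologin
"""
PASSWD_AFTER = PASSWD_BEFORE + """\
tempadm:x:0:0::/root:/bin/bash
appuser:x:1001:1001::/home/appuser:/bin/bash
"""


def parse_passwd(text):
    """Parse passwd(5) lines into {name: {uid, gid, home, shell}}."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        accounts[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return accounts


def new_local_accounts(before_text, after_text):
    """Accounts present in the later snapshot only; UID 0 additions are flagged
    because a second root-equivalent login is the case an auditor most wants to see."""
    before, after = parse_passwd(before_text), parse_passwd(after_text)
    added = {name: acct for name, acct in after.items() if name not in before}
    for acct in added.values():
        acct["uid0"] = acct["uid"] == 0
    return added


if __name__ == "__main__":
    for (user, src), n in failed_login_summary(SAMPLE_SYSLOG).items():
        print(f"{n} failed password attempt(s) for {user} from {src}")
    for name, acct in new_local_accounts(PASSWD_BEFORE, PASSWD_AFTER).items():
        print(f"new local account {name} uid={acct['uid']} root-equivalent={acct['uid0']}")
```

Run against real syslog the regex only covers the OpenSSH password-failure message; other PAM modules and other daemons log differently, which is exactly why the slide's rollup across systems matters. The passwd comparison needs a trusted baseline snapshot: comparing a file against itself, or against a baseline taken after the change, reports nothing.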
  30. High Definition Visibility Provided by Session Recording
      • Establish user accountability
      • Tracks all user access to systems
      • Centrally search captured sessions
  31. Reporting Simplified with Centralized Management
      Authorization and Access Reports can be centrally created:
      • Reporting on user account properties
      • Detailing user role assignments and privilege command rights
      • Showing user access rights to computers
      Active Directory based reporting
      • Reports are generated on live, editable AD information
      • Administrators can take snapshots of a report
  32. Centrify Solutions and the Challenges They Address
  33. Centrify Products… Delivered as the Centrify Suite
      Editions: EXPRESS, STANDARD, ENTERPRISE, PLATINUM
      • DirectManage – centralized management and administration
      • DirectControl – consolidate identities and centralize authentication
      • DirectAuthorize – role-based authorization and privilege management
      • DirectAudit – detailed auditing of user session activity for Windows, UNIX & Linux
      • DirectSecure – server isolation and protection of data-in-motion
      Single Sign-On for Applications: with all editions you can purchase SSO modules for:
      • Apache & J2EE web apps
      • SAP NetWeaver & GUI
      • DB2
      Centrify-Enabled Open Source Tools: all editions also include free, Centrify-enabled versions of:
      • OpenSSH
      • PuTTY
      • Kerberized FTP and Telnet
      • Samba
  34. Solutions that Centrify Delivers
      Compliance and Audit
      • Auditing and reporting (SOX, PCI, FISMA, HIPAA, Basel II, etc.)
      Security
      • Risk mitigation & security of users with privileged access
      Operational Efficiency
      • Leverage existing architecture
      • Leverage investments in Active Directory tools, skill sets and processes
      • Consolidate “islands of identity”
      • Deliver single sign-on for IT and end-users
      • Enable new computing models such as virtualization, cloud and mobile
      Meet Strict Security & Audit Requirements with Microsoft Active Directory + Centrify (SOX/JSOX, PCI DSS, FISMA, HIPAA, Basel II, FFIEC, ...?):
      • Enforce system security policies
      • Enforce “least access”
      • Lock down privileged accounts
      • Enforce separation of duties
      • Associate privileges with individuals
      • Audit privileged user activities
      • Protect sensitive systems
      • Encrypt data-in-motion
  35. Centrify Solutions Enforce Security Best Practices
      • Enforce system security policies
      • Enforce “least access”
      • Associate privileges with individuals
      • Lock down privileged accounts
      • Enforce separation of duties
      • Audit privileged user activities
      • Protect sensitive systems
      • Encrypt data-in-motion
      Mapped to: Sarbanes-Oxley Act Section 404; Federal Information Security Management Act; Health Insurance Portability and Accountability Act; Basel II; FFIEC Information Security Booklet; National Industrial Security Program Operating Manual; Payment Card Industry Data Security Standard
  36. Learn More and Evaluate Centrify Yourself
      WEB SITE: www.centrify.com
      TECHNICAL VIDEOS & MORE: www.centrify.com/resources
      SUPPORTED PLATFORMS: www.centrify.com/platforms
      REQUEST AN EVAL: www.centrify.com/trial
      FREE SOFTWARE: www.centrify.com/express
      CONTACT US: www.centrify.com/contact
      PHONE: Worldwide +1 (408) 542-7500; Europe +44 (0) 1344 317950
  37. Thank You