
Solvit identity is the new perimeter


Identity is the ‘New’ Perimeter
Cristi Iliescu, Technical Director, SolvIT Networks

Published in: Technology


  1. Identity is the ‘New’ Perimeter. Cristi Iliescu, Technical Director, SolvIT Networks
  2. Agenda
     - Short overview on security evolution
     - Current trends and challenges
     - Pragmatic solutions for security implementation
     - SolvIT and CA Technologies short overview
     Copyright © 2013 CA. All rights reserved.
  3. Evolution of Security (timeline; diagram axes: Management, Time; figure label: USER)
     - 1st Generation: Gates, Guns, Guards
     - 2nd Generation: Reactive Security
     - 3rd Generation: Security as an Enabler
     - 4th Generation: Proactive Security and Accountability
     - 5th Generation: IT Service Security
  4. Trends impacting security (figure labels: Cloud Computing, Social Network, Big Data Analytics, Mobile Device, Internet of Things)
     - Blurring of work and personal, brought on by the consumerization of IT
     - Externalization of the business
     - Sensitive data and applications accessible anytime, anywhere
     - Loss of identity control
     - Loss of data control
  5. Traditional Enterprise with Network Perimeter (diagram: on-premise enterprise apps inside a network perimeter reached over VPN; cloud apps/platforms, web services and SaaS such as Google outside it; users are internal employees, and then also remote and mobile employees, cloud applications and external users such as customers and partners)
  6. Traditional Enterprise with Network Perimeter (the same diagram once remote employees, cloud applications and external users are added): the network perimeter is gone!
  7. Security threats as we know them are changing. The traditional dangers IT security teams have been facing, and overcoming, for years are being replaced by a far more hazardous, advanced form of attack: Advanced Persistent Threats. The financial impact of a threat cannot be underestimated.
     - RSA SecurID hack: in 2011, an APT compromised the systems containing information about RSA SecurID two-factor authentication tokens, including the values the company uses to generate one-time passwords. [1]
     - Operation Aurora: hackers stole sensitive intellectual property, including source code, from Google, Adobe and other high-profile companies using highly sophisticated, well-coordinated techniques. [2]
  8. How an Advanced Persistent Threat works. Nearly every APT follows four phases:
     1. Reconnaissance: an investigation into the organization’s weaknesses, which often includes domain queries and port and vulnerability scans.
     2. Initial Entry: discovered exposures are exploited and a foothold in the target network is established using sophisticated technical methods or social engineering techniques, such as spear phishing.
     3. Escalation of Privileges: following initial penetration, hackers work to acquire more rights and gain control over additional systems, and install a “back door” that makes future access easier.
     4. Continuous Exploitation: once control has been established, the assailant is able to continuously identify, compromise and exploit sensitive data.
     Since the third and fourth stages often occur over a matter of years, detecting an APT can be incredibly difficult.
  9. A defense-in-depth strategy extends traditional perimeter and system security with identity and access management tools, providing protection against APTs across all four phases of the attack (figure: controls mapped against Reconnaissance, Initial Entry, Escalation of Privileges and Continuous Exploitation). The controls shown are: perimeter security; server hardening; capture and review of server and device audit logs; anti-virus; shared account management; least privilege access; session recording; phishing protection; unexpected and externalized security; virtualization security; employee education; identity management and governance; advanced authentication; data controls.
  10. CA Security: defense-in-depth is the key to stopping APTs. Successful protection against APTs should complement traditional perimeter and infrastructure security measures, so the organization is able to:
     - Make the initial penetration difficult
     - Reduce the potential for privilege escalation in the event an account is compromised
     - Limit the damage that can be done by a compromised account
     - Detect suspicious activity early in the intrusion attempt
     - Gather the information forensic investigators need to determine what damage occurred, when and by whom
     What’s needed, then, is “defense-in-depth,” a strategy that complements traditional security solutions with such identity and access management capabilities as: shared account management, least privilege access, session recording, server hardening, centralized web security, virtualization security, identity management and governance, advanced authentication and data controls.
  11. Identity Management and Governance. Carefully protecting user identities is an essential step in minimizing the effectiveness of an APT attack. To this end, identity management and governance functionality must be able to:
     - Provision identities and accounts based on strict security policies and an approval process
     - De-provision and de-authorize identities as soon as an individual leaves the company
     - Find and remove orphaned, or unused, identities
  12. CA IdentityMinder: Identity Administration and Provisioning (Security Management, October 3, 2013)
     - Automate the creation and management of user identities, and of their access rights to applications and data
     - Delegate user administration
     - Manage entitlements
     - Provide user self-service capabilities
  13. CA IdentityMinder – how it works (figure: CA Identity Lifecycle Management process steps, with CA Role & Compliance Manager)
     1. Account, entitlement or password change requests are sent either through automated feeds or as requests from delegated administrators or users.
     2. CA IdentityMinder initiates an approval workflow, determines the impact on target systems and initiates changes on the impacted target systems.
     3. Changes to target systems are automatically executed.
     4. All changes are audited and reviewed by security and audit personnel.
  14. Server Protection. Any server that hosts sensitive information must be configured in a way that protects it from being compromised by an APT. This should include:
     - Access should not be treated as an “all or nothing” decision. Instead, individuals should be given the credentials required to accomplish their assigned tasks (least privilege access).
     - Limit the number of people who have access to privileged accounts by providing emergency account access (shared account management).
     - Tracking what actions are being performed by privileged accounts is critical (session recording).
  15. Server Protection (part 2)
     - Using a firewall to control communications, restrict packets and block unsecure protocols
     - Employing application whitelisting to allow only explicitly specified executions and installations
     - Defining a specific set of actions for high-risk applications
     - Preventing changes to log files
     - Monitoring the integrity of key files
     - Controlling access to files and processes
  16. CA ControlMinder
  17. Fine-Grained Access Controls
     - Access to privileged accounts is often “all or nothing”—an unnecessary security risk that leads to users with more privileges than they need.
     - Manage privileged user access after login. Control what access users have based on their individual identity, even when using a shared administrative account.
     - Reduces risk by providing administrators with only the minimum privileges they need to do their jobs.
  18. Shared Account Password Management
     - Privileged accounts, such as ‘root’ on UNIX and ‘Administrator’ on Windows, are often shared, reducing accountability.
     - Control access to privileged, administrative accounts with password storage and automatic login capabilities. This is the starting point for most privileged identity
     - Reduces the risk of unauthorized users gaining access to privileged accounts. Prevents password sharing.
  19. User Activity Reporting / Video Session Recording
     - Track all user actions to determine what occurred and “who did what” in an investigation. Not all user activities are recorded and many applications do not produce logs, reducing accountability and making forensic investigations difficult.
     - Makes it simple to find out “who did what” in a forensic investigation, using an understandable video instead of searching through incomprehensible log files.
  20. UNIX Authentication Bridging
     - Managing user accounts and access on individual UNIX and Linux servers is an administrative burden that can lead to errors and oversights.
     - Authenticate users on UNIX and Linux systems to Microsoft Active Directory.
     - Automatic user login for UNIX/Linux
     - Integration with Windows Event Log
  21. Virtualization adds a new infrastructure layer that must be secured—the hypervisor.
     - Manage privileged users on VMware, while providing virtualization-aware automation of security controls on virtual machines.
  22. Advanced Authentication and Centralized Web Access. Two-factor authentication and risk-based evaluations help to protect against the initial penetration of an APT by denying or detecting inappropriate access attempts. To be as effective as possible, advanced authentication capabilities should include:
     - Software-based, two-factor credentials that vary by device
     - Versatile authentication methods that can be matched to a specific scenario
     - Rules that adjust to protect against different APT tactics
     - Device identification, geo-location, IP blacklisting and case management for suspicious activities
     - The ability to step up authentication when stronger identity assurance is required
  23. Web security administration: the current state (CA Solutions for Web Access Security Overview). Each application carries its own security layer and its own user store, so the same person appears under a different identity in each:
     - Intranet: JDoe (Active Directory)
     - E-Commerce: John Doe A23JJ4 (LDAP)
     - SCM: JD456912 (Oracle OID)
     - ERP / HR: PKI Cert (Oracle RDBMS)
     - Portal: John Doe (SQL 2008)
     - Partner Extranet: Johnd (SunONE LDAP)
     - CMS: John_D (Siemens DirX)
     For end users (employees, administrators, executives, partners, customers) and the organization this means: high security administration costs; expensive coding and maintenance; poor user experience; no centralized security enforcement; no standardized security process; no central auditing capability.
  24. Centralized Administration of Web access with CA SiteMinder (CA Solutions for Web Access Security Overview). A single security layer sits between the applications (Intranet, E-Commerce, Portal, ERP / HR, CMS, Partner Extranet, SCM) and the user stores (Siemens DirX, Oracle OID, SunONE LDAP, Oracle RDBMS, Active Directory, SQL 2008, LDAP), with standards-based federation to cloud/outsourced services, giving:
     - Reduced security administration costs
     - Minimized coding and maintenance
     - Much improved user experience
     - Centralized security enforcement
     - Standardized security process
     - Unified central auditing
  25. Policy-based authorization
     - Restrict access by user, role, groups, dynamic groups, or exclusions
     - Fine-grained authorization at the file, page, or object level
     - Determine access based on location, time, and authentication context
     - Send static, dynamic (SQL queries), or profile attributes in responses
     - Redirect users based on type of authentication or authorization failure
     A SiteMinder policy (figure) is made up of: a SiteMinder rule (what? describes the resource being accessed); a user identity or role (who? is the user included or excluded?); optional conditions on external factors and request characteristics, such as IP address (network restriction), time (time restriction) or custom conditions, evaluated with SiteMinder variables; and a SiteMinder response (the action that results from processing).
  26. Authentication Management: broad support for authentication systems and technologies
     - Methods: passwords; two-factor tokens; X.509 certificates; passwords over SSL; smart cards; SAML and WS-Federation/ADFS; combination of methods; forms-based; custom methods; full CRL and OCSP support; biometric devices
     - Management: authentication levels; type of authentication for a given application; directory chaining; configured fallbacks to other authentication schemes; SSO zones
  27. Web access control and advanced authentication
     - Capabilities (figure: customers, citizens, employees and partners reaching websites, back-end transactions, audit logs and a partner website): 1. Authentication; 2. Single sign-on; 3. Policy-based authorization; 4. Auditing and reporting; 5. Web service security; 6. Identity federation
     - Benefits: improved user experience; reduced risk; greater administrative efficiency; increased agility
  28. Information Control. Since the end goal of any APT is to steal sensitive information, having firm control over this data is a core component of a successful defense. To safeguard these assets, data must be:
     - Classified according to sensitivity and type, at access, in use, in motion, at rest, etc.
     - Controlled as it is transferred between sources, such as email and physical drives
  29. Data Loss Prevention
  30. Identity Aware Policies
  31. A holistic approach to security reduces risk. The concept of defense-in-depth is an essential component of any proactive, holistic APT protection strategy. The techniques supporting this approach work in concert to enable you to build and apply a security model that allows or denies actions based on business rules, data sensitivity and specific types of behavior. Because this model can be applied uniformly across platforms and separated from operating system security, it provides an effective means of preventing and detecting APTs. As such, defense-in-depth helps your organization stay one step ahead of APTs and reduce the effects such an attack can have on the business and its employees, customers and partners.
  32. About the solutions from CA Technologies. CA security solutions comprise a broad, comprehensive and integrated suite of capabilities that simplifies operations and reduces the total cost of management across cloud, on-premise, virtual, physical, distributed and mainframe environments, helping you significantly increase business agility. Unlike traditional solutions, the CA suite controls not only user identities and the availability of critical IT resources, but also access to sensitive information assets. This provides more layers of security than conventional solutions, and helps to reduce the risk of breaches, minimize information loss and simplify compliance audits. These offerings are complemented by a range of cloud-based identity services, which give you the flexibility to deploy security services how and when you choose, so you can adopt cloud or hybrid models in a way that fits your unique needs. The CA Identity and Access Management suite covers the following areas:
     - Identity Management and Governance
     - Privileged Identity Management and Virtualization Security
     - Advanced Authentication
     - Data Protection
     - Cloud Security
     - Secure Single Sign-On and Access Management
  33. Company Introduction
     - Market entry: April 27, 2005 in Bucharest, Romania
     - Strategic positioning: leading provider of IT Management & Security and Business Solutions
     - International positioning: representative offices in Bucharest, Romania; Belgrade, Serbia; Sofia, Bulgaria; Chisinau, Republic of Moldova
     - Main markets: Europe and Middle East
     - Registration Number J40/7907/2005; VAT Number RO 17534593
     - Facts: 25 highly qualified IT specialists with more than 150 certifications; experience in large project implementations; more than 60 clients in 9 countries over the years
  34. References (1): Banking (client logos from Republic of Moldova, Greece, Bulgaria, Turkey, Romania, Serbia)
  35. References (2): Telecom (Romania, Greece); Industry (Romania, Serbia, Greece)
  36. References (3): Government & Public Administration (Republic of Moldova, Bulgaria, Saudi Arabia, Cyprus, Romania, Serbia); Insurance (Romania)
  37. Questions & answers
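The policy model sketched on slide 25 (a rule describing the resource, a "who" with inclusions and exclusions, optional IP and time conditions, and a response carrying attributes or a redirect) can be written out as a small deny-by-default evaluator. This is an added example, not code from the slides or from CA SiteMinder; the user table, roles, paths, networks and attribute names are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample user store: one identity per person, with roles.
USERS = {"jdoe": {"roles": {"employee", "hr-admin"}},
         "jsmith": {"roles": {"employee"}}}

@dataclass
class Policy:
    resource: str                                 # rule "what": protected URL prefix
    actions: set                                  # rule "what": HTTP methods covered
    include: set                                  # "who": roles that are allowed
    exclude: set = field(default_factory=set)     # "who": users explicitly excluded
    networks: list = field(default_factory=list)  # condition: network restriction
    hours: tuple = (0, 24)                        # condition: time restriction [start, end)
    response: dict = field(default_factory=dict)  # attributes returned on allow

def evaluate(policies, user, resource, action, client_ip, when):
    """Return ("allow", attributes) or ("deny", {"redirect": ...}) for one request."""
    roles = USERS.get(user, {}).get("roles", set())
    matched = [p for p in policies
               if resource.startswith(p.resource) and action in p.actions]
    if not matched:                       # no rule covers the resource: deny by default
        return "deny", {"redirect": "/no-policy"}
    for p in matched:
        if user in p.exclude:             # an exclusion wins over any role match
            continue
        if not roles & p.include:         # user holds none of the included roles
            continue
        if p.networks and not any(ip_address(client_ip) in ip_network(n)
                                  for n in p.networks):
            continue                      # request from outside the allowed networks
        if not (p.hours[0] <= when.hour < p.hours[1]):
            continue                      # outside the permitted time window
        # Response: static attributes plus a profile attribute (the user id).
        attrs = {k: (v.format(user=user) if isinstance(v, str) else v)
                 for k, v in p.response.items()}
        return "allow", attrs
    return "deny", {"redirect": "/access-denied"}   # redirect on authorization failure

POLICIES = [
    Policy("/hr/", {"GET", "POST"}, {"hr-admin"}, exclude={"jsmith"},
           networks=["10.0.0.0/8"], hours=(8, 18),
           response={"SM_USER": "{user}", "department": "HR"}),
    Policy("/intranet/", {"GET"}, {"employee"}, response={"SM_USER": "{user}"}),
]

if __name__ == "__main__":
    print(evaluate(POLICIES, "jdoe", "/hr/payroll", "GET", "10.1.2.3", datetime(2013, 10, 3, 9)))
```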