Pre-Con Ed: Privileged Identity Governance: Are You Certifying Privileged User Access?

Pre-Con Ed: Privileged Identity Governance:
Are You Certifying Privileged User Access?
Robert Marti
SCX207E
SECURITY
Product Marketing
CA Technologies

2 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
© 2017 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2017 presentation is intended for informational purposes only and does not form any type
of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
For Informational Purposes Only
Terms of This Presentation

Abstract
Many organizations have a solution to control the access and actions of privileged
users. But that’s not enough for a complete privileged user management solution—you
must also govern access to make sure that only the correct users have elevated
privileges, and that they have only the privileges that they need. In this session, you
will get an in-depth understanding of how you can reduce your risk through this
capability unique to CA.
Robert Marti
CA Technologies
Product Marketing,
Manager

Agenda
BUSINESS CHALLENGES
INTRODUCING PRIVILEGED IDENTITY GOVERNANCE
SOLUTION OVERVIEW
USE CASES
SUCCESS STORY
1
2
3
4
5

Privileged Identity and Access Are
Most Frequently Exploited Attack Vectors
71%
of users say they
have access to data
they shouldn’t.
80%
of IT Professionals say
their company does not
enforce least privilege.
80%
of all breaches utilize
lost, stolen, or weak
credentials.
60%
of all malware uses
privilege escalation
or stolen credentials.

BIGGEST CYBER ATTACKS
EXPLOIT PRIVILEGED ACCESS
Creating An Expanding Radius of Data Loss
DROPBOX
68M Records
LINKEDIN
167M Records
YAHOO
500M Records
EQUIFAX
150M Records
TUMBLR
65M Records

Excessive Access Causes
Embarrassing Fraud Cases
Loses 40G of source
code for core products
Adobe
Discloses personal data
for 25M customers
AT&T Call Center
Rogue trader aggregates
privileges for a $7.8B loss
Société Général
Excessive Access
CORRUPTS
PRIVILEGED Access
CORRUPTS ABSOLUTELY

77%
The Reason This is Happening:
Pattern is Repeatable
77% attacks
Internal Credentials
30%
28%
Executives &
Administrators
End-users with
Excessive privileges
GAIN

ACCESS/EXPAND
ELEVATE
PRIVILEGE
STEAL
DATA

THE KILL CHAIN
Identity is the most
frequently exploited
attack vector

•HITECH
•GDPR
•FATCA
•FATCA
•PSD2
•HSPD
•HIPAA
•POPI
•201 CMR 17
•OAIC
•CalOPPA
•AADHAR
•PCI DSS
•FFIEC
Where Companies Have Not Self-Regulated
Others Have Imposed Requirements
THE GLOBAL
WEB OF PRIVACY
COMPLIANCE

So It Is Not Just a Technology Problem
It Is a Privileged Governance Problem
Privileged Access Request
Streamline the request, audit and
fulfillment of privileged users.
Certify Privileged
Access
Provide audit reporting and
manager attestation of user
access to privileged accounts.
De-provision Privileged
Access
When users separate from the
company, remove or disable the
associated privileged accounts.
Remediate Excessive Access
Take workflow driven action to
remove excessive access.

Challenges to the Business
Issues With Legacy IAM Solutions
64%
of enterprises
have no IAM
monitoring tools
AS A RESULT:
LEGACY IAM
SOLUTIONS:
Focused on
protecting
on-premise
applications
72%
of enterprises
do not do
access review or
certification
Were highly
customizable
and required
specialists
62%
of enterprises
have no access
request process
in place
Had significant
costs to deploy,
configure, and
maintain

Our Privileged Identity Management Solution
Leverages a Defense in Depth Approach
INTEGRATED
OVERLAPPING
CONTROLS TO
REDUCE RISK
Privileged
Identity Management
Reducing audit risk and
achieving least privilege
Advanced
Authentication
Preventing account
takeover with multifactor
credentials
Threat Analytics
for PAM
Monitoring privileged
activities for abnormal
usage/behaviors
PAM Server Control
Locking down file
systems and server
resources
Privileged Access
Manager
Securing privileged
access and preventing
lateral motion

‹#› #CAWORLD #NOBARRIERS COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED
Introducing
CA
Privileged
Access
Manager
§ Role-based and fine-grained access control
over privileged accounts
§ Privileged user credential protection
§ Monitor, audit and record privileged sessions
§ Multifactor authentication, single sign-on, and
federation support
§ Support security and privacy regulations
#CAWORLD #NOBARRIERS COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED
Lower Total Cost
of Ownership
Faster Time
to Value
Hybrid Environment
Support
Performance at
Scale

Why Is Privileged Access Governance
Needed?
The Situation Today
§ Privileged Access Management (PAM) is mostly a standalone
solution that implements critical security and compliance controls
managing and monitoring use of sensitive access.
§ In most cases, it is separated from the corporate Identity Management.
The Outcome
§ Lack of overall visibility to “who has access to what.”
§ Missing approval and auditing information for “why access was granted.”
§ Inability to enforce consistent identity policies such as Segregation Of Duties.
§ No risk analysis for overall user access.
§ Fragmented compliance with regulatory requirements (examples: ISO27002 sections
8.1.2 “ownership of assets” and 9.2.5 “review of access rights”).

‹#› #CAWORLD #NOBARRIERS COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED
Introducing
CA
Identity
Suite
§ Self-service identity portal
§ Business-friendly entitlements catalog
§ Proactive analytics
§ Deployment Xpress
§ Audit and compliance streamlining
Privileged Identity
Compliance
Privileged Identity
Lifecycle Management
Improved Privileged
Access Security
COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED

CA Identity Suite
Integration With CA Privileged Access Manager
How it integrates
§ Provides “out-of-the-box” connector for CA
PAM
What is does
§ Manages PAM Accounts and their assignments
to Roles, Groups, & Devices (provisioning and
de-provisioning)
§ Supports for local and LDAP/AD accounts
§ Supports for granular assignment including
start/end dates, scoping and policies

CA Identity Suite & CA PAM Integration
Requesting Privileged Access
What it does
§ Easy-to-use “shopping cart” experience for
requesting PAM permissions
§ Workflow approvals for submitted requests
§ Risk analysis of a combined privileged and
non-privileged access
§ Segregation of duties compliance check
§ Automated provisioning fulfillment

Requesting Access to Privileged Account

Evaluating Risk Associated With Requested Account

Requesting Access to Privileged Account

Certifying Privileged Access
CA PAM Account
certification
Update HR
reports
Mitigate
access risk
What It Does
§ Automated collection of access permissions
via CA Identity Suite connector
§ Provides “out-of-the-box” user and access
certification processes for CA PAM
§ Easily identifies users with excessive access
§ Enriches experience with last login and
usage logs
§ Automated removal of access permissions
that are rejected by approvers

CA Identity Suite and CA PAM Integration
Reviewing and Certifying Privileged Access

OFFBOARDINGONBOARDING
PROVISIONING
SELF-SERVICE
ACCESS REQUESTS
RISK ANALYSIS
DEPROVISIONING
Privileged Identity Governance
Summary of Capabilities
CERTIFICATION
FULL
PRIVILEGED
IDENTITY
LIFECYCLE
MANAGEMENT

Case Study

The Business Challenge:
Source Code Governance at CA Technologies
3,000 engineers are using
over 12 major source code
management tools.
Access audits were a drain
on people and money.
Compliance audits took
more than 20,000 employee
hours.
OUR GOAL:
Govern access to
source code and
improve productivity
and the overall user
experience
OUR CHALLENGE:
Manual process that
was extremely costly

The Solution:
CA Identity Governance
• All access reviews are now
performed via automation.
• Incorrect access is quickly
remediated.
• IP controls are much easier to
execute, and…
• Frequent Engineering personnel
changes can be handled quickly
while still enforcing strong security
over the source code.
CA Identity
GovernanceEngineers
(>3,000)
Manager
Certifies
Access
Auditor
Validates
Certification
Source Code
Repositories
(>5,000)
Requests
access
Access
granted
CA Identity Governance validates access rights to nearly 5,000
source code repositories across all source management tools.

The Results:
Significant Time & Cost Savings
75%
75% reduction
in audit time via
automated data
collection for
compliance audits
90%
90% drop
in administrative
overhead
Engineers love the new
world-class source code
management ecosystem
Orphan source code access
quickly identified and removed
Saved thousands of hours
of employee time thanks
to automated certification

Recommended Sessions
SESSION # TITLE DATE/TIME
ABC123DE Magna consectet at lor ipustie modolore 11/16/2016 at 10:00 am
FGH456IJ Magna consectet at lor ipustie modolore 11/17/2016 at 11:00 am
FGH456IJ Magna consectet at lor ipustie modolore 11/18/2016 at 12:00 pm

The Results:
A Closer Look at the Savings
0.00
2.00
4.00
6.00
8.00
10.00
12.00
14.00
16.00
FY14 FY15 FY16 FY17
PERSON YEARS Savings in Source Code Attestation

Must See Demos
Security
Starts
With
Identity
Security Content
Area
Demo
Name
Name
Location
Control
High Value
Access
Manage
Your
Software
Risk
Let’s Talk
Upgrades
Deliver
Frictionless
Access
Security Content
Area
Security Content
Area
Security Content
Area
Security Content
Area

Questions?

Stay connected at communities.ca.com
Thank you.

Security
For more information on Security,
please visit: http://cainc.to/CAW17-Security

Pre-Con Ed: Privileged Identity Governance: Are You Certifying Privileged User Access?

More Related Content

What's hot

Similar to Pre-Con Ed: Privileged Identity Governance: Are You Certifying Privileged User Access?

More from CA Technologies

Recently uploaded

Pre-Con Ed: Privileged Identity Governance: Are You Certifying Privileged User Access?