Harnessing Privileged Access Management (PAM) to Defend Core Digital Assets Against a Breach
By Dan Blum, Doug Moench and Doug Simmons
October 16, 2015
Copyright (c) 2015 Security Architects, LLC
Today’s Speakers

Dan Blum, Principal Consultant
Expert in security, privacy, cloud computing and identity management. Ex-Gartner Golden Quill award-winning VP and Distinguished Analyst. Founding partner of Burton Group.

Doug Moench, Senior IAM and Security Consultant
CISSP specializing in Security and Risk Management strategies and architectures, identity management solutions, and federation technologies. Over 30 years’ experience documenting current state environments and developing recommendations for improving infrastructure.

Doug Simmons, Principal Consultant
Focuses on IT security, risk management and IAM. Has performed hundreds of engagements for large enterprise clients in multiple vertical industries including financial services, health care, higher education, federal and state government, manufacturing, aerospace, energy, utilities and critical infrastructure.
Why PAM?
Source: Information is Beautiful (Breach visualizations)
Many of these breaches could have been prevented or delayed.
A Clear and Present Danger…
Common attack paths are too bloody easy. At least make the attackers work for it!
About Us
• We are a consulting firm dedicated to helping organizations plan, specify and develop security programs, policies and technology solutions.
• Clients: Enterprise Security Teams; Cloud service providers (CSPs); Other Audiences
• Areas of Expertise: Cloud Security; Identity and Privacy; Endpoint Security; Cyber Security
• Our Services (Consulting Services): Security Assessments; Security Architectures; Custom Consulting; Security Workshops
What is PAM?
• Privileged Account Management (PAM): A set of technologies that allow organizations to identify, secure, and monitor accounts that have elevated privileges in order to minimize risks and ensure compliance.
• PAM is also sometimes referred to as: Privileged User Management, Privileged Identity Management, Privileged Access Management
Privileged Accounts are the Oil that Lubricates IT
Love them or hate them, you can’t run IT without them.
• Privileged accounts
– Root and admin
– Network admin
– Domain admin
– DBA
– Other “superusers”
– Shared accounts
– Service accounts (for apps!)
• What they’re for
– NOS devices
– DNS/DHCP servers
– Firewalls
– Routers and switches
– Domain controllers
– Virtual machine admin
– IaaS
– Databases, applications
• What they do
– Operations: start/stop services, run jobs, or generate reports
– Configuration, updates, maintenance, patches, tuning, troubleshooting
– Develop applications, administer applications, connect applications
PAM Business Drivers
• Reduce risk of breaches
• Compliance drivers
– Maintain internal control: PAM is specifically mentioned in PCI DSS, SOX, NERC/CIP, and some local/regional regulations
– Simplify auditing and reporting
– Detect/prevent Separation-of-Duties (SOD) violations
PAM Architecture Pattern
• Core Features: Password vault; Fine-grain privilege control; Session manager; Application credential management
• Ancillary Services: Discovery Services; Role Management; Policy Engine; Logging and Auditing
• Platform flexibility: Physical and virtual platforms; Local or cloud-based; Remote session protocols
• The vault holds PAM accounts, managed credentials, policies and logs
• Other considerations: Availability and performance
Password Vault
• Contains accounts for privileged users
• Contains policies for managed resources
• Encrypts and stores passwords, SSH keys, policies and logs
• Allows users to check-out/reserve a credential
• Changes credentials on managed resources after use
• Provides management console for centralized policy administration
• Deployed as software on a physical server, virtual machine, or appliance
Diagram: privileged users and admins obtain passwords/SSH keys from the vault; vault admins manage the vault itself. The vault must be hardened and must maintain high availability!
Session Manager
• Session management mechanisms to control access to resources
• Enables monitoring, logging, and recording of administrative activities
• Role management and policy enforcement capabilities, SOD rules
• Generate alerts for policy exceptions
• Emergency access mechanisms to bypass normal operations when needed
Diagram: privileged users and admins reach target resources (network, systems) through the session manager over RDP, SSH, VNC, PCoIP or NX; the session manager applies roles, policies, SOD rules, filters and ACLs, and feeds logging and recording into SOC monitoring.
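As an added illustration of the session manager’s policy enforcement (not code from this deck or from any PAM product), the following Python sketch evaluates one session request against constructed roles, Separation-of-Duties rules and a break-glass exception, and produces the alerts a SOC would receive. Every role name, host and rule below is a constructed assumption.

```python
from dataclasses import dataclass, field

# Constructed role model: each role names the remote-session protocols it may use
# and the target groups it may reach through the session manager.
ROLES = {
    "unix-admin": {"protocols": {"ssh"}, "targets": {"linux-servers"}},
    "windows-admin": {"protocols": {"rdp"}, "targets": {"windows-servers", "domain-controllers"}},
    "dba": {"protocols": {"ssh"}, "targets": {"database-servers"}},
    "change-approver": {"protocols": set(), "targets": set()},  # approves changes, runs none
}

# Separation-of-duties rules: pairs of roles one identity must not hold at the same time.
SOD_RULES = [
    ("change-approver", "unix-admin"),
    ("change-approver", "windows-admin"),
]

# Constructed inventory: target hostname -> target group.
TARGET_GROUPS = {
    "dc01": "domain-controllers",
    "web01": "linux-servers",
    "db01": "database-servers",
}


@dataclass
class SessionRequest:
    user: str
    roles: set
    target: str
    protocol: str              # rdp, ssh, vnc, ...
    break_glass: bool = False  # emergency access requested


@dataclass
class Decision:
    allowed: bool = False
    reasons: list = field(default_factory=list)  # why the request was allowed or denied
    alerts: list = field(default_factory=list)   # policy exceptions to raise to the SOC


def evaluate(req: SessionRequest) -> Decision:
    """Apply SOD rules, role policy and the break-glass exception to one session request."""
    decision = Decision()

    # 1. SOD: a conflicting role combination is denied and alerted, whatever the target,
    #    and break-glass does not override it (the conflict is in the identity, not the task).
    for a, b in SOD_RULES:
        if a in req.roles and b in req.roles:
            decision.alerts.append(f"SOD violation: {req.user} holds both {a} and {b}")
    if decision.alerts:
        decision.reasons.append("denied: separation-of-duties conflict")
        return decision

    # 2. Role policy: some role must permit this protocol to this target's group.
    group = TARGET_GROUPS.get(req.target)
    for role in sorted(req.roles):
        spec = ROLES.get(role, {"protocols": set(), "targets": set()})
        if req.protocol in spec["protocols"] and group in spec["targets"]:
            decision.allowed = True
            decision.reasons.append(f"allowed: role {role} permits {req.protocol} to {group}")
            break
    else:
        decision.reasons.append(f"denied: no role permits {req.protocol} to {req.target}")

    # 3. Break glass: let the session through, but record it as an exception to review.
    if not decision.allowed and req.break_glass:
        decision.allowed = True
        decision.alerts.append(
            f"BREAK-GLASS: {req.user} -> {req.target} via {req.protocol}; record session and review")
    return decision


def session_record(req: SessionRequest, decision: Decision) -> dict:
    """Log entry the session manager would hand to logging/recording and SOC monitoring."""
    return {
        "user": req.user,
        "target": req.target,
        "protocol": req.protocol,
        "allowed": decision.allowed,
        "alerts": list(decision.alerts),
    }
```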
Fine-Grained Privilege Control
• Establish more granular filters to limit administrative activities.
• Often includes agents installed within clients or target servers (similar to desktop management or AD Bridge tools).
Diagram: privileged users and admins reach target infrastructure resources (network, systems); a server agent enforces fine-grained privileges, and a client agent is used for some apps (e.g. Active Directory).
Application Credential Manager
• Identify, store, and rotate application credentials and SSH keys in the password vault
• Eliminate the need to hard-code authentication information
– Use a simple API call instead
• May support caching to minimize performance impacts
• Commonly supported interfaces and protocols include: HTTP and HTTPS; SOAP/XML; Java; VBScript; C/C++; PowerShell
Diagram: applications retrieve UserID/password, SSH keys or other credentials from the password vault through an API call, each keeping a local cache; the vault performs secure key exchange and password/key rotation with the target resources (network, systems).
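The following Python sketch is an added example (not code from this deck or from any vendor) that ties together the Password Vault slide and the Application Credential Manager slide: an in-memory stand-in vault with check-out/check-in that rotates the credential on the managed resource after use, an application client that fetches through the vault API and caches locally with a TTL, and the refresh-on-failure step an application needs when a cached secret has been rotated out from under it. The vault, resource and account names are constructed.

```python
import secrets
import time


class ManagedResource:
    """Stand-in for a target system (database, server) whose local password the vault rotates."""

    def __init__(self):
        self._passwords = {}

    def set_password(self, account, password):
        self._passwords[account] = password

    def authenticate(self, account, password):
        return self._passwords.get(account) == password


class PasswordVault:
    """Minimal in-memory stand-in for a PAM password vault (constructed, not vendor code)."""

    def __init__(self):
        self._creds = {}        # account -> (resource, current password)
        self._checked_out = {}  # account -> user currently holding the reservation
        self.audit = []         # (event, actor, account) records: the vault's log

    def add_account(self, account, resource, password):
        resource.set_password(account, password)
        self._creds[account] = (resource, password)

    def checkout(self, user, account):
        """Reserve a credential for an admin; exclusive until it is checked back in."""
        holder = self._checked_out.get(account)
        if holder is not None and holder != user:
            raise PermissionError(f"{account} is checked out by {holder}")
        self._checked_out[account] = user
        self.audit.append(("checkout", user, account))
        return self._creds[account][1]

    def checkin(self, user, account):
        """Release the reservation and change the credential on the managed resource."""
        if self._checked_out.get(account) != user:
            raise PermissionError(f"{user} does not hold {account}")
        del self._checked_out[account]
        self.audit.append(("checkin", user, account))
        self.rotate(account)

    def rotate(self, account):
        """Generate a new secret, push it to the resource, then store it in the vault."""
        resource, _ = self._creds[account]
        new_password = secrets.token_urlsafe(24)
        resource.set_password(account, new_password)
        self._creds[account] = (resource, new_password)
        self.audit.append(("rotate", "vault", account))

    def fetch(self, app_id, account):
        """API call used by applications instead of a hard-coded secret."""
        self.audit.append(("api-fetch", app_id, account))
        return self._creds[account][1]


class AppCredentialClient:
    """Application-side helper: fetch via the vault API and cache locally with a TTL."""

    def __init__(self, vault, app_id, ttl_seconds=300, clock=time.monotonic):
        self.vault, self.app_id, self.ttl, self.clock = vault, app_id, ttl_seconds, clock
        self._cache = {}  # account -> (secret, fetched_at)

    def get(self, account):
        entry = self._cache.get(account)
        now = self.clock()
        if entry is not None and now - entry[1] < self.ttl:
            return entry[0]  # cache hit: no round trip to the vault
        secret = self.vault.fetch(self.app_id, account)
        self._cache[account] = (secret, now)
        return secret

    def invalidate(self, account):
        self._cache.pop(account, None)


def connect_with_refresh(client, resource, account):
    """Authenticate with the cached secret; if the vault rotated it meanwhile, refresh once and retry."""
    if resource.authenticate(account, client.get(account)):
        return True
    client.invalidate(account)
    return resource.authenticate(account, client.get(account))
```

The clock parameter exists so the cache TTL can be driven deterministically in tests; in production the default monotonic clock is used.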
PAM Market Landscape
• Relatively small niche, but growing rapidly: ~$500 million annually, at a 32% growth rate
• Market leaders (in share + core features): BeyondTrust, CA, CyberArk, Dell, Lieberman Software, Xceedium
• More market players around the world
• Differentiators: High availability, platform + multi-tenancy support, workflow integration and SoD features, credential management, SIEM integration, session recording features

The PAM Map
Vendors shown on the map: Hitachi ID Systems; BeyondTrust; CA, Centrify; Dell, Enforcize, IBM, Lieberman, ManageEngine, Micro Focus, ObserveIT, Oracle, SecureLink, Thycotic, Xceedium; CyberArk; Raz-Lee Security; Pitbull Software; Wallix; Osirium; Balabit; MasterSAM; Applecross; SSH Communications Security; NRI Secure; Arcon
* Some names shortened, or omitted for space
* Source: Gartner list of 2015 PAM vendors
Deploying PAM: Key Issues
• Getting and keeping stakeholder buy-in
• Creating high availability, disaster recovery and “break glass” procedures that work
• Integrating with identity, workflow and monitoring infrastructures
• Phasing in functionality on your schedule rather than the vendor’s
• Locking in favorable professional services and product support
Getting and Keeping Stakeholder Buy-in
“Nobody implements our product because they want to. They do it because someone is telling them they have to.”
– Philip Lieberman, in an informal conversation with us, about 4 years ago
Recommendations
– Follow ALL recommendations in coming slides to make PAM as transparent as possible for IT and the business
– Involve IT and business stakeholders and representatives from all affected teams in project phasing and process development
– Develop a communications and support package for all privileged users and administrators that will be affected
Maintain High Availability
• Eliminate single points of failure
• Deploy a high-availability password vault
– Active-active or active-passive failover, stretch cluster or PAM replication across sites
– Create and test DR plans
• Estimate and measure usage, size appropriately, and use load balancers for all PAM components
• Have “break glass” processes to keep IT running in the event any part of PAM fails
• Prevent or detect any abuse of “back doors”
Other Critical Recommendations
• Thoroughly plan and design integration with identity, workflow and monitoring infrastructures
• Phase in functionality on your schedule, not the vendor’s sales quotas
– Calibrate phasing to your infrastructure maturity level
• Lock in favorable professional services and product support terms
Conclusion
• PAM deployments can range from basic password vaults to advanced application hardening, session monitoring and analytics
• Although the market is relatively mature, few enterprises have deployed the technology outside niches to their full IT environment
• Don’t over-reach or you’ll get thrown on the defensive with internal constituencies
• The good news: An effective PAM deployment is likely to resolve some of your audit and compliance issues – as well as prevent many breach scenarios
Open Q&A
Security Architects, LLC
http://security-architects.com
info@security-architects.com
+1 (301) 585-4717
  • 4. A Clear and Present Danger… Copyright (c) 2015 Security Architects, LLC 4 Common attack paths At least make the attackers work for it! Are too bloody easy
  • 5. About Us • We are a consulting firm dedicated to helping organizations plan, specify and develop security programs, policies and technology solutions. Copyright (c) 2015 Security Architects, LLC 5 About Us Clients Enterprise Security Teams Cloud service providers (CSPs) Other Audiences Areas of Expertise Cloud Security Identity and Privacy Endpoint Security Cyber Security
  • 7. What is PAM?
    • Privileged Account Management (PAM): a set of technologies that allow organizations to identify, secure, and monitor accounts that have elevated privileges in order to minimize risks and ensure compliance.
    • PAM is also sometimes referred to as: Privileged User Management, Privileged Identity Management, Privileged Access Management
  • 8. Privileged Accounts are the Oil that Lubricates IT
    • Love them or hate them, you can't run IT without them.
    • Which accounts: root and admin; network admin; domain admin; DBA; other "superusers"; shared accounts; service accounts (for apps)
    • What they're for: NOS devices; DNS/DHCP servers; firewalls; routers and switches; domain controllers; virtual machine admin; IaaS; databases and applications
    • What they do: operations (start/stop services, run jobs, or generate reports); configuration, updates, maintenance, patches, tuning, troubleshooting; develop applications, administer applications, connect applications
  • 9. PAM Business Drivers
    • Reduce risk of breaches
    • Compliance drivers
      – Maintain internal control: PAM is specifically mentioned in PCI DSS, SOX, NERC/CIP, and some local/regional regulations
      – Simplify auditing and reporting
      – Detect/prevent Separation-of-Duties (SOD) violations
  • 10. Core Features
    • Core features: password vault; fine-grained privilege control; session manager; application credential management
    • Ancillary services: discovery services; role management; policy engine; logging and auditing
    • Platform flexibility: physical and virtual platforms; local or cloud-based; remote session protocols
    • Repository: holds PAM accounts, managed credentials, policies, logs
    • Other considerations: availability and performance
  • 11. PAM Architecture Pattern (architecture diagram)
  • 12. Password Vault
    • Contains accounts for privileged users
    • Contains policies for managed resources
    • Encrypts and stores passwords, SSH keys, policies and logs
    • Allows users to check out/reserve a credential
    • Changes credentials on managed resources after use
    • Provides a management console for centralized policy administration
    • Deployed as software on a physical server, virtual machine, or appliance
    (Diagram: Privileged User and Admin Credentials; Vault Admins; Passwords/SSH Keys. Must be hardened! Must maintain high availability!)
  • 13. Session Manager
    • Session management mechanisms to control access to resources
    • Enables monitoring, logging, and recording of administrative activities
    • Role management and policy enforcement capabilities: roles, policies, SOD rules, filters, ACLs
    • Generates alerts for policy exceptions
    • Emergency access mechanisms to bypass normal operations when needed
    (Diagram: Privileged Users/Admins connect through Session Management (RDP, SSH, VNC, PCoIP, NX) to Target Resources (Network, Systems); Logging and Recording feeds SOC Monitoring.)
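The check-out/reserve, rotate-after-use and alert-on-policy-exception behaviour described on slides 12 and 13 (and the SOD detection of slide 9), as an added toy model written for this page; it is not any vendor's product or API, and the users, roles and resource names are constructed sample data.

```python
"""Toy PAM vault modelling the slide-12/13 concepts: exclusive credential
check-out/reserve, rotation on check-in, role and Separation-of-Duties (SOD)
policy checks, alerts for policy exceptions, and an audit trail (constructed)."""
import secrets


class Vault:
    def __init__(self, creds, roles, resource_role, sod_rules):
        self.creds = dict(creds)                # resource -> current password
        self.roles = roles                      # user -> set of roles held
        self.resource_role = resource_role      # resource -> role allowed to use it
        self.sod_rules = sod_rules              # role pairs one user may not combine
        self.checked_out = {}                   # resource -> user currently holding it
        self.audit, self.alerts = [], []

    def sod_violations(self, user):
        """Return the SOD rule pairs that the user's role set violates."""
        held = self.roles.get(user, set())
        return [pair for pair in self.sod_rules if set(pair) <= held]

    def _deny(self, user, resource, reason):
        self.alerts.append(f"DENY {user} -> {resource}: {reason}")
        self.audit.append(("deny", user, resource, reason))
        return None

    def checkout(self, user, resource):
        # Policy enforcement: the user must hold the role that owns the resource.
        if self.resource_role.get(resource) not in self.roles.get(user, set()):
            return self._deny(user, resource, "role policy")
        # SOD: a toxic role combination blocks access and raises an alert.
        if self.sod_violations(user):
            return self._deny(user, resource, "SOD violation")
        # Reservation: one holder at a time keeps activity attributable.
        if resource in self.checked_out:
            return self._deny(user, resource, f"reserved by {self.checked_out[resource]}")
        self.checked_out[resource] = user
        self.audit.append(("checkout", user, resource, None))
        return self.creds[resource]

    def checkin(self, user, resource):
        if self.checked_out.get(resource) != user:
            raise PermissionError(f"{user} does not hold {resource}")
        del self.checked_out[resource]
        # Rotate after use so the value the human saw is worthless afterwards.
        self.creds[resource] = secrets.token_urlsafe(24)
        self.audit.append(("checkin+rotate", user, resource, None))


def demo_vault():
    """Constructed sample data: two admins, one holding a toxic role pair."""
    return Vault(creds={"fw-core-01": "initial-pw"},
                 roles={"alice": {"netadmin"}, "bob": {"netadmin", "netaudit"}},
                 resource_role={"fw-core-01": "netadmin"},
                 sod_rules=[("netadmin", "netaudit")])
```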
  • 14. Fine-Grained Privilege Control
    • Establish more granular filters to limit administrative activities.
    • Often includes agents installed within clients or target servers (similar to desktop management or AD Bridge tools).
    (Diagram: Privileged Users/Admins; client agent for some apps (e.g. Active Directory); server agent to enforce fine-grained privileges on Target Infrastructure Resources (Network, Systems).)
  • 15. Application Credential Manager
    • Identify, store, and rotate application credentials and SSH keys in the password vault
    • Eliminate the need to hard-code authentication information
      – Use a simple API call instead
    • May support caching to minimize performance impacts
    • Commonly supported interfaces and protocols include:
      – HTTP and HTTPS
      – SOAP/XML
      – Java
      – VBScript
      – C/C++
      – PowerShell
    (Diagram: Applications holding UserID/Password, SSH Keys or other credentials, each with a Local Cache, make an API Call to the Password Vault; the vault performs PW/Key Rotation on Target Resources (Network, Systems) over a Secure Key Exchange.)
  • 16. PAM Market Landscape
    • Relatively small niche, but growing rapidly: ~$500 million annually, at a 32% rate
    • Market leaders (in share + core features): BeyondTrust, CA, CyberArk, Dell, Lieberman Software, Xceedium
    • More market players around the world
    • Differentiators: high availability, platform + multi-tenancy support, workflow integration and SoD features, credential management, SIEM integration, session recording features
  • 17. The PAM Map
    • Vendors shown: Hitachi ID Systems; BeyondTrust; CA; Centrify; Dell; Enforcize; IBM; Lieberman; ManageEngine; Micro Focus; Observe IT; Oracle; SecureLink; Thycotic; Xceedium; CyberArk; Raz-Lee Security; Pitbull Software; Wallix; Osirium; Balabit; MasterSAM; Applecross; SSH Communications Security; NRI Secure; Arcon
    * Some names shortened, or omitted for space
    * Source: Gartner list of 2015 PAM vendors
  • 18. Deploying PAM: Key Issues
    • Getting and keeping stakeholder buy-in
    • Creating high availability, disaster recovery and "break glass" procedures that work
    • Integrating with identity, workflow and monitoring infrastructures
    • Phasing in functionality on your schedule rather than the vendor's
    • Locking in favorable professional services and product support
  • 19. Getting and Keeping Stakeholder Buy-in
    "Nobody implements our product because they want to. They do it because someone is telling them they have to." – Philip Lieberman, in an informal conversation with us, about 4 years ago
    Recommendations
      – Follow ALL recommendations in the coming slides to make PAM as transparent as possible for IT and the business
      – Involve IT and business stakeholders and representatives from all affected teams in project phasing and process development
      – Develop a communications and support package for all privileged users and administrators that will be affected
  • 20. Maintain High Availability
    • Eliminate single points of failure
    • Deploy a high-availability password vault
      – Active-active or active-passive failover, stretch cluster or PAM replication across sites
      – Create and test DR plans
    • Estimate and measure usage, size appropriately, and use load balancers for all PAM components
    • Have "break glass" processes to keep IT running in the event any part of PAM fails
    • Prevent or detect any abuse of "back doors"
  • 21. Other Critical Recommendations
    • Thoroughly plan and design integration with identity, workflow and monitoring infrastructures
    • Phase in functionality on your schedule, not the vendor's sales quotas
      – Calibrate phasing to your infrastructure maturity level
    • Lock in favorable professional services and product support terms
  • 22. Conclusion
    • PAM deployments can range from basic password vaults to advanced application hardening, session monitoring and analytics
    • Although the market is relatively mature, few enterprises have deployed the technology outside niches to their full IT environment
    • Don't over-reach or you'll get thrown on the defensive with internal constituencies
    • The good news: an effective PAM deployment is likely to resolve some of your audit and compliance issues, as well as prevent many breach scenarios
  • 23. Open Q&A
    Security Architects, LLC
    http://security-architects.com
    info@security-architects.com
    +1 (301) 585-4717