Single Identity – Multiple Services: How Do I Stay Compliant?
Wade Tongen, NA Commercial SE, Centrify
Copyright © 2015 Centrify Corporation. All Rights Reserved.

Post on 22-Dec-2015


TRANSCRIPT

  • Slide 1
  • Single Identity – Multiple Services: How Do I Stay Compliant?
    • Wade Tongen, NA Commercial SE Manager, [email protected]
  • Slide 2
  • Agenda
    • Overview of Today's Environment
    • Common Themes of Today's Standards
    • Identity Topics: The New Perimeter
    • Controlling Privileged Access
    • Accountability for Privileged Actions
  • Slide 3
  • The Modern IT Enterprise (diagram: The Business of IT; Staff; Security; Infrastructure; Budget; Employees; SaaS; Outsourced IT; Infrastructure as a Service)
  • Slide 4
  • … and Harder to Manage as Infrastructure Evolves (diagram: ID with Desktops + Data Center Apps + Data Center Servers + Cloud (IaaS & PaaS) + Cloud (SaaS) + Mobile + Big Data)
  • Slide 5
  • Core Challenges in Managing Privileged Identity
    • Headlines: "Disgruntled IT Worker Holds Company Hostage"; "Snowden Used Low-Cost Tool to Scrape N.S.A."; "Massive Retailer Identity Theft"
    • Threats & Breaches: Over-Privileged Users; APTs & Malware; Insider Threats
    • Modern Enterprise: Data Center Heterogeneity
    • Regulations: SOX, PCI, FISMA, NIST 800-53, HIPAA
  • Slide 6
  • Regulations Share Common Tenets: no matter the standard, many themes are common
    • Generic accounts are bad: have users access services/applications as themselves rather than as administrator, root, SA or oracle
    • Have a least-privilege model: if there is no business need for an access or right, the user should not have it
    • Accountability for actions: essential for privileged actions
    • Lock down shared accounts: when there is no other option
  • Slide 7
  • Identity Management Needs to Be Holistic
  • Slide 8
  • The Common/Weakest Link
  • Slide 9
  • Identity at the Center of Cyber Attacks (diagram: ID between End Users and Privileged Users)
  • Slide 10
  • Unify Identity Management Stores Where Possible (diagram: Desktops, Data Center Apps, Data Center Servers, Cloud (IaaS & PaaS), Cloud (SaaS), Mobile and Big Data consolidated onto MS AD or LDAP for a reduced identity footprint)
  • Slide 11
  • The Case for a Reduced Identity Footprint
    • Users are, and will continue to be, the weak link in the security chain
    • The more identities a user has, the more likely they are to: use weaker passwords; reuse the same password; store passwords on a sticky note; store them in a spreadsheet; store them in a browser without institutional control; use a personal password product
  • Slide 12
  • The Traditional Thought Was That the Firewall Was the Perimeter
    • This approach worked much better before the: explosion of virtualization; mobile workforce; SaaS offerings; elastic environments
  • Slide 13
  • The Paradigm Shift Means the Identity Is the New Perimeter (figure: a perimeter drawn from repeated IDENTITY labels)
    • Authenticate; Determine Access; Enforce Policies; Track
  • Slide 14
  • So Where Do We Consolidate? MS Windows
    • Use SSPI (Security Support Provider Interface), built into MS applications
    • Leverages Kerberos or NTLM to provide a single identity
    • External trusts are possible between environments
  • Slide 15
  • So Where Do We Consolidate? UNIX/Linux
    • Utilize PAM authentication and trust the OS for authentication
    • Use GSSAPI (Generic Security Services Application Program Interface), supported by open source and commercial vendors
    • Leverages Kerberos or NTLM to provide a single identity
    • External trusts are possible between environments
  • Slide 16
  • So Where Do We Consolidate? Applications
    • Utilize PAM authentication and trust the OS for authentication
    • Use SSPI & GSSAPI (Generic Security Services Application Program Interface)
    • In the data center, leverage Kerberos or NTLM
    • In the cloud, leverage SAML and OAuth
  • Slide 17
  • So Where Do We Consolidate? Infrastructure (routers, switches, appliances)
    • Typically accessed via CLI or web interface using local accounts
    • External protocols such as RADIUS and LDAP
  • Slide 18
  • Best Practices for Controlling Privileged Identity
  • Slide 19
  • Path to Reducing Identity-related Risk for Privileged Users (diagram with Privileged Accounts and Individual Accounts as its axes)
    • Poor Risk Profile: many privileged passwords; individual identities with unstructured access; many identity silos
    • Optimized Risk Profile: least privilege access; single identity source; limited number of privileged accounts (root, local admin, service accounts)
  • Slide 20
  • Two Main Ways to Control Privileged Identities (data center servers)
    • Super User Privilege Management (SUPM): assigning the privilege to users or groups at the OS or device level
    • Shared Account Password Management (SAPM): assigning a user temporary access to accounts such as root, Administrator, SA or Oracle
  • Slide 21
  • Super User Privilege Management
    • OS level: can grant granularity down to individual executables
    • UNIX/Linux: sudo & 3rd-party tools; take extra precautions if the tool modifies the kernel
    • Windows: MS GPO & 3rd-party tools
    • A single cross-platform architecture would be easiest to deploy
    • Applications: typically defined in the application, but try to externalize the authentication
    • Appliances: typically configured in the context of the device
  • Slide 22
  • Shared Account Privilege Management
    • Typically implemented with a vaulted password in an appliance, virtual appliance, or service
    • The password is checked out/in, or provided without the user knowing the password
    • A complete log of who had access to which privileged account and when
    • Some typical needs: break glass; loss of connectivity; appliances that do not support external authentication; service accounts
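As an added illustration of the check-out/check-in flow on slides 20 to 22 (example code written for this page, not Centrify's product or any vendor's implementation), the account name, the users and the rotate-on-check-in rule are assumptions:

```python
# Added example (not Centrify's code): a minimal shared-account password vault
# modelling the check-out/check-in flow from slides 20-22. Account and user
# names are constructed for illustration; the rotate-on-check-in rule is an
# assumption, not something the deck states.
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class VaultEntry:
    password: str
    holder: Optional[str] = None  # individual who currently holds the password


@dataclass
class SharedAccountVault:
    accounts: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # (timestamp, individual, account, event)

    def _log(self, user: str, account: str, event: str) -> None:
        self.audit.append((datetime.now(timezone.utc), user, account, event))

    def add_account(self, account: str) -> None:
        # The vault generates the secret; no human chooses it or sees it at rest.
        self.accounts[account] = VaultEntry(password=secrets.token_urlsafe(24))

    def checkout(self, user: str, account: str, reason: str) -> str:
        """Hand the shared password to one named individual at a time."""
        entry = self.accounts[account]
        if entry.holder is not None:
            self._log(user, account, "checkout-denied")
            raise PermissionError(f"{account} is checked out by {entry.holder}")
        entry.holder = user
        self._log(user, account, f"checkout: {reason}")
        return entry.password

    def checkin(self, user: str, account: str) -> None:
        """Return the account and rotate the secret so the disclosed value is dead."""
        entry = self.accounts[account]
        if entry.holder != user:
            raise PermissionError(f"{user} does not hold {account}")
        entry.holder = None
        entry.password = secrets.token_urlsafe(24)
        self._log(user, account, "checkin+rotate")

    def who_had(self, account: str) -> list:
        """Compliance view: who touched this privileged account, and when."""
        return [(ts, user, event) for ts, user, acct, event in self.audit if acct == account]
```

The audit list is the "complete log of who had access to which privileged account and when" the slide asks for; a denied check-out is logged too, so the record shows attempts as well as grants.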
  • Slide 23
  • to Enable Maximum Security for Privileged Users
    • Privileged Accounts: check out account password; log in as shared account; attribute account use to individual
    • Individual Accounts: log in as yourself; elevate privilege when needed; attribute activity to individual
    • Centrify manages identity for both individual and privileged accounts for maximum security + IT efficiency
    • Core Rule: get users to log in as themselves, while maximizing control of privileged accounts
  • Slide 24
  • Accountability for Privileged Actions
  • Slide 25
  • Auditing & Compliance
    • Privileged session monitoring (PSM) for Linux, UNIX, Windows and appliances
    • No anonymous activity: complete session record
    • All activity associated to a single identity across all platforms
    • User session auditing with video and searchable event records
    • Must scale to tens of thousands of systems; data stored in a SQL database
    • Satisfies regulatory mandates including PCI, HIPAA, SOX and ISO
    • A single audit store across individual and privileged access
    • (diagram: Network Monitoring; Privileged Access Security; Perimeter Firewall; Report and Replay Privileged Sessions; Data Center Servers)
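An added example, not from the original deck, of the "no anonymous activity" review that slides 6, 23 and 25 call for: constructed session records are checked so that every use of a generic account is tied to an individual. The record format, hosts, user names and sample lines are assumptions made for the example.

```python
# Added example (not Centrify's code): reviewing session records for
# "anonymous" privileged activity, the gap slides 6, 23 and 25 warn about.
# The record format, hosts, users and sample lines are all constructed.
import re

# Shared accounts that must never appear without an attributed individual.
GENERIC_ACCOUNTS = {"root", "administrator", "sa", "oracle"}

# Constructed format: "<ts> host=<h> user=<login> [via=<individual>] action=<text>"
RECORD = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+)"
    r"(?: via=(?P<via>\S+))? action=(?P<action>.+)"
)

SAMPLE_LOG = """\
2015-12-22T10:00:01Z host=db01 user=alice action=ssh-login
2015-12-22T10:00:05Z host=db01 user=root via=alice action=sudo /usr/sbin/service oracle restart
2015-12-22T10:01:10Z host=db02 user=oracle action=ssh-login
2015-12-22T10:02:00Z host=web01 user=administrator action=rdp-login
2015-12-22T10:02:30Z host=web01 user=administrator via=bob action=vault-checkout
""".splitlines()


def review(lines):
    """Return (attributed, findings).

    attributed maps an individual to the privileged-account actions tied to
    them; findings lists records that cannot be tied to a person, which is
    exactly the "anonymous activity" a compliant audit store must not contain.
    """
    attributed, findings = {}, []
    for line in lines:
        m = RECORD.match(line)
        if not m:
            findings.append(("unparseable", line))
            continue
        rec = m.groupdict()
        is_generic = rec["user"] in GENERIC_ACCOUNTS
        individual = rec["via"] or (None if is_generic else rec["user"])
        if individual is None:
            findings.append(("anonymous-privileged", line))
        elif is_generic:
            attributed.setdefault(individual, []).append(
                (rec["host"], rec["user"], rec["action"]))
    return attributed, findings
```

On the sample, the direct `oracle` and `administrator` logins are the two findings, while the sudo elevation and the vault check-out are attributed to alice and bob respectively.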
  • Slide 26
  • Thank You