CyberArk Privilege as a Service - Cyber Security Summit

Post on 12-Jun-2022

TRANSCRIPT

Page 1: CyberArk Privilege as a Service - Cyber Security Summit

PRIVILEGE AS A SERVICE

Safeguarding Access In The Ever-Evolving Cloud

Alex Flores – Principal Solutions Engineer, Central US

Page 2:

THE CLOUD IS BEAUTIFUL – AND I.T. IS TRANSFORMING

Speed to Market
ROI from Innovative Cloud Tech
Allure of Modern Automation

Page 3:

PRIVILEGE IS EVERYWHERE

Page 4:

POWERFUL CONSOLE ACCESS

Org Root
Account Root
Global Admin
Domain/Limited Admin
Super Admin
Project Owner

Page 5:

RISE OF THE MACHINES

Page 6:

WHAT CAN BE DONE?

Discover, vault and rotate these credentials – and protect with MFA
Control and monitor sessions using these creds
Take programmatic action against anomalies

Page 7:

NATIVE ACCESS IS KEY TO SUCCESS

So allow users to leverage their own native clients!

Page 8:

NO CODE CHANGES: MICROSERVICES

https://secretless.io

Page 9:

NO CODE CHANGES: OFF THE SHELF APPS

[Diagram: CYBERARK VAULT <-HTTPS-> CYBERARK PROVIDER <- CLIENT APP; further client apps shown: WORKFUSION CONTROL TOWER, RPA BOT in an RPA VDI FARM, CLIENT APP, CLIENT APP]

Credential retrieval inside the client app (REST API call to the provider):

  Username = GetUserName()
  Password = GetPassword()
  Host = GetHost()
  ConnectDatabase(Host, Username, Password)
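The four-line pseudocode above is the whole "no code changes" idea: the application asks the credential provider for the account at connection time instead of carrying the password in a config file, so vault rotation cannot break it. The Python below is an added example written for this transcript, not code from the deck or from CyberArk. The query-string shape (AppID, Safe, Folder, Object) and the Address/UserName/Content fields follow the request and response of CyberArk's Central Credential Provider web service as an assumption; the hostnames, safe and object names are invented, the HTTP call and the database driver are injected callables so the example runs offline, and authentication of the calling application to the provider is assumed to happen at the HTTPS layer and is out of scope. It adds the one thing the slide leaves implicit: if the vault rotates the password between the fetch and the connect, the app re-fetches once and retries.

```python
"""Runtime credential retrieval in the 'no code changes' pattern from Page 9.

Added example (not from the original deck).  The provider endpoint shape and
field names are assumptions modelled on CyberArk's Central Credential Provider;
check them against your own provider's documentation.
"""
import json
from dataclasses import dataclass
from urllib.parse import urlencode


@dataclass(frozen=True)
class DbCredential:
    host: str
    username: str
    password: str


class AuthFailed(Exception):
    """Raised by the database layer when the supplied password is rejected."""


def build_request_url(base_url, app_id, safe, obj):
    """URL for one credential lookup; every parameter is URL-encoded."""
    query = urlencode({"AppID": app_id, "Safe": safe, "Folder": "Root", "Object": obj})
    return f"{base_url.rstrip('/')}/AIMWebService/api/Accounts?{query}"


def parse_credential(body):
    """Map the provider's JSON onto the slide's GetHost/GetUserName/GetPassword."""
    data = json.loads(body)
    missing = [f for f in ("Address", "UserName", "Content") if f not in data]
    if missing:
        raise ValueError(f"provider response missing {', '.join(missing)}")
    return DbCredential(host=data["Address"], username=data["UserName"], password=data["Content"])


def fetch_credential(http_get, base_url, app_id, safe, obj):
    return parse_credential(http_get(build_request_url(base_url, app_id, safe, obj)))


def connect_database(http_get, connect, base_url, app_id, safe, obj):
    """The slide's ConnectDatabase(Host, Username, Password) with runtime retrieval.

    The credential is fetched immediately before use and never written to a
    config file or cached across connections.  If the database rejects it
    because the vault rotated the password between fetch and connect, fetch
    once more and retry; a second rejection is a real failure and propagates.
    """
    cred = fetch_credential(http_get, base_url, app_id, safe, obj)
    try:
        return connect(cred.host, cred.username, cred.password)
    except AuthFailed:
        cred = fetch_credential(http_get, base_url, app_id, safe, obj)
        return connect(cred.host, cred.username, cred.password)


def demo():
    """Constructed scenario: the password rotates right after the first fetch."""
    responses = iter([
        json.dumps({"Address": "db01.example.internal", "UserName": "app_svc", "Content": "old-pass"}),
        json.dumps({"Address": "db01.example.internal", "UserName": "app_svc", "Content": "new-pass"}),
    ])
    urls = []

    def http_get(url):  # stands in for an HTTPS GET to the provider
        urls.append(url)
        return next(responses)

    def connect(host, username, password):  # stands in for the database driver
        if password != "new-pass":  # the database already holds the rotated password
            raise AuthFailed("password rejected")
        return f"session:{username}@{host}"

    session = connect_database(http_get, connect, "https://ccp.example.internal",
                               "BillingApp", "BillingSafe", "db01-app_svc")
    return session, len(urls)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns the opened session and the number of provider calls it took (two: the stale credential is rejected once, the refreshed one succeeds). The retry is deliberately limited to one extra fetch so a genuinely wrong credential still fails fast instead of hammering the provider.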

Page 10:

CLOUD LEAST PRIVILEGE

You need to be precise in all three aspects:

The identity
The scope
The permission

Azure alone has more than 5,000 permissions!

Page 11:

SHADOW ADMINS – SUBSCRIPTION LEVEL

Permission                                             Actions permitted
Microsoft.Authorization/classicAdministrators/write    Add new classic administrators
Microsoft.Authorization/roleAssignments/write          Grant permissions
Microsoft.Authorization/roleDefinitions/write          Change permissions' definitions
Microsoft.Authorization/elevateAccess/action           Elevate to User Access Administrator

Sensitive wildcard character "*": each of these patterns covers one or more of the permissions above and is easy to miss in a custom role
Microsoft.Authorization/roleDefinitions/*
Microsoft.Authorization/roleAssignments/*
Microsoft.Authorization/*/write
Microsoft.Authorization/*

(Azure RBAC wildcards are case-insensitive and a NotActions entry subtracts from what Actions grant, so judge a role by its effective actions rather than by the presence of a pattern alone.)

Page 12:

SkyArk – Free Cloud Security Tool

Scans cloud entities
Needs read-only access
Discovers privileged users and shadow admins

https://github.com/cyberark/SkyArk
https://kobura.io
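Pages 10 to 12 describe the check SkyArk automates: for each identity, look at the scope of every role assignment and the effective permissions of the assigned role, and flag identities that can grant or change permissions without holding an obvious admin role. The Python below is an added example written for this transcript; it is not SkyArk's code and not from the deck. The role definitions, assignments and principal names are constructed, "Owner" and "User Access Administrator" are treated as the known admin roles (a simplification), and every management-group assignment is treated as covering the subscription without resolving the real hierarchy. It does implement the two details the slide warns about: wildcard patterns such as Microsoft.Authorization/*/Write are matched case-insensitively across path segments, and NotActions are subtracted before a permission counts.

```python
"""Shadow-admin check over Azure role definitions and assignments (Pages 10-12).

Added example, not SkyArk's code.  Inventory below is constructed.
"""
import re

# The four subscription-level permissions from the slide on Page 11.
SENSITIVE_ACTIONS = (
    "Microsoft.Authorization/classicAdministrators/write",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/elevateAccess/action",
)
# Roles whose admin power is expected and visible; anything else granting the
# above is a shadow admin.  Simplification for the example.
KNOWN_ADMIN_ROLES = {"Owner", "User Access Administrator"}


def pattern_matches(pattern, action):
    """Azure RBAC wildcard: '*' matches any characters, case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_grants(role, action):
    """Effective permission = matched by Actions and not matched by NotActions."""
    allowed = any(pattern_matches(p, action) for p in role.get("actions", []))
    denied = any(pattern_matches(p, action) for p in role.get("notActions", []))
    return allowed and not denied


def scope_covers(assignment_scope, target_scope):
    """True if an assignment at assignment_scope applies to target_scope.

    Assumption for the example: any management-group assignment covers the
    subscription.  A real tool must walk the management-group hierarchy.
    """
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    if a.startswith("/providers/microsoft.management/managementgroups/"):
        return True
    return t == a or t.startswith(a + "/")


def find_shadow_admins(role_definitions, assignments, subscription_scope):
    """Map principal -> sorted sensitive actions it holds at subscription level."""
    roles_by_name = {r["roleName"]: r for r in role_definitions}
    findings = {}
    for a in assignments:
        role = roles_by_name[a["roleName"]]
        if role["roleName"] in KNOWN_ADMIN_ROLES:
            continue  # visible admin, not a shadow one
        if not scope_covers(a["scope"], subscription_scope):
            continue  # narrower than the subscription, e.g. one resource group
        granted = [s for s in SENSITIVE_ACTIONS if role_grants(role, s)]
        if granted:
            findings.setdefault(a["principal"], set()).update(granted)
    return {p: sorted(v) for p, v in sorted(findings.items())}


# Constructed inventory: what a read-only pull of role definitions and
# assignments might look like.  Names and IDs are invented.
ROLE_DEFINITIONS = [
    {"roleName": "Owner", "actions": ["*"], "notActions": []},
    {"roleName": "Reader", "actions": ["*/read"], "notActions": []},
    {"roleName": "Support Helper",
     "actions": ["Microsoft.Support/*", "Microsoft.Authorization/*/read"], "notActions": []},
    # Looks like a VM automation role, but the second wildcard grants role assignment.
    {"roleName": "VM Automation",
     "actions": ["Microsoft.Compute/*", "Microsoft.Authorization/*"],
     "notActions": ["Microsoft.Authorization/*/delete"]},
    # Capitalised '/Write' still matches; NotActions removes only one of the hits.
    {"roleName": "Policy Author",
     "actions": ["Microsoft.Authorization/policyDefinitions/write", "Microsoft.Authorization/*/Write"],
     "notActions": ["Microsoft.Authorization/classicAdministrators/write"]},
]
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ASSIGNMENTS = [
    {"principal": "alice@corp.example", "roleName": "Owner", "scope": SUB},
    {"principal": "automation-sp", "roleName": "VM Automation", "scope": SUB},
    {"principal": "bob@corp.example", "roleName": "Support Helper", "scope": SUB},
    {"principal": "carol@corp.example", "roleName": "VM Automation", "scope": SUB + "/resourceGroups/rg-dev"},
    {"principal": "dave@corp.example", "roleName": "Policy Author",
     "scope": "/providers/Microsoft.Management/managementGroups/corp-root"},
    {"principal": "erin@corp.example", "roleName": "Reader", "scope": SUB},
]

if __name__ == "__main__":
    for principal, actions in find_shadow_admins(ROLE_DEFINITIONS, ASSIGNMENTS, SUB).items():
        print(principal, "->", ", ".join(actions))
```

On the constructed inventory the report names two shadow admins: the service principal holding "VM Automation" (all four actions, because Microsoft.Authorization/* covers them and the NotActions entry only removes deletes) and dave, whose management-group role reaches the subscription and whose */Write pattern grants role-assignment and role-definition writes while NotActions strips only the classic-administrator one. Alice is skipped as a visible Owner, carol's identical role is scoped to a resource group and so is not a subscription-level finding, and the read-only patterns never match.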

Page 13:

CYBERARK BLUEPRINT STAGES OVERVIEW

GOAL by stage (RISK REDUCTION runs from Critical through Major to Moderate as the stages progress):

Stage 1: Secure privileged ids that have the potential to control an entire environment
Stage 2: Focus on locking down the most universal technology platforms
Stage 3: Build PAS into the fabric of enterprise security strategy and application pipelines
Stage 4: Mature existing controls and expand into advanced privileged access security
Stage 5: Look for new opportunities to shore up privileged access across the enterprise

Guiding principles: PREVENT CREDENTIAL THEFT; STOP LATERAL & VERTICAL MOVEMENT; LIMIT PRIVILEGE ESCALATION & ABUSE

PAM CONTROLS & TECHNOLOGIES

Foundational Privileged Access Management
  Stage 1: IaaS Admins, Domain Admins, VM & Hypervisor, Windows Server Local, MFA
  Stage 2: CI/CD Consoles, Workstation Local Admin, Privileged AD Users, *NIX Root
  Stage 3: Cred boundaries, *NIX Root Similar, 3rd Party Vendors, Out of Band access, Database Built-In Admins
  Stage 4: Web Apps (Top), Business Apps (Top), Network & Infra Admins, Named DBA
  Stage 5: Web Apps (All), Business Apps (All), Mainframe Admins, Windows Services

Least Privilege (three entries, listed in stage order)
  IT Admin Workstations
  Windows Servers, All Workstations
  Windows Servers, *NIX Servers

App Secrets Management
  Stage 1: 3rd Party Security Tools (via C3 Integrations)
  Stage 2: 3rd Party Business Tools (via C3 Integrations)
  Stage 3: Dynamic Apps
  Stage 4: Static Apps
  Stage 5: Static Apps (Adv)

Page 14: (duplicate of Page 13, CYBERARK BLUEPRINT STAGES OVERVIEW)

Page 15:

THINGS TO CONSIDER

Consistency, Adoption, Visibility

• Multi-Cloud Console Access
• IaaS
• Cloud Shadow Admins

Free Things to Help

• SkyArk
  • https://github.com/cyberark/SkyArk
• Kobura
  • https://kobura.io
• CyberArk Conjur and Secretless
  • https://conjur.org
  • https://secretless.io
• Blueprint for PAS Success
  • https://cyberark.com/blueprint

Thank you!

[email protected]