CIS13: Managing the Keys to the Kingdom: Next-Gen Role-based Access Control and Privilege
•
3 j'aime•767 vues
The document discusses the need for next-generation role-based access control and privilege management to address business challenges faced by IT, including dynamic demands, scale, compliance requirements, and fragmented identities. It notes how regulatory frameworks like NIST 800-53 set baseline security policies around identity and access management. The document then outlines how Centrify's products provide unified identity, access, and privilege policy controls across distributed environments to meet these challenges and requirements through tight integration with Active Directory.
Recommandé
Contenu connexe
Tendances
Tendances (20)
En vedette
En vedette (11)
Similaire à CIS13: Managing the Keys to the Kingdom: Next-Gen Role-based Access Control and Privilege
Similaire à CIS13: Managing the Keys to the Kingdom: Next-Gen Role-based Access Control and Privilege (20)
Plus de CloudIDSummit
Plus de CloudIDSummit (20)
Dernier
Dernier (20)
CIS13: Managing the Keys to the Kingdom: Next-Gen Role-based Access Control and Privilege
- 1. © 2004-‐2012. Centrify Corporation. All Rights Reserved. Confidential and Proprietary. Managing the Keys to the Kingdom Next-‐Gen Role-‐based Access Control and Privilege
- 2. 2 © 2004-‐2012. Centrify Corporation. All Rights Reserved. Confidential and Proprietary. • Business has more dynamic demands on IT • Time and scale – need it now, on-‐demand • Form factor and location – On-‐prem, virtualized, cloud • Manual and domain-‐specific configuration (startup/teardown) • Compliance and best practices – assurance & accountability • Fragmented identity – infrastructure, administrators, users • “silos” of access policies and diffuse controls Business Challenges for IT
- 3. 3 © 2004-‐2012. Centrify Corporation. All Rights Reserved. Confidential and Proprietary. Regulatory Compliance is Not an Option NIST 800-‐53 sets the baseline security policies which most other regulations reference for identity and access management specific controls: • Identity & Authentication (IA) • Uniquely identify and authenticate users • Employ multifactor authentication • Access Control (AC) • Restrict access to systems and to privileges • Enforce separation of duties and least-‐privilege rights management • Audit & Accountability (AU) • Capture in sufficient detail to establish what occurred, the source, and the outcome • Configuration Management (CM) • Develop/maintain a baseline configuration • Automate enforcement for access restrictions and audit the actions • Systems & Communications (SC) • Boundary Protection • Transmission Integrity and Confidentiality • Cryptographic Key Establishment and Management including PKI Certificates
- 4. 4 © 2004-‐2012. Centrify Corporation. All Rights Reserved. Confidential and Proprietary. • Unified identity, access, privilege policy controls • Consistency across deployments • Distributed enforcement • Ensure availability, No single point of failure • Unified visibility • Accountability • Triage and remediation • Automation • Speed and consistency of deployment • Accuracy, compliance, best practices Dynamic Real-‐time IT is Required
- 5. 5 © 2004-‐2012. Centrify Corporation. All Rights Reserved. Confidential and Proprietary. Active Directory • Active Directory provides the foundation for Enterprise security • Highly distributed, fault tolerant directory infrastructure designed for scalability • Supports large Enterprises through multi-‐Domain, multi-‐Forest configurations • Kerberos-‐based authentication and authorization infrastructure provides SSO • Security administration is centralized and delegated • Centralized account & group management natively supports separation of duties • Group Policy enforcement of security settings • User accounts are centralized in one system • Simplifying authentication and password policy enforcement • Automation simplifies deployment and integration Active Directory Provides the IdM Foundation EngineeringWebFarm Accounting Operations
- 6. 6 © 2004-‐2012. Centrify Corporation. All Rights Reserved. Confidential and Proprietary. IT Support Requires Separation of Duties • Separation of Duties is especially important in managing privileges for a multi-‐tier support organization with vendor support • Elevated rights are required to support these systems • Front line has minimal rights, escalating to the next tier with elevated privileges. • Security Operations Center • SOC staff provide 7x24 monitoring of all administrative activities • SOC staff have limited rights to alert and escalate on security violations Tier 1 Tier 2 Tier 3 Vendor Security Operations Center Escalation Process to the next Tier Monitoring Least Rights -> More Rights
- 7. 7 © 2004-‐2012. Centrify Corporation. All Rights Reserved. Confidential and Proprietary. • While the most powerful accounts must be protected from misuse, Admins and DBAs require the privileges of these accounts to perform their duties • System Administrators need root or local admin rights to manage their systems • Help Desk need minimal access and privilege rights to identify issues and escalate • Database Admins need oracle account privileges to perform their duties • Web Admins need root privileges to start/stop the web server and manage the webroot docs • Cloud Server Admins need access and privileges across dynamic server environments Let’s see how this works across 4 different real world customer scenarios Role-‐based Privileged Access
- 8. 8 © 2004-‐2012. Centrify Corporation. All Rights Reserved. Confidential and Proprietary. • This customer wanted to establish an environment where no one has access to any system at steady state, access and privileges are granted upon approved requests • All system accounts such as root and local admins are locked down • Users will login with their AD account only if granted permission • Default access rights for all systems is set to deny login • Access and privileges are granted for approved requests only, automated by their IdM workflow system leveraging Active Directory groups • The solution established a centralized access and privilege management system • Granting access based on AD group membership • Granting specific rights based on user Role Use Case – Request based Access and Privilege
- 9. 9 © 2004-‐2012. Centrify Corporation. All Rights Reserved. Confidential and Proprietary. • Centralized role-‐based policy management • Create Roles based on job duties • Grant specific access and elevated privilege rights • Eliminate users’ need to use privileged accounts • Secure the system by granularly controlling how the user accesses the system and what he can do • Availability controls when a Role and it’s Rights can be used • Scoped to specific systems or groups of systems • Linux rights granted to Roles • PAM Access – controls users access to system interfaces and applications • Privilege Commands – dynamically grants privileges • Restricted Shell -‐ controls allowed commands in the shell • Windows rights granted to Roles • Session Rights – Ability to elevate privileges for a session (with session switching) • Application Rights – Ability to run an application with privilege • Service Rights – Ability to elevate privilege when accessing network services (ex. MMC from one machine to a SQL server) Solution – Role-‐based Access & Privileges Role Definition Backup Operator Role Availability • Maintenance window only PAM Access • ssh login Privileged Commands • tar command as root Restricted Environment • Only specific commands AD Users & Groups Backup Resources HR Computers IDM Manages AD Groups
- 10. 10 © 2004-‐2012. Centrify Corporation. All Rights Reserved. Confidential and Proprietary. • This customer needed to establish a process to grant contractors the rights they needed on specific systems without giving Admin rights across all Windows Servers • Contractor needs access to several systems in lab and production • Normally IT would individually approve admin actions on request • Or depending on the work, the contractor may have been granted a second privileged account for admin duties (typically called a “dash A” account, eg. david.mcneely-‐a) • Privileged Windows rights needs to be granted to specific systems and not the entire server farm • The solution established a centralized access and privilege management system • Granting access to specific Windows Servers based on AD group membership • Granting specific Windows rights based on user Role • Simplifying user access with desktop privilege elevation interface for remote servers Use Case – Contractor Privileges for Windows
- 11. 11 © 2004-‐2012. Centrify Corporation. All Rights Reserved. Confidential and Proprietary. Solution – Privilege Elevation for Windows • Least access principles require that privileges only be available “as required” • i.e. don’t logon in as Superman if you only need to be Clark Kent… • User determines when he is going to elevate privilege • User can open a desktop session for select role(s) for duration of session • User can select role(s) through a system tray application for adding/removing roles to session • User can select roles(s) for a specific application at launch time
- 12. 12 © 2004-‐2012. Centrify Corporation. All Rights Reserved. Confidential and Proprietary. • This customer needed to be able to monitor DBA access to the database servers and attribute specific actions to the appropriate DBA • DBAs login to systems with their own accounts • They switch (su) to the Oracle account in order to do work on the database • The logs show that the Oracle user is accessing the database tables making it challenging to determine which user is responsible for individual actions • The Auditors also cannot see all actions which user is performing within the database application based on the current logging system • The solution provides user activity auditing that captures all user access • All login sessions and activity are recorded just as a video camera captures all activity at Point of Sale terminals • User activity along with session metadata is forwarded to SIEM solution for further analysis and alerting where auditors can then review the session recordings Use Case – Auditing DBA Access
- 13. 13 © 2004-‐2012. Centrify Corporation. All Rights Reserved. Confidential and Proprietary. • Address regulatory and audit requirements while reducing threat of insider attacks • Detailed capture of user activity – real-‐time surveillance of privileged systems • Establishes accountability and advances compliance reporting • Record and playback which users accessed which systems, what commands they executed, with what privilege, and exact changes made to key files and configurations • Automatically doc vendor procedures and mitigate personnel transitions or hand-‐offs Solution – Unified Session and Activity Auditing Collect Store and Archive SIEM Integration Search and Replay Session metadata and video capture Capture
- 14. 14 © 2004-‐2012. Centrify Corporation. All Rights Reserved. Confidential and Proprietary. • This customer needed to grant authorized user access to AWS Servers, but did not want to manage an independent IdM system for these servers • Users must authenticate to the company Active Directory before accessing any AWS Server • Internal IT manages this AD where the Cloud Server team does not have management rights • AWS Servers configured to require Kerberos-‐based login, refusing userid/password logins • They do not want to manage SSH keys, users gain access based on Kerberos tickets • Root accounts are configured with a randomized password that no one knows • Privileges are granted dynamically based on user role at login • The solution integrated these cloud servers into their existing AD environment to enable authorized users the rights to login with their existing AD account • Servers join to a new AD Forest which has a one-‐way trust with the internal AD • Authorized users are required to VPN to the company network in order to login • Cloud Servers require Kerberos ticket based authentication in order to gain access • Privileges are granted based on AD group memberships Use Case – Strong Auth to AWS Servers
- 15. 15 © 2004-‐2012. Centrify Corporation. All Rights Reserved. Confidential and Proprietary. • Active Directory deployed in a federated configuration enforces centralized access policies on these dynamic environments • Taking control over security credentials and system policies • Supporting Separation of Duties between Hosting provider and the Enterprise • Enterprise-‐centric and automated security framework • Role-‐based access and privilege control • Single sign-‐on for applications • Audit all user activity for on-‐premise and cloud systems Internal Network DMZ Fred Joan AD & Windows Administration Solution – Extending AD to Cloud Servers One-way Trust with Internal AD
- 16. 16 © 2004-‐2012. Centrify Corporation. All Rights Reserved. Confidential and Proprietary. Summary Leverage your existing AD environment in order to manage the access and privileges across your on-‐premise or cloud server environment • Uniquely identify and authenticate users • Restrict access to systems and to privileges • Enforce separation of duties and least-‐privilege rights management • Capture session details to establish what occurred, the source, and the outcome • Automate enforcement for access restrictions and audit the actions • Establish centralized trust to ensure Kerberos is used for transmission integrity and confidentiality
- 17. © 2004-‐2012. Centrify Corporation. All Rights Reserved. Confidential and Proprietary. Thank You D A V I D . M C N E E L Y @ C E N T R I F Y . C O M