Tech Talk: Privileged Account Management Maturity Model

  1. World® ’16. Tech Talk: How Do You Measure Up? A Maturity Model for Privileged Access Management. Shawn W. Hank – Sr. Principal Consultant, Cybersecurity, CA Technologies. SCT41T, SECURITY
  2. For Informational Purposes Only: Terms of this Presentation. © 2016 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD. © 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The content provided in this CA World 2016 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
  3. Abstract. As security and risk professionals increasingly focus on the need for privileged access management within their organizations, a number of questions arise. Are critical functions being addressed? Are the appropriate processes and management oversight in place? How can the overall privileged access management program be improved? What areas need more focus to improve program effectiveness? In this session, we’ll discuss a privileged access management maturity model – focused on key technology, process, and management activities and capabilities – that security teams can use to baseline their privileged access management program and identify areas for improvement and future refinement. Shawn W. Hank, Sr. Principal Consultant, Cybersecurity, CA Technologies, Inc.
  4. Privileged Account Management Facts
     • The risk and potential for security breaches exist anywhere there are privileged accounts.
     • Privileged accounts are everywhere; ergo, potential vectors of compromise exist everywhere.
     • Your privileged accounts are valuable targets! And they are a critical component of your overall security posture.
     • Privileged accounts grow in number every day. They exist in all layers of any organization's IT stack: infrastructure, front end, middleware, backend.
     • Existing models of managing privileged accounts fall short.
     • Every major breach has involved a privileged account.
  5. PAM Maturity – Level 0/1
  6. PAM Focus Areas – Level 1: Privileged Users / Shared Accounts
     • Examples – root, oradba, sapadmin, cisco enable, Windows local admin, named admin accounts, SaaS/IaaS/PaaS admin accounts
     • Why – If you control access to the accounts as well as their passwords, you can control privileged actions and who can make them
     • Hint – Public discussions about monitoring and audit are a big deterrent of unwanted behavior
  7. PAM Maturity – Level 1/2
  8. PAM Focus Areas – Level 2: Activity Monitoring
     • Examples – SIEM, Network Monitoring, Change Management, Session Recording, Analytics
     • Why – Proactive vs. Reactive
     • Hint – Automated remediation is faster than human action. Think SecOps or DevSecOps
  9. PAM Focus Areas – Level 2/3: Service & Application Accounts
     • Examples – COTS applications, application & middleware servers, DevOps (CI and/or Orchestration) systems, Scheduled Tasks, Batch Jobs, Scripts
     • Why – Our experience tells us there are 5 to 7 times as many application accounts as there are human, interactive accounts. The threat is larger in this context.
     • Hint – Start small and build over time, incorporating with SDLC
  10. PAM Focus Areas – Level 3/4: Identity Management Integration
     • Examples – CA Identity Suite, CA Identity Service, Oracle IAM, SailPoint, IBM Security Identity Manager
     • Why – PAM solutions should not provision accounts.
     • Why – Integration with IDM tools allows for programmatic provisioning and removal of accounts and credentials as well as certification and accreditation when needed.
  11. PAM Focus Areas – Level 3/4: Fine-Grained Controls
     • Examples – CA PAM SC, Symantec CSP, Dell UPM, PowerBroker, ViewFinity
     • Why – PAM focus has been primarily on the server side of the equation.
     • Why – Most privileged account compromises happened on client endpoint systems (i.e., managed and unmanaged laptops, etc.)
     • Why – Moving the PAM function closer to the user environment (aka endpoint) is a logical progression.
  12. Privileged Access Management Maturity Model
     Levels: Level 0; Level 1 (Ad Hoc / Manual); Level 2 (Baseline); Level 3 (Managed); Level 4 (Advanced). Entries for each focus area run in order from Level 0 to Level 4.
     • Privileged User/Shared Accounts: Not managing or rotating credentials Manual Controls For Privileged Accounts Basic Vault Structured Controls Account Inventory SDLC Integration Credential Vault w/ RBAC Central Password Policies Account Discovery MFA Password-less (SAML/OAUTH/TGS) Cloud/SaaS/SDN & HSM Integration
     • Service & Application Accounts: No knowledge of Application accounts Ad Hoc Application Account Management Hard Coded Passwords Manual Application Account Management Centralized A2A Mgmt. No Hardcoded Creds. REST API Integration Governed A2A DevOps Integration
     • Monitoring & Threat Detection: No monitoring of account usage Ad Hoc Audit & Controls Activity Monitoring Decentralized logging SIEM Integration Account Attribution SNMP Alerting Session Recording Meta-Data Service Desk Workflow & Analytics Integration
     • Identity Management Integration: Manual provision, no certification or accreditation Manual Process For Privileged Access Automated Privileged Identity Mgmt. Integrated Privileged Access Requests Basic Governance Fully Delegated Administration Governed Privileged Access w/SoD
     • Fine-grained Controls/SoD: Non existent Open Source Tools and Scripts Decentralized Tools (Silos) Command Filtering Restricted Shell Leap Frog Prevention Centrally Managed Kernel Interceptor with Cred Vault Integration
  13. Questions to Consider
     • Do you have a record of credential access? (The 5 W's: Who, What, When, Where, Why?)
     • How is privileged account access granted?
     • Do you have an inventory of privileged accounts? (Interactive & programmatic?)
     • Are privileged accounts included in the SDLC process? (For 3rd-party developers and contractors?)
     • How do you grant emergency access to privileged accounts?
     • How do you track the usage of privileged accounts?
     • Do you have a policy and process for rotating privileged account credentials?
     • If yes, how often are you rotating privileged account credentials?
     • Do you require a change ticket for privileged account use?
     • Do you have SoD for privileged accounts? (How is SoD enforced?)
     • What is the current certification process for privileged accounts?
     • How are new privileged accounts created? (What does the workflow look like?)
     • What is your approach for managing privileged accounts that live in the cloud? (IaaS, PaaS, SaaS?)
     • Is Multi-Factor Authentication a requirement to access privileged accounts?
     • Is privileged account access monitored for suspicious activity?
     • Are fine-grained controls in place to restrict the scope of privileged accounts? (How is this managed?)
  14. PAM Focus Areas – Level 3/4: Advanced. Review, Redefine, Optimize
  15. Summary: Privileged Account Management Maturity Model. Whether you haven't started, have just begun, or are in the throes of a Privileged Access Management project, there are several items to consider. It is our hope that the framework we have provided here will start a discussion and assist you as you move forward. Let us know how we can help!
  16. Recommended Sessions (Session # / Title / Date and Time)
     • SCT39T / PAM for Hybrid Enterprises / 11/17/2016 at 1:45 pm
     • SCT36T / Real-time Identity Analytics / 11/16/2016 at 3:00 pm
     • SCT43T / Threat Analytics for PAM / 11/17/2016 at 4:30 pm
  18. Security. For more information on Security, please visit: http://cainc.to/EtfYyw