Harnessing Privileged Access Management (PAM) to Defend Core Digital Assets Against a Breach
By Dan Blum, Doug Moench and Doug Simmons, October 16, 2015
Copyright (c) 2015 Security Architects, LLC
Today's Speakers
Dan Blum, Principal Consultant: Expert in security, privacy, cloud computing and identity management. Ex-Gartner Golden Quill award-winning VP and Distinguished Analyst. Founding partner of Burton Group.
Doug Moench, Senior IAM and Security Consultant: CISSP specializing in security and risk management strategies and architectures, identity management solutions, and federation technologies. Over 30 years of experience documenting current-state environments and developing recommendations for improving infrastructure.
Doug Simmons, Principal Consultant: Focuses on IT security, risk management and IAM. Has performed hundreds of engagements for large enterprise clients in multiple vertical industries including financial services, health care, higher education, federal and state government, manufacturing, aerospace, energy, utilities and critical infrastructure.
Why PAM?
Source: Information is Beautiful (Breach visualizations)
Many of these could have been prevented or delayed.
A Clear and Present Danger…
Common attack paths are too bloody easy. At least make the attackers work for it!
About Us
• We are a consulting firm dedicated to helping organizations plan, specify and develop security programs, policies and technology solutions.
• Clients: enterprise security teams, cloud service providers (CSPs) and other audiences
• Areas of expertise: cloud security, identity and privacy, endpoint security, cyber security
Our Services
• Security assessments
• Security architectures
• Custom consulting
• Security workshops
• Consulting services
What is PAM?
• Privileged Account Management (PAM): a set of technologies that allow organizations to identify, secure, and monitor accounts that have elevated privileges in order to minimize risks and ensure compliance.
• PAM is also sometimes referred to as Privileged User Management, Privileged Identity Management or Privileged Access Management.
Privileged Accounts are the Oil that Lubricates IT
• Account types: root and admin, network admin, domain admin, DBA, other “superusers”, shared accounts, service accounts (for apps)
• What they’re for: NOS devices, DNS/DHCP servers, firewalls, routers and switches, domain controllers, virtual machine admin, IaaS, databases, applications
• What they do: operations (start/stop services, run jobs, or generate reports); configuration, updates, maintenance, patches, tuning, troubleshooting; develop, administer and connect applications
• Love them or hate them, you can’t run IT without them
PAM Business Drivers
• Reduce risk of breaches
• Compliance drivers
– Maintain internal control
– PAM specifically mentioned in PCI DSS, SOX, NERC/CIP, and some local/regional regulations
– Simplify auditing and reporting
– Detect/prevent Separation-of-Duties (SOD) violations
Core Features
• Password vault
• Fine-grain privilege control
• Session manager
• Application credential management
• Ancillary services: discovery services, role management, policy engine, logging and auditing
• Platform flexibility: physical and virtual platforms, local or cloud-based, remote session protocols
• The password vault holds PAM accounts, managed credentials, policies and logs
• Other considerations: availability and performance
PAM Architecture Pattern
Password Vault
• Contains accounts for privileged users
• Contains policies for managed resources
• Encrypts and stores passwords, SSH keys, policies and logs
• Allows users to check out/reserve a credential
• Changes credentials on managed resources after use
• Provides a management console for centralized policy administration
• Deployed as software on a physical server, virtual machine, or appliance
Diagram: privileged user and admin credentials (passwords/SSH keys) are managed by the vault; vault admins administer it. The vault must be hardened and must maintain high availability!
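The check-out/reserve and rotate-after-use cycle from this slide, as an added example (not code from the slides or from any vendor's product): one user reserves a managed account at a time, the password is rotated on check-in, and the audit log records events but never secrets. The managed resource is a constructed stand-in.

```python
# Added example (not from the slides): a minimal model of the vault
# check-out / check-in workflow. One user reserves a credential at a
# time, the credential is rotated on the managed resource at check-in,
# and every step is written to an audit log that never holds secrets.
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class ManagedAccount:
    target: str                       # constructed name, e.g. "db01/root"
    password: str
    checked_out_by: Optional[str] = None

class PasswordVault:
    def __init__(self) -> None:
        self.accounts: Dict[str, ManagedAccount] = {}
        # Stand-in for the password each managed resource currently accepts
        self.resource_passwords: Dict[str, str] = {}
        self.audit: List[Tuple[str, str, str]] = []   # (event, user, target)

    def onboard(self, target: str) -> None:
        # The vault sets the initial password; no human ever chooses it
        pw = secrets.token_urlsafe(24)
        self.accounts[target] = ManagedAccount(target, pw)
        self.resource_passwords[target] = pw
        self.audit.append(("onboard", "vault", target))

    def checkout(self, user: str, target: str) -> str:
        acct = self.accounts[target]
        if acct.checked_out_by not in (None, user):
            self.audit.append(("checkout-denied", user, target))
            raise PermissionError(f"{target} is reserved by {acct.checked_out_by}")
        acct.checked_out_by = user
        self.audit.append(("checkout", user, target))
        return acct.password

    def checkin(self, user: str, target: str) -> None:
        acct = self.accounts[target]
        if acct.checked_out_by != user:
            raise PermissionError("only the reserving user can check in")
        # Rotate on check-in so the password the user saw stops working
        acct.password = secrets.token_urlsafe(24)
        self.resource_passwords[target] = acct.password   # push to resource
        acct.checked_out_by = None
        self.audit.append(("checkin-rotate", user, target))

    def resource_accepts(self, target: str, password: str) -> bool:
        return secrets.compare_digest(self.resource_passwords[target], password)
```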
Session Manager
• Session management mechanisms to control access to resources
• Enables monitoring, logging, and recording of administrative activities
• Role management and policy enforcement capabilities, SOD rules
• Generates alerts for policy exceptions
• Emergency access mechanisms to bypass normal operations when needed
Diagram: privileged users and admins reach target resources (network, systems) through session management (RDP, SSH, VNC, PCoIP, NX); policy inputs are roles, policies, SOD rules, filters and ACLs; logging and recording feed SOC monitoring.
Fine-Grained Privilege Control
• Establish more granular filters to limit administrative activities.
• Often includes agents installed within clients or target servers (similar to desktop management or AD Bridge tools).
Diagram: privileged users and admins reach target infrastructure resources (network, systems); a server agent enforces fine-grained privileges, and a client agent is required for some apps (e.g. Active Directory).
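The policy checks described on the Session Manager and Fine-Grained Privilege Control slides, as an added example (not code from the slides or from any vendor's agent): role-based command filters, a separation-of-duties rule, alerts on exceptions, and break-glass access that is allowed through but always alerted. The roles, filters and rules are constructed for illustration.

```python
# Added example (not from the slides): a small policy engine of the kind a
# session manager or server agent applies to each privileged command.
# The roles, command filters and SOD rules below are constructed for
# illustration; a real product would load them from the vault's policy store.
import re
from typing import Dict, List, Set, Tuple

# Role -> command patterns the role may run; fullmatch() anchors them, so
# "cat /var/log/auth.log" is allowed but "cat /var/log/x; rm -rf /" is not
ROLE_FILTERS: Dict[str, List[str]] = {
    "dba":       [r"systemctl (start|stop|restart) postgresql", r"psql [^;|&]*"],
    "backup-op": [r"pg_dump [^;|&]*", r"ls [^;|&]*"],
    "auditor":   [r"cat /var/log/[\w./-]+", r"journalctl[^;|&]*"],
}
# Separation of duties: role pairs a single user may not hold together
SOD_RULES: List[Tuple[str, str]] = [("dba", "auditor")]

class SessionPolicy:
    def __init__(self, user_roles: Dict[str, Set[str]]) -> None:
        self.user_roles = user_roles
        self.alerts: List[str] = []          # what the SOC would receive

    def sod_violations(self, user: str) -> List[Tuple[str, str]]:
        roles = self.user_roles.get(user, set())
        return [(a, b) for a, b in SOD_RULES if a in roles and b in roles]

    def authorize(self, user: str, command: str, break_glass: bool = False) -> bool:
        # Emergency access bypasses the filters but is always alerted on
        if break_glass:
            self.alerts.append(f"BREAK-GLASS {user}: {command}")
            return True
        violations = self.sod_violations(user)
        if violations:
            self.alerts.append(f"SOD {user}: {violations}")
            return False
        for role in self.user_roles.get(user, set()):
            if any(re.fullmatch(p, command) for p in ROLE_FILTERS.get(role, [])):
                return True
        self.alerts.append(f"DENIED {user}: {command}")
        return False
```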
Application Credential Manager
• Identify, store, and rotate application credentials and SSH keys in the password vault
• Eliminate the need to hard-code authentication information
– Use a simple API call instead
• May support caching to minimize performance impacts
• Commonly supported interfaces and protocols include:
– HTTP and HTTPS
– SOAP/XML
– Java
– VBScript
– C/C++
– PowerShell
Diagram: applications holding user ID/password, SSH key or other credentials call the password vault’s API (each with a local cache) before connecting to target resources (network, systems); the vault performs secure key exchange and password/key rotation.
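The API-call-with-local-cache pattern from this slide, as an added example (not code from the slides or from any vendor's SDK): the application proves its own identity to the vault, caches the fetched credential for a TTL, and refetches once when the resource rejects a cached credential after rotation. The vault API, application token scheme and resource are constructed stand-ins.

```python
# Added example (not from the slides): how an application fetches a
# credential through a vault API with a local cache instead of a hard-coded
# password. The vault, its API and the resource are constructed stand-ins.
import time
from typing import Dict, Optional, Tuple

class VaultAPI:
    """Stand-in for the vault's application-credential API."""
    def __init__(self) -> None:
        self.secrets: Dict[Tuple[str, str], str] = {}   # (app, target) -> password
        self.calls = 0                                   # round trips made
    def fetch(self, app_id: str, app_token: str, target: str) -> str:
        self.calls += 1
        if app_token != f"token-for-{app_id}":   # app must prove its own identity
            raise PermissionError("unknown application")
        return self.secrets[(app_id, target)]
    def rotate(self, app_id: str, target: str, new_password: str) -> None:
        # A real vault also pushes the new password to the managed resource
        self.secrets[(app_id, target)] = new_password

class CredentialClient:
    def __init__(self, api: VaultAPI, app_id: str, app_token: str, ttl: float = 300.0):
        self.api, self.app_id, self.app_token, self.ttl = api, app_id, app_token, ttl
        self.cache: Dict[str, Tuple[str, float]] = {}   # target -> (password, expiry)
    def get(self, target: str, now: Optional[float] = None) -> str:
        now = time.monotonic() if now is None else now
        entry = self.cache.get(target)
        if entry and entry[1] > now:
            return entry[0]            # cache hit: no round trip to the vault
        password = self.api.fetch(self.app_id, self.app_token, target)
        self.cache[target] = (password, now + self.ttl)
        return password
    def invalidate(self, target: str) -> None:
        self.cache.pop(target, None)   # call after an auth failure, then retry

def connect(client: CredentialClient, resource_accepts, target: str, now: float) -> bool:
    """Use the cached credential; if the resource rejects it (rotation), refetch once."""
    if resource_accepts(client.get(target, now)):
        return True
    client.invalidate(target)
    return resource_accepts(client.get(target, now))
```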
PAM Market Landscape
• Relatively small niche, but growing rapidly: ~$500 million annually, 32% rate
• Market leaders (in share + core features): BeyondTrust, CA, CyberArk, Dell, Lieberman Software, Xceedium
• More market players around the world
• Differentiators: high availability, platform + multi-tenancy support, workflow integration and SoD features, credential management, SIEM integration, session recording features
The PAM Map
• Hitachi ID Systems
• BeyondTrust, CA, Centrify, Dell, Enforcize, IBM, Lieberman, ManageEngine, Micro Focus, ObserveIT, Oracle, SecureLink, Thycotic, Xceedium
• CyberArk, Raz-Lee Security
• Pitbull Software
• Wallix
• Osirium, Balabit
• MasterSAM, Applecross
• SSH Communications Security
• NRI Secure
• Arcon
* Some names shortened or omitted for space. Source: Gartner list of 2015 PAM vendors.
Deploying PAM: Key Issues
• Getting and keeping stakeholder buy-in
• Creating high availability, disaster recovery and “break glass” procedures that work
• Integrating with identity, workflow and monitoring infrastructures
• Phasing in functionality on your schedule rather than the vendor’s
• Locking in favorable professional services and product support
Getting and Keeping Stakeholder Buy-in
“Nobody implements our product because they want to. They do it because someone is telling them they have to.” – Philip Lieberman, in an informal conversation with us, about 4 years ago
Recommendations
– Follow ALL recommendations in the coming slides to make PAM as transparent as possible for IT and the business
– Involve IT and business stakeholders and representatives from all affected teams in project phasing and process development
– Develop a communications and support package for all privileged users and administrators that will be affected
Maintain High Availability
• Eliminate single points of failure
• Deploy a high-availability password vault
– Active-active or active-passive failover, stretch cluster or PAM replication across sites
– Create and test DR plans
• Estimate and measure usage, size appropriately, and use load balancers for all PAM components
• Have “break glass” processes to keep IT running in the event any part of PAM fails
• Prevent or detect any abuse of “back doors”
Other Critical Recommendations
• Thoroughly plan and design integration with identity, workflow and monitoring infrastructures
• Phase in functionality on your schedule, not the vendor’s sales quotas
– Calibrate phasing to your infrastructure maturity level
• Lock in favorable professional services and product support terms
Conclusion
• PAM deployments can range from basic password vaults to advanced application hardening, session monitoring and analytics
• Although the market is relatively mature, few enterprises have deployed the technology outside niches to their full IT environment
• Don’t over-reach or you’ll get thrown on the defensive with internal constituencies
• The good news: An effective PAM deployment is likely to resolve some of your audit and compliance issues – as well as prevent many breach scenarios
Open Q&A
Security Architects, LLC
http://[email protected]
+1 (301) 585-4717