PCI DSS Compliance: The Importance of Privileged Management. Marco Zhang

Transcription

1 PCI DSS Compliance: The Importance of Privileged Management Marco Zhang

2 What is a privileged account? 2

3 Lots of privileged accounts Network Devices Databases Servers Mainframes Applications 3

4 Lots of people need access to them Admins Helpdesk Developers Vendors Applications 4

5 Difficult to provide individual accountability John Username Password Server 1 Administrator Pa$$word Server 1 Maxi Kelly 5

6 Huge security and compliance risk Very Powerful IT Admin - Deleted 15 virtualized machines that ran 88 servers IT Admin Stole patient records and test results IT Director Deleted files and software applications Systems Admin Took down 2000 servers 6

7 Additional Problems with Privileged Accounts Compliance often drives the need to know WHAT was done during certain privileged or sensitive access do you need to know exactly what as done by: Remote Vendors? Outsourced service providers? Developers granted access to production systems? Fire-call activities? User or admin accessing sensitive resources or applications (Financial/SOX servers, HR, etc.) 7

8 Deeper look at internal threats 8 Source: The 2015 Data Breach Investigations Report (DBIR)

9 PCI DSS controls around privileged accounts Limit access to cardholder data to only authorized users Ensure each user is uniquely identified and has explicit approval for only the least amount of data and privilege needed to perform their job role Enforce strong password management settings Track logging and recording of all privileged user activity Prevent the abuse of system accounts Secure audit logs 9

10 The Risks Controlling vendor access Enabling developer access Internal threats Issuance of credentials Separation of duties Limited rights for daily tasks Monitor and Audit Many, many more 10

11 Dell Privileged Account Management The Solution: Privileged Password Manager Lets the business solve the shared password accountability challenge Enforce control via simple workflows (requests and approvals) Audit trail of all password access for individual accountability Handles embedded password use-cases for applications and scripts Hardened physical appliance 11

12 Dell Privileged Account Management The Solution: Privileged Session Manager Lets the business answer the question: Who did what with their access? Provides session recording and playback Enforce control via simple workflows (requests and approvals) Hardened physical appliance 12

13 Support for all types of deployments Easy deployment High availability Decentralized Distributed 13

14 Beyond Privileged Management Need Management Need Governance 1. Eliminate password sharing 2. Enforce as leastprivileged model 3. Audit administrator activity 4. Assign individual accountability 5. Prove compliance 1. Privilege safe 2. Delegation (sudo, root, AD etc.) 3. Session audit and keystroke logging 4. Granular policy 5. Policy audit and session audit 1. One-action provisioning 2. Unified policy 3. Who should do it vs. who knows how to do it 4. Privileged identity not separated from regular identity 5. Easy attestation and reporting 1. Automated and unified request and fulfillment 2. Modeled approach to roles and rules 3. Power in the hands of LOB not IT 4. Unified namespace 5. Self-service, business-driven attestation and reporting 14

15 Complete Identity Governance and Administration Solution Identity Governance Achieve complete, business-driven governance for identities, data, and privileged access by marrying visibility & control with administration Access Management Ensure that all users can get to the resources they need to do their jobs from any location and any device in a convenient, secure, & compliant manner Privileged Management Centrally manage privileged accounts with individual accountability through granular control & monitoring of administrator access. 15

16 To learn more Dell Privileged Management Dell Identity Governance Dell Access Management Why PCI DSS Compliance is Impossible without Privileged Management 16 Choosing the right privileged management solution

17 Thank You! 17