Managing Privileged Identities in the Cloud. How Privileged Identity Management Evolved to a Service Platform

Transcription

1 Managing Privileged Identities in the Cloud How Privileged Identity Management Evolved to a Service Platform

2 Managing Privileged Identities in the Cloud Contents Overview...3 Management Issues...3 Real-World Example...5 Use Cases...6 Choice of Access Methods...7 About ERPM...8 Conclusion...9 About Lieberman Software

3 How Privileged Identity Management Evolved to a Service Platform Overview Every cloud infrastructure can be home to potentially hundreds of thousands of vulnerable privileged accounts present as stale, shared or misconfigured administrative logins; VM and application instances with unchanged, published default logins; and otherwise poorly secured and easily cracked credentials. The presence of automated hacking tools means that even a small number of improperly secured privileged logins are virtually certain to give hackers free reign on the network and access to customers private data within minutes of an incursion. Cloud service providers face enormous market pressures to deliver high service availability and consistent data security at an absolute minimum cost. Yet until now privileged accounts and other file-based secrets have proven difficult to secure within large-scale, dynamic cloud service provider networks using human intervention and first-generation software tools. As a result, improperly secured privileged accounts provide an easily exploited attack surface for hackers and malicious insiders. For example, a 2012 Verizon survey 1 of larger organizations that suffered data breaches revealed that 84% of records were stolen as a result of compromised credentials. Fortunately new types of automation are being introduced to address the problem of weak and unmanaged privileged credentials present in cloud infrastructures. This whitepaper outlines how Privileged Identity and sensitive file management is evolving as a platform for lifecycle orchestration in cloud service environments. Management Issues Concerns about cloud security are cited as the top roadblock to enterprise adoption, with a recent survey by the Information Systems Audit and Control Association (ISACA) revealing that nearly 7 in 10 US IT professionals believe the risks to cloud services adoption outweigh the potential benefits 2. Cloud service providers face significant risks from even a single data loss incident - including not only direct remediation and legal costs, but also the loss of business resulting from public disclosure. And service providers face a daunting challenge to secure constantly changing physical and virtual IT assets using security methodologies that in some cases were never intended to scale to the size of cloud services networks. The issues can be especially acute when it comes to securing privileged identities in cloud infrastructure. SANS Institute calls the misuse of these administrative privileges a primary Data Beach Investigations Report, Verizon RISK Team, page 26 2 ISACA 2012 IT Risk/Reward Barometer: North America,

4 Managing Privileged Identities in the Cloud method for attackers to spread inside a target enterprise. 3 And cloud environments are home to vast numbers of rapidly changing privileged accounts present on physical and virtual tiers (Figure 1 below), including: Administrative logins on physical and virtual computers (Windows, Linux, UNIX, and others), as well as the privileged logins present in VM hypervisors Administrator and Root accounts present in directory services Highly privileged service and process accounts used for application-to-application and application-to-database authentication Root and Admin accounts present on physical and virtual network security appliances and backup appliances Figure 1 Privileged Accounts Present on Physical and Virtual Tiers In general, privileged identities aren t managed by conventional Identity and Access Management (IAM) systems, because unlike conventional user logins, privileged accounts aren t typically provisioned. Instead, privileged accounts frequently appear on the network whenever physical and virtual IT assets are deployed and changed. As a result, privileged credentials must be 3 Critical Control 12: Controlled Use of Administrative Privileges, -

5 How Privileged Identity Management Evolved to a Service Platform discovered and continuously tracked by software that s separate from IAM. And, because every shared, static, or cryptographically weak privileged identity represents a potential attack surface, IT regulatory mandates including Critical National Infrastructure mandates, PCI DSS, SOX, HIPAA and others require that these credentials be frequently changed. These privileged passwords must also be cryptographically complex. Access to these passwords must be attributed to named individuals and audited. Because of the risks introduced by unmanaged privileged identities, industry groups cite the control and auditing of privileged access as an essential cornerstone of effective cloud security. For example, the Controls Matrix (IS-08) published by the Cloud Security Alliance reads, in part 4 : privileged user access to applications, systems, databases, network configurations, and sensitive data and functions shall be restricted and approved by management prior to access granted. The provisioning, control and auditing of file-based secrets including certificates, large binary files and other assets can prove a daunting challenge where access lists and even the assets themselves change more rapidly than human intervention can manage. Real-World Example Lieberman Software has been approached by a US Fortune 100 Cloud Service Provider (CSP) who markets its services to corporate customers, including very large enterprises. The CSP s network consists of well over one million virtual machines, with requirements for automated secrets management that include the ability to: Control of all aspects of the privileged identity life cycle using a PowerShell interface Immediately deploy, manage and de-provision privileged accounts and file-based secrets (including x.509 and other certificates, and large binary files) regardless of the physical or virtual machine where they reside Change privileged credentials in defined groups of systems without service impact Programmatically register and manage new service accounts on physical and virtual machines Programmatically retrieve credentials to support run-time applications Audit and report all service operations through the machine interface The scope of the CSP s environment is highly elastic, and operational demands have left the organization with a need to build in privileged identity security as part of the provisioning process. Details of the solution that has been deployed to meet the needs of this and other customers are provided in the following section

6 Managing Privileged Identities in the Cloud Use Cases To keep pace with the demands of cloud service and larger enterprise deployments, a new version of Enterprise Random Password Manager (ERPM ), the privileged identity management (PIM) solution from Lieberman Software, has evolved from a software application to a service platform. In this new PIM programmatic access model, discovery, auditing and access control are managed by machines instead of direct human intervention. The PIM service platform is designed to interact with datacenter workflow frameworks such as Microsoft System Center Orchestrator and, and, in the case of the largest datacenters, in-house frameworks. Basic features of the service architecture include programmatic control of: Privileged account discovery and tracking that is both sufficiently broad in platform scope and deep in terms of account discovery (including discovery and tracking of process and service interdependencies to enable safe, automated changes of any interdependent accounts) Password change jobs, as needed to comply with regulatory mandates Rules for human and machine access Ongoing detection and decommissioning of inactive accounts as they are removed An example implementation consists of two separate interfaces Web services (SOAP) and PowerShell that expose all aspects of privileged identity management as an engine to support automation. Figure 2 below shows an example an example of the SOAP APIs that can interact with the framework. Figure 2 Example Web Services APIs - 6 -

7 How Privileged Identity Management Evolved to a Service Platform The full life cycle of privileged identity and certificate management has been orchestrated to address the needs of the CSP cited in the Real-World example above. This evolution marks a change in the way CSPs can embed security into their existing provisioning process to mitigate risks and achieve compliance objectives. Choice of Access Methods In addition to new Web services (SOAP) and PowerShell service platform extensions, ERPM provides both a Windows administration console and a Web browser interface to expedite setup and minimize management workloads whenever human oversight is needed. Using purely Windows console and Web browser access, ERPM has proven to be easily managed in enterprise and service provider networks consisting of hundreds of thousands of managed systems. Among other benefits, the ERPM human interfaces provide real-time, interactive business intelligence reports that can help corporate IT staff quickly identify potentially anomalous human and machine behaviors, IT service management bottlenecks, and similar issues that would be impossible to detect by reviewing log data alone (Figure 3 below). Figure 3 Business Intelligence Reporting is Part of the ERPM Web Interface - 7 -

8 Managing Privileged Identities in the Cloud About ERPM ERPM is the first privileged identity management product that automatically discovers, secures, tracks and audits the privileged account passwords in the cross-platform enterprise. It provides the accountability of showing precisely who has access to sensitive data, at what time and for what stated purpose. By doing so, ERPM helps prevent unauthorized, anonymous access to an organization s most crucial proprietary data. ERPM secures privileged identities throughout your IT infrastructure, including: Super-user login accounts utilized by individuals to change configuration settings, run programs and perform other IT administrative duties Service accounts that require privileged login IDs and passwords to run Application-to-application passwords used by web services, line-of-business applications and custom software to connect to databases, middleware and more As this privileged account management product continuously discovers privileged accounts on the network, it regularly changes each account s password to a unique value, deploys the password changes wherever they are used, and grants fast, audited access to authorized IT staff. And, ERPM dashboards give you real-time, interactive views of privileged account security everywhere on your network. ERPM deploys quickly and easily. Customers implement the solution on global networks in days not months to lower their cost of ownership and quickly boost IT staff productivity. After deployment, ERPM automatically keeps up with changes on complex, heterogeneous networks without customization, scripting, or added-cost professional services

9 How Privileged Identity Management Evolved to a Service Platform Conclusion Now that solutions have evolved to service platforms that are designed to meet Cloud Service Provider requirements for managing privileged identities, certificates and other file-based secrets in large, elastic environments, a significant operational roadblock is removed that once prevented the largest CSPs from complying with industry and regulatory requirements. Organizations that desire more insight into potential risks of the unsecured privileged accounts in their IT environments can contact Lieberman Software for an ERPM software trial. ERPM documents potential risks present in the infrastructure, enumerating privileged accounts by hardware platform, account and service type. It then continuously secures privileged accounts everywhere on your network and provides an audit trail of each access request. ERPM trial software is available at no cost to qualified organizations. To find out more about ERPM, visit liebsoft.com/erpm To request a demonstration of ERPM in your environment, [email protected] To request a risk assessment and report, visit liebsoft.com/risk_assessment About Lieberman Software Lieberman Software Corporation, established in 1978 as a software consultancy, has been a profitable, management-owned organization since its inception. Lieberman Software pioneered the privileged identity management space by releasing the first product to this market in Since then, the company has regularly updated and expanded its privileged password management solution set while growing its customer base in this vibrant and emerging market. Lieberman Software now has more than one thousand global customers, including more than 40 percent of the Fortune 50. Lieberman Software is a managed Microsoft Gold Certified Partner, an Oracle Gold Partner and an HP Silver Business Partner. The company has technology integrations with other industry leaders such as Cisco, Dell, RSA, Novell, IBM, Thales, and VMware. P (USA/Canada) P (01) (Worldwide) F (01) Avenue of the Stars, Suite 425, Los Angeles, CA Lieberman Software Corporation. Trademarks are the property of their respective owners