Securing Privileges in the Cloud. A Clear View of Challenges, Solutions and Business Benefits

Transcription

1 A Clear View of Challenges, Solutions and Business Benefits

2 Introduction Cloud environments are widely adopted because of the powerful, flexible infrastructure and efficient use of resources they provide to organizations of all sizes. Whether organizations are using private, public or hybrid cloud environments for infrastructure or software-as-a-service, the common goal is to achieve operational and cost benefits without giving up full control over infrastructure and data. Introducing a real challenge, privileged accounts in cloud environments are at a critical juncture of control and management because once an unauthorized user has access to privileged account credentials, control over the entire infrastructure is in the hands of the attacker. This is where securing privileged accounts plays a critical role in securing cloud environments and meeting audit and compliance requirements. Privileged Accounts in Cloud Environments Privileged accounts in cloud environments must be managed, protected and monitored just like privileged accounts in traditional datacenter environments. These privileged accounts include administrative accounts on virtual machines and management consoles as well as cloud provider APIs, and administrative accounts for software-as-a-service applications including corporate social media accounts. While securing privileged accounts in traditional environments is becoming common practice, there are unique characteristics of privileged users and credentials in cloud environments that introduce new challenges and requirements for protecting these accounts. The flexibility and dynamic nature of cloud environments leads to privileged accounts that are extremely powerful and must be properly secured. Beginning with the management console, an administrator can control thousands of images. Machines can be provisioned or deleted with the click of a button while corresponding administrator accounts are created and deleted at the same rapid pace. APIs expand this problem by provisioning and deleting machines without user interaction. All of this can be done without the added budget approval and purchasing processes that delivers a checks and balances review in a traditional hardware environment. The power of these management console and API credentials combined with the ease with which privileged users can execute actions puts organizations at risk of inadvertent or intentional disruption of the cloud environment or breach of existing security controls and policies. Equally important, this can result in unnecessary and unapproved expenses, defeating the cost savings advantage of cloud computing. Old Way Hack a System New Way Hack a Datacenter Cloud management tools provide a single access point for attackers to reach an entire datacenter. CyberArk Software Ltd. cyberark.com 1

3 Moving beyond the management consoles to the virtual server environment, privileged credentials grow exponentially in cloud environments because new server instances are commonly deployed by simply cloning an existing template. As a result, new servers are deployed instantaneously with default administrative passwords, which are at high-risk of being compromised because they can be easily guessed or discovered through basic investigation. This explosive use of default passwords in cloud environments poses a critical risk of unauthorized access. In both the management console and server layers, the dynamic nature of cloud environments makes detecting changes and monitoring activity extremely challenging. Beyond the challenges in traditional environments, it is difficult to maintain visibility in a cloud environment because privileged users can make changes to the environment with relative ease, avoiding detection. As a result, monitoring activity to detect changes is a challenge. Required Capabilities for Protecting Privileged Accounts in Cloud Environments Secure privileged credentials Privileged passwords and SSH keys are powerful and therefore should be stored securely. Access and use of privileged credentials should be tightly controlled with workflow approvals required for the most sensitive credentials. Audit logs and individual accountability are necessary for effective forensics investigations. Eliminate default passwords and SSH keys The rapid and seamless creation of machines introduces new privileged credentials to the environment at an alarming rate. For example, every new Linux machine in AWS is provisioned with an SSH key. Therefore, default passwords and SSH keys should be replaced or rotated upon provisioning of a new machine. The new credentials should meet existing policies for complexity and frequency of rotation. Isolate Activity Direct connections to critical systems by third parties can make virtual machines vulnerable to endpoint risks. The use of a jump server segregates an organization s internal network from the cloud and prevents malware from traveling from network machines and those of third parties to the cloud environment. The jump server acts as a single access control point, allowing organizations to enforce strict firewall rules, further enhancing security. Eliminate credentials in scripts and applications Passwords and SSH keys used to authenticate scripts and applications introduce a back door for attackers and should be removed and replaced with dynamic credentials stored in a secure environment. The rotation and retrieval of these credentials should be automated for maximum reliability and security. Monitor and record sessions The dynamic nature of cloud environments makes visibility into privileged credential access and use a real challenge. Monitoring and recording privileged user and session activity is required to identify malicious or unintentional changes to the environment. Tamper-proof audit logs and video recordings that can be viewed later are valuable for compliance and forensics purposes. Enforce least privileges Users with excess privileges can lead to accidental and intentional damage to the network. Reducing administrative privileges and enabling centrally managed privilege escalation minimizes the risk of credential misuse with no impact on user productivity. Detect anomalous activity For maximum security, organizations need a strategy for uncovering attacks already inside the cloud environment. In order to detect and disrupt malicious activity on privileged accounts, all activity should be collected and analyzed to detect anomalous activity. Once alerted to suspicious activity, organizations can stop in-progress attacks and reduce the window of opportunity for attackers. Cloud environments have privileged credentials in two different layers at the management console layer and at the virtual server layer. Therefore, it is important for organizations to employ a layered approach to protecting privileged credentials in both virtual servers as well as the tools used to manage the environment. Management tools that require protection include hypervisors, APIs and web management consoles provided by cloud service providers. This double-layer of privileged account security will mitigate the risk of unauthorized access to cloud environments. CyberArk Software Ltd. cyberark.com 2

4 Spotlight on Social Media Software-as-a-Service applications including corporate social media accounts on Facebook, Twitter and LinkedIn etc. are cloud applications that require protection. These accounts are often overlooked because they contain public-facing content, which is not sensitive or in need of protection from unauthorized access. However, if an unauthorized insider or external attacker gains access to the administrative credentials of the account, they could do serious damage to the business. Unapproved postings to social media accounts have led to significant brand damage, loss of customers and negative press in several high-profile cases. With a complete Privileged Account Security Solution, these powerful credentials can also be managed, protected and monitored to ensure social media postings are in the control of the enterprise at all times. Business Benefits of Securing Privileged Accounts in the Cloud Maximized Investment in Security Solutions Extending privileged accounts security solutions to cloud-based environments allows organizations to maintain a consistent security posture for privileged accounts across all servers, network devices and applications whether on-premises or in hybrid and public cloud environments. Organizations that invest in a comprehensive Privileged Account Security Solution will receive maximum value from a single solution that can manage all credentials and accounts regardless of location. Streamlined Management The use of one solution for all privileged accounts and credentials streamlines administration and management of solutions by providing a single management interface for all features of the solution as well as environments. In addition, DevOps teams can integrate the solution directly into existing cloud management tools including Chef, Puppet and Powershell for maximum productivity. This streamlined management makes IT, DevOps and security teams more efficient with day-to-day tasks and increases capacity to take on new strategic initiatives. Complete, Efficient, Auditing Process Full visibility, monitoring and recording of privileged account activity in cloud environments provides auditors with a complete view of activity and streamlines audit procedures. In addition, integrated reports on cloud-based and on-premises privileged activity increases efficiency and confidence that audit reports are complete and accurate. Conclusion Privileged accounts are a preferred attack vector for advanced external and internal attacks because they provide a pathway directly into the heart of the enterprise. In order for organizations to achieve a complete privileged account security layer, all cloud-based and on-premises privileged accounts must be secured. With CyberArk Privileged Account Security, organizations can deploy a layered security strategy for proactive protection and detection of all privileged accounts regardless of where they reside. This approach delivers a critical security layer designed to disrupt advanced external and internal attacks before they stop business. CyberArk Software Ltd. cyberark.com 3

5 1. Appendix: The CyberArk Privileged Account Security Solution The CyberArk Privileged Account Security Solution provides a single solution for protecting all privileged accounts whether on-premises or in the cloud. The integrated set of products built on a common platform delivers the required features for protecting privileged accounts regardless of where they live. Specific to cloud environments, the CyberArk Privileged Account Security Solution includes: Shared Technology Platform The CyberArk Privileged Account Security Solution is built on a common platform, The CyberArk Shared Technology Platform. The consolidated platform delivers a single management interface, centralized policy creation and management, and a secure Digital Vault. The platform is design to centralize management of all privileged credentials for both on-premises and cloud environments to reduce costs and minimize resources required for securing privileged accounts across the organization. Enterprise Password Vault securely stores privileged passwords and provides access for authorized users across a broad range of cloud applications. Management features include automated password rotation based on existing policies. This automated process reduces the time-consuming and error-prone task of manually tracking and updating privileged credentials to easily meet requirements for securing cloud environments. SSH Key Manager securely stores private SSH keys, commonly used to authenticate to cloud environments and UNIX images. Once securely stored, the solution enables automatic rotation of key pairs and provides detailed audit logs on the use of SSH keys by users and applications. Application Identity Manager eliminates hard-coded credentials including passwords and encryption keys from cloud management scripts and applications. CyberArk s Application Identity Manager meets enterprise requirements for availability and business continuity and eliminates embedded application credentials often without requiring code changes and with zero impact on performance. Privileged Session Manager isolates, controls, records and monitors privileged user access and activities to virtual machines, cloud management consoles, websites and SaaS applications. The solution acts as a jump server, providing a single-access control point and secure connection to the cloud provider. This results in true network segregation with full monitoring and auditing capabilities. On-Demand Privileges Manager allows privileged users to use administrative commands from their native session on guest machines while eliminating unneeded root access or admin rights. This secure and enterprise ready sudo-like solution provides unified and correlated logging of all super-user activity linking it to a personal username while providing the freedom needed to manage machines in cloud environments. Privileged Threat Analytics uses behavioral-based analytics to establish a baseline profile of all users and account activity to then compare real-time data and detect anomalous activity. Alerts on anomalous activity indicate an in-progress attack and enable organizations to shut down attacks and minimize business impact. CyberArk Software Ltd. cyberark.com 4

6 All rights reserved. This document contains information and ideas, which are proprietary to CyberArk Software Ltd. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, without the prior written permission of CyberArk Software Ltd. Copyright by CyberArk Software Ltd. All rights reserved. cyberark.com CyberArk Software Ltd. cyberark.com 5