Identity Centric Security: Control Identity Sprawl to Remove a Growing Risk

Transcription

1 Identity Centric Security: Control Identity Sprawl to Remove a Growing Risk John Hawley VP, Security CA Technologies September 2015

2 Today s Theme: Preparing for the Adversary How to Prepare Your Organization for Attack Attacks are increasingly being focused on legitimate identities and exploiting our inability to properly control access. This presents a challenge to the modern enterprise because organizations are being forced by the business to be more open and accessible than ever. We will discuss the most likely attack points and share approaches to reduce the identity attack surface CA. ALL RIGHTS RESERVED.

3 Traditional Approach to Security Is Not Enough CA. ALL RIGHTS RESERVED.

4 Application Economy is Driving a More Open Enterprise Consumer/Citizen Engagement 1.75B 25 smartphone users in Mobile Apps (API) / DevOps + Sec Business apps per device 2 Internet of Things 50B Connected devices (IoT) by SaaS Adoption >$100B in cloud spending this year CA. ALL RIGHTS RESERVED.

5 The threat is not limited to governments: there are many highly public examples of insider breaches CA. ALL RIGHTS RESERVED.

6 From Bradley Manning to Edward Snowden, insider threats have become top of mind CA. ALL RIGHTS RESERVED.

7 New Attacks are Focused on Exploiting Identity Malicious Insider Employees Administrators Customers / Citizens Partners Connected Devices Criminal Organization Former Employee uses credentials on a SaaS application to steal sensitive corporate data Attackers Increasingly Exploit Legitimate User Accounts Administrator password is exposed thru phishing attack and used to steal corporate IP Customer account is taken over due to stolen password file on mobile device or another web site Partner (with less security controls) is exploited; attacker uses partner account to reach retail systems PERIMETER SECURITY IS NOT ENOUGH: MUST TAKE IDENTITY CENTRIC APPROACH CA. ALL RIGHTS RESERVED.

8 Identity Centric Security Mobile / IoT Developer Communities Customers Centralized Identity & Access Cloud Services www Web / Mobile / API Partners/Divisions Employees / Contractors On Premise CA. ALL RIGHTS RESERVED.

9 There are three types of insiders Malicious Insiders Typically start with good intentions and go bad after an event or external recruitment "Most insider breaches were deliberate and malicious in nature, and the majority arose from financial motives. - Verizon 2014 DBIR Exploited Insiders Only amateurs attack machines; professionals target people. - Bruce Schneier? Careless 24% of incidents, 35% of our time Insiders - Patrick Reidy, Chief Information Security Officer, FBI CA. ALL RIGHTS RESERVED.

10 There are several misconceptions about insider threats 1 The people behind insider threats are hackers 2 Insider threats are primarily a technical problem We HAVE to trust our employees and administrators Detection of security breaches is the most important part of an insider threats defense program Analyzing massive amounts of data is the solution CA. ALL RIGHTS RESERVED.

11 Misunderstanding the threat: Insiders are very rarely hackers 1 The people behind insider threats are hackers But they likely have access to sensitive data Or they may have privileged access to sensitive systems If they don t know where sensitive data resides, they can easily find out They have been entrusted with all the tools they need But our defenses are often focused on the elite threat CA. ALL RIGHTS RESERVED.

12 Understanding, in addition to technical prowess, is critical 2 Insider threats are primarily a technical problem Know Your People What are their work hours? What are their network use patterns? What devices do they use? What is their role? How has it changed? What are their ambitions? Know Your Data What are the crown jewels of your organization? What data, if exposed, would cause the most long-term damage to your organization? What data, if breached, would cause the most short-term damage? What data must be protected, according to laws and regulations? Know Your Enemy Who would be targeting your organization? Who would they target inside your organization? Who are the high risk individuals in your organization? CA. ALL RIGHTS RESERVED.

13 Organizational factors cited as contributing factors to insider attacks Poor management practices Poor use of auditing functions Poor security culture Lack of adequate, role-based, personnel security risk assessment Poor pre-employment screening Poor communication between business areas Lack of awareness of people risk at a senior level Inadequate corporate governance 2 Insider threats are primarily a technical problem CA. ALL RIGHTS RESERVED.

14 The principle of least privilege applies to EVERYONE What it is What it does 3 We HAVE to trust our employees and administrators The Principle of Least Privilege Access Restricts access to the minimum a user needs to do his/her job Limits damage done by a malicious or exploited insider Stops stupid mistakes Least Privilege is not a matter of trust. Everyone benefits from the proper access controls CA. ALL RIGHTS RESERVED.

15 Focus on deterrence as a critical reason for technical controls 4 Detection of security breaches is the most important part of an insider threats defense program People are extremely unlikely to commit an attack if they believe they will get caught. Develop a culture of security within your organization. Make it tough for insiders to operate CA. ALL RIGHTS RESERVED.

16 What data should we really be looking at? 5 Analyzing massive amounts of data is the solution Big Data >80% of data movement is done by <2% of population* Identity-focused Data Anomalies and red flags can be detected by looking at individuals Indicators must be observable and differentiating Source: Internal FBI Computer Security Logs ( The-FBI-Slides.pdf) CA. ALL RIGHTS RESERVED.

17 To better understand YOUR organization s exposure to privileged insiders, answer six key question areas Identifying Exposure to Privileged Identities Do you allow shared privileged access to your sensitive servers? How do you account for privileged users actions? Can your system administrators access sensitive data on the servers? Do you have controls to prevent/log that? Can you trace administrative action back to administrative users? Have you had system down incidents where you needed to do so? Do you have any controls in place for shared account access on your sensitive servers? What server operating systems do you have deployed? How do you manage security across operating systems? 6 How do you provide evidence of compliance? CA. ALL RIGHTS RESERVED.

18 Mitigating attacks thru legitimate user accounts is not easy, but it IS about SURVIVAL The U.S. economy has changed over the past 20 years. Intellectual capital rather than physical assets now represent the bulk of a U.S. corporation s value. This shift has made corporate assets far more susceptible to espionage. - Protecting Key Assets: A Corporate Counterintelligence Guide, The Office of the National Counterintelligence Executive (ONCIX), 2014 so how do we do that? Source: Ocean Tomo Intellectual Capital Equity, Courtesy Office of The National Counterintelligence Executive CA. ALL RIGHTS RESERVED.

19 Mitigation: Identity Governance Identity analytics & privilege cleanup User selfservice Keys To Success Put the business in front of the process not IT Ongoing refinement Complete Identity Lifecycle User On-boarding Certify user access Managers Auditors Deliver an end-user application experience Include physical access systems in clean up What you need to do Enable end user with simple experience Control & govern access to sensitive data Efficiently scale to tens millions of identities Value to your business Visibility into who has access to what Mitigate risks of users with excessive privileges Increased user productivity CA. ALL RIGHTS RESERVED.

20 Mitigation: Privileged Identity Management EXTERNAL THREATS Traditional Perimeter INSIDER THREATS Shared Admin Account Sensitive Data Keys To Success Get the quick win with password vault, then include app and server Traditional Hackers Organized Crime Military Hackers Hacktivists Administrators Employees Partners Application Account Privileged Identity Critical Systems Add privileged accounts to the governance process Self certification of privileged access activity What you need to do Protect shared account passwords Control privileged identities Record Admin actions for forensic analysis Value to your business Improved security thru Least privilege access Reduced risk of reputational damage Improved accountability for Administrators CA. ALL RIGHTS RESERVED.

21 Mitigation: Multi-Factor Authentication ANY DEVICE Context-based authentication Device Geolocation Velocity User history Fraud patterns REJECT/STEP-UP AUTH Flexible Access Mgt & SSO WEB & MOBILE APPS Keys To Success Assume the password is already compromised Think adaptive controls based on a risk model Think simple user experience What you need to do Adopt risk-based approach to user auth Provide step up auth for suspicious transactions Centralize security policy management Value to your business Increases security without end user friction Detects and blocks fraud with real-time analysis Improves security and reduces admin costs CA. ALL RIGHTS RESERVED.

22 Mitigation: Federated Access Keys To Success Centralized Access Control Session Assurance Cloud Services On Premise Create accounts only as needed JIT provisioning Get to know OAuth and OpenID Connect Disable local authentication at SaaS apps What you need to do Centralize access policy and enforcement to on premise and SaaS applications Plan for legacy systems & move to mobile & API Enable developers with easy access to access services Value to your business Reduce chance of error leading to breach Maintain compliance - Immediate removal of access rights when job role changes Better user experience for employees CA. ALL RIGHTS RESERVED.

23 Mitigation: API Gateway SSO/ Auth SDK www Desktop / Web Mobile / IoT Finegrained API Access Control API Keys To Success Let the business experiment by opening APIs with mobile SDK Cloud Services Prepare for new single page web apps On Premise Threat Protection API Deploy rate limiting & use OAuth on a per app basis What you need to do Control access to APIs based on user, app and device Protect exposed APIs from external threats such as SQL injections and x-site scripting attacks Provide SSO across native and mobile web apps Value to your business Protect sensitive assets from compromise reducing impact to brand and regulatory compliance Delight customers with great mobile experiences Accelerate delivery of new mobile apps CA. ALL RIGHTS RESERVED.

24 Sell the business value of Identity & Access Management PROTECT THE BUSINESS Control access based on context around identity Gain visibility to govern user access rights Control privileged account access ENABLE THE BUSINESS Single sign-on for web & mobile applications Self service access request and approvals Reduced cost of user support / pw reset CA. ALL RIGHTS RESERVED.

25 Managing privileged identities is also necessary to comply with regulations and security best practices CA. ALL RIGHTS RESERVED.

26 CA Identity and Access Management by the numbers LARGE, DIVERSE CUSTOMER BASE 21 OF THE TOP 25 FORTUNE 500 COMPANIES 15 OF THE TOP 16 GLOBAL BANKS 8 OF THE TOP 10 US MANUFACTURING COMPANIES PROVEN SCALABILITY ENABLED MAJOR RETAILER TO PROCESS 240M TRANSACTIONS ON BLACK FRIDAY 30 CUSTOMERS ARE USING CA SSO TO SUPPORT WEBSITES WITH OVER 10M USERS OUR AUTHENTICATION SOLUTION IS ENABLING ONE CUSTOMER TO SUPPORT 165M CARDHOLDERS PROVIDING VALUE TO OUR CUSTOMERS CA IDENTITY MANAGER SAVES TNT OVER $1M ANNUALLY ON PASSWORD RESET COSTS IN A RECENT SURVEY, 75% OF SURVEYED ORGANIZATIONS IMPROVED USER PRODUCTIVITY SIGNIFICANTLY WITH CA IDENTITY MANAGER 79% OF SURVEYED ORGANIZATIONS SIMPLIFIED THEIR COMPLIANCE PROGRAM WITH CA SECURITY SOLUTIONS CA. ALL RIGHTS RESERVED.

27 CA Security Solutions to accelerate development & deployment of your secure applications while improving engagement with customers and protecting all your critical data ENABLE AND PROTECT THE OPEN ENTERPRISE IN THE APPLICATION ECONOMY Unified Access End-to-End Security Trusted Business Managing user access across multiple channels for unified user experience across web, mobile & APIs Controlling access end-toend from the mobile app through transmission to the API & the backend data Balancing business enablement with protection, delighting customers while instilling trust CA. ALL RIGHTS RESERVED.

28 What you need to be thinking about ENGAGE THE BUSINESS EARLY IN THE PROCESS PLAN BROADLY AND DEPLOY FOR QUICK WINS CONTINUALLY MATURE YOUR CAPABILTY CA. ALL RIGHTS RESERVED.

29 Legal Notice Copyright 2014 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. No unauthorized use, copying or distribution permitted. THIS PRESENTATION IS FOR YOUR INFORMATIONAL PURPOSES ONLY. CA assumes no responsibility for the accuracy or completeness of the information. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENT AS IS WITHOUT WARRANTY OF ANY KIND, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. In no event will CA be liable for any loss or damage, direct or indirect, in connection with this presentation, including, without limitation, lost profits, lost investment, business interruption, goodwill, or lost data, even if CA is expressly advised of the possibility of such damages. CA does not provide legal advice. Neither this document nor any CA software product referenced herein shall serve as a substitute for your compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, policy, standard, guideline, measure, requirement, administrative order, executive order, etc. (collectively, Laws )) referenced in this document. You should consult with competent legal counsel regarding any Laws referenced herein. Certain information in this presentation may outline CA s general product direction. This presentation shall not serve to (i) affect the rights and/or obligations of CA or its licensees under any existing or future written license agreement or services agreement relating to any CA software product; or (ii) amend any product documentation or specifications for any CA software product. The development, release and timing of any features or functionality described in this presentation remain at CA s sole discretion. Notwithstanding anything in this presentation to the contrary, upon the general availability of any future CA product release referenced in this presentation, CA may make such release available (i) for sale to new licensees of such product; and (ii) in the form of a regularly scheduled major product release. Such releases may be made available to current licensees of such product who are current subscribers to CA maintenance and support on a when and if-available basis CA. ALL RIGHTS RESERVED.