2013 AWS Worldwide Public Sector Summit Washington, D.C.

Transcription

1 Washington, D.C. Next Generation Privileged Identity Management Control and Audit Privileged Access Across Hybrid Cloud Environments Ken Ammon, Chief Strategy Officer

2 Who We Are Security software company providing Next Generation Privileged Identity Management solutions Global Fortune 1000 and Government customer base Headquartered in Herndon, VA Xsuite Platform Best Privileged Access Management Solution Best Overall IT Company RSA 2011 Hot New Security Product Cool Vendor Hot Company to Watch Top 100 Global Company FIPS 140-2, Level-2 Common Criteria EAL 4+ UC/Approved Prod. List

3 Our Customers Include Commercial Federal Top 5 Global Bank Top 3 Telecommunications Company Fortune 10 Financial Services Company Top 5 Global Retailer Multiple Global Stock Exchanges Fortune 200 Food Products Company Top 3 Online Broker Top 3 Smart Phone Provider Top 3 Food and Drug Retailer

4 The Problem We Solve Protect Enterprises from Privileged User Risks Reduced Complexity of Audit and Compliance Controls PCI/DSS, HIPAA/HITECH, NERC CIP, FISMA, GLBA, SOX Privilege Usage Gateway to Manage Access Across Traditional, Virtualized, Cloud, and Hybrid Environments Enable Secure Migration of Enterprise Applications to the Cloud Federate Privileged Identity Across Hybrid Cloud Environments Separate Authentication from Authorization

5 Deploy Privileged Account Management for IaaS and Private Cloud Administrators of private cloud and IaaS environments gain more concentrated power and the risk that goes with it..additional controls should be put in place around the privileged accounts within these environments and employ privileged account management products to aid in placing finer-grained controls around the additional operations that these environments provide. -Nick Nikols, Analyst for Gartner The State of Identity and Access Management With Regard to Public and Private Clouds

6 Compliance and Audit Controls, Directives, Policy, Frameworks. HSPD-12, CAP Goals (PIV, Cont. Monitoring, TIC) NIST SP (r4) (Insider Threat, Cloud) Audit Findings (POAM) Shared accounts ( who was root ) Shared credentials ( / sticky note) Weak / default passwords Poor privilege management and role-based access Violating least privilege

7 DoD Identity Authentication for Information Systems Credential Strength E all administrative access Hardware token PKI technology Identity proofing Identity vetting Credential registration Credential Management i.e. DoD Common Access Card

8 Who Are Privileged Users? On Premise VMware Administrator Microsoft Office 365 Administrator Employees/Partners Systems Admins Network Admins DB Admins Apps Application Admins AWS Administrator Public Cloud Employees Systems/NW/DB/A pplication Admins Internet Partners Systems/NW/DB/Application Admins Unauthorized User Hacker (Malware/APT) Apps

9 Migration to the New Enterprise STAGE 1: Server Virtualization Figure 2. The Virtualization Road Map Through Private Cloud Computing STAGE 2: Distributed Virtualization STAGE 3: Private Cloud MANAGEMENT PLANE STAGE 4: Hybrid Cloud STAGE 5: Public Cloud Business Drivers: Cost Reduction Speed Agility New Applications Software Defined IT Infrastructure New IT Operations Model Consolidation Capital expense Source: Gartner (February 2012) Flexibility and speed Operational expense automation Less downtime Self-serve agility Standardization IT as a business Usage metering Costs for peak loads Flexibility for peak loads Capital expense elimination Increased flexibility (up and down) New Risk/Compliance Issues

10 NIST Guide to Security for Full Virtualization Technology Restrict and protect administrator access to the virtualization solution The security of the entire virtual infrastructure relies on the security of the virtualization management system start guest OSs, create new guest OS images, and perform other administrative actions. Because of the security implications of these actions, access to the virtualization management system should be restricted to authorized administrators only. Secure each management interface, whether locally or remotely accessible. For remote administration, the confidentiality of communications should be protected, such as through use of FIPS-approved cryptographic algorithms and modules.

11 NIST Cloud Security Architecture

12 NIST Cloud Security Architecture Privilege Management Infrastructure Identity Management Domain Unique Identifier Identity Provisioning Authorization Services Policy Enforcement Policy Management Resource or Data Management Role Management Out of the Box (OTB) Federated IDM Attribute Provisioning Policy Definition Privileged Data Management XACML Obligation Authentication Services SAML Token OTP Biometrics Risk Based Authenticati on Smart Card Single Sign On WS Security Identity Verification Privilege Usage Management Keystroke/Sessio n Logging Privilege Usage Gateway Multifactor Password Management Network Authentication Middleware Authentication OTB Password Vaulting Resource Protection NIST (r4) Security Controls

13 Introducing Xsuite Next Generation Privileged Identity Management New Enterprise Traditional Data Center Virtualized Data Center Public Cloud - IaaS SaaS Applications Mainframe, Windows, Linux, Unix, Networking VMware Console AWS Console & APIs Office 365 Console Control and Audit All Privileged Access Vault Credentials Centralized Authentication Federated Identity Privileged Single Sign-on Role-Based Access Control Prevent Leapfrogging Monitor & Record Sessions Full Attribution Unified Policy Management Identity Integration Enterprise-Class Core Hardware Appliance OVF Virtual Appliance AWS AMI

14 Xsuite Security Admin High Level Xsuite Architecture - Security, Compliance, and Audit simplified Web Interface Privileged User Authentication Service Federated Privileged Identity Service Security Policy Engine (Authorization Services) Password and Key Vaulting and FIPS Encryption Session Applets API Proxy Keystroke and Session Recording Alerting, Logging, and Resource Protection Privileged Identity and Authentication Management HSM Crypto Support Target Cloud, Application or Host Platform Third Party Log and SIEM Platform Third Party Encryption, Identity Providers, and X.509 Services Directory Services (LDAP, AD FS, AD)

15 Xsuite In Action Attribute Identity for Shared Accounts (e.g., Root/Admin) Prevent Leapfrogging Record Sessions Monitor Sessions & Prevent Unauthorized Commands Control Access to Target Systems Positively Authenticate Users Vault & Manage Credentials Session Logs Credential Safe Policies Before: After: ID: abc123 PW: password ID: abc123 PW:x8km&eie10$z*!B

16 Xsuite for AWS Security Across AWS Regions, Management Console, and APIs Xceedium Announces Privileged User Protection for AWS Cloud Management APIs New Xsuite API Proxy Controls, Monitors, and Audits All Programmatic Access to AWS Cloud Management Infrastructure

17 AWS Management API Security Shared credentials are typical Key Pair, Secret URL Difficult to attribute privileged API activities to unique users No log files of what happened Key Pair Secret URL CLI AWS IAM Service SDKs Python, PHP, Pearl, etc. AWS APIs (Compute/Networking, Storage/Content Delivery, App Services, Database)

18 Xsuite for AWS API Proxy Public Cloud/ Gov. Cloud/ VPC AWS API Console Single point of access control, monitoring, and audit - all activity with AWS Management Console and REST APIs Role-based API access control for programmatic and manual AWS API Access Separation of duties Full, real-time bi-directional audit trail of all API calls Attribute AWS API activity to a specific user no need to add users to AWS Identity and Access Management (IAM) Uses alternative credentials valid only with the Xsuite AWS API Proxy no direct access to AWS APIs Vault and manage the credentials used by scripts to access AWS APIs and eliminate the practice of sharing these important keys

19 Core Xsuite Capabilities Comprehensive Protection for Management Consoles, APIs and Guest Systems: Role Based Privileged Access Control Password and Access Key Vaulting & Management Application-to-Application Password Vaulting Privileged User Single Sign-On Full Audit Trail and Session Recording Full Identity Attribution for Shared Accounts Auto-discovery and Provisioning Smartcard-based Multi-Factor Authentication High Assurance and Public Sector Ready

20 What Sets Xceedium Apart? Next Generation Privileged Identity Management Xsuite is the Only Platform With: A comprehensive set of well integrated controls enforced across hybrid cloud environments Single policy enforcement point across hybrid-cloud environments Unified policy management Protection for both management consoles and guest systems Integration with VMware, Amazon Web Services and Microsoft Office 365 Control and Auditing of AWS management API calls Specifically architected for dynamic, elastic cloud environments Choice of appliance form factor: hardware, OVF or AMI Proven Performance, Reliability, Scalability Most Highly Certified Solution Available

21 Contact Us 2214 Rock Hill Road, Suite 100 Herndon, VA Phone: facebook.com/xceedium

22 Thank You