Privileged - Super Users out of Control

Transcription

1 ID WORLD Abu Dhabi March 2012 Secure ID in the Digital World Jochen Koehler Regional Director Cyber Ark Software Privileged - Super Users out of Control Organized by: Conference Host:

2 PRIVILEGED Jochen Koehler, Director D/A/CH & Middle East

3 SUPERUSERS OUT OF CONTROL 3

4 Superusers can reach any system from anywhere Line of Business A Public Cloud Enterprise Central Datacenter Business User IT Personnel Developer Infrastructure IT Personnel Outsourced Datacenter Line of Business B Business Applications Operating Systems Business User IT Personnel Infrastructure Developer Infrastructure Outsourced IT Personnel

5 Common Requirements for Privileged Access External Vendors IT Personnel Business Applications Shared/Privileged Accounts Audit Security Policy Enforcement Workflows Provisioning Business Continuity Hard coded/ embedded application accounts Enterprise IT Most organizations have more privileged accounts than personal accounts Source: Sally Hudson, IDC Analyst Group Environment

6 The Problem of Privileged Privileged Accounts are not (well) managed! Most of them are Shared Accounts! ROOT, DBA, Enable, Administrator, System, SAPall! Their Passwords don t change often! Password Policy Enforcement not existing! They are the same on many systems! Servers, Desktops, Databases, Routers, Firewalls, Proxies, SAP! Often known even outside the IT department! There is no Audit on WHO s accessed them! Think of outsourced and/or managed systems! High efforts are needed for changes! What if an administrator leaves the company? 6

7 Top Risk Privileges Superusers can do Full Access!! No Tracking of the who! 100 Admins it could have been every single one ot them! What if the systems are not managed by your own employees?! Non-Compliance! PCI, SAS70, SOX, Basel II, ISO 27001,! Password policy! External Audit (PwC, KPMG, )! Excessive privilege and access control rights! have the greatest financial impact! IDC: Top 3 of Internal Incidents 7

8 What are the regulations?! ISO The allocation & use of privileges shall be restricted & controlled. Formal procedures should be in place to control the allocation of access rights to information systems and services Management should review users access rights at regular intervals using a formal process.! PCI/DSS Restriction of access rights to privileged user IDs, to least privileges necessary to perform job responsibilities. Monitor vendor remote access accounts when in use. Do not use group, shared, or generic accounts and passwords, or other authentication methods. Immediately revoke access for any terminated users. Use passwords that contain both numeric and alphabetic characters.! MaRisk Insbesondere sind Prozesse für eine angemessene IT-Berechtigungsvergabe einzurichten, die sicherstellen, dass jeder Mitarbeiter nur über die Rechte verfügt, die er für seine Tätigkeit benötigt. 8

9 What are the auditors looking at (in general)? G38 Access Controls (IT Audit and Assurance Standards Overview)! General Categories of Access Minimal Access User access only to the specific resources needed Need to know basis User access to the resources needed to perform the work Owner User responsible for the asset! A set of controls should be defined for controlling and monitoring user activities! Entitlement Review should be done at least semi-annually! Passwords should have expiration dates and systems should force automatic changes! Access control tools should exist. 9

10 What are they looking at about privileged access? G38 Access Controls (IT Audit and Assurance Standards Overview)! All vendor-supplied user IDs, where there is no business need, should be removed.! Elimination of all platform default access/users, wherever possible.! Restricting all production service accounts from log on by users.! Activities of the privileged or superuser login account should be closely monitored.! All privileged users should be monitored and have a tighter control process for justification, documentation and approval.! Activities carried out by default users or contractors should be monitored on a daily basis. It is recommend to use security tools for this task.! The usage of privileged log in accounts should be monitored and justified. Whenever possible, such users should have their own logon IDs rather than use a generic ID, as it may be shared. 10

11 But in reality... Survey on Privileged Account Management (Quocirca): Around 41 % of organisations that claim to have implemented ISO27001 admit to privileged user account sharing.

12 DO YOU AGREE? 12

13 STANDARD MEASURES 13

14 Standard Measures and their limits! Personalising all Accounts! Implementing IAM! FireIDs and local Accounts still there! Establish Password Policies for Privileged Accounts! Enforce password changes! But how?! Perform Regular Audits! Internal & external! Findings do not help solving the problem 14

15 MODERN MEASURES 15

16 Privileged Identity Management Unix Admins Windows Admins DBAs VM Admins External Vendors Business Applications Auditor/ Security & Risk OPM Workflow SSH / X / Telnet PSM Workflow EPV Workflow AIM AIM Workflow Workflow Monitoring & Reporting Workflow PIM & PSM Suites ü Unified policy ü Unified audit reports Virtual Servers Unix /Linux Servers Windows Servers iseries zseries Mainframes Mainframes Database s Application s Network Security Devices Appliances Unix Linux Windows AS400 OS390

17 Privileged Identity Management Suite External Vendors PIM Portal/Web Access Identity Management Ticketing Systems IT Personnel Auditors Central Policy Manager Secure Digital Vault Monitoring & SIEM Applications Enterprise Directory and more Developers & DBAs 17

18 CONTROLLING PRIVILEGED ACCESS 18

19 Enterprise Password Vault 1. Central and Integrated Policy Definition 2. Initial load & Reset Automatic Detection, Bulk upload, Manual 3. Request Workflow Dual control, Integration with Ticketing Systems, One-time Passwords, exclusivity, groups 4. Direct Connection to Device 5. Auditor Access Security/ Risk Management IT Personnel Policy Request access to Windows Administrator On prod.dom.us Policy Vault Password Vault Web Access Central Policy Manager System User Pass Unix Oracle Windows z/os Cisco root SYS Administrator DB2ADMIN enable Oiue^$fgW y7qef$1 Tojsd$5fh X5$aq+p lm7yt5w gvina9% tops3cr3t tops3cr3t tops3cr3t tops3cr3t tops3cr3t Enterprise IT Environment Auditors

20 Service Accounts lm7yt5w y7qef$1 gvina9% X5$aq+p Vault Central Policy Manager System User Pass Oracle DB/2 SAP Windows appid1 backup1 edi_user2 service1 OracleApp1 DB2backup1 SAP123 WinService1 Supported Platforms: Windows Services Windows Scheduled Tasks IIS Application Pools Windows Registry F5 BigIP. Applications/Products using embedded credentials Database Servers/ Network Resources 20

21 Supported Systems Enterprise IT Environment Databases Oracle MSSQL DB2 Informix Sybase MySQL Any ODBC Central Policy Manager Operating Systems Windows Unix/Linux AS400 OS390 HPUX Tru64 NonStop ESX OVMS Security Appliances FW1, SPLAT IPSO PIX Netscreen FortiGate ProxySG Applications SAP WebSphere WebLogic Windows: Services Scheduled Tasks Generic Interface IIS App Pools IIS Anonymous SSH/Telnet COM+ ODBC Oracle Application ERP Windows System Center Configuration Manager Registry Network Devices Cisco Juniper Nortel Alcatel Quntum F5 Directories and Credential Storage AD SunOne Novell UNIX Kerberos UNIX NIS Remote Control and Monitoring HMC HPiLO ALOM Digi CM DRAC

22 MONITORING PRIVILEGED SESSIONS 22

23 Privileged Session Manager Databases IT personnel 1 HTTPS 2 RDP over HTTPS PVWA 4 SSH SSH Windows Windows Servers Unix Linux UNIX Servers PSM 3 1. Logon through Webaccess 2. Connect 3. Fetch credential from Vault 4. Connect using native protocols 5. Store session recording 6. Logs forwarded to SIEM/SIM/ Syslog Vault 5 6 SIM/SIEM/Syslog Routers and Switches ESX\vCenters 23

24 Monitoring DBA Activities Application & Business Users DAM Optional Privileged DBA User PSM Monitoring privilegierter DBAs Ersetzt in vielen Fällen DB Logging 24 24

25 Privileged Remote Access Internet DMZ Corporate Network Access Control HTTPS HTTPS IBM AIX HTTPS HTTPS PVWA ACI External Supporter SSL Gateway HTTPS PSM SSH Oracle DB Firewall 1. Problem, request for support 2. Request for access 3. Access approval 4. Connect true ssh 5. Session recording Firewal l Vault Auditors IBM Websphere 25

26 Distributed Architecture & High Availability Auditor s PVWA/CPM/PSM IT Vault (HA Cluster) Main Data Center - US IT Environment Auditors/IT CPM/PSM CPM/PSM Auditors/IT IT Environment London DR Site IT Environment Hong Kong Central management with distributed reach without compromising network security 26

27 Summary! Approach Compliance with confidence! Company s security policy, SOX, ISO27001! Maximize security! Protect your business critical systems! Audit on all Privileged Activities! Increase efficiency! automate processes & eliminate human errors! Protect Investment! easily scales & integrates as your business grows ny Device, Any Datacenter On Premise, Managed, Hosted or In The Cloud 27

28 QUESTIONS? 28

29 THANK YOU