Privileged Access Control




Ramsey Hajj, MS, CISSP, Director APAC, edmz Security, Ramsey.hajj@edmz.com
Governmentware 2010, Booth A-13

Agenda
- What is Privileged Access? Examples of privileged access; common characteristics; other factors; why it is important
- What is Privileged Access Control? Common characteristics of Privileged Access Control
- How Privileged Access Control is natively provided: Windows, Unix/Linux, Cisco/network
- Issues with native approaches: provisioning, sudo
- Privileged Access Control evolution: SAPM, SUPM, PSM
- Privileged Access Control future: three trends in Privileged Access Control
- Questions

What is Privileged Access?
- Users with access to resources at an elevated or privileged level, such as root, Administrator or equivalent.
- Users (privileged or not) with access to critical or sensitive resources or data, such as HR or financial information servers.
The definition also depends on who is asking:
- Ops/availability: any activity that can affect availability or uptime.
- Change control: any process that can change production systems.
- Security: any access that can change or affect controls.
- Audit: any access that affects accountability.
- Management: any access that requires approval or review.

Examples of Privileged Access
- A Unix system administrator (SA) gaining root privilege to restore a system backup.
- A Unix operator gaining root privilege to run a system backup.
- A Windows change control administrator requiring Local Administrator access to install a new application.
- A Windows developer needing Local Administrator access to debug an application problem on a production server.
- A firewall engineer needing root access on a Linux-based firewall to update firewall rules.

Common characteristics of Privileged Access
- Use of a shared privileged account or access level.
- Needed by multiple functional groups.
- Needed in multiple situations: emergency, change, and business as usual (BAU).
Also: the functional teams may be employees or vendors, and the issue is independent of platform.

Why is it important?
"Ex-Fannie Mae employee accused of planting computer time bomb. Former computer contract employee indicted on computer intrusion charges, report says." By Ellen Messmer, Network World, 01/29/2009:
A computer-engineering employee fired from troubled mortgage giant Fannie Mae is accused of preparing a malware computer time bomb, which, had it not been detected, might have destroyed millions of files, according to reports. Rajendrasinh Makwana, the computer contract employee in question, was indicted earlier this week on computer intrusion charges, according to the "DC Examiner" report citing court documents. Makwana, said to be an Indian citizen and former contract employee at Fannie Mae for three years, was terminated Oct. 24 for changing computer settings without permission from his employer and allegedly hiding malware code in a server that was programmed to become active Jan. 31.

Why is it important?
"S.F. officials locked out of computer network." Jaxon Van Derbeken, Chronicle Staff Writer, Tuesday, July 15, 2008 (07-14, 19:23 PDT):
SAN FRANCISCO -- A disgruntled city computer engineer has virtually commandeered San Francisco's new multimillion-dollar computer network, altering it to deny access to top administrators even as he sits in jail on $5 million bail, authorities said Monday. Terry Childs, a 43-year-old computer network administrator who lives in Pittsburg, has been charged with four counts of computer tampering and is scheduled to be arraigned today. Prosecutors say Childs, who works in the Department of Technology at a base salary of just over $126,000, tampered with the city's new FiberWAN (Wide Area Network), where records such as officials' e-mails, city payroll files, confidential law enforcement documents and jail inmates' bookings are stored. Childs created a password that granted him exclusive access to the system, authorities said. He initially gave pass codes to police, but they didn't work. When pressed, Childs refused to divulge the real code even when threatened with arrest, they said.

What is Privileged Access Control?
Privileged Access Control is the means to limit, monitor, and control the granting of privilege. It typically involves a number of concepts:
- Individual accountability: since privilege is often gained through a shared account or mechanism, it is important to maintain accountability for which person actually used it.
- Pre-release controls: the process that defines who will be able to gain privilege and how. The main access methods are granting the privilege directly (adding a user to the Administrators group, or defining the user in a sudoers file or the wheel group) and controlling access to a secret (such as the root password used for su). A major distinction is whether the access is always available or only granted as needed.
- Post-release controls: the process to reconcile each use of privilege with the requirement (change record, incident, approval) that justified it.

How is Privileged Access Control natively provided?
- Windows: privileges are granted to individual users or to groups. This gives strong individual accountability, but the privilege is always available instead of only when needed, which often leads to a user needing multiple accounts (a normal one and an administrative one).
- Unix: access is granted as needed (by gaining root privilege through su), but some individual accountability is lost in the process. Specific commands can be delegated through tools like sudo, but at the file level the change is attributed to the surrogate account (root), not to the original user.
- Network: many network devices still use a shared secret (the enable password). With RADIUS or TACACS+ the model becomes granted access rather than on-demand access.

Issues with native approaches
- Windows: typically does not support on-demand access. It also depends on local access being controlled by limiting or changing the local Administrator password. Post-release review is very difficult (primarily diff reports).
- Unix: if sudo is the privileged access control mechanism, it is difficult to keep disparate sudoers files consistent across an enterprise. The root password must still be controlled, because a console login as root bypasses sudo entirely. Post-release review has typically been provided by keystroke logs and diff reports.
- Network: with TACACS+ or RADIUS, access is typically not on-demand. With a shared secret, control of the secret is difficult. Post-release review is typically difficult.
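As an added example (not part of the slides), the following script checks a Unix host for the two sudo weaknesses just named: sudoers rules that hand out standing or unauthenticated root instead of as-needed delegation, and a root password that is still live and therefore bypasses sudo at the console. The sudoers fragment and the /etc/shadow lines are constructed sample data; the rule parser handles plain user specifications only, not aliases or includes.

```python
import re

# Constructed sample /etc/sudoers fragment (not from the slides).
SUDOERS = """\
Defaults log_input, log_output
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) ALL
ops     ALL=(root) NOPASSWD: /usr/sbin/backup.sh
dev     ALL=(ALL) NOPASSWD: ALL
fw      ALL=(root) /usr/local/bin/fwadmin, /bin/bash
"""

# Constructed root lines from /etc/shadow: locked ("!") and a live hash.
SHADOW_ROOT_LOCKED = "root:!:18000:0:99999:7:::"
SHADOW_ROOT_LIVE = "root:$6$saltsalt$hashhashhash:18000:0:99999:7:::"

SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/bin/su", "/usr/bin/su"}
TAG_RE = re.compile(r"\b(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|"
                    r"LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT):\s*")
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")


def parse_rules(text):
    """Parse user specification lines into who / host / runas / tags / commands.
    Aliases, #include directives and line continuations are ignored here."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        who, host, runas, spec = m.groups()
        tags = set(TAG_RE.findall(spec))
        cmds = [c.strip() for c in TAG_RE.sub("", spec).split(",") if c.strip()]
        rules.append({"who": who, "host": host, "runas": runas or "root",
                      "tags": tags, "cmds": cmds})
    return rules


def audit_sudoers(text):
    """Return (who, finding) pairs for rules that grant standing, unauthenticated
    or shell-level root, and for a policy without session I/O logging."""
    findings = []
    for r in parse_rules(text):
        if r["who"] != "root" and "ALL" in r["cmds"]:
            findings.append((r["who"], "ALL commands: standing root, not as-needed delegation"))
        if "NOPASSWD" in r["tags"] and "ALL" in r["cmds"]:
            findings.append((r["who"], "NOPASSWD with ALL: no authentication at the moment of release"))
        shells = [c for c in r["cmds"] if c.split()[0] in SHELLS]
        if shells:
            findings.append((r["who"], f"delegates a shell {shells}: command restriction is bypassed"))
    if not ("log_input" in text and "log_output" in text):
        findings.append(("Defaults", "no log_input/log_output: post-release review limited to diff reports"))
    return findings


def root_login_locked(shadow_line):
    """True when root's hash field starts with '!' or '*', i.e. the root password
    is locked so a console or su login cannot bypass sudo. An empty field is not
    locked: it means no password is required at all."""
    field = shadow_line.split(":")[1]
    return field.startswith(("!", "*"))


if __name__ == "__main__":
    for who, what in audit_sudoers(SUDOERS):
        print(f"{who}: {what}")
    print("root locked:", root_login_locked(SHADOW_ROOT_LOCKED))
```

Run against the sample, the script flags %wheel (standing root), dev (standing root without a password) and fw (a delegated /bin/bash, which makes the command list meaningless), while ops, who may only run one backup script, passes. Locking root's password is what makes sudo the only path to privilege.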

Privileged Access Control evolution: SAPM, SUPM, PSM
COTS solutions have been introduced to help with these issues.
- SAPM (Gartner term): Shared Account Password Management. Designed to address the shared-account problem, these solutions manage the change and release of accounts such as root, Administrator and enable across an ever-growing number of platforms. The tools were introduced in 2003, and 10+ vendors now offer solutions.
- SUPM (Gartner term): Superuser Privilege Management. Designed to provide an enterprise view of privilege delegation. While some of these tools are very similar to sudo, they typically centralize policy and reporting. Around for at least 10 years.
- PSM (edmz term): Privileged Session Management. Provides on-demand privileged access together with post-release review of the session itself.

SAPM
The same problem goes by several names:
- SAPM: Shared Account Password Management (Gartner)
- PAM: Privileged Account Management (Burton)
- Administrative Password Management (e-dmz)
- PPM: Privileged Password Management (Cyber-Ark)
All relate to the same issue: administrative accounts (such as root on Unix and Administrator on Windows) that are typically shared by multiple system administrators. These accounts must exist and are required for many system-level functions, and many systems ship with default passwords for them.

Procedural-based solutions
This is the typical envelope-in-the-safe method (sometimes referred to as firecall, emerid, telkey, etc.). The admin password (e.g. root) is manually changed by someone (an SA or a security person), then written down and sealed in an envelope. The envelope is delivered to operations, where it is put in a secure container (or safe). In some cases dual control is required on release of the password, by having two keys to the container. A list is kept showing who is authorized to request the password. The passwords may be changed on use or at a set period.

Procedural-based issues
- Scale: this may work for a hundred or even two hundred accounts, but it definitely shows stress above that number.
- Operationally, there is no way to know the password is correct until it is used.
- Changing passwords is time-consuming, and unless a random password generator is used, password strength suffers.
- The manual nature of the change causes administrative issues (did they write 1, l, 0 or O?) and compliance issues (how do you prove individual accountability if the security admin knows the password before it is stored in the envelope?).
- The release process is difficult if the password must be read over the phone by an operator to an SA, and that also raises individual accountability issues.

In-house technology-based solutions
These range from encrypted spreadsheets to in-house applications similar to COTS solutions. The basic requirements are:
- Store the secret
- Change it (on a schedule or on use)
- Check that the stored value still works on the target
- Release it to an authorized, identified requester
Few in-house solutions satisfy all of these requirements.
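To make the four requirements concrete, here is a minimal model of a shared-account password vault, written for this page rather than taken from the slides or from any vendor product. It also closes the procedural gaps listed above: the password is generated by a CSPRNG (no transcription errors, no weak human choices), rotated at onboarding so the person who loaded it no longer knows it, verified against the target before it is needed, released only to a named requester with optional dual control, and rotated again on check-in. The managed host is simulated by FakeTarget (constructed); secrets are kept in memory only, and encryption at rest, which a real vault must provide, is out of scope here.

```python
import hashlib
import hmac
import secrets
import string
from datetime import datetime, timezone

ALPHABET = string.ascii_letters + string.digits + "!@#%^&*-_=+"


def generate_password(length=24):
    """CSPRNG-generated password: nothing is transcribed by hand, so the
    '1 vs l, 0 vs O' problem and weak human-chosen passwords both disappear."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class FakeTarget:
    """Stand-in for a managed host's root account (constructed for this example).
    It only holds a salted hash, as /etc/shadow would."""

    def __init__(self, password):
        self._salt = secrets.token_bytes(16)
        self._hash = self._digest(password)

    def _digest(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 50_000)

    def verify(self, password):
        return hmac.compare_digest(self._hash, self._digest(password))

    def set_password(self, current, new):
        if not self.verify(current):
            raise PermissionError("current password rejected by target")
        self._hash = self._digest(new)


class Vault:
    """Store / Change / Check / Release with an append-only audit trail.
    Secrets live in memory here; a real vault encrypts them at rest."""

    def __init__(self):
        self._secrets = {}     # account -> current password
        self._targets = {}     # account -> FakeTarget
        self._authorized = {}  # account -> set of requester names
        self.audit = []

    def _log(self, event, account, requester=None, **extra):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "event": event, "account": account,
                           "requester": requester, **extra})

    def store(self, account, target, known_password, authorized):
        """Onboard an account. The person loading it knew the password, so it is
        rotated immediately: from now on only the vault knows it."""
        self._targets[account] = target
        self._secrets[account] = known_password
        self._authorized[account] = set(authorized)
        self._log("store", account)
        self.change(account)

    def change(self, account):
        new = generate_password()
        self._targets[account].set_password(self._secrets[account], new)
        self._secrets[account] = new
        self._log("change", account)

    def check(self, account):
        """Verify the stored secret still works on the target before anyone needs it."""
        ok = self._targets[account].verify(self._secrets[account])
        self._log("check", account, result=ok)
        return ok

    def release(self, account, requester, approver=None, ticket=None):
        """Hand the secret to an authorized, named requester. Dual control: an
        approver, when one is supplied, must be a different person."""
        if requester not in self._authorized[account]:
            self._log("release_denied", account, requester)
            raise PermissionError(f"{requester} is not authorized for {account}")
        if approver is not None and approver == requester:
            self._log("release_denied", account, requester, approver=approver)
            raise PermissionError("dual control: approver must differ from requester")
        self._log("release", account, requester, approver=approver, ticket=ticket)
        return self._secrets[account]

    def checkin(self, account, requester):
        """Change on use: once the requester is done, the secret is rotated so the
        released value is worthless afterwards."""
        self._log("checkin", account, requester)
        self.change(account)
```

Every release is tied to a person and a ticket in the audit trail even though the account itself (root) is shared, which is exactly the individual accountability the envelope method cannot prove.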

In-house technology-based issues
- Support: many of these solutions are tools that quickly run into problems when their creator leaves or is reassigned.
- Maintenance: since these tools are typically point-in-time solutions, they do not tend to evolve.

COTS solutions
COTS (Commercial Off-The-Shelf) solutions. The Password Auto Repository (PAR) was the first COTS product developed specifically to address SAPM; it was first released in 2003. As of 2010 there were 14+ commercial solutions on offer. Though SAPM started as primarily a financial services issue, many other industries, from manufacturing to retail, have now embraced the technology. Most COTS offerings have evolved to integrate more closely with other technologies, including LDAP and Active Directory.

SUPM solutions
These have been primarily Unix offerings, though there are also some Windows-centric solutions (temporary granting of access). Many provide post-release review through a keystroke logging mechanism.

PSM solutions
PSM was first introduced in 2005 as a mechanism to provide post-release review for graphical environments; eGuardPost was the first COTS offering. Additional solutions continue to be introduced, and four distinct COTS offerings for PSM now exist. Most follow a similar mechanism: the connection is proxied, and some level of recording is provided. Many also provide pre-release workflow.

Approaches before PSM
1. Jump box: the user only has access to a few defined machines from which they initiate their sessions.
   Pros: a defined point of entry; if keystroke logging is used, sessions can be replayed.
   Cons: effort is needed to ensure the jump box is not circumvented; only works for command-line activities; typically not on-demand.
2. VPN with ACLs: the VPN only allows connections to a few defined systems that are to be supported.
   Pros: defined access.
   Cons: no replay; typically not on-demand.

Trends in Privileged Access Control (in my opinion)
- Move to on-demand. Based on the increasing requirements around privilege, I believe most organizations will move to this model. The idea of individuals always having privilege will be replaced with the concept of granting the privilege only when necessary.
- Move to more delegated access. Privilege will continue to be sliced and diced to reflect a more mainframe-esque model of control. The days of godlike access will become the exception instead of the rule.
- Move to constant monitoring. As PSM solutions gain wider acceptance, the fact that privileged access is recorded will become as natural as the cameras over ATMs. I envision a point where devices (like routers) will only accept recorded connections, providing a complete history of all privileged access to a device.

Real world scenarios
- Bank: PSM for security infrastructure.
- MSSP: PSM for firewalls, plus accountability abstraction to eliminate one-touch.
- Insurance: three datacenters with DPA affinity.
- Kiosk: remote solutions with an embedded OS, like POS.

Real world scenarios: bank
PSM for security infrastructure. The security technology group uses a PSM solution to record all activity on security infrastructure devices. Target systems are Unix hosts running security software that only allows SSH connections from the PSM device.
Benefits: the audit group has full review capability over all security changes, and PSM sessions are tied to change control.
Process: since the systems are high risk, PSM sessions are reviewed within 24 hours.

Real world scenarios: MSSP
PSM for firewalls, plus accountability abstraction to eliminate one-touch. The MSSP uses a PSM device as the access method to all managed devices on customer premises.
Benefits: customers have full review capability over all changes to managed devices. The MSSP can keep a shared account at the device level, because individual accountability is captured by the PSM.
Process: all devices use SSH with DSS (DSA) key authentication; non-key authentication is disabled, and the DSS private key exists only on the PSM device.

Real world scenarios: insurance
Three datacenters with DPA affinity. A major insurance company forces all IT changes to go through PSM devices. DPAs are provisioned at each datacenter to support 500 concurrent connections.
Benefits: the customer has full review capability over all IT changes.
Process: the customer uses layer 3 (network) controls so that targets accept access only from the PSM devices.
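The bank, MSSP and insurance scenarios share one host-side pattern: a target accepts SSH only from the PSM, only with a key, and the key lives only on the PSM. The following added example (not code from the slides or from any product) checks a Unix target's sshd_config and authorized_keys for that pattern. The configuration samples are constructed and PSM_ADDR is an assumed proxy address. Two caveats a practitioner would want are built in: ssh-dss is a 1024-bit DSA key type that modern OpenSSH disables by default, so the MSSP's 2010 choice would need replacing; and a key that permits port forwarding lets a recorded session carry an unrecorded tunnel, so the recorder can be bypassed unless forwarding is switched off on the key.

```python
import re

PSM_ADDR = "10.0.0.5"   # assumed address of the PSM proxy (example only)

# Constructed sshd_config and authorized_keys samples (not from the slides).
SSHD_CONFIG_GOOD = """\
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
"""
SSHD_CONFIG_WEAK = """\
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""
AUTH_KEYS_GOOD = (
    'from="10.0.0.5",no-port-forwarding,no-agent-forwarding,no-X11-forwarding '
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterialForTheExample0000000000 psm\n'
)
AUTH_KEYS_WEAK = (
    "ssh-rsa AAAAB3NzaC1yc2EFakeKeyMaterialForTheExample laptop\n"
    'from="10.0.0.5" ssh-dss AAAAB3NzaC1kc3MFakeKeyMaterialForTheExample psm-old\n'
)

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")
OPTIONS_RE = re.compile(r'^((?:[^\s"]|"[^"]*")+)\s+(.*)$')


def parse_sshd_config(text):
    """Keyword -> value. sshd honours the first occurrence of a keyword; Match
    blocks are not modelled here."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, val = line.partition(" ")
            conf.setdefault(key.lower(), val.strip())
    return conf


def parse_authorized_key(line):
    """Split an authorized_keys line into options, key type and comment.
    Options may carry quoted, comma-bearing values such as from="a,b"."""
    line = line.strip()
    if line.startswith(KEY_TYPES):
        options, rest = "", line
    else:
        options, rest = OPTIONS_RE.match(line).groups()
    ktype, _blob, *comment = rest.split(None, 2)
    opts = {}
    for opt in re.findall(r'(?:[^,"]|"[^"]*")+', options):
        name, _, value = opt.partition("=")
        opts[name] = value.strip('"')
    return {"type": ktype, "options": opts, "comment": comment[0] if comment else ""}


def audit_target(sshd_config, authorized_keys, psm_addr):
    """Findings that mean a session could reach the host without passing
    through, and being recorded by, the PSM."""
    findings = []
    conf = parse_sshd_config(sshd_config)
    if conf.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is on: a shared secret works from anywhere")
    if conf.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes: root password logins bypass the key-only model")
    for line in authorized_keys.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key = parse_authorized_key(line)
        label = f"{key['type']} ({key['comment'] or 'no comment'})"
        if key["type"] == "ssh-dss":
            findings.append(f"{label}: 1024-bit DSA key; modern OpenSSH disables ssh-dss by default")
        if key["options"].get("from") != psm_addr:
            findings.append(f'{label}: not restricted with from="{psm_addr}", usable from any source')
        if "no-port-forwarding" not in key["options"]:
            findings.append(f"{label}: port forwarding allowed, a tunnel could carry unrecorded traffic")
    return findings


if __name__ == "__main__":
    for f in audit_target(SSHD_CONFIG_WEAK, AUTH_KEYS_WEAK, PSM_ADDR):
        print(f)
```

The from= restriction on the key is a second, independent control next to the layer 3 rule the insurance customer uses: if the network ACL is ever loosened, the host still refuses the key from any source other than the PSM.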

Real world scenarios: kiosk
Remote solutions with an embedded OS, like POS. The customer has thousands of kiosks across North America and forces remote support to go through the PSM to connect to a kiosk.
Benefits: closes a PCI issue around auditing admin activity at the kiosk.
Process: the remote support method requires the PSM (automated login with a changing account password).

Questions

August 2010: Best Regulatory Compliance Solution; Best Privileged Access Solution; Best Password Management Solution