IDENTITY & ACCESS. Privileged Identity Management. controlling access without compromising convenience

Similar documents
Remote Access Securing Your Employees Out of the Office

Strong Authentication: Enabling Efficiency and Maximizing Security in Your Microsoft Environment

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite.

Multi-Factor Authentication Protecting Applications and Critical Data against Unauthorized Access

privileged identities management best practices

Introduction. PCI DSS Overview

Executive Summary P 1. ActivIdentity

IDENTITY & ACCESS. Providing Cost-Effective Strong Authentication in the Cloud. a brief for cloud service providers

Enhancing Organizational Security Through the Use of Virtual Smart Cards

Oracle Enterprise Single Sign-on Technical Guide An Oracle White Paper June 2009

Choosing an SSO Solution Ten Smart Questions

Securing Corporate Data and Making Life Easier for the IT Admin Benefits of Pre Boot Network Authentication Technology

RSA SecurID Two-factor Authentication

GFI White Paper PCI-DSS compliance and GFI Software products

What IT Auditors Need to Know About Secure Shell. SSH Communications Security

DriveLock and Windows 7

IDENTITY & ACCESS. BYOD and Mobile Security Seizing Opportunities, Eliminating Risks in a Dynamic Landscape

Hard vs. Soft Tokens Making the Right Choice for Security

Additional Security Considerations and Controls for Virtual Private Networks

RSA Solution Brief. RSA SecurID Authentication in Action: Securing Privileged User Access. RSA Solution Brief

Windows 7. Qing Liu Michael Stevens

e-governance Password Management Guidelines Draft 0.1

etoken Single Sign-On 3.0

Modern two-factor authentication: Easy. Affordable. Secure.

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery

Seven Things To Consider When Evaluating Privileged Account Security Solutions

Research Information Security Guideline

Securing Virtual Desktop Infrastructures with Strong Authentication

Security and Compliance. Robert Nottoli Principal Technology Specialist Microsoft Corporation

Securing Privileges in the Cloud. A Clear View of Challenges, Solutions and Business Benefits

Implementing HIPAA Compliance with ScriptLogic

An Overview of Samsung KNOX Active Directory-based Single Sign-On

A brief on Two-Factor Authentication

Mobile Admin Architecture

Securing Remote Vendor Access with Privileged Account Security

Multi-factor authentication

TNC is an open architecture for network access control. If you re not sure what NAC is, we ll cover that in a second. For now, the main point here is

Microsoft Identity Lifecycle Manager & Gemalto.NET Solutions. Jan 23 rd, 2007

Catapult PCI Compliance

2: Do not use vendor-supplied defaults for system passwords and other security parameters

Presented by: Mike Morris and Jim Rumph

Chapter 1: Introduction

DriveLock and Windows 8

The Convergence of IT Security and Physical Access Control

SECUREAUTH IDP AND OFFICE 365

RSA Authentication Manager 7.1 Security Best Practices Guide. Version 2

SPICE EduGuide EG0015 Security of Administrative Accounts

An Oracle White Paper December Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

CHOOSING THE RIGHT PORTABLE SECURITY DEVICE. A guideline to help your organization chose the Best Secure USB device

Beyond passwords: Protect the mobile enterprise with smarter security solutions

Pointsec Enterprise Encryption and Access Control for Laptops and Workstations

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

Microsoft Enterprise Mobility Suite

Windows Remote Access

AIR FORCE ASSOCIATION S CYBERPATRIOT NATIONAL YOUTH CYBER EDUCATION PROGRAM UNIT FIVE. Microsoft Windows Security.

WHITE PAPER. Smart Card Authentication for J2EE Applications Using Vintela SSO for Java (VSJ)

Five Steps to Improve Internal Network Security. Chattanooga ISSA

Server Security. Contents. Is Rumpus Secure? 2. Use Care When Creating User Accounts 2. Managing Passwords 3. Watch Out For Aliases 4

PGP Whole Disk Encryption Training

The Convergence of IT Security and Physical Access Control

Locking down a Hitachi ID Suite server

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

Frequently Asked Questions (FAQs) SIPRNet Hardware Token

Security Management. Keeping the IT Security Administrator Busy

MICROSOFT BITLOCKER ADMINISTRATION AND MONITORING (MBAM)

Session ID: Session Classification:

RSA Authentication Agent 7.2 for Microsoft Windows Installation and Administration Guide

Leveraging Microsoft Privileged Identity Management Features for Compliance with ISO 27001, PCI, and FedRAMP

Strong Authentication for Secure VPN Access

Central Agency for Information Technology

Network and Security Controls

HP ProtectTools User Guide

How to Achieve Operational Assurance in Your Private Cloud

Active Directory Self-Service FAQ

How To Achieve Pca Compliance With Redhat Enterprise Linux

SECURING YOUR REMOTE DESKTOP CONNECTION

70-685: Enterprise Desktop Support Technician

An Overview of Samsung KNOX Active Directory and Group Policy Features

Privilege Gone Wild: The State of Privileged Account Management in 2015

How To Protect Your Organization From Insider Threats

Information Security

Active Directory was compromised, now what?

Active Directory Change Notifier Quick Start Guide

University Computing & Telecommunications Virtual Private Networking: How To/Self- Help Guide Windows 8.1 Operating System.

whitepaper 4 Best Practices for Building PCI DSS Compliant Networks

USER GUIDE WWPass Security for Windows Logon

How To Control Vcloud Air From A Microsoft Vcloud (Vcloud)

Section 12 MUST BE COMPLETED BY: 4/22

IMS Health Secure Outlook Web Access Portal. Quick Setup

Transcription:

IDENTITY & ACCESS Privileged Identity Management controlling access without compromising convenience

Introduction According to a recent Ponemon Institute study, mistakes made by people Privilege abuse accounted and systems are the main causes of enterprise data breaches. Together, system and human errors account for 64% of breaches, and a staggering for 88% of the almost 62% of employees think it is ok to transfer corporate data outside the 12,000 incidents of insider company. 1 misuse in 2013 3 It s sobering to think that by accident or on purpose, your employees could be at the heart of your data security risk, potentially causing a compromise that could cost you millions of dollars in lost revenue, remediation, legal and technology costs, and most importantly loss to reputation and brand. Privileged users exist in every organization and they hold the keys to much of any company s most private information. Often thought of as senior executives or those in high profile roles, such as finance, HR, etc, privileged users exist elsewhere in the organizations in the form of IT system administrators. The accounts of these users come with permissions to access a multitude of resources across systems, applications and platforms. A lack of access controls The fact that a simple user name and password is still the most prevalent protocol in most enterprise IT settings is a major problem in itself. A single factor of authentication is hardly secure, but even worse is many privileged admin accounts are shared because of the sheer volume of the number of logins needed to maintain a typical enterprise infrastructure. Every domain, jump server and remote connection has an associated unique ID and password, resulting in possibly thousands of passwords. In addition to security violations associated with not having a single credential associated with a single person, many other problems ensue with a single authentication process such as: > Loss of control when it comes time to revoking an individual s access privileges due to resignations, terminations or other causes. Any password changes to accounts shared by a number of admins require a coordinated effort to ensure everyone is informed and not inconvenienced by a temporary account lockout. > With so many passwords to keep up with, they are often written down or stored in obvious places like on the very server the admin is accessing. > Perhaps the greatest problem with passwords is the threat of malware (malicious software) or spyware designed to steal login credentials. In addition to a weak protocol, most organizations have even more relaxed rules for privileged users. In particular, the following problems are often observed when using passwords: > Lax password reset protocol because of the difficulty to coordinate a change among all admins and systems, there are minimal rules to reset passwords on a regular basis (making them less secure than regular user passwords). > Lack of accountability since everyone logs in the same, there is minimal traceability of administrative changes.

> Passwords are not deleted when someone leaves the company, which could lead to misuse of privileged accounts by a former employee. Increased threats from the inside IT departments worldwide got a wakeup call when privileged user Edward Snowden showed just how easy it was to circumvent some of the tightest security controls. Most privileged users have unchecked access to an organization s confidential data, According to CERT networks and systems. According to a recent survey of 700+ IT security decision makers, 46% believe they are very vulnerable or vulnerable Research, more than half to an insider attack. Some of these organizations are taking the of insiders committing IT privileged user issue very seriously, with 45% of the surveyed decision sabotage were former makers admitting Edward Snowden s activity helped changed their perspective on insider threats. employees who regained 2 access via backdoors or Insider threats are not always malicious in intent. As mentioned before, corporate accounts that human error accounts for the majority of data breaches in today s enterprise organizations. Writing down passwords, sharing logins, were never disabled. 4 neglecting to terminate the account of a former employee, forgetting to logoff a shared resource any of these could result in unauthorized access into your company s most private assets. In addition to threats from the inside, the privileged account is often a prime target for cyber criminals, especially Advance Persistent Threat (APT) attacks. Uncontrolled privileged accounts are like master keys that can give hackers access into the deepest crevasses of an organization, unearthing the most sensitive assets. Time to rethink security While most organizations spend a large chuck of the IT budget securing the corporate walls from outsiders, increasing threats from the inside, whether accidental or malicious, can not be ignored. Security threats are not the only problem IT management faces when managing privileged users. This group needs quick, unencumbered access to potentially hundreds of domains and systems per day. They are extremely busy and, rightly so, not supportive of anything that makes their job more difficult. Any techniques used to control and monitor access must be simple, efficient and reliable in addition to being highly secure.

Necessary features for successful control and management of privileged accounts: > Multi-factor authentication > Ability to assign fine grained role-based access to privileged accounts. For more information, visit Microsoft s technical article, Securing Active Directory Administrative Groups and Accounts > Easy provisioning and termination of privileged accounts > Access activity logging > Tight integration with the day-to-day tools used by IT administrators and others privileged users > Conformance with audit requirements How do smart card devices work? To login with a smart card ID, the admin simply inserts the card into a special reader device on a keyboard, an attached reader in a laptop, or a standalone reader. Once prompted, the admin enters a user specific PIN code. Once the PIN code is accepted, unlocking the card, there is an encrypted authentication exchange between the user credentials stored on the card and the host system or the remote server. What makes this approach so secure is that the smart card uses its own processor and software independent of the PC to secure and accept the user credentials. Since the credentials are secured and isolated from the PC and each login uses a challenge response exchange, users are protected from threats on the end user device or the network. The card stays in the reader for the duration of the secure session. Removing the card ends the session. Not only does the smart card provide more security, it is also more convenient for the admins to use. Instead of trying to keep track of complex, frequently changing passwords, admins only need to remember their PIN code and the smart card authenticator takes care of strongly authenticating the user and establishing an encrypted secure session. Additionally, smart cards are tightly integrated in the Windows enterprise architecture the certificates used for login can be issued directly from a Windows Server CA and smart card logon is out of the box on all supported Windows operating systems. This tight integration means users can access the resources they are authorized to log in to from any machine that is part of the enterprise domain, a key requirement for IT support professionals. Smart card logon benefits from the investment made in the resilience of the Windows Domain backbone without additional investment. Privileged users are managed directly from the Active Directory repository, so removal of a user automatically terminates logon privileges, a benefit of centralized account management of the enterprise. All authentications can be captured directly from the Domain Controller event logs, without adding the need to monitor another critical resource.

Smart chip enabled devices can be deployed in a variety of form factors including cards, USB tokens or dual OTP/PKI tokens. In addition to login security capabilities, smart cards can be used for physical identification, secure e-mail, VPN and data encryption including Bitlocker to go. Using smart card as a privileged access user Logon to a host machine The administrator s laptop and desktop is his every workday starting point so it is an important element to secure. Accessing a laptop with a smart card will prevent unauthorized access. Using run as An administrator doesn t need to access critical resources consistently. When the administrator performs tasks that don t require critical resources, he should be using an account with lower privileges. If the administrator needs to run a specific command or execute an application that requires elevated privileges, he can start this application using a different account. This is known as the Run as feature in Windows.

RDP to a remote server Administrators may works on hundreds of machines, some may be physical, and others may be virtualized. The ability to access these resources remotely is critical for the administrator productivity. Remote Desktop allows an administrator to gain full control of a machine using a smart card. SSH Linux resources can also be accessed securely with a smart card. The private key is stored on the smart card, while the public key needs to be configured in the server SSH configuration. Using the same certificate for multiple domains/forests Large companies have dozens of domains and forests. IT administrators may have one or more accounts in each of these forests. Username and password authentication means administrators have to remember many passwords. Smart card certificates can be mapped to multiple accounts in different forests, so the administrator can authenticate with the same card using different identities. A smart card can contain several certificates that are protected by either a single PIN or different PINs. The user is prompted to choose which certificate to use at the time of login. Issuing multiple certificates for the different domains/forests Legacy systems may not map a certificate to multiple accounts. In this case, the administrator can be provided with a card with multiple certificates, representing his identities in the different forests and domains. Making it all work For instructions to set up a CA with Microsoft Windows 2012 to issue certificate credentials, please read our guide ExecProtect Armored Office Setup Guide. Issuing and managing the credentials using Gemalto IDAdmin 200 The IDAdmin 200 product suite provides all the tools to manage smart cards in a secure and convenient way. IDAdmin is fully functional with minidriver-enabled smart cards and it streamlines all aspects of a smart card management system by connecting to enterprise directories, certificate authorities and synchronization servers. With IDAdmin 200, organizations can issue smart cards to employees, personalize the smart cards with authentication credentials and manage the lifecycle of every card. Benefits of IDAdmin 200 include: > Easy and fast to deploy Scales from 10 users to thousands > Full lifecycle credential management Card pre-personalization and printing Credential issuance and personalization (including printing)

Card unblock > Distributed administration > Tightly integrated with Active Directory > Easily issue certificates for multiple forests within the enterprise > Tools to work with smart cards and certificates Summing Up Strong authentication for your IT privileged users is a good start Every week brings new stories of companies damaged by the breach of sensitive information, a problem that can be prevented by identity-centric best practices. Preventing data loss and protecting sensitive information from unauthorized access should be a top concern of every company. Although implementing strong authentication throughout your organization should be a consideration, starting with those employees who have elevated access is a good start. It is evident that username and password authentication is simply not a secure way to protect any level of information within a company. Making a certificate-based smart card ID credential part of your login procedure for your privileged users can prevent data loss and protect your confidential information. > Privileged access users can continue to work with the tools with which they are familiar. > Fully integrated with the Microsoft enterprise architecture > Easy to deploy and managed > User management will meet stringent auditor reviews > Cost effective road to compliance Where to go from here? Request more information or schedule a demo today! Contact us. 1 Ponemon 2013 Cost of a Data Breach Study 2. 2013 Vormetric/ESG Insider Threats Survey, September 2013 3. 2014 Verizon Data Breach Investigations Report 4 2013 Verizon Data Breach Investigations Report

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information