Trust but Verify: Best Practices for Monitoring Privileged Users

Olaf Stullich, Product Manager (olaf.stullich@oracle.com)
Arun Theebaprakasam, Development Manager
Chirag Andani, Vice President, Identity Management Services
September, 2014

Copyright 2014, Oracle and/or its affiliates. All rights reserved.
Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Program Agenda

1. Introduction
2. Demo
3. Case Study: Oracle Cloud and Privileged Account Management
4. Demo
5. Summary
Oracle Identity Management

- Mobile Security: Mobile Application Management, Mobile Device Management, Mobile Access Management, API Security
- Identity Governance: Access Request, Access Governance, Automated Provisioning, Privileged Account Management
- Access Management: Authentication, Authorization, Audit, Federation, Mobile Authenticator
- Directory Services: Enterprise Directory, Cloud/Mobile App Directory, Virtual Directory
Identity Management Challenges

- Supporting the rapid adoption of cloud applications
- Securing the mobile experience
- Reducing the number of moving parts to simplify Identity Management
- Controlling and auditing access to privileged accounts and systems
Why should you be concerned?

What do these two have in common? Access to Privileged Accounts = Excessive Rights.

From the Verizon Data Breach Report 2014, "Insider & Privilege Misuse" category: privilege abuse is taking advantage of the system access privileges granted by an employer and using them to commit nefarious acts. 88% of the ~11,700 incidents in that category involved privilege abuse.
What do we mean by Privileged Accounts?

Privileged Accounts are those that allow administration of a system or provide higher levels of access within a system, including:

- Root (Unix / Linux / Solaris)
- Administrator (Windows)
- DB Admin Accounts (SYS)
- Infrastructure Accounts (Firewall, Router, VM)
- Embedded Accounts (Applications & Service accounts)
Managing Privileged Access Is Not Well Defined

- SCALE: Manual solutions don't scale (spreadsheets, anyone?)
- RISK: Using default system passwords is prone to risk
- COST: Deploying point solutions can increase integration costs
What should Organizations be Working Towards?

The privileged access lifecycle:

1. User gains authorized access to a privileged account
2. System tracks the login and records the session
3. User finishes tasks
4. System sets a new privileged password
5. System correlates the user to the privileged login and the session recording

- Apply the principle of least privilege to privileged accounts: only provide access to a privileged account when it's required to perform a specific task
- Assign privileged access to specific individuals: know exactly who has been granted a privileged account password, and limit command execution
- Apply access governance principles to Privileged Accounts: Access Request / Approval / Certification
- Audit use of privileged accounts and the activities performed using a privileged account
How should you Manage, Monitor & Audit Privileged Users?

You need a solution that will support Privileged Account Management as part of a larger Identity Management Strategy.

- INVENTORY: Create an inventory of Privileged Accounts in a secure Privileged Account Management service; apply Privileged Account Management technology to server/service
- POLICY: Password change policies; access policies including restricted command execution; session policies; emergency access
- ACCOUNTABILITY: Check-in/Check-out; individual accountability; Access Request & Certification; notification
- AUDIT: Track individual usage; forensic analysis; session recording; analytics
Inventory

- Centralize account management
- Identify privileged accounts across your organization, including infrastructure elements like network devices and hypervisors
- Identify administrative accounts across operating systems, applications, databases, etc.
- Map systems to those supported by Privileged Account Management (PAM) technology
- Identify the need for password management and session recording/control based on the associated risk
Policy

Define policies based on the risk associated with the privileged account:

- Should you change passwords every day or after every session?
- Should your access policies include emergency access and notification policies?
- Should you have temporal constraints associated with certain accounts?
- Should your access policies extend to control of commands within the session?
Accountability ("Name and Shame")

- Accountability helps promote the principle of least privilege
- Use notifications when privileged accounts are used
- Map individuals who need privileged accounts to specific systems and associate access control policies
- Force any users outside of this group to go through Access Request / Approval processes
- Use access certifications to ensure that the set of users with privileged access remains at a minimal level
Audit

- Auditing Privileged Account usage needs to go beyond simple logs
- Forensic reports are essential: what happened at this time on this specific system?
- PAM technology must associate individuals to privileged access
- PAM technology must correlate session recordings with individuals
- PAM technology that can analyze privilege use and recommend / adapt to requests will strengthen policy control
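The lifecycle and the four pillars above (inventory, policy with temporal and command constraints, check-out/check-in accountability, and a forensic audit trail that ties a shared account back to an individual) fit in a small model. The following is an added example written for this page; it is not code from the deck, from OPAM or from Oracle. The users, groups, systems, accounts, time windows and the class and method names are all constructed assumptions; the directory dictionary stands in for an LDAP group lookup.

```python
# Added example: a minimal privileged-account vault modelling check-out,
# session recording with restricted commands, rotate-on-check-in and a
# forensic query. All names, groups and policies are constructed sample data.
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


def new_password() -> str:
    # A fresh random password is set after every session, so nobody keeps a usable copy.
    return secrets.token_urlsafe(18)


@dataclass
class UsagePolicy:
    group: str                                  # directory group whose members hold the grant
    start_hour: int = 0                         # temporal constraint: allowed window (hours)
    end_hour: int = 24
    allowed_commands: frozenset = frozenset()   # empty = no command restriction
    approver_group: str = "security-oncall"     # who may approve emergency (break-glass) access


@dataclass
class PrivilegedAccount:
    name: str
    system: str
    policy: UsagePolicy
    password: str = field(default_factory=new_password)
    checked_out_by: Optional[str] = None


class Vault:
    def __init__(self, directory: dict):
        self.directory = directory    # user -> set of group names (stands in for LDAP)
        self.accounts = {}            # (system, account) -> PrivilegedAccount (the inventory)
        self.audit = []               # append-only trail: every decision and action

    def register(self, acct: PrivilegedAccount):
        self.accounts[(acct.system, acct.name)] = acct

    def _log(self, **event):
        self.audit.append(event)

    def check_out(self, user, system, name, now, emergency=False, approver=None):
        acct = self.accounts[(system, name)]
        pol = acct.policy
        base = dict(ts=now, user=user, system=system, account=name)
        if pol.group not in self.directory.get(user, set()):
            self._log(**base, action="denied", reason="no grant")
            raise PermissionError(f"{user} holds no grant on {name}@{system}")
        if not (pol.start_hour <= now.hour < pol.end_hour):
            approved = emergency and pol.approver_group in self.directory.get(approver, set())
            if not approved:
                self._log(**base, action="denied", reason="outside window")
                raise PermissionError(f"{name}@{system} is outside its access window")
        if acct.checked_out_by is not None:
            raise RuntimeError(f"{name}@{system} already checked out by {acct.checked_out_by}")
        acct.checked_out_by = user
        session = secrets.token_hex(8)    # ties the session recording to this individual
        self._log(**base, action="checkout", session=session, emergency=emergency, approver=approver)
        return session, acct.password

    def record_command(self, session, user, system, name, command, now) -> bool:
        # Session policy: restricted command execution; only the first token is matched.
        allowed = self.accounts[(system, name)].policy.allowed_commands
        permitted = not allowed or command.split()[0] in allowed
        self._log(ts=now, user=user, system=system, account=name, action="command",
                  session=session, command=command, permitted=permitted)
        return permitted

    def check_in(self, user, system, name, now):
        acct = self.accounts[(system, name)]
        if acct.checked_out_by != user:
            raise RuntimeError(f"{user} does not hold {name}@{system}")
        acct.password = new_password()     # rotate: the value handed out is now useless
        acct.checked_out_by = None
        self._log(ts=now, user=user, system=system, account=name, action="checkin")

    def who_did_what(self, system, start, end):
        # The forensic question from the Audit slide: what happened on this system
        # in this window, and which individual was behind the shared account?
        return [e for e in self.audit if e["system"] == system and start <= e["ts"] <= end]


def run_demo():
    # Constructed directory: alice holds the DBA grant, bob does not, carol is on security on-call.
    directory = {"alice": {"dba-grantees"}, "bob": {"helpdesk"}, "carol": {"security-oncall"}}
    vault = Vault(directory)
    vault.register(PrivilegedAccount("SYS", "db01", UsagePolicy(
        group="dba-grantees", start_hour=8, end_hour=18,
        allowed_commands=frozenset({"sqlplus", "rman"}))))
    t0 = datetime(2014, 9, 30, 10, 0)
    session, pw_before = vault.check_out("alice", "db01", "SYS", t0)
    permitted = vault.record_command(session, "alice", "db01", "SYS", "rman target /", t0 + timedelta(minutes=5))
    blocked = vault.record_command(session, "alice", "db01", "SYS", "rm -rf /u01/oradata", t0 + timedelta(minutes=6))
    vault.check_in("alice", "db01", "SYS", t0 + timedelta(minutes=10))
    try:
        vault.check_out("bob", "db01", "SYS", t0 + timedelta(hours=1))
        bob_denied = False
    except PermissionError:
        bob_denied = True
    night = datetime(2014, 10, 1, 2, 0)    # outside the 08-18 window: needs break-glass approval
    session2, pw_after = vault.check_out("alice", "db01", "SYS", night, emergency=True, approver="carol")
    vault.check_in("alice", "db01", "SYS", night + timedelta(minutes=30))
    events = vault.who_did_what("db01", t0, t0 + timedelta(minutes=10))
    return {"rotated": pw_before != pw_after, "permitted": permitted, "blocked": blocked,
            "bob_denied": bob_denied, "events": events, "audit": vault.audit}
```

Running `run_demo()` exercises each pillar once: a denied check-out is logged as a decision rather than silently refused, the out-of-hours check-out succeeds only because an approver from the on-call group is recorded alongside it, the disallowed `rm` is logged with `permitted=False`, and `who_did_what` answers the "what happened on db01 between 10:00 and 10:10" question with alice's name on every event even though the account used was the shared SYS account.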
How can Oracle Help?

By providing a Unified Identity Management Platform that encompasses privileged accounts:

- Self Service: Access Request, Password Management
- Compliance: Access Certification, Continuous Compliance
- Identity Intelligence: Operational Reporting, Access Dashboards
- Privileged Access: Privileged Access, Privileged Audit
- Platform: Common Data Model, Role and Policy Library, Workflows and Service Desk Integration, Identity Connector Framework
- Connected targets: LDAP, Cloud Apps, HRMS Apps, Devices, DB
Oracle Privileged Account Manager: Inventory

- Secure Password Vault: connected & disconnected (lockbox) targets
- Out-of-the-box connectivity: databases, operating systems, LDAP directories, Oracle FMW applications, SAP and more
- Privileged Account discovery and/or integration with Oracle Identity Governance (OIG) reconciliation
- Risk-based certification: privileged access information is exposed for certification; risk can be calculated based on its privilege status and other data, such as the provisioning method (how an account was created, etc.); access violations can be revoked automatically by OIM
- Resource Grouping
- Delegated Administration
Oracle Privileged Account Manager: Policy

- Policy-based access to privileged accounts via grants
- Grants control if and when a given administrator has access to a privileged account
- Grants are represented as OPAM Usage Policies
- Grants are typically assigned through LDAP group membership in the identity store
- Flexible password policies
- Notification plugins
Oracle Privileged Account Manager: Accountability

- Check-Out / Check-In
- Self Service Console
- Custom-built approvals (e.g. phone)
- Custom-built ticketing system integration
- Custom-built notifications
- Access Request Interface: privileged accounts added to the OIG resource catalog
- Keystroke logging
- Session recording
Oracle Privileged Account Manager: User Interface
Oracle Identity Governance (OIG): Access Request

- Privileged accounts are published to the OIG Access Catalog
- Access Requests follow defined workflow policies
- The user is provisioned with a group membership after the approval
Oracle Privileged Account Manager: Audit

- Real-time usage reports
- Indexed / searchable Checkout History Report
- Interactive Session (DVR) playback for Windows and SSH
- Custom-built SIEM integration
Oracle Privileged Account Manager in Action

- How to request access to a privileged account password (a day in the life of an administrator)
- How to use OPAM operations to enable emergency access (a day in the life of an administrator)
- How OPAM Session Management and Auditing provide compliance data (a day in the life of an auditor)
Overview of Privileged Access Issues

- Passwords stored in text files, spreadsheets, wiki pages, etc.
- Multiple in-house custom password applications with little or no support
- Limited audits
- Access not revoked
Oracle Cloud Privileged Access Requirements

- No permanent / standing access to existing data and privileged accounts
- Automated, on-demand, role-based account access provisioning and revocation
- Auditing and certification of account access
- Automated policy-based and on-demand password resets
No standing access to data, and controlled privileged account access only upon approval.
Break Glass Cloud Use Case: High-Level Requirements

- Account Security: all privileged account passwords are controlled; account access requests are approved by security personnel; passwords are reset at predefined intervals
- Data Security: end-to-end data encryption, including data-at-rest
- Identity Controls and Auditing: separation of duties to minimize risks with super users
Solution Overview

Components: Break Glass Application, POD, Cloud Portal, Scripts, CSF, OPAM, Shared IDM, At-Rest Encryption, Fleet Manager, TDE

- All privileged account credentials are stored in OPAM
- Access to OPAM is only for members of specified OID directory groups
- Scripts reset access to the OID groups and the passwords at specified time intervals and update them in OPAM
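The two reconciliation duties the slide assigns to scripts (expire break-glass group membership so no access becomes standing, and rotate each privileged password once its interval has elapsed so the vault always holds the current value) can be expressed as one idempotent pass. The following is an added example written for this page, not Oracle's cloud scripts and not an OPAM or OID API; the group names, users, intervals and the in-memory structures that stand in for the directory and the vault are constructed assumptions.

```python
# Added example: one reconciliation pass over break-glass grants and vaulted
# passwords. Memberships and accounts are constructed in-memory stand-ins for
# the directory groups and the vault; the intervals are assumed policy values.
import secrets
from datetime import datetime, timedelta

GRANT_TTL = timedelta(hours=4)             # assumed: a break-glass membership lives 4 hours
ROTATION_INTERVAL = timedelta(hours=24)    # assumed: every privileged password rotates daily


def reconcile(memberships, accounts, now):
    """memberships: list of {"user", "group", "granted_at"} records (group members with a grant time).
    accounts: dict account -> {"password", "rotated_at"}; mutated in place like a vault update.
    Returns (kept, revoked, rotated): memberships to keep, memberships removed, accounts rotated."""
    kept, revoked = [], []
    for m in memberships:
        if now - m["granted_at"] >= GRANT_TTL:
            revoked.append(m)      # no standing access: the temporary membership expires
        else:
            kept.append(m)
    rotated = []
    for name, rec in accounts.items():
        if now - rec["rotated_at"] >= ROTATION_INTERVAL:
            rec["password"] = secrets.token_urlsafe(24)   # new random value written back to the vault
            rec["rotated_at"] = now
            rotated.append(name)
    return kept, revoked, rotated


def run_demo():
    now = datetime(2014, 9, 30, 12, 0)
    memberships = [   # constructed: alice's grant is 5h old (expired), dave's is 1h old (valid)
        {"user": "alice", "group": "cn=db01-sys-grantees", "granted_at": now - timedelta(hours=5)},
        {"user": "dave", "group": "cn=db01-sys-grantees", "granted_at": now - timedelta(hours=1)},
    ]
    accounts = {      # constructed: SYS@db01 is 30h past rotation (due), root@app01 is 2h (not due)
        "SYS@db01": {"password": "old-db", "rotated_at": now - timedelta(hours=30)},
        "root@app01": {"password": "old-app", "rotated_at": now - timedelta(hours=2)},
    }
    kept, revoked, rotated = reconcile(memberships, accounts, now)
    # A second pass at the same instant must change nothing: the job is safe to re-run.
    kept2, revoked2, rotated2 = reconcile(kept, accounts, now)
    return {
        "kept_users": [m["user"] for m in kept],
        "revoked_users": [m["user"] for m in revoked],
        "rotated": rotated,
        "db_password_changed": accounts["SYS@db01"]["password"] != "old-db",
        "app_password": accounts["root@app01"]["password"],
        "second_pass_idle": not revoked2 and not rotated2 and len(kept2) == len(kept),
    }
```

The second pass in `run_demo` is the property worth checking before scheduling a job like this: it must be safe to run on a timer, revoking and rotating only what is actually due, so that a rerun never churns passwords that were just set or drops memberships that are still within their window.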
Oracle Privileged Account Manager Cloud Use Case: Summary

- OPAM (Oracle Privileged Account Manager): randomized passwords for privileged accounts; control password access to users through break glass; Application Account Management API access to credentials for automated scripts
- Transparent Data Encryption: enforce data-at-rest encryption
- Oracle Data Vault: prevent DBAs from accessing data
- Oracle Identity Governance: entitlement request, life-cycle provisioning and certification
Oracle Privileged Account Manager Cloud Use Case: Planned use cases

- Command Control to mandate restriction based on roles
- Consolidate keystroke logging
- Delegated Administration based on org roles
- Segregating resource management
Oracle Privileged Account Manager in Action

- Session command execution restriction (a day in the life of an administrator)
- Using Resource Grouping and Delegated Administration in a Cloud Deployment (a day in the life of an administrator)
- Managing and Monitoring access to Network Devices and Hypervisors (a day in the life of an administrator)
Privileged Account Management Benefits

- Enforce internal security policies and eliminate potential security threats from privileged users
- Reduce IT costs through efficient self service and a common security infrastructure
- Cost-effective enforcement of, and attestation to, regulatory requirements
- Session Management and Auditing: user activities (who did what, and when)
Complimentary ebook: register now at www.mhprofessional.com/mobsec
2014 Oracle Fusion Middleware Innovation Awards: celebrate this year's most innovative customer solutions.

Innovation Awards Ceremony set for Tuesday, September 30, 2014, 5:00-5:45pm in the LAM Research Theater (Session ID: CON7029)
Join the Community

- Twitter: twitter.com/oracleidm
- Facebook: facebook.com/oracleidm
- Oracle Blogs: Blogs.oracle.com/OracleIDM
- Oracle IdM Website: oracle.com/identity
Further Information

Oracle Privileged Account Manager on Oracle Technology Network:
- Website: http://www.oracle.com/technetwork/middleware/id-mgmt/overview/opam-homepage-1697430.html
- Documentation: http://www.oracle.com/technetwork/middleware/id-mgmt/documentation/index.html
- Software: http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/index.html

Questions? Please contact: olaf.stullich@oracle.com