Managing Privileged Identities in the Cloud. How Privileged Identity Management Evolved to a Service Platform




Contents

Overview
Management Issues
Real-World Example
Use Cases
Choice of Access Methods
About ERPM
Conclusion
About Lieberman Software

Overview

Every cloud infrastructure can be home to potentially hundreds of thousands of vulnerable privileged accounts, present as stale, shared or misconfigured administrative logins; VM and application instances with unchanged, published default logins; and otherwise poorly secured and easily cracked credentials. The presence of automated hacking tools means that even a small number of improperly secured privileged logins are virtually certain to give hackers free rein on the network and access to customers' private data within minutes of an incursion.

Cloud service providers face enormous market pressures to deliver high service availability and consistent data security at an absolute minimum cost. Yet until now privileged accounts and other file-based secrets have proven difficult to secure within large-scale, dynamic cloud service provider networks using human intervention and first-generation software tools. As a result, improperly secured privileged accounts provide an easily exploited attack surface for hackers and malicious insiders. For example, a 2012 Verizon survey [1] of larger organizations that suffered data breaches revealed that 84% of records were stolen as a result of compromised credentials.

Fortunately, new types of automation are being introduced to address the problem of weak and unmanaged privileged credentials present in cloud infrastructures. This whitepaper outlines how privileged identity and sensitive file management is evolving as a platform for lifecycle orchestration in cloud service environments.

Management Issues

Concerns about cloud security are cited as the top roadblock to enterprise adoption, with a recent survey by the Information Systems Audit and Control Association (ISACA) revealing that nearly 7 in 10 US IT professionals believe the risks to cloud services adoption outweigh the potential benefits [2].

Cloud service providers face significant risks from even a single data loss incident, including not only direct remediation and legal costs but also the loss of business resulting from public disclosure. And service providers face a daunting challenge to secure constantly changing physical and virtual IT assets using security methodologies that in some cases were never intended to scale to the size of cloud services networks.

The issues can be especially acute when it comes to securing privileged identities in cloud infrastructure. SANS Institute calls the misuse of these administrative privileges a primary method for attackers to spread inside a target enterprise [3]. And cloud environments are home to vast numbers of rapidly changing privileged accounts present on physical and virtual tiers (Figure 1 below), including:

- Administrative logins on physical and virtual computers (Windows, Linux, UNIX, and others), as well as the privileged logins present in VM hypervisors
- Administrator and Root accounts present in directory services
- Highly privileged service and process accounts used for application-to-application and application-to-database authentication
- Root and Admin accounts present on physical and virtual network security appliances and backup appliances

Figure 1: Privileged Accounts Present on Physical and Virtual Tiers

In general, privileged identities aren't managed by conventional Identity and Access Management (IAM) systems, because unlike conventional user logins, privileged accounts aren't typically provisioned. Instead, privileged accounts frequently appear on the network whenever physical and virtual IT assets are deployed and changed. As a result, privileged credentials must be discovered and continuously tracked by software that's separate from IAM. And, because every shared, static, or cryptographically weak privileged identity represents a potential attack surface, IT regulatory mandates including Critical National Infrastructure mandates, PCI DSS, SOX, HIPAA and others require that these credentials be frequently changed. These privileged passwords must also be cryptographically complex. Access to these passwords must be attributed to named individuals and audited.

Because of the risks introduced by unmanaged privileged identities, industry groups cite the control and auditing of privileged access as an essential cornerstone of effective cloud security. For example, the Controls Matrix (IS-08) published by the Cloud Security Alliance reads, in part [4]: "privileged user access to applications, systems, databases, network configurations, and sensitive data and functions shall be restricted and approved by management prior to access granted."

The provisioning, control and auditing of file-based secrets including certificates, large binary files and other assets can prove a daunting challenge where access lists and even the assets themselves change more rapidly than human intervention can manage.

[1] 2012 Data Breach Investigations Report, Verizon RISK Team, page 26
[2] ISACA 2012 IT Risk/Reward Barometer: North America, www.isaca.org/risk-reward-barometer
[3] Critical Control 12: Controlled Use of Administrative Privileges, http://www.sans.org/critical-security-controls/control.php?id=12

Real-World Example

Lieberman Software has been approached by a US Fortune 100 Cloud Service Provider (CSP) who markets its services to corporate customers, including very large enterprises.
The CSP's network consists of well over one million virtual machines, with requirements for automated secrets management that include the ability to:

- Control all aspects of the privileged identity life cycle using a PowerShell interface
- Immediately deploy, manage and de-provision privileged accounts and file-based secrets (including X.509 and other certificates, and large binary files) regardless of the physical or virtual machine where they reside
- Change privileged credentials in defined groups of systems without service impact
- Programmatically register and manage new service accounts on physical and virtual machines
- Programmatically retrieve credentials to support run-time applications
- Audit and report all service operations through the machine interface

The scope of the CSP's environment is highly elastic, and operational demands have left the organization with a need to build in privileged identity security as part of the provisioning process. Details of the solution that has been deployed to meet the needs of this and other customers are provided in the following section.

[4] https://cloudsecurityalliance.org/research/ccm/

Use Cases

To keep pace with the demands of cloud service and larger enterprise deployments, a new version of Enterprise Random Password Manager (ERPM), the privileged identity management (PIM) solution from Lieberman Software, has evolved from a software application to a service platform. In this new PIM programmatic access model, discovery, auditing and access control are managed by machines instead of direct human intervention. The PIM service platform is designed to interact with datacenter workflow frameworks such as Microsoft System Center Orchestrator and, in the case of the largest datacenters, in-house frameworks.

Basic features of the service architecture include programmatic control of:

- Privileged account discovery and tracking that is both sufficiently broad in platform scope and deep in terms of account discovery (including discovery and tracking of process and service interdependencies to enable safe, automated changes of any interdependent accounts)
- Password change jobs, as needed to comply with regulatory mandates
- Rules for human and machine access
- Ongoing detection and decommissioning of inactive accounts as they are removed

An example implementation consists of two separate interfaces, Web services (SOAP) and PowerShell, that expose all aspects of privileged identity management as an engine to support automation. Figure 2 below shows an example of the SOAP APIs that can interact with the framework.

Figure 2: Example Web Services APIs
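The lifecycle operations that the CSP requirements in the Real-World Example and the service-architecture feature list above describe (discovery that flags stale, default and shared logins, password change jobs that propagate to interdependent services, attributed and audited credential retrieval, and decommissioning of accounts whose assets are gone) can be sketched as one small engine. The Python below is an added example written for this page; it is not Lieberman Software's ERPM code and does not use its PowerShell or SOAP API. The class and method names, the default-login catalogue, the 90-day maximum password age, and the hosts, accounts and services in the inventory are all assumptions constructed for illustration.

```python
"""Toy privileged-identity lifecycle engine: a constructed example, not ERPM code.
Discovery flags default, stale and shared logins; rotation sets a unique random
password and propagates it to dependent services; every operation is audited."""
import secrets
import string
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical catalogue of published default logins (real products ship a far
# larger one) and an assumed 90-day maximum password age taken as the policy.
DEFAULT_LOGINS = {("root", "toor"), ("admin", "admin"), ("Administrator", "Password1")}
MAX_PASSWORD_AGE = timedelta(days=90)
PASSWORD_LENGTH = 24


@dataclass
class PrivilegedAccount:
    host: str
    name: str
    password: str
    last_changed: datetime
    dependents: list = field(default_factory=list)  # services that use this credential


class PimEngine:
    def __init__(self, now):
        self.now = now    # fixed clock keeps the example deterministic
        self.vault = {}   # (host, account name) -> PrivilegedAccount
        self.audit = []   # one dict record per operation

    def _log(self, action, **detail):
        self.audit.append({"time": self.now.isoformat(), "action": action, **detail})

    def discover(self, inventory):
        """Register accounts seen on the network, flag weak ones, retire missing ones."""
        findings, seen = [], set()
        password_use = Counter(acct.password for acct in inventory)
        for acct in inventory:
            key = (acct.host, acct.name)
            seen.add(key)
            self.vault.setdefault(key, acct)  # known accounts keep their vault state
            if (acct.name, acct.password) in DEFAULT_LOGINS:
                findings.append((key, "default-login"))
            elif self.now - acct.last_changed > MAX_PASSWORD_AGE:
                findings.append((key, "stale-password"))
            if password_use[acct.password] > 1:
                findings.append((key, "shared-password"))
        for key in list(self.vault):
            if key not in seen:  # the asset is gone, so decommission its account
                del self.vault[key]
                self._log("decommission", host=key[0], account=key[1])
        self._log("discover", accounts=len(inventory), findings=len(findings))
        return findings

    def rotate(self, host, name):
        """Set a unique random password and push it to every dependent service."""
        acct = self.vault[(host, name)]
        alphabet = string.ascii_letters + string.digits + string.punctuation
        acct.password = "".join(secrets.choice(alphabet) for _ in range(PASSWORD_LENGTH))
        acct.last_changed = self.now
        for service in acct.dependents:
            self._log("propagate", host=host, account=name, service=service)
        self._log("rotate", host=host, account=name)
        return acct.password

    def rotate_weak(self, findings):
        # Password change job over every flagged account, deduplicated by key.
        return {key: self.rotate(*key) for key in {key for key, _ in findings}}

    def checkout(self, host, name, requester, purpose):
        # Every retrieval is attributed to a named requester and a stated purpose.
        self._log("checkout", host=host, account=name, requester=requester, purpose=purpose)
        return self.vault[(host, name)].password


def demo():
    """Run a constructed inventory through discover -> rotate -> checkout -> rediscover."""
    now = datetime(2014, 6, 1, tzinfo=timezone.utc)
    engine = PimEngine(now)
    inventory = [  # constructed sample data
        PrivilegedAccount("web01", "root", "toor", now - timedelta(days=10)),
        PrivilegedAccount("db01", "svc_backup", "Summer2013!", now - timedelta(days=200),
                          dependents=["backup-agent", "nightly-sql-job"]),
        PrivilegedAccount("app01", "Administrator", "Summer2013!", now - timedelta(days=5)),
        PrivilegedAccount("vm02", "admin", "q7$Lm2#xVp9!rT4w", now - timedelta(days=1)),
    ]
    findings = engine.discover(inventory)
    rotated = engine.rotate_weak(findings)
    engine.checkout("db01", "svc_backup", requester="alice", purpose="incident response")
    # vm02 has since been torn down, so the next discovery pass retires its account.
    remaining = [acct for key, acct in engine.vault.items() if key != ("vm02", "admin")]
    return engine, findings, rotated, engine.discover(remaining)


if __name__ == "__main__":
    engine, findings, rotated, second = demo()
    print(f"{len(findings)} findings, {len(rotated)} rotated, {len(engine.audit)} audit records")
```

Two design points carry over to a real deployment. The audit list records who retrieved which credential and why, which is what "attributed to named individuals and audited" requires; in practice that record goes to a tamper-resistant store rather than a list in memory. And rotation only logs a propagate event for each dependent service here, whereas a production engine must actually update the service's stored credential before the old password is retired, or the dependent service fails at its next restart.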

The full life cycle of privileged identity and certificate management has been orchestrated to address the needs of the CSP cited in the Real-World Example above. This evolution marks a change in the way CSPs can embed security into their existing provisioning process to mitigate risks and achieve compliance objectives.

Choice of Access Methods

In addition to new Web services (SOAP) and PowerShell service platform extensions, ERPM provides both a Windows administration console and a Web browser interface to expedite setup and minimize management workloads whenever human oversight is needed. Using purely Windows console and Web browser access, ERPM has proven to be easily managed in enterprise and service provider networks consisting of hundreds of thousands of managed systems.

Among other benefits, the ERPM human interfaces provide real-time, interactive business intelligence reports that can help corporate IT staff quickly identify potentially anomalous human and machine behaviors, IT service management bottlenecks, and similar issues that would be impossible to detect by reviewing log data alone (Figure 3 below).

Figure 3: Business Intelligence Reporting is Part of the ERPM Web Interface

About ERPM

ERPM is the first privileged identity management product that automatically discovers, secures, tracks and audits the privileged account passwords in the cross-platform enterprise. It provides the accountability of showing precisely who has access to sensitive data, at what time and for what stated purpose. By doing so, ERPM helps prevent unauthorized, anonymous access to an organization's most crucial proprietary data.

ERPM secures privileged identities throughout your IT infrastructure, including:

- Super-user login accounts utilized by individuals to change configuration settings, run programs and perform other IT administrative duties
- Service accounts that require privileged login IDs and passwords to run
- Application-to-application passwords used by web services, line-of-business applications and custom software to connect to databases, middleware and more

As this privileged account management product continuously discovers privileged accounts on the network, it regularly changes each account's password to a unique value, deploys the password changes wherever they are used, and grants fast, audited access to authorized IT staff. And ERPM dashboards give you real-time, interactive views of privileged account security everywhere on your network.

ERPM deploys quickly and easily. Customers implement the solution on global networks in days, not months, to lower their cost of ownership and quickly boost IT staff productivity. After deployment, ERPM automatically keeps up with changes on complex, heterogeneous networks without customization, scripting, or added-cost professional services.

Conclusion

Now that solutions have evolved to service platforms that are designed to meet Cloud Service Provider requirements for managing privileged identities, certificates and other file-based secrets in large, elastic environments, a significant operational roadblock is removed that once prevented the largest CSPs from complying with industry and regulatory requirements.

Organizations that desire more insight into the potential risks of unsecured privileged accounts in their IT environments can contact Lieberman Software for an ERPM software trial. ERPM documents potential risks present in the infrastructure, enumerating privileged accounts by hardware platform, account and service type. It then continuously secures privileged accounts everywhere on your network and provides an audit trail of each access request. ERPM trial software is available at no cost to qualified organizations.

- To find out more about ERPM, visit liebsoft.com/erpm
- To request a demonstration of ERPM in your environment, email sales@liebsoft.com
- To request a risk assessment and report, visit liebsoft.com/risk_assessment

About Lieberman Software

Lieberman Software Corporation, established in 1978 as a software consultancy, has been a profitable, management-owned organization since its inception. Lieberman Software pioneered the privileged identity management space by releasing the first product to this market in 2001. Since then, the company has regularly updated and expanded its privileged password management solution set while growing its customer base in this vibrant and emerging market. Lieberman Software now has more than one thousand global customers, including more than 40 percent of the Fortune 50. Lieberman Software is a managed Microsoft Gold Certified Partner, an Oracle Gold Partner and an HP Silver Business Partner. The company has technology integrations with other industry leaders such as Cisco, Dell, RSA, Novell, IBM, Thales, and VMware.

www.liebsoft.com
P 800.829.6263 (USA/Canada)
P (01) 310.550.8575 (Worldwide)
F (01) 310.550.1152
1900 Avenue of the Stars, Suite 425, Los Angeles, CA 90067

2014 Lieberman Software Corporation. Trademarks are the property of their respective owners.