Post on 26-Feb-2016
Privileged Account Management
Jason Fehrenbach, Product Manager
Customer Use Cases - Introduction
• A US-based Natural Gas and Electric company serving multiple states
• Project Requirements
– Only grant access to shared administrative accounts with pre-approval based on established policy
– Need to provide ‘firecall’ functionality
– Needed to delegate administrative access for Separation of Duty (SoD)
– Required logging of Windows administrator activity
– Needed to consolidate Unix identities into Active Directory to streamline provisioning, password management and privileged account management
Customer Use Cases - Introduction
• A global leader in payment processing
• Project Requirements
– Needed to centralize accounts and get control over passwords and user lifecycles
– Needed to replace NIS and provide centralized authentication
– Needed to restrict and audit what users could do but at the same time provide for users to carry on with their day-to-day jobs
– Needed to provide controls around shared administrative passwords
– Needed to rotate administrative account passwords regularly
– Needed to correlate and audit administrative activity with the actual end user
PAM Sub-Categories
Privileges: Delegation, Privilege Sessions, Shared Passwords, AD Bridge
Platforms: Operating Systems
Use Case – Utility Company
• Needed to consolidate Unix identities into Active Directory to streamline provisioning, password management and privileged account management
Use Case - Payment Processing
• Needed to centralize accounts and get control over passwords and user lifecycles
• Needed to replace NIS and provide centralized authentication
PAM Sub-Categories
Use Case – Utility Company
• Only grant access to shared administrative accounts with pre-approval based on established policy
• Need to provide ‘firecall’ functionality
Use Case - Payment Processing
• Needed to provide controls around shared administrative accounts
• Needed to rotate administrative account passwords regularly
Privileges: Privilege Sessions, Shared Passwords, AD Bridge
Platforms: Operating Systems, Network Devices, Databases, Applications
PAM Sub-Categories
Protocols: RDP, VNC, SSH, Telnet, HTTP, HTTPS
Use Case – Utility Company
• Required logging of Windows administrator activity
Platforms: Operating Systems
Use Case – Utility Company
• Needed to provide fine-grained delegation of administrative (root) access for Separation of Duty (SoD)
Use Case - Payment Processing
• Needed to restrict and audit what users could do but at the same time provide for users to carry on with their day-to-day jobs
• Needed to correlate and audit administrative activity with the actual end-user
Unix Delegation: Problem Statement
How do I allow users to perform elevated tasks on Unix without losing control of the root password?
• Pair a password vault with a delegation solution
Common delegation solutions
• Native OS solutions (RBAC implementations)
• The open source Sudo project
• The Commercial Unix Security space
What did we discover?
• Commercial 3rd-party solutions: ~3,000 customers
• Native OS options (sudo): Linux 7.5M servers, Unix 2.8M servers, Mac 2.0M servers
• No focus on this segment!
Result? Companies would:
• Purchase a PAM solution only for their highest-risk machines
• Hate having to re-train admins & help desk staff on a new syntax
• “Bend” sudo in crazy ways
Sudo v1.7 and earlier
Field Feedback: Common Pain and Trends
• How do I easily provide access control reports?
• How do I deal with sudoers? How to manage it, distribute it, etc.
• How do I enable central keystroke logging?
• How do I know what is going on across lots of systems?
• How do I provide more fine-grained control in the policy?
PRIVILEGES
Privilege Sessions
Shared Passwords
Delegation
AD Bridge
Sudo v1.8 and the new plug-in API
Example architecture using plug-in API
Example pain points that the plug-in API can assist with
• Sudo Reporting: Access Control Report, Event Activity, Commands run, Policy changes
• Deployment: Preflight and sudo plug-in installation
• Policy Management: Editor, Versioning, Rollback
• Keystroke Logging: Search, Playback
• Separation of Duty
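The first pain point on this slide and in the field feedback above (an access control report generated from sudoers) is the kind of analysis the plug-in API is meant to enable. As an added example that is not part of the original deck or of any Quest or sudo code, the script below parses a small, constructed sudoers-style policy (aliases, user and group specs, the NOPASSWD tag only), expands the aliases, and produces a per-principal report that flags root-equivalent grants; the sample policy, the principals and the commands in it are made up.

```python
# Constructed example, not sudo's own parser: builds an access-control report
# from a sudoers-style policy (aliases, user/group specs and NOPASSWD only).
import re
from collections import defaultdict

SAMPLE_SUDOERS = """# constructed sample policy
Cmnd_Alias SERVICES = /usr/sbin/service, /bin/systemctl
Cmnd_Alias SHELLS = /bin/sh, /bin/bash
User_Alias OPS = alice, bob
OPS ALL = (root) SERVICES
%dba ALL = (oracle) NOPASSWD: /usr/bin/sqlplus
carol ALL = (ALL) ALL
dave ALL = (root) SHELLS, /usr/bin/vim
"""

def parse_sudoers(text):
    """Return (aliases, rules); each rule is a dict with who/runas/nopasswd/cmds."""
    aliases = {"Cmnd_Alias": {}, "User_Alias": {}}
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(Cmnd_Alias|User_Alias)\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)][m.group(2)] = [c.strip() for c in m.group(3).split(",")]
            continue
        m = re.match(r"(\S+)\s+\S+\s*=\s*(?:\((\S+)\)\s*)?(NOPASSWD:\s*)?(.+)", line)
        if not m:
            raise ValueError("unsupported line: " + line)
        who, runas, tag, cmds = m.groups()
        rules.append({"who": who, "runas": runas or "root", "nopasswd": bool(tag),
                      "cmds": [c.strip() for c in cmds.split(",")]})
    return aliases, rules

def expand(items, table):
    """Replace alias names with their members (the sample nests one level)."""
    return [member for item in items for member in table.get(item, [item])]

def access_report(text):
    """Map each user/group to its effective commands; ALL or a shell is flagged as unrestricted."""
    aliases, rules = parse_sudoers(text)
    report = defaultdict(lambda: {"cmds": set(), "nopasswd": False, "unrestricted": False})
    for r in rules:
        cmds = expand(r["cmds"], aliases["Cmnd_Alias"])
        for who in expand([r["who"]], aliases["User_Alias"]):
            entry = report[who]
            entry["cmds"].update(cmds)
            entry["nopasswd"] |= r["nopasswd"]
            entry["unrestricted"] |= "ALL" in cmds or any(c.endswith(("/sh", "/bash")) for c in cmds)
    return dict(report)
```

A production report would also resolve group membership from the directory and flag editors and pagers that permit shell escapes; both are left out here to keep the parser small.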
SUDO v2.0: Design Phase
• http://www.sudo.ws/sudo/sudo-rbac.html (April 12, 2012)
• New security policy format, designed for the needs of the enterprise
• Include an API to support analysis and reporting tools
• Support grouping of commands and options in logical units
• Facilitate management of sudoers by multiple stake-holders
• Time-based policy rules
• Data source plug-ins
©2011 Quest Software, Inc. All rights reserved.
Complete Identity & Access Management: Identity Administration (Simplify Account Management), Access Governance (Manage Access to Business Critical Information), Privileged Account Management (Understand & Control Administrator Activity), User Activity Monitoring (Audit User Activity)
Thank You