Pulse Comes To You 2009
Privileged Identity Management
Sven-Erik Vestergaard
Certified IT specialist
Security architect IBM Nordic
Agenda
• What is Privileged Identity Management
• Compliance issues
• Steps in controlling Privileged Identity Management
• How to create and maintain compliance
• Q/A
Who cares about privileged identities?
Malicious insiders care…
The problem: 3 of the Top 10 Threats to Enterprise Security are insider related:
• Employee error
• Data stolen by partner/employee
• Insider sabotage
Insider driven fraud costs US enterprises over $600 Billion annually
Identity Governance
Identity Governance covers Entitlement Management, Role Management, Privileged Identity Management, Separation of Duties and Access Certification:
• Separation of Duties: Prevents and detects business-specific conflicts at role or entitlement level
• Privileged Identity Management: Enhanced user administration and monitoring of system or administrator accounts that have elevated privileges
• Access Certification: Ongoing review/validation of access to resources at role or entitlement level
• Entitlement Management: Simplifies access control by administering and enforcing fine-grained authorizations
• Role Management: Process used to manage user access to resources; unlike user provisioning, role management doesn’t grant/remove user access, it sets up a role structure to do it more efficiently
Privileged Identity Management
What is a privileged Identity
• Generic/shared accounts
• Privileged personal accounts
• Application accounts
• Emergency accounts
Special focus for Privileged Identity Management
Must be a part of the Provisioning and Identity lifecycle management
This includes
• Authorization
• Authentication
• Password Management
• Auditing
Agenda
• Compliance issues
Privileged Identity Management
• Lack of accountability – internal solutions not able to ensure 100% accountability for shared or application privileged accounts
• Lack of effective, secure release controls
• Limited implementation of strong inter-application authentication
• Lack of monitoring of privileged activities and enforcement of privileged activity policies
• Lack of change controls
• Lack of consistency in password change policies
• Limited auditing of privileged activities, approval processes, privileged account access requests, privileged password changes, and/or password strength/uniqueness
Agenda
• First steps in controlling Privileged Identity Management
Privileged Identity Management
• Locate, identify, and label privileged identities.
• Apply the appropriate security parameters for access personalization, change, and control.
• Implement a centralized management function or dashboard to monitor processes.
• Regularly audit all privileged identity activity by appropriate internal systems management and external regulatory sources.
Problems with today’s scenario
• Privileged identities are shared
• No audit trail – Joe signed on to the workstation but “administrator” signed on to SAP, for example
• Difficult to manage good practices
• For example, changing passwords frequently requires all sharers to be informed
Shared Privileged ID Account Lifecycle Management in TIM
• Privileged ID accounts in ITIM are flagged and can be enabled for sharing.
• Specific Access Control is required for Privileged IDs via ITIM ACI
• Specific Lifecycle workflows are required for lifecycle change events of shared IDs (Create/Modify/PasswordChange/Suspend/Delete)
• Password Change needs to support privilege sharing
Lifecycle stages: Creation → Assign Owner → Change → Termination
1.1 Create/Configure at End point
1.2 Create/Configure in ITIM (ITIM Admin only; Owner is assigned during creation)
2. Assign Owner via Adoption Rule or other mapping rule (URT code)
3.1 Password Change
3.2 Account Attribute Change
3.3 Revalidation
  • Employment Verification
  • Recertification Policy
4.1 Manual Transfer Request
4.2 Owner Job Change (triggered in Person Modify workflow)
4.3 Employment Termination
Privileged Identity Management in ITIM
Privilege is defined as access: an authorized user is mapped to accounts (user ID, password, and group), where the group controls the access privilege.
Shared Privilege lifecycle management (ITIM+TAM-ESSO)
Flow: Request Access → Access Approval → Access Provisioning (establish an authorization record for privileged access and enable the user for check-out/check-in) → Check Out / Check In → Access Revalidation → Access Termination
• Check out and check in are triggered when the user accesses the native system via TAM-ESSO, once the access is authorized in ITIM
• The user does not have to know the ID/password; it is provided by TAM-ESSO
• Justification may be required based on the privilege type: business justification is required during the access request and at two further points in the flow
• Access Revalidation covers Employment Verification and the Recertification Policy
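The check-out/check-in flow above, as an added example (not code from the deck, ITIM or TAM-ESSO): a small vault that releases a flagged shared ID only to an authorized, named user, requires a business justification for high-privilege account types, rotates the password on check-in, and writes an audit trail that ties the personal identity to the shared ID. Account names, privilege types and users are constructed.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class SharedAccount:          # a flagged shared privileged ID (constructed model)
    name: str                 # e.g. "administrator"
    system: str               # e.g. "SAP"
    privilege_type: str       # "standard" or "high" (constructed taxonomy)
    password: str
    authorized_users: set     # personal IDs authorized in ITIM for this shared ID
    checked_out_by: Optional[str] = None

class PrivilegedVault:
    """Check-out/check-in broker: the personal user never handles the secret."""

    def __init__(self):
        self.accounts = {}
        self.audit = []       # rows of (event, personal user, shared-id@system, detail)

    def register(self, acct):
        self.accounts[(acct.name, acct.system)] = acct

    def check_out(self, user, name, system, justification=""):
        acct = self.accounts[(name, system)]
        if user not in acct.authorized_users:
            self._log("DENY_CHECKOUT", user, acct, "not authorized")
            raise PermissionError(f"{user} may not use {name}@{system}")
        if acct.privilege_type == "high" and not justification.strip():
            self._log("DENY_CHECKOUT", user, acct, "business justification missing")
            raise ValueError("business justification required for high privilege")
        if acct.checked_out_by is not None:
            self._log("DENY_CHECKOUT", user, acct, f"held by {acct.checked_out_by}")
            raise RuntimeError("shared ID is already checked out")
        acct.checked_out_by = user
        self._log("CHECKOUT", user, acct, justification)
        return acct.password  # handed to the SSO agent, not displayed to the user

    def check_in(self, user, name, system):
        acct = self.accounts[(name, system)]
        if acct.checked_out_by != user:
            raise PermissionError("only the current holder can check in")
        acct.password = secrets.token_urlsafe(16)  # rotate: the released secret dies
        acct.checked_out_by = None
        self._log("CHECKIN", user, acct, "password rotated")

    def _log(self, event, user, acct, detail):
        # The audit row answers "who really used the administrator ID on SAP?"
        self.audit.append((event, user, f"{acct.name}@{acct.system}", detail))
```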
Shared privilege identity management – Solution provided through services
Shared privileged access is provided through shared privileged services: the accounts (user ID, password, and the group that controls the access privilege) are flagged as shared privileged accounts and made available to authorized users.
Agenda
• How to create and maintain compliance
After Log Capture, Translation is Next
Log sources: Windows, z/OS, AIX, Oracle, SAP, ISS, FireWall-1, Exchange, IIS, Solaris
Comprehending each source today takes its own specialist: a Windows expert, z/OS expert, AIX expert, Oracle expert, SAP expert, ISS expert, FireWall-1 expert, Exchange expert, IIS expert and Solaris expert.
Now all Logs in Your Enterprise in a Single Language
TCIM saves your information security and compliance staff time and money by automating monitoring across the enterprise.
Translate logs to “English”: TCIM “W7” sits between the log sources (Windows, z/OS, AIX, Oracle, SAP, ISS, FireWall-1, Exchange, IIS, Solaris) and the people who must comprehend them.
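The capture-then-translate step on the two slides above, as an added example that is not TCIM code: per-platform “expert” parsers turn two constructed log lines (a Windows-style logon record and an AIX-style su record) into one common record, after which a single rule finds privileged-ID use across both platforms. The field set used here (who, what, when, where, where from, where to, on what) is an assumption about W7; the line formats, hostnames and the 2009 year for the syslog line are constructed.

```python
import re
from datetime import datetime

# Constructed sample lines, one per platform; the formats are illustrative only.
WINDOWS_LINE = "2009-03-12T08:15:02 SRV01 Security 4624 User=DOMAIN\\joe Src=10.0.0.5 Logon=Interactive"
AIX_LINE = "Mar 12 08:16:40 aix01 su: joe to root on /dev/pts/3"

W7_FIELDS = ("who", "what", "when", "where", "where_from", "where_to", "on_what")

def windows_expert(line):
    """Windows expert: understands the constructed security-log layout."""
    m = re.match(r"(\S+) (\S+) Security (\d+) User=(\S+) Src=(\S+) Logon=(\S+)$", line)
    if not m:
        return None
    when, host, event_id, user, src, logon = m.groups()
    return {"who": user, "what": f"logon/{logon.lower()}", "when": datetime.fromisoformat(when),
            "where": host, "where_from": src, "where_to": host, "on_what": f"event-{event_id}"}

def aix_expert(line):
    """AIX expert: understands the constructed syslog-style su record (year assumed 2009)."""
    m = re.match(r"(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) su: (\S+) to (\S+) on (\S+)$", line)
    if not m:
        return None
    when, host, user, target, tty = m.groups()
    return {"who": user, "what": "switch-user", "when": datetime.strptime("2009 " + when, "%Y %b %d %H:%M:%S"),
            "where": host, "where_from": tty, "where_to": host, "on_what": target}

EXPERTS = (windows_expert, aix_expert)

def normalize(lines):
    """Run each line through the experts until one comprehends it; keep the rest as raw."""
    records = []
    for line in lines:
        for expert in EXPERTS:
            rec = expert(line)
            if rec is not None:
                assert set(rec) == set(W7_FIELDS)   # every expert emits the same language
                records.append(rec)
                break
        else:
            records.append({"who": None, "what": "unparsed", "raw": line})
    return records

def privileged_activity(records, privileged_ids=("root", "administrator")):
    """Once everything speaks one language, one rule finds privileged-ID use on any platform."""
    return [r for r in records if r.get("on_what") in privileged_ids]
```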
Quick Drill-down: Policy Exceptions, Special Attentions, Failures, Trends
Reporting DBs, Aggregation DBs
Enterprise Overview, Reports Distribution, Self-audit, Demonstrate Compliance
Event Detail
An Event Detail Report: even drill down into that specific event and see all the event details, and we can even go to the raw log file
Key Solution Functions
• Centralized web-based management of Privileged IDs
  • Provisioning
  • Access management – who can access
  • Change password
  • Password reset
  • De-provisioning
  • Approval workflows
• Single Sign-on with Real-time Privileged ID Access Control
  • On demand check-in/check-out and verification of Privileged IDs
  • Single sign on to all systems with Privileged ID
  • Easy on boarding of applications through visual profiling
• Comprehensive audit trail and reporting
  • Logs for password provisioning, change, reset, de-provisioning
  • Logs for check in/check out, cross-referenced by user and application
Putting it all together – Privileged Identity Management Solutions
• Leverage your IAM infrastructure
  • Approval workflows
  • Ensure password management / regular password changes
  • Centralized ID management and password management and password store improves overall control and security
  • Password reset
  • Tivoli Identity Manager helps here
• Exploit your SSO infrastructure
  • Utilise check-in/check-out
  • Single sign-on of all privileged IDs
  • TAM ESSO helps here
• Access control
  • Limit the rights of privileged users
  • TAMOS helps here
• Leverage your SIM infrastructure
  • Audit real user access
  • Audit privileged identity access
  • Correlate and report
  • TCIM helps here
IBM Tivoli Identity, Access, and Audit Management Suite provides a complete solution for cost effective privileged identity management
Stages: Enroll & Proof Users; Define Controls; Issue & Manage User Rights; Enforce Access Control; Monitor, Audit, Report
Products in the suite: Tivoli Security Policy Manager; Tivoli Identity Manager; Tivoli zSecure Family; IBM Entity Analytics; IBM RACF; Tivoli Access Manager for Operating Systems; Tivoli Access Manager for Enterprise Single Sign On; Tivoli Federated Identity Manager; Tivoli Compliance Insight Manager