AWS Privileged Access Management

Post on 20-May-2020

Page 1: AWS Privileged Access Management - Cloud Object StorageAWS+Meetup.pdf · • Continuous monitoring and Preventive Controls are essential to protect cloud infrastructure from cyber

AWS Privileged Access Management

Page 2

Easy, but is it Secure?

It’s “easy” to spin up workloads, get code deployed and stand up a working environment. It’s EASIER to create an insecure environment and lose control with higher costs.

Page 3

Why typical “PAM” solutions may not help you in the cloud…

Vaulting access is only solving a shared password/key problem, and not:

• Providing easy access to request temporary privileges to sensitive accounts/workloads/data

• Auto assign elevated privileges based on approved time window, especially integrated with existing tools like ServiceNow

• Tracking AccountID rotation is a problem for SIEM, log analysis

• Giving you painless audit reports and certification of privileged activity

Page 4

Shared Responsibility Model of AWS

Source : https://aws.amazon.com/compliance/shared-responsibility-model/

Page 5

Visibility Challenge – Infrastructure as Code

<keyName>my-key-pair</keyName>
<amiLaunchIndex>0</amiLaunchIndex>
<productCodes/>
<instanceType>c1.medium</instanceType>
<launchTime>YYYY-MM-DDTHH:MM:SS+0000</launchTime>
<placement>
  <availabilityZone>us-west-2a</availabilityZone>
  <groupName/>
  <tenancy>default</tenancy>
</placement>
<platform>windows</platform>
<monitoring>
  <state>disabled</state>
</monitoring>
<subnetId>subnet-1a2b3c4d</subnetId>
<vpcId>vpc-1a2b3c4d</vpcId>
<privateIpAddress>10.0.0.12</privateIpAddress>
<ipAddress>46.51.219.63</ipAddress>
<sourceDestCheck>true</sourceDestCheck>
<groupSet>
  <item>
    <groupId>sg-1a2b3c4d</groupId>
    <groupName>my-security-group</groupName>
  </item>
</groupSet>
<architecture>x86_64</architecture>
<rootDeviceType>ebs</rootDeviceType>
<rootDeviceName>/dev/sda1</rootDeviceName>
<blockDeviceMapping>
  <item>
    <deviceName>/dev/sda1</deviceName>
    <ebs>
      <volumeId>vol-1a2b3c4d</volumeId>
      <status>attached</status>
      <attachTime>YYYY-MM-DDTHH:MM:SS.SSSZ</attachTime>
      <deleteOnTermination>true</deleteOnTermination>
    </ebs>
  </item>

[Figure: Enterprise Servers vs. VMs in AWS/Azure]

Page 6

Visibility – Multiple Environments

“Reducing the Blast Radius” is important, leading to multiple Infrastructure environments

“Multiple Environments” in turn need clear separation of roles/permissions, which often gets ignored

• API key exposure - 8 hrs

• Default configs – 24 hrs

• Security grps – 24 hrs

• Escalation of priv – 5 days

• Known vuln – 8 hrs

Page 7

Challenge of High Velocity and adding security controls to devOps and CI/CD processes

CI/CD Processes are fast; Security controls are not

Imperative to introduce Security Controls in CI/CD processes with high speed and delivery

Source: https://agilityerp.com/wp-content/uploads/2014/01/DevOps-enables-business-agility-adaptive-IT-Venn.png

Page 8

Access Challenges – Evolving , Constant Churn

Azure

• Two Portals (Management (Classic) and Preview); one supports the RBAC model, the other does not

• No native support for managing and monitoring Privileged Access

AWS

• Access assigned via Policies (Code - JSON Objects)

• Supports multiple types of policies (Resource, Inline and IAM)

• Access Management is very basic. No user, role or policy lifecycle management

• No native support for managing and monitoring Privileged Access

Page 9

Challenge of Usage and Monitoring

Volume (millions of records/day across AWS accounts and Azure Subscriptions) = petabytes of data

Types (7 different log categories just for Security Monitoring in AWS)

Aggregation, Retrieval and deriving “meaningful information” requires multiple integration components, solid engineering and usage of big-data technologies

Page 10

AWS Privileged Access Use Cases

Page 11

Assume Role command run from Command Line Interface

User Sagar performing Assume Role and giving the session name as test123

Page 12

Events shown in CloudTrail of AWS

CloudTrail events showing that test123 performed actions such as DeleteUser and CreateUser. In reality they were performed by Sagar using the session name test123.

Page 13

Assumed Role Logs Correlation

Challenges

- User defined Role Session Name

- Access Keys rotated by AWS after regular intervals

Page 14

Federated User – Logs Correlation

Federated user SAVIYNTCLOUD\Administrator with email id: [email protected] logs in and selects the role ADFS-Dev

Page 15

Federated User – Logs Correlation

Federated user [email protected] assumes role and performs an event DeleteUser

Page 16

Federated Use Case

Federated user [email protected] performs an event CreateUser

Page 17

Federated Use Case

Federated user SAVIYNTCLOUD\Administrator with email id: [email protected] signed in to the AWS console

Page 18

Cross Account Command Line Interface (CLI) Use Case

IAM user Rashmibhupal assumes cross account Role SaviyntAWSRole (accountId: 368698334588) with session name johndoe from CLI

Page 19

Cross Account CLI Use Case

IAM user Rashmibhupal assumes cross account Role SaviyntAWSRole (accountId: 368698334588) with session name johndoe and performs event CreateUser from CLI

Page 20

Cross Account CLI Use Case

IAM user Rashmibhupal assumes cross account Role SaviyntAWSRole (accountId: 368698334588) with session name johndoe and performs event CreateInstance from CLI

Page 21

Federated Use Case

Federated user [email protected] performs an event CreateInstance

Page 22

Federated FireFighter Use Case

Federated user [email protected] assumes a FireFighter Role Saviynt-SaviyntSuperAdministrator-6UNP1H2JPILG

Page 23

Federated Fire Fighter Use Case

Federated user [email protected] assumes Fire Fighter Role SaviyntSuperAdmnistrator and performs an event TerminateInstance

Page 24

Correlation of CloudTrail Logs for AWS CLI Operations

Challenges

• CLI operations

Page 25

CLI Use Case

IAM user Rashmibhupal assumes Fire Fighter Role SaviyntSuperAdmnistrator with session name vibhutisinha and performs event CreateInstance from CLI
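The correlation problem that pages 11 to 25 illustrate, worked as an added example that is not part of the deck or of Saviynt's product: the caller-chosen role session name (test123, johndoe, vibhutisinha) is not an identity, and the temporary access key changes on every AssumeRole, so each action is joined to the STS call that issued its key. The CloudTrail records are constructed and trimmed to the fields the join needs; the account id, ARNs, key ids and the federated NameID are placeholders.

```python
"""Tie CloudTrail actions taken under an assumed role back to the identity that
called AssumeRole / AssumeRoleWithSAML, joining on the temporary access key id
rather than the caller-chosen role session name. Added example, not code from the
deck or from Saviynt; records are constructed and ids are placeholders."""
ACCT = "111111111111"  # placeholder account id

def role_arn(role, session):
    return f"arn:aws:sts::{ACCT}:assumed-role/{role}/{session}"

def sts_event(caller, key_id, role, session, name="AssumeRole"):
    """Constructed STS record: who called, and which temporary key they got."""
    return {"eventSource": "sts.amazonaws.com", "eventName": name, "userIdentity": caller,
            "responseElements": {"credentials": {"accessKeyId": key_id},
                                 "assumedRoleUser": {"arn": role_arn(role, session)}}}

def role_event(key_id, role, session, name, source):
    """Constructed record of an action performed with the temporary key."""
    return {"eventSource": source, "eventName": name,
            "userIdentity": {"type": "AssumedRole", "accessKeyId": key_id,
                             "arn": role_arn(role, session)}}

SAGAR = {"type": "IAMUser", "userName": "Sagar", "accountId": ACCT}
FED = {"type": "SAMLUser", "userName": "administrator@example.com"}  # placeholder NameID
EVENTS = [
    sts_event(SAGAR, "ASIAEXAMPLEKEY00001", "Admin", "test123"),
    role_event("ASIAEXAMPLEKEY00001", "Admin", "test123", "DeleteUser", "iam.amazonaws.com"),
    # A fresh AssumeRole later: the key rotates, the session name does not.
    sts_event(SAGAR, "ASIAEXAMPLEKEY00002", "Admin", "test123"),
    role_event("ASIAEXAMPLEKEY00002", "Admin", "test123", "CreateUser", "iam.amazonaws.com"),
    sts_event(FED, "ASIAEXAMPLEKEY00003", "ADFS-Dev", FED["userName"], "AssumeRoleWithSAML"),
    role_event("ASIAEXAMPLEKEY00003", "ADFS-Dev", FED["userName"], "TerminateInstances", "ec2.amazonaws.com"),
    # Key issued before this log window: no STS record to join against.
    role_event("ASIAEXAMPLEKEY00009", "Admin", "test123", "CreateUser", "iam.amazonaws.com"),
]

def index_sessions(events):
    """Map each temporary access key id to the identity that obtained it."""
    issued = {}
    for e in events:
        if e["eventSource"] == "sts.amazonaws.com" and e["eventName"].startswith("AssumeRole"):
            ident = e["userIdentity"]
            issued[e["responseElements"]["credentials"]["accessKeyId"]] = f'{ident["type"]}:{ident["userName"]}'
    return issued

def attribute(events):
    """Return (eventName, roleSessionName, real caller) for every assumed-role action."""
    issued = index_sessions(events)
    rows = []
    for e in events:
        ident = e["userIdentity"]
        if e["eventSource"] == "sts.amazonaws.com" or ident.get("type") != "AssumedRole":
            continue
        session = ident["arn"].rsplit("/", 1)[1]
        rows.append((e["eventName"], session, issued.get(ident["accessKeyId"], "UNATTRIBUTED")))
    return rows
```

An action whose key was issued outside the retained log window stays UNATTRIBUTED, which is why the STS events must be kept at least as long as the actions they explain.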

Page 26

Best Practices

Cloud security is not only securing the Cloud and cannot be done in a silo. Enterprise Risk factoring is critical

Tying Identity and access information to the infrastructure components is critical for completeness of infrastructure security

Preventive controls are key

Secure devOps, CI/CD processes

Avoid asterisks in your Access Policies
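What "avoid asterisks in your access policies" means in practice, as an added example that is not Saviynt code or the deck's own material: a check that flags Allow statements granting through a wildcard action or resource, run against a constructed over-broad policy and a constructed scoped one. It does not handle NotAction / NotResource.

```python
"""Flag wildcard ("asterisk") grants in an IAM policy document, for the
"Avoid asterisks in your Access Policies" point. Added example, not Saviynt
code; both policy documents are constructed. NotAction / NotResource are not handled."""

# Constructed: the shape of policy the deck warns against.
OVERLY_BROAD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"},
    ],
}

# Constructed: the same intent scoped to named actions and resources; the
# wildcard Deny is fine because it removes access rather than granting it.
SCOPED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:GetUser", "iam:ListAccessKeys"],
         "Resource": "arn:aws:iam::111111111111:user/${aws:username}"},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def wildcard_findings(policy):
    """Return (statement index, severity, reason) for each Allow statement
    that grants through an asterisk. Deny statements are skipped."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        service_wide = [a for a in actions if a.endswith(":*")]
        if "*" in actions:
            findings.append((i, "HIGH", "Action * (all services)"
                             + (" on Resource *" if "*" in resources else "")))
        elif service_wide:
            findings.append((i, "HIGH" if "*" in resources else "MEDIUM",
                             "service-wide actions: " + ", ".join(service_wide)))
        elif "*" in resources:
            findings.append((i, "LOW", "named actions on Resource *"))
    return findings
```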

Page 27

The need for IaaS Security Management

SAVIYNT INFRASTRUCTURE SECURITY MANAGEMENT

• 100+ Risk Controls Library

• Near real-time Preventive

Workload Security

• DevSecOps & Secure

CI/CD

• Entity Life-cycle

Management

• Privilege Access

Governance

• User Behavior Analytics

• Continuous monitoring and Preventive Controls are essential to protect cloud infrastructure from cyber attacks. However, gaining this visibility needs correlation of at least 5 different sources

• Compromise of one privileged account is enough to bring down the entire cloud infrastructure. Managing these “keys to the kingdom” is paramount

• Managing IAM entities is complex and involves entities such as VPCs, subnets, DBs, data objects, etc. Simplifying IAM processes that link these entities to enterprise systems (HRMS, DLP etc.) is key for a successful hybrid IT

• Security controls and automated remediation are critical to “Get Compliant” and “Stay Compliant”

Page 28

Saviynt provides comprehensive IaaS Security Management and Identity Governance capabilities

1. Discover risks and detect policy violations

• 80+ risk signatures and ‘actionable’ security controls ranging from AWS resource security, key management, IAM users’ access, data security policies, network / security configuration, DevOps policies, etc.

• Dashboard for AWS command and control

2. Near Real-time protection of AWS / DevOps resources & S3 data

• Real-time identification & notification of policy violations, activities and events

• Preventive protection of AWS & DevOps resources, e.g. stop rogue workloads from being provisioned, access escalation, modifications to roles; de-provision vulnerable workloads, etc.

3. Manage Privilege Access and Roles

• Self-service request for emergency or privilege access with time-bound provisioning & multi-level approvals

• Integrated Session recording and activity certification

• Account ownership management (with federation support)

4. Integrated behavioral analytics

• Leverage peer group analysis, behavioral deviations, event rarity, volume / frequency spikes, geolocation, threat intelligence that spans across enterprise and cloud to detect anomalies in real-time and perform automatic remediation

• Comprehensive continuous controls monitoring with built-in best practice controls

Page 29

From Discovery to Management, Saviynt offers end to end security for IaaS providers

[Architecture diagram; labels recovered from the slide, grouped as they appear:]

Stages: Discover, Analyze, Protect, Manage

Access Request / Review; Access Provisioning; Continuous Controls Monitoring; Reporting Dashboards; User Behavior Analytics

Findings: Insecure / Misconfigured

API-based Connectors for IaaS & DevOps Tools; IAM Users, Access Policies, Configuration Objects; Unstructured Data; Audit & Usage Logs

80+ Risk Signatures; Risk Intelligence; Peer Group Analytics; Access Policy / Configuration Analysis; Data Classification

Near Real-time Preventive Security; Review / Approve Access; Infrastructure Access Policies (RBAC / ABAC); Privilege Access Management / Governance; Segregation of Duty rules

Ecosystem: AWS IAM, EBS, S3, EC2, RDS, ELB; Chef, Puppet (DevOps); CloudTrail, CloudWatch, AWS Config / SNS, AWS APIs, DevOps logs, VPC flow logs

Page 30

AWS Security and Identity Management features in detail…

SOD MANAGEMENT & CONTROLS LIBRARY

o 200+ security and SOD controls embedded within Security Manager platform

o Integrated with online Controls Exchange for contribution from customers and partners

o Cross application, business & technical SOD evaluation

o Investigation workbench, remediation Impact Analysis

DATA ACCESS GOVERNANCE*

o Discover ‘where your critical data is’, identify ‘who has access to it’ and ‘who are the privilege users’

o Near real-time protection includes quarantine, encryption, etc.

o S3 buckets with Sensitive Content (tagged using Content Type, Org Based Policies etc.) monitoring

SECURITY INTELLIGENCE

o Peer comparison and behavior analysis to detect unknown threats

o Interactive drag and drop Link Analysis for rapid investigation on high risk events

o Prioritized, real-time risk dashboards for actionable investigations

o Geo IP intelligence to perform traffic analysis

o Controls reporting mapped to PCI, FedRAMP, HIPAA, etc.

PRIVILEGE ACCESS GOVERNANCE

o Identify privilege accounts (operational, service, shared) across various instances and manage ownership – request, create / update / delete, review / certify

o Monitor access modification activities performed by privilege access

o Monitor privilege account activity for suspicious behavior, event rarity and take corrective actions

ACCESS REQUEST & CERTIFICATION

o Easy shopping cart based approach to request access for service / privilege accounts, certs, etc.

o Access recommendations / certification decisions empowered via usage activity, peer requests, business policies / attributes

o Risk-based access certification (periodic / event based – transfers, outliers, etc.)

AWS RESOURCE PROTECTION

o Near real-time detection of events and activities that violate security policies and resource baselines

o Preventive protection of AWS & DevOps resources, e.g. stop rogue workloads from being provisioned, access escalation, modifications to roles; de-provision vulnerable workloads, etc.

* Planned

Page 31

Identify risks with comprehensive Saviynt risk signatures

100+ security controls to identify risks in IaaS environment spanning across resources, IAM users, audit events, etc.

Violation events:

Drilldown dashboards with actionable controls:

Page 32

Protect “keys to the kingdom” with effective privileged access monitoring and governance

Self-service, time-bound (checkout / check-in) and multi-level approval workflow for AWS privileged access / role across multiple AWS accounts

Session recording of privileged activity and correlation of temporary access keys to actual identity

Launch automatic certification of privileged activity

Perform behavioral analytics to identify suspicious privileged activity


Page 33

Saviynt Security Analyzer for AWS - FREE for one AWS Account

Page 34

Thank You