AWS Privileged Access Management (transcript of the slide deck aws+meetup.pdf)

Easy, but is it Secure?
It's "easy" to spin up workloads, get code deployed and stand up a working environment. It's EASIER to create an insecure environment and lose control with higher costs.
Why typical “PAM” solutions may not help you in the cloud…
Vaulting access is only solving a shared password/key problem, and not:
• Providing easy access to request temporary privileges to sensitive accounts/workloads/data
• Auto-assigning elevated privileges based on an approved time window, especially integrated with existing tools like ServiceNow
• Tracking AccountID rotation, which is a problem for SIEM and log analysis
• Giving you painless audit reports and certification of privileged activity
Shared Responsibility Model of AWS
Source: https://aws.amazon.com/compliance/shared-responsibility-model/
Visibility Challenge – Infrastructure as Code
(Slide graphic: an excerpt of an EC2 DescribeInstances-style XML response for one instance (key pair, instance type, placement, subnet/VPC, private and public IP, security group, root EBS volume), set against the labels "Enterprise Servers" and "VMs in AWS/Azure".)
Visibility – Multiple Environments
"Reducing the Blast Radius" is important, leading to multiple infrastructure environments
"Multiple Environments" in turn need clear separation of roles/permissions, which often gets ignored
• API key exposure – 8 hrs
• Default configs – 24 hrs
• Security grps – 24 hrs
• Escalation of priv – 5 days
• Known vuln – 8 hrs
Challenge of High Velocity and adding security controls to devOps and CI/CD processes
CI/CD Processes are fast; Security controls are not
It is imperative to introduce security controls into CI/CD processes while keeping their high speed of delivery
Source: https://agilityerp.com/wp-content/uploads/2014/01/DevOps-enables-business-agility-adaptive-IT-Venn.png
Access Challenges – Evolving , Constant Churn
Azure: Two portals (Management (Classic) and Preview). One supports the RBAC model, the other does not. No native support for managing and monitoring privileged access.
AWS: Access assigned via policies (code – JSON objects). Supports multiple types of policies (Resource, Inline and IAM). Access management is very basic: no user, role or policy lifecycle management. No native support for managing and monitoring privileged access.
Challenge of Usage and Monitoring
Volume (millions of records/day across AWS accounts and Azure subscriptions) = petabytes of data
Types (7 different log categories just for security monitoring in AWS)
Aggregation, retrieval and deriving "meaningful information" requires multiple integration components, solid engineering and usage of big-data technologies
AWS Privileged Access Use Cases
Assume Role command run from the Command Line Interface
User Sagar performs AssumeRole and gives the session name as test123
Events shown in AWS CloudTrail
CloudTrail events show that test123 performed actions such as DeleteUser and CreateUser. In reality they were performed by Sagar using the session name test123
Assumed Role Logs Correlation
Challenges
- User-defined Role Session Name
- Access Keys rotated by AWS after regular intervals
Federated User – Logs Correlation
Federated user SAVIYNTCLOUD\Administrator with email id [email protected] logs in and selects the role ADFS-Dev
Federated User – Logs Correlation
Federated user [email protected] assumes the role and performs an event DeleteUser
Federated Use Case
Federated user SAVIYNTCLOUD\Administrator with email id [email protected] signed in to the AWS console
Cross Account Command Line Interface (CLI) Use Case
IAM user Rashmibhupal assumes cross-account role SaviyntAWSRole (accountId: 368698334588) with session name johndoe from the CLI
Cross Account CLI Use Case
IAM user Rashmibhupal assumes cross-account role SaviyntAWSRole (accountId: 368698334588) with session name johndoe and performs event CreateUser from the CLI
Cross Account CLI Use Case
IAM user Rashmibhupal assumes cross-account role SaviyntAWSRole (accountId: 368698334588) with session name johndoe and performs event CreateInstance from the CLI
Federated FireFighter Use Case
Federated user [email protected] assumes a FireFighter role Saviynt-SaviyntSuperAdministrator-6UNP1H2JPILG
Federated Fire Fighter Use Case
Federated user [email protected] assumes Fire Fighter role SaviyntSuperAdministrator and performs an event TerminateInstance
Correlation of CloudTrail Logs for AWS CLI Operations
Challenges
• CLI operations
CLI Use Case
IAM user Rashmibhupal assumes Fire Fighter role SaviyntSuperAdministrator with session name vibhutisinha and performs event CreateInstance from the CLI
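The correlation problem behind the assumed-role, cross-account and CLI use cases above is the same: later CloudTrail events name only the role session, and the session name is chosen by the caller. The following is an added example written for this transcript (not Saviynt's code) that joins the temporary access key issued in the AssumeRole record to the events made with it; the sample records are constructed, and the key IDs and calling account number are made up.

```python
# Constructed sample CloudTrail records modelled on the cross-account CLI use case on this
# page (IAM user Rashmibhupal assumes SaviyntAWSRole with session name johndoe). The key
# IDs and the calling account number are made up for the example.
SAMPLE_EVENTS = [
    {   # AssumeRole as recorded by CloudTrail: userIdentity is still the real IAM user
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/Rashmibhupal"},
        "requestParameters": {"roleArn": "arn:aws:iam::368698334588:role/SaviyntAWSRole",
                              "roleSessionName": "johndoe"},
        "responseElements": {"credentials": {"accessKeyId": "ASIACONSTRUCTED0001"}},
    },
    {   # A later action: userIdentity carries only the role session, not who assumed it
        "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
        "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIACONSTRUCTED0001",
                         "arn": "arn:aws:sts::368698334588:assumed-role/SaviyntAWSRole/johndoe"},
    },
    {   # Same session name but another key: its AssumeRole record is not in the collected logs
        "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
        "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIACONSTRUCTED0002",
                         "arn": "arn:aws:sts::368698334588:assumed-role/SaviyntAWSRole/johndoe"},
    },
]

def build_session_index(events):
    """Map each temporary access key issued by AssumeRole to the identity that requested it.
    The key is unique per session, unlike roleSessionName, which the caller picks freely."""
    index = {}
    for ev in events:
        if ev.get("eventSource") != "sts.amazonaws.com" or ev.get("eventName") != "AssumeRole":
            continue
        creds = (ev.get("responseElements") or {}).get("credentials") or {}
        if creds.get("accessKeyId"):  # a failed AssumeRole call logs no credentials
            index[creds["accessKeyId"]] = {"caller": ev["userIdentity"].get("arn"),
                                           "role": ev["requestParameters"].get("roleArn")}
    return index

def attribute_events(events):
    """Attach the real caller to every AssumedRole event; caller is None when no matching
    AssumeRole record exists (cross-account sessions need the trails of both accounts)."""
    index = build_session_index(events)
    result = []
    for ev in events:
        ui = ev.get("userIdentity") or {}
        if ui.get("type") != "AssumedRole":
            continue
        match = index.get(ui.get("accessKeyId"))
        result.append({"eventName": ev["eventName"], "session_arn": ui.get("arn"),
                       "caller": match["caller"] if match else None})
    return result
```

An event whose caller resolves to None is the case worth alerting on: either a trail is missing from the collection or the session was created outside the monitored path.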
Best Practices
Cloud security is not only securing the cloud and cannot be done in a silo. Enterprise risk factoring is critical
Tying identity and access information to the infrastructure components is critical for completeness of infrastructure security
Preventive controls are key
Secure devOps, CI/CD processes
Avoid asterisks in your Access Policies
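The last practice, avoiding asterisks in access policies, as a check that can be run over IAM policy documents before they are attached. This is an added example written for this transcript, not Saviynt's code; the two policy documents are constructed.

```python
# Constructed sample IAM policy documents; they are not from the page.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"},  # bare dict, not a list
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},  # Deny only narrows access
    ],
}

def _as_list(value):
    """IAM accepts a bare string or dict as well as a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def find_wildcard_statements(policy):
    """Return (statement index, field, value) for every Allow statement whose Action or
    Resource is '*' or 'service:*'. An Allow that uses NotAction is reported as well, since
    it grants everything except the listed actions. Deny statements are skipped."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append((i, "NotAction", _as_list(stmt["NotAction"])))
        for field in ("Action", "Resource"):
            for value in _as_list(stmt.get(field)):
                if value == "*" or value.endswith(":*"):
                    findings.append((i, field, value))
    return findings
```

A resource ARN ending in "/*" (all objects in one bucket) is deliberately not reported, since it is scoped to that bucket; only a bare "*" or a "service:*" action is flagged.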
The need for IaaS Security Management
SAVIYNT INFRASTRUCTURE SECURITY MANAGEMENT
• 100+ Risk Controls Library
• Near real-time Preventive Workload Security
• DevSecOps & Secure CI/CD
• Entity Life-cycle Management
• Privilege Access Governance
• User Behavior Analytics
• Continuous monitoring and preventive controls are essential to protect cloud infrastructure from cyber attacks. However, gaining this visibility needs correlation of at least 5 different sources
• Compromise of one privileged account is enough to bring down the entire cloud infrastructure. Managing these "keys to the kingdom" is paramount
• Managing IAM entities is complex and involves entities such as VPCs, subnets, DBs, data objects, etc. Simplifying IAM processes that link these entities to enterprise systems (HRMS, DLP etc.) is key for a successful hybrid IT
• Security controls and automated remediation are critical to "Get Compliant" and "Stay Compliant"
Saviynt provides comprehensive IaaS Security Management and Identity Governance capabilities
1. Discover risks and detect policy violations
• 80+ risk signatures and 'actionable' security controls ranging from AWS resource security, key management, IAM users' access, data security policies, network / security configuration, DevOps policies, etc.
• Dashboard for AWS command and control
2. Near real-time protection of AWS / DevOps resources & S3 data
• Real-time identification & notification of policy violations, activities and events
• Preventive protection of AWS & DevOps resources, e.g. stop rogue workloads from being provisioned, access escalation, modifications to roles; de-provision vulnerable workloads, etc.
3. Manage Privilege Access and Roles
• Self-service request for emergency or privilege access with time-bound provisioning & multi-level approvals
• Integrated session recording and activity certification
• Account ownership management (with federation support)
4. Integrated behavioral analytics
• Leverage peer group analysis, behavioral deviations, event rarity, volume / frequency spikes, geolocation, threat intelligence that spans across enterprise and cloud to detect anomalies in real-time and perform automatic remediation
• Comprehensive continuous controls monitoring with built-in best practice controls
(Diagram labels: Access Request / Review, Access Provisioning, Continuous Controls Monitoring, Reporting Dashboards, User Behavior Analytics; Discover, Analyze)
From Discovery to Management, Saviynt offers end-to-end security for IaaS providers
(Architecture diagram, recoverable labels: Insecure / Misconfigured, then Protect / Manage. API-based connectors for IaaS & DevOps tools collect IAM users, access policies, configuration objects, unstructured data, and audit & usage logs. Analysis: 80+ risk signatures, risk intelligence, peer group analytics, access policy / configuration analysis, data classification, near real-time preventive security. Management: review / approve infrastructure access, access policies (RBAC / ABAC), privilege access management / governance, segregation of duty rules. Ecosystem: AWS IAM, EBS, S3, EC2, RDS, ELB, Chef, Puppet (DevOps). Log sources: CloudTrail, CloudWatch, AWS Config / SNS, AWS APIs, DevOps logs, VPC flow logs.)
AWS Security and Identity Management features in detail…
SOD MANAGEMENT & CONTROLS LIBRARY
o 200+ security and SOD controls embedded within Security Manager platform
o Integrated with online Controls Exchange for contribution from customers and partners
o Cross application, business & technical SOD evaluation
o Investigation workbench, remediation Impact Analysis
DATA ACCESS GOVERNANCE*
o Discover ‘where your critical data is’, identify ‘who has access to it’ and ‘who are the privilege users’
o Near real-time protection includes quarantine, encryption, etc.
o S3 buckets with Sensitive Content (tagged using Content Type, Org Based Policies etc.) monitoring
SECURITY INTELLIGENCE
o Peer comparison and behavior analysis to detect unknown threats
o Interactive drag and drop Link Analysis for rapid investigation on high risk events
o Prioritized, real-time risk dashboards for actionable investigations
o Geo IP intelligence to perform traffic analysis
o Controls reporting mapped to PCI, FedRAMP, HIPAA, etc.
PRIVILEGE ACCESS GOVERNANCE
o Identify privilege accounts (operational, service, shared) across various instances and manage ownership – request, create / update / delete, review / certify
o Monitor access modification activities performed by privilege access
o Monitor privilege account activity for suspicious behavior, event rarity and take corrective actions
ACCESS REQUEST & CERTIFICATION
o Easy shopping cart based approach to request access for service / privilege accounts, certs, etc.
o Access recommendations / certification decisions empowered via usage activity, peer requests, business policies / attributes
o Risk-based access certification (periodic / event based – transfers, outliers, etc.)
AWS RESOURCE PROTECTION
o Near real-time detection of events and activities that violate security policies and resource baselines
o Preventive protection of AWS & DevOps resources, e.g. stop rogue workloads from being provisioned, access escalation, modifications to roles; de-provision vulnerable workloads, etc.
* Planned
Identify risks with comprehensive Saviynt risk signatures
100+ security controls to identify risks in IaaS environments, spanning resources, IAM users, audit events, etc.
Violation events:
Drilldown dashboards with actionable controls:
Protect “keys to the kingdom” with effective privileged access monitoring and governance
Self-service, time-bound (checkout / check-in) and multi-level approval workflow for AWS privileged access / role across multiple AWS accounts
Session recording of privileged activity and correlation of temporary access keys to actual identity
Launch automatic certification of privileged activity
Perform behavioral analytics to identify suspicious privileged activity
Saviynt Security Analyzer for AWS – FREE for one AWS Account
Thank You