CIS13: Managing the Keys to the Kingdom: Next-Gen Role-based Access Control and Privilege


Upload: cloudidsummit

Post on 09-May-2015

DESCRIPTION

David McNeely, Director of Product Management, Centrify

Privileged users are the great and powerful in your IT organization. But has the practice of sharing privileged credentials gone too far? Sharing broad, unmanaged administrative rights creates security and compliance vulnerabilities: actions taken as root, oracle or a shared admin account cannot be attributed to the person who took them. Implementing policies for role-based access and privilege management is a start, but when it comes to securing your most valuable company assets, what's next? Attend this session and learn about a comprehensive security approach that spans best practices for managing privileged identity access from the data center to the cloud, monitoring and auditing for compliance, and a new model for securing access to systems at both the network and OS layer, all based on roles.

TRANSCRIPT

Page 1: CIS13: Managing the Keys to the Kingdom: Next-Gen Role-based Access Control and Privilege

© 2004-2012. Centrify Corporation. All Rights Reserved. Confidential and Proprietary.

Managing the Keys to the Kingdom: Next-Gen Role-based Access Control and Privilege

Page 2: Business Challenges for IT

• Business has more dynamic demands on IT
  • Time and scale: need it now, on demand
  • Form factor and location: on-prem, virtualized, cloud
• Manual and domain-specific configuration (startup/teardown)
• Compliance and best practices: assurance and accountability
• Fragmented identity: infrastructure, administrators, users
  • "Silos" of access policies and diffuse controls

Page 3: Regulatory Compliance is Not an Option

NIST 800-53 sets the baseline security controls that most other regulations reference for identity and access management:

• Identification & Authentication (IA)
  • Uniquely identify and authenticate users
  • Employ multifactor authentication
• Access Control (AC)
  • Restrict access to systems and to privileges
  • Enforce separation of duties and least-privilege rights management
• Audit & Accountability (AU)
  • Capture in sufficient detail to establish what occurred, the source, and the outcome
• Configuration Management (CM)
  • Develop/maintain a baseline configuration
  • Automate enforcement for access restrictions and audit the actions
• System & Communications Protection (SC)
  • Boundary protection
  • Transmission integrity and confidentiality
  • Cryptographic key establishment and management, including PKI certificates

Page 4: Dynamic Real-time IT is Required

• Unified identity, access and privilege policy controls
  • Consistency across deployments
  • Distributed enforcement
  • Ensure availability: no single point of failure
• Unified visibility
  • Accountability
  • Triage and remediation
• Automation
  • Speed and consistency of deployment
  • Accuracy, compliance, best practices

Page 5: Active Directory Provides the IdM Foundation

• Active Directory provides the foundation for enterprise security
  • Highly distributed, fault-tolerant directory infrastructure designed for scalability
  • Supports large enterprises through multi-domain, multi-forest configurations
• Kerberos-based authentication and authorization infrastructure provides SSO
• Security administration is centralized and delegated
  • Centralized account and group management natively supports separation of duties
  • Group Policy enforcement of security settings
• User accounts are centralized in one system
  • Simplifying authentication and password policy enforcement
• Automation simplifies deployment and integration

(Diagram: Active Directory at the centre, serving the Engineering, WebFarm, Accounting and Operations groups)

Page 6: IT Support Requires Separation of Duties

• Separation of duties is especially important in managing privileges for a multi-tier support organization with vendor support
  • Elevated rights are required to support these systems
  • The front line has minimal rights, escalating to the next tier, which holds more elevated privileges
• Security Operations Center
  • SOC staff provide 24x7 monitoring of all administrative activities
  • SOC staff have limited rights, sufficient to alert and escalate on security violations

(Diagram: Tier 1 -> Tier 2 -> Tier 3 -> Vendor, from least rights to more rights, with an escalation process to the next tier; the Security Operations Center monitors all tiers)

Page 7: Role-based Privileged Access

• While the most powerful accounts must be protected from misuse, admins and DBAs require the privileges of these accounts to perform their duties
  • System administrators need root or local admin rights to manage their systems
  • Help desk staff need minimal access and privilege rights to identify issues and escalate
  • Database admins need the oracle account's privileges to perform their duties
  • Web admins need root privileges to start/stop the web server and manage the webroot documents
  • Cloud server admins need access and privileges across dynamic server environments

Let's see how this works across four different real-world customer scenarios.

Page 8: Use Case – Request-based Access and Privilege

• This customer wanted an environment where no one has access to any system at steady state; access and privileges are granted only upon approved requests
  • All system accounts such as root and local admins are locked down
  • Users log in with their AD account only if granted permission
  • The default access right for all systems is deny login
  • Access and privileges are granted for approved requests only, automated by their IdM workflow system, which manages Active Directory group membership
• The solution established a centralized access and privilege management system
  • Granting access based on AD group membership
  • Granting specific rights based on user role

Page 9: Solution – Role-based Access & Privileges

• Centralized role-based policy management
  • Create roles based on job duties
  • Grant specific access and elevated privilege rights
  • Eliminate users' need to use privileged accounts
• Secure the system by granularly controlling how the user accesses the system and what he can do
  • Availability controls when a role and its rights can be used
  • Scoped to specific systems or groups of systems
• Linux rights granted to roles
  • PAM access: controls user access to system interfaces and applications
  • Privileged commands: dynamically grants privileges for specific commands
  • Restricted shell: controls the commands allowed in the shell
• Windows rights granted to roles
  • Session rights: ability to elevate privileges for a session (with session switching)
  • Application rights: ability to run an application with privilege
  • Service rights: ability to elevate privilege when accessing network services (e.g. MMC from one machine to a SQL Server)

(Diagram: role definition example)
Backup Operator role:
  Availability: maintenance window only
  PAM access: ssh login
  Privileged commands: tar command as root
  Restricted environment: only specific commands
Assigned to: AD users and groups (the Backup group; IdM manages AD group membership)
Resources: HR computers
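The role model on this slide (group membership grants a role; the role is scoped to systems, limited to an availability window, and carries PAM-access and privileged-command rights; everything else is denied) can be written down as a small policy evaluator. The block below is an added illustration, not Centrify code or its policy format: the Role fields, the hostnames, the "Backup" group name, the maintenance window and the /bin/tar path are all hypothetical, chosen to match the Backup Operator example.

```python
"""Role-based access and privilege policy, modelled after the slide's
Backup Operator example.  Added illustration, not Centrify code; all
hostnames, group names, paths and times are hypothetical."""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Role:
    name: str
    granted_to: frozenset        # AD groups that carry the role (IdM manages membership)
    systems: frozenset           # systems (a "computer group") the role is scoped to
    window: tuple                # (start, end) local times when the role is usable
    pam_services: frozenset      # PAM access right: login interfaces the role opens, e.g. sshd
    privileged_commands: dict    # privileged command right: command path -> account to run it as


def role_available(role: Role, when: datetime) -> bool:
    """Availability: outside its window the role grants nothing at all."""
    start, end = role.window
    now = when.time()
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end      # window that crosses midnight, e.g. 22:00-04:00


def active_roles(policy, ad_groups, host, when):
    """Roles a user holds on a host right now: group membership AND scope AND window."""
    groups = frozenset(ad_groups)
    return [r for r in policy
            if r.granted_to & groups and host in r.systems and role_available(r, when)]


def may_login(policy, ad_groups, host, pam_service, when) -> bool:
    """Default deny: the login succeeds only if some active role grants that PAM service."""
    return any(pam_service in r.pam_services
               for r in active_roles(policy, ad_groups, host, when))


def may_run_privileged(policy, ad_groups, host, command, run_as, when) -> bool:
    """Privileged command right: exact command path and exact run-as account, else deny.
    Note what is NOT granted: no root shell, no other commands, nothing outside the window."""
    return any(r.privileged_commands.get(command) == run_as
               for r in active_roles(policy, ad_groups, host, when))


def at(hour: int, minute: int = 0) -> datetime:
    """Helper for the examples: a fixed (hypothetical) date at the given local time."""
    return datetime(2013, 7, 10, hour, minute)


# Constructed sample policy mirroring the slide's role definition (names are hypothetical).
HR_COMPUTERS = frozenset({"hr-db-01", "hr-app-01"})
POLICY = [
    Role(
        name="Backup Operator",
        granted_to=frozenset({"Backup"}),               # AD group "Backup"
        systems=HR_COMPUTERS,                           # resources: HR computers
        window=(time(1, 0), time(5, 0)),                # availability: maintenance window only
        pam_services=frozenset({"sshd"}),               # PAM access: ssh login
        privileged_commands={"/bin/tar": "root"},       # privileged command: tar as root
    ),
]

if __name__ == "__main__":
    backup_operator = {"Backup"}
    print(may_login(POLICY, backup_operator, "hr-db-01", "sshd", at(2, 30)))                        # True
    print(may_run_privileged(POLICY, backup_operator, "hr-db-01", "/bin/tar", "root", at(2, 30)))   # True
    print(may_run_privileged(POLICY, backup_operator, "hr-db-01", "/bin/bash", "root", at(2, 30)))  # False
    print(may_login(POLICY, backup_operator, "hr-db-01", "sshd", at(14, 0)))                        # False
    print(may_login(POLICY, {"Engineering"}, "hr-db-01", "sshd", at(2, 30)))                        # False
```

The point to take from the evaluator is where the deny comes from: a user with the right group on the wrong host, at the wrong time, or asking for a command or run-as account the role does not list gets nothing, and no local or root credential is involved at any step. The restricted-shell right on the slide would sit one layer below this, filtering what the shell accepts once login has been allowed.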

Page 10: Use Case – Contractor Privileges for Windows

• This customer needed a process to grant contractors the rights they needed on specific systems without giving admin rights across all Windows servers
  • The contractor needs access to several systems in lab and production
  • Normally IT would individually approve admin actions on request
  • Or, depending on the work, the contractor may have been granted a second privileged account for admin duties (typically called a "dash-A" account, e.g. david.mcneely-a)
  • Privileged Windows rights need to be granted on specific systems, not the entire server farm
• The solution established a centralized access and privilege management system
  • Granting access to specific Windows servers based on AD group membership
  • Granting specific Windows rights based on user role
  • Simplifying user access with a desktop privilege elevation interface for remote servers

Page 11: Solution – Privilege Elevation for Windows

• Least-access (least-privilege) principles require that privileges only be available "as required"
  • i.e. don't log on as Superman if you only need to be Clark Kent...
• The user determines when to elevate privilege
  • The user can open a desktop session with selected role(s) for the duration of the session
  • The user can add or remove roles from the session through a system tray application
  • The user can select role(s) for a specific application at launch time

Page 12: Use Case – Auditing DBA Access

• This customer needed to monitor DBA access to the database servers and attribute specific actions to the appropriate DBA
  • DBAs log in to systems with their own accounts
  • They switch (su) to the oracle account in order to work on the database
  • The logs show only that the oracle user is accessing the database tables, making it hard to determine which person is responsible for individual actions
  • With the current logging, the auditors also cannot see everything a user does within the database application
• The solution provides user activity auditing that captures all user access
  • All login sessions and activity are recorded, just as a video camera captures all activity at point-of-sale terminals
  • User activity along with session metadata is forwarded to a SIEM for analysis and alerting; auditors can then review the session recordings

Page 13: Solution – Unified Session and Activity Auditing

• Address regulatory and audit requirements while reducing the threat of insider attacks
  • Detailed capture of user activity: real-time surveillance of privileged systems
  • Establishes accountability and advances compliance reporting
• Record and play back which users accessed which systems, what commands they executed, with what privilege, and the exact changes made to key files and configurations
• Automatically document vendor procedures and mitigate personnel transitions or hand-offs

(Diagram: Capture session metadata and video -> Collect -> Store and Archive -> Search and Replay, with SIEM integration)
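The attribution gap on the previous slide (everything after `su` shows up as oracle) is exactly what the session metadata forwarded to the SIEM has to close. The block below is an added illustration of the correlation a SIEM rule or log parser would do, not Centrify's auditing code: it pins each shared-account action to the login name that holds an open `su` on the same host and tty. The sshd and su/pam_unix lines use the real syslog formats of those programs; the "dbaudit:" lines are a constructed stand-in for the database's own audit trail, whose format is not given on the slide, and all names, hosts, ttys and statements are hypothetical.

```python
"""Attribute actions taken as a shared account (here: oracle) back to the
person who switched to it.  Added illustration, not Centrify code.  The
sshd and su lines use those programs' real syslog formats; the "dbaudit:"
lines are a constructed stand-in for the database's own audit trail."""
import re

HEADER = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ")
SU_OPEN = re.compile(r"su\[(?P<pid>\d+)\]: \(to (?P<target>[\w.-]+)\) (?P<user>[\w.-]+) on (?P<tty>\S+)")
SU_CLOSE = re.compile(r"su\[(?P<pid>\d+)\]: pam_unix\(su:session\): session closed for user (?P<target>[\w.-]+)")
DB_ACTION = re.compile(r'dbaudit: user=(?P<user>[\w.-]+) tty=(?P<tty>\S+) stmt="(?P<stmt>[^"]*)"')


def attribute_actions(lines):
    """Walk the log in order; every shared-account action is attributed to the login
    name with an open `su` on the same (host, tty).  Actions with no matching `su`
    (direct shared-account login, or after the switch ended) stay unattributed."""
    active = {}     # (host, tty) -> (login name, target account) while an su is open
    by_pid = {}     # (host, su pid) -> (host, tty), so the close event can find its tty
    results = []
    for line in lines:
        head = HEADER.match(line)
        if not head:
            continue
        ts, host = head.group("ts"), head.group("host")
        if (m := SU_OPEN.search(line)):
            key = (host, m.group("tty"))
            active[key] = (m.group("user"), m.group("target"))
            by_pid[(host, m.group("pid"))] = key
        elif (m := SU_CLOSE.search(line)):
            key = by_pid.pop((host, m.group("pid")), None)
            if key is not None:
                active.pop(key, None)
        elif (m := DB_ACTION.search(line)):
            key = (host, m.group("tty"))
            actor = None
            if key in active and active[key][1] == m.group("user"):
                actor = active[key][0]
            results.append({"ts": ts, "host": host, "tty": m.group("tty"),
                            "account": m.group("user"), "actor": actor,
                            "stmt": m.group("stmt")})
    return results


def unattributed(results):
    """What a SIEM rule should alert on: shared-account activity nobody is accountable for."""
    return [r for r in results if r["actor"] is None]


# Constructed sample: two DBAs switch to oracle at the same time on different ttys,
# then one more oracle action arrives on pts/3 after that su has already ended.
SAMPLE_LOG = """\
Jul 10 02:14:03 db01 sshd[2201]: Accepted gssapi-with-mic for dmcneely from 10.1.2.3 port 51022 ssh2
Jul 10 02:14:05 db01 su[2250]: (to oracle) dmcneely on pts/3
Jul 10 02:14:05 db01 su[2250]: pam_unix(su:session): session opened for user oracle by dmcneely(uid=1001)
Jul 10 02:14:40 db01 sshd[2290]: Accepted gssapi-with-mic for jsmith from 10.1.2.7 port 51100 ssh2
Jul 10 02:14:42 db01 su[2301]: (to oracle) jsmith on pts/4
Jul 10 02:14:42 db01 su[2301]: pam_unix(su:session): session opened for user oracle by jsmith(uid=1002)
Jul 10 02:15:40 db01 dbaudit: user=oracle tty=pts/3 stmt="ALTER USER hr ACCOUNT UNLOCK"
Jul 10 02:16:02 db01 dbaudit: user=oracle tty=pts/4 stmt="SELECT count(*) FROM hr.payroll"
Jul 10 02:17:00 db01 su[2250]: pam_unix(su:session): session closed for user oracle
Jul 10 02:18:10 db01 dbaudit: user=oracle tty=pts/3 stmt="DROP TABLE hr.payroll"
"""

if __name__ == "__main__":
    for r in attribute_actions(SAMPLE_LOG.splitlines()):
        print(f'{r["ts"]} {r["account"]} on {r["tty"]} -> {r["actor"] or "UNATTRIBUTED"}: {r["stmt"]}')
```

Two things the sample is built to show: the two simultaneous oracle sessions are told apart only by tty, which is why the session metadata (host, tty, original login, start and end) has to travel to the SIEM together with the activity; and the final `DROP TABLE`, issued after the recorded `su` closed, has no accountable person behind it and is the line an alert should fire on, not something to quietly attribute to the last user seen.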

Page 14: Use Case – Strong Auth to AWS Servers

• This customer needed to grant authorized users access to AWS servers but did not want to manage an independent IdM system for those servers
  • Users must authenticate to the company Active Directory before accessing any AWS server
  • Internal IT manages this AD; the cloud server team does not have management rights in it
  • AWS servers are configured to require Kerberos-based login, refusing userid/password logins
  • They do not want to manage SSH keys; users gain access based on Kerberos tickets
  • Root accounts are configured with a randomized password that no one knows
  • Privileges are granted dynamically based on user role at login
• The solution integrated these cloud servers into the existing AD environment so that authorized users can log in with their existing AD account
  • Servers join a new AD forest which has a one-way trust with the internal AD, so the cloud forest trusts internal AD accounts while nothing in the internal forest trusts the cloud forest
  • Authorized users are required to VPN to the company network in order to log in
  • Cloud servers require Kerberos ticket-based authentication in order to gain access
  • Privileges are granted based on AD group memberships

Page 15: Solution – Extending AD to Cloud Servers

• Active Directory deployed in a federated configuration enforces centralized access policies on these dynamic environments
  • Taking control over security credentials and system policies
  • Supporting separation of duties between the hosting provider and the enterprise
• Enterprise-centric and automated security framework
  • Role-based access and privilege control
  • Single sign-on for applications
  • Audit all user activity for on-premise and cloud systems

(Diagram: internal network with AD and Windows administration; DMZ; cloud servers in a separate forest with a one-way trust to the internal AD; users Fred and Joan log in with their internal AD accounts)
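On the server side, "Kerberos tickets only, no passwords, no SSH keys, root unusable" is a handful of sshd_config keywords, and the two mistakes that silently undo it are an earlier line sshd read first (sshd keeps the first value of a keyword) and a Match block that re-enables a method for some address range. The block below is an added illustration, not Centrify code or configuration: a checker for the global section of an sshd_config, run over a constructed stock-looking file and a constructed hardened one. The keyword set is this example's reading of the two slides above, and the group name cloud-server-admins is hypothetical.

```python
"""Check an sshd_config for the AWS-server posture on the slides: Kerberos
tickets (GSSAPI) only, no password or keyboard-interactive login, no SSH
keys, no root login, access limited to an AD group.  Added illustration,
not Centrify code; the keyword set and the group name are this example's own."""
import re

# Keyword -> value the hardened host must state explicitly (sshd keywords are case-insensitive).
REQUIRED = {
    "gssapiauthentication": "yes",              # log in with a Kerberos ticket
    "passwordauthentication": "no",             # refuse userid/password
    "challengeresponseauthentication": "no",    # refuse keyboard-interactive prompts (alias of
                                                # KbdInteractiveAuthentication on current OpenSSH)
    "pubkeyauthentication": "no",               # no authorized_keys to manage at all
    "permitrootlogin": "no",                    # root's random password is unknown anyway
}

_KV = re.compile(r"^(?P<key>\S+)(?:\s+|\s*=\s*)(?P<value>.*)$")


def parse_sshd_config(text):
    """Global section of an sshd_config as {keyword_lower: value}.
    sshd keeps the FIRST occurrence of a keyword, so a later hardening line is ignored;
    Match blocks are not evaluated here, only reported, because they can re-enable methods."""
    settings, has_match = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _KV.match(line)
        if not m:
            continue
        key, value = m.group("key").lower(), m.group("value").strip()
        if key == "match":
            has_match = True
            break
        settings.setdefault(key, value)      # first value wins, as in sshd
    return settings, has_match


def audit_sshd_config(text):
    """Return (findings, has_match); each finding is (keyword, expected, actual).
    No findings and has_match False means the global section enforces ticket-only login."""
    settings, has_match = parse_sshd_config(text)
    findings = []
    for key, want in REQUIRED.items():
        got = settings.get(key)
        if got is None:
            findings.append((key, want, "unset (OpenSSH default applies)"))
        elif got.lower() != want:
            findings.append((key, want, got))
    if "allowgroups" not in settings:   # access by AD group membership, as the slide describes
        findings.append(("allowgroups", "<AD group>", "unset (any account the host resolves may try)"))
    return findings, has_match


# Constructed samples: a stock-looking config next to the hardened one.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AllowGroups cloud-server-admins
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings, has_match = audit_sshd_config(cfg)
        print(f"{name}: {len(findings)} finding(s)" + (", Match blocks present" if has_match else ""))
        for key, want, got in findings:
            print(f"  {key}: expected {want}, got {got}")
```

Two caveats that the config alone does not show. GSSAPI login only works once the server holds a Kerberos key for its host principal in its keytab, which is what joining the server to the cloud forest provides, and the client must already have a ticket from a realm that forest trusts, which is why the one-way trust and the VPN requirement sit in front of it. Keeping UsePAM yes matters: with passwords off, PAM no longer authenticates anyone, but its account and session stages are still where the role-based PAM-access decision from the Linux rights slide is enforced.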

Page 16: Summary

Leverage your existing AD environment to manage access and privileges across your on-premise or cloud server environment:

• Uniquely identify and authenticate users
• Restrict access to systems and to privileges
• Enforce separation of duties and least-privilege rights management
• Capture session details to establish what occurred, the source, and the outcome
• Automate enforcement for access restrictions and audit the actions
• Establish centralized trust to ensure Kerberos is used for transmission integrity and confidentiality

Page 17: Thank You

DAVID.MCNEELY@CENTRIFY.COM