cis13: Managing the Keys to the Kingdom: Next-Gen Role-Based Access Control and Privilege

DESCRIPTION

David McNeely, Director of Product Management, Centrify

Privileged users are the great and powerful in your IT organization. But has the practice of sharing privileged credentials gone too far? Sharing broad and unmanaged administrative rights equates to security and compliance vulnerabilities. Implementing policies for role-based access and privilege management is a start, but when it comes to securing your most valuable company assets, what's next? Attend this session and learn about a comprehensive security approach that spans best practices for managing privileged identity access from the data center to the cloud, monitoring and auditing for compliance, and a new model for securing access to systems at both the network and OS layer, all based on roles.

TRANSCRIPT
© 2004-2012. Centrify Corporation. All Rights Reserved. Confidential and Proprietary.

Managing the Keys to the Kingdom: Next-Gen Role-based Access Control and Privilege
Business Challenges for IT
• Business has more dynamic demands on IT
• Time and scale – need it now, on-demand
• Form factor and location – on-prem, virtualized, cloud
• Manual and domain-specific configuration (startup/teardown)
• Compliance and best practices – assurance & accountability
• Fragmented identity – infrastructure, administrators, users
• “Silos” of access policies and diffuse controls
Regulatory Compliance is Not an Option
NIST 800-53 sets the baseline security policies which most other regulations reference for identity and access management specific controls:
• Identity & Authentication (IA)
  • Uniquely identify and authenticate users
  • Employ multifactor authentication
• Access Control (AC)
  • Restrict access to systems and to privileges
  • Enforce separation of duties and least-privilege rights management
• Audit & Accountability (AU)
  • Capture in sufficient detail to establish what occurred, the source, and the outcome
• Configuration Management (CM)
  • Develop/maintain a baseline configuration
  • Automate enforcement for access restrictions and audit the actions
• Systems & Communications (SC)
  • Boundary Protection
  • Transmission Integrity and Confidentiality
  • Cryptographic Key Establishment and Management including PKI Certificates
Dynamic Real-time IT is Required
• Unified identity, access, privilege policy controls
  • Consistency across deployments
• Distributed enforcement
  • Ensure availability, no single point of failure
• Unified visibility
  • Accountability
  • Triage and remediation
• Automation
  • Speed and consistency of deployment
  • Accuracy, compliance, best practices
Active Directory Provides the IdM Foundation
• Active Directory provides the foundation for Enterprise security
  • Highly distributed, fault tolerant directory infrastructure designed for scalability
  • Supports large Enterprises through multi-Domain, multi-Forest configurations
  • Kerberos-based authentication and authorization infrastructure provides SSO
• Security administration is centralized and delegated
  • Centralized account & group management natively supports separation of duties
  • Group Policy enforcement of security settings
• User accounts are centralized in one system
  • Simplifying authentication and password policy enforcement
• Automation simplifies deployment and integration
[Diagram: Active Directory at the center, serving the Engineering, WebFarm, Accounting and Operations groups of systems]
IT Support Requires Separation of Duties
• Separation of Duties is especially important in managing privileges for a multi-tier support organization with vendor support
  • Elevated rights are required to support these systems
  • Front line has minimal rights, escalating to the next tier with elevated privileges
• Security Operations Center
  • SOC staff provide 7x24 monitoring of all administrative activities
  • SOC staff have limited rights to alert and escalate on security violations
[Diagram: escalation process from Tier 1 to Tier 2 to Tier 3 to Vendor (least rights -> more rights), with the Security Operations Center monitoring all tiers]
Role-based Privileged Access
• While the most powerful accounts must be protected from misuse, Admins and DBAs require the privileges of these accounts to perform their duties
  • System Administrators need root or local admin rights to manage their systems
  • Help Desk needs minimal access and privilege rights to identify issues and escalate
  • Database Admins need oracle account privileges to perform their duties
  • Web Admins need root privileges to start/stop the web server and manage the webroot docs
  • Cloud Server Admins need access and privileges across dynamic server environments
• Let’s see how this works across 4 different real world customer scenarios
Use Case – Request-based Access and Privilege
• This customer wanted to establish an environment where no one has access to any system at steady state; access and privileges are granted upon approved requests
  • All system accounts such as root and local admins are locked down
  • Users log in with their AD account only if granted permission
  • Default access rights for all systems are set to deny login
  • Access and privileges are granted for approved requests only, automated by their IdM workflow system leveraging Active Directory groups
• The solution established a centralized access and privilege management system
  • Granting access based on AD group membership
  • Granting specific rights based on user Role
Solution – Role-based Access & Privileges
• Centralized role-based policy management
  • Create Roles based on job duties
  • Grant specific access and elevated privilege rights
  • Eliminate users’ need to use privileged accounts
  • Secure the system by granularly controlling how the user accesses the system and what he can do
  • Availability controls when a Role and its Rights can be used
  • Scoped to specific systems or groups of systems
• Linux rights granted to Roles
  • PAM Access – controls users’ access to system interfaces and applications
  • Privileged Commands – dynamically grants privileges
  • Restricted Shell – controls allowed commands in the shell
• Windows rights granted to Roles
  • Session Rights – ability to elevate privileges for a session (with session switching)
  • Application Rights – ability to run an application with privilege
  • Service Rights – ability to elevate privilege when accessing network services (e.g. MMC from one machine to a SQL server)
[Diagram: Role Definition example]
  Backup Operator Role
  • Availability – maintenance window only
  • PAM Access – ssh login
  • Privileged Commands – tar command as root
  • Restricted Environment – only specific commands
  AD Users & Groups: Backup (IDM manages AD groups) -> Role -> Resources: HR Computers
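The Backup Operator role from the diagram, worked through as an added example (this is not Centrify code; the group, host and command names are assumptions): AD group membership selects the role, the role is scoped to specific computers and an availability window, and PAM access, privileged commands and the restricted-shell command list are each checked against it with deny as the default.

```python
from dataclasses import dataclass
from datetime import time

# Constructed example, not Centrify code: the Backup Operator role from the
# diagram, expressed as data. Group, host and command names are assumptions.
@dataclass
class Role:
    name: str
    ad_group: str            # AD group whose members hold this role (IdM manages it)
    computers: set           # resource scope: hostnames the role applies to
    pam_access: set          # PAM services the role may log in through, e.g. "sshd"
    privileged_cmds: dict    # command -> account it runs as
    restricted_cmds: set     # commands allowed in the restricted shell
    window: tuple = None     # (start, end) availability window in local time

ROLES = [Role(
    name="Backup Operator",
    ad_group="HR-Backup-Operators",
    computers={"hr-db01", "hr-file01"},                 # "HR Computers"
    pam_access={"sshd"},                                # ssh login only
    privileged_cmds={"/bin/tar": "root"},               # tar as root
    restricted_cmds={"/bin/tar", "/bin/ls", "/bin/df"}, # only specific commands
    window=(time(1, 0), time(5, 0)),                    # maintenance window only
)]

def roles_for(user_groups, host, now):
    """Roles the user holds on `host` that are available at time `now`."""
    return [r for r in ROLES
            if r.ad_group in user_groups and host in r.computers
            and (r.window is None or r.window[0] <= now.time() < r.window[1])]

def can_login(user_groups, host, pam_service, now):
    """Default deny: login succeeds only if an active role grants the PAM service."""
    return any(pam_service in r.pam_access for r in roles_for(user_groups, host, now))

def run_as(user_groups, host, cmd, now):
    """Account the command is elevated to, or None if no active role grants it."""
    for r in roles_for(user_groups, host, now):
        if cmd in r.privileged_cmds:
            return r.privileged_cmds[cmd]
    return None

def shell_allows(user_groups, host, cmd, now):
    """Whether the restricted shell of any active role permits the command."""
    return any(cmd in r.restricted_cmds for r in roles_for(user_groups, host, now))
```

Outside the maintenance window the same user gets neither login nor elevation, which is the point of tying availability to the role rather than to the account.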
Use Case – Contractor Privileges for Windows
• This customer needed to establish a process to grant contractors the rights they needed on specific systems without giving Admin rights across all Windows Servers
  • Contractor needs access to several systems in lab and production
  • Normally IT would individually approve admin actions on request
  • Or, depending on the work, the contractor may have been granted a second privileged account for admin duties (typically called a “dash A” account, e.g. david.mcneely-a)
  • Privileged Windows rights need to be granted to specific systems and not the entire server farm
• The solution established a centralized access and privilege management system
  • Granting access to specific Windows Servers based on AD group membership
  • Granting specific Windows rights based on user Role
  • Simplifying user access with a desktop privilege elevation interface for remote servers
Solution – Privilege Elevation for Windows
• Least access principles require that privileges only be available “as required”
  • i.e. don’t log on as Superman if you only need to be Clark Kent…
• User determines when he is going to elevate privilege
  • User can open a desktop session for select role(s) for the duration of the session
  • User can select role(s) through a system tray application for adding/removing roles to the session
  • User can select role(s) for a specific application at launch time
Use Case – Auditing DBA Access
• This customer needed to be able to monitor DBA access to the database servers and attribute specific actions to the appropriate DBA
  • DBAs log in to systems with their own accounts
  • They switch (su) to the Oracle account in order to do work on the database
  • The logs show that the Oracle user is accessing the database tables, making it challenging to determine which user is responsible for individual actions
  • Based on the current logging system, the Auditors also cannot see which user is performing each action within the database application
• The solution provides user activity auditing that captures all user access
  • All login sessions and activity are recorded, just as a video camera captures all activity at Point of Sale terminals
  • User activity along with session metadata is forwarded to a SIEM solution for further analysis and alerting, where auditors can then review the session recordings
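The attribution gap this use case describes, as an added example that is not from the talk or any Centrify product: constructed sshd, su and command-audit log lines (the `cmdaudit:` line format is an assumption standing in for whatever command-audit source a SIEM receives) for a host where two DBAs su to the shared oracle account, and a small correlation that maps each oracle command back to the person on that tty; a command on a tty with no su record is left unattributed so it can be alerted on.

```python
import re

# Constructed sample log lines, not from the talk or any real system: two DBAs log in
# with their own AD accounts, su to the shared oracle account, and run commands.
# The "cmdaudit:" line format is an assumption standing in for a command-audit source.
SAMPLE_LOG = """\
Jul  9 09:01:12 db01 sshd[4120]: Accepted gssapi-with-mic for jsmith from 10.1.2.3 port 51022 ssh2
Jul  9 09:02:05 db01 su[4150]: (to oracle) jsmith on pts/1
Jul  9 09:05:40 db01 cmdaudit: user=oracle tty=pts/1 cmd="sqlplus / as sysdba"
Jul  9 09:10:00 db01 sshd[4188]: Accepted gssapi-with-mic for mlee from 10.1.2.9 port 51100 ssh2
Jul  9 09:11:02 db01 su[4201]: (to oracle) mlee on pts/2
Jul  9 09:12:30 db01 cmdaudit: user=oracle tty=pts/2 cmd="sqlplus / as sysdba"
Jul  9 09:13:00 db01 cmdaudit: user=oracle tty=pts/1 cmd="rm /u01/app/oracle/backup.dmp"
Jul  9 09:14:10 db01 cmdaudit: user=oracle tty=pts/3 cmd="vi /u01/app/oracle/listener.ora"
"""

SU_RE = re.compile(r"su\[\d+\]: \(to (?P<target>\S+)\) (?P<origin>\S+) on (?P<tty>\S+)")
CMD_RE = re.compile(r'cmdaudit: user=(?P<user>\S+) tty=(?P<tty>\S+) cmd="(?P<cmd>[^"]*)"')

def attribute_commands(log_text):
    """Map each command run as a shared account back to the person who su'd into it.

    Returns (timestamp, account, original_user, cmd) tuples. original_user is None
    when no su record explains who owns that tty; that gap is itself an alert condition."""
    owner = {}   # tty -> (account, original user) from the latest su on that tty
    rows = []
    for line in log_text.splitlines():
        m = SU_RE.search(line)
        if m:
            owner[m["tty"]] = (m["target"], m["origin"])
            continue
        m = CMD_RE.search(line)
        if m:
            account, who = owner.get(m["tty"], (None, None))
            rows.append((line[:15], m["user"], who if account == m["user"] else None, m["cmd"]))
    return rows

def who_ran(log_text, fragment):
    """Original users (None for unattributed) whose shared-account commands contain `fragment`."""
    return sorted({r[2] for r in attribute_commands(log_text) if fragment in r[3]}, key=str)
```

The correlation only works because each DBA first logs in as themselves; the session-recording approach in the solution avoids depending on su records being complete.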
Solution – Unified Session and Activity Auditing
• Address regulatory and audit requirements while reducing the threat of insider attacks
  • Detailed capture of user activity – real-time surveillance of privileged systems
  • Establishes accountability and advances compliance reporting
• Record and playback which users accessed which systems, what commands they executed, with what privilege, and exact changes made to key files and configurations
• Automatically document vendor procedures and mitigate personnel transitions or hand-offs
[Diagram: Capture (session metadata and video capture) -> Collect -> Store and Archive -> Search and Replay, with SIEM Integration]
Use Case – Strong Auth to AWS Servers
• This customer needed to grant authorized users access to AWS Servers, but did not want to manage an independent IdM system for these servers
  • Users must authenticate to the company Active Directory before accessing any AWS Server
  • Internal IT manages this AD, where the Cloud Server team does not have management rights
  • AWS Servers are configured to require Kerberos-based login, refusing userid/password logins
  • They do not want to manage SSH keys; users gain access based on Kerberos tickets
  • Root accounts are configured with a randomized password that no one knows
  • Privileges are granted dynamically based on user role at login
• The solution integrated these cloud servers into their existing AD environment to enable authorized users the rights to log in with their existing AD account
  • Servers join a new AD Forest which has a one-way trust with the internal AD
  • Authorized users are required to VPN to the company network in order to log in
  • Cloud Servers require Kerberos ticket-based authentication in order to gain access
  • Privileges are granted based on AD group memberships
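A check for the server-side login policy this use case describes, as an added example (not Centrify's or the customer's tooling): it parses an OpenSSH sshd_config and reports where it diverges from Kerberos-only login. Mapping the policy onto these particular OpenSSH directives is an assumption; the directive names themselves are standard. It also flags policy keywords that a Match block re-sets for some connections, since the global value alone does not prove the policy holds everywhere.

```python
import re

# Constructed example, not Centrify's or any customer's tooling: audit an sshd_config
# against the login policy in the use case above. Mapping the policy to these
# standard OpenSSH directives is an assumption.
REQUIRED = {
    "gssapiauthentication": "yes",            # log in with a Kerberos ticket
    "passwordauthentication": "no",           # refuse userid/password logins
    "challengeresponseauthentication": "no",  # and keyboard-interactive password prompts
    "pubkeyauthentication": "no",             # no per-user SSH keys to manage
    "permitrootlogin": "no",                  # root keeps only its unknown password
}
DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)\s*=?\s*(.*)$")

def parse_sshd_config(text):
    """Return (global settings, keywords set inside Match blocks).
    sshd uses the first value seen for a keyword; Match-block settings apply only
    to matching connections, so they are reported separately, not merged."""
    settings, overridden, in_match = {}, set(), False
    for raw in text.splitlines():
        m = DIRECTIVE_RE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            in_match = True
        elif in_match:
            overridden.add(key)
        else:
            settings.setdefault(key, value)
    return settings, overridden

def audit_sshd_config(text):
    """Findings as (keyword, expected, actual); an empty list means the policy holds."""
    settings, overridden = parse_sshd_config(text)
    findings = [(k, v, settings.get(k, "<default>"))
                for k, v in REQUIRED.items() if settings.get(k) != v]
    findings += [(k, REQUIRED[k], "overridden in Match block")
                 for k in sorted(overridden) if k in REQUIRED]
    return findings

# Constructed configs: a common default that still takes passwords, and the
# Kerberos-only policy the use case describes.
WEAK_CONFIG = "PasswordAuthentication yes\nPubkeyAuthentication yes\n"
HARDENED_CONFIG = ("GSSAPIAuthentication yes\nPasswordAuthentication no\n"
                   "ChallengeResponseAuthentication no\nPubkeyAuthentication no\n"
                   "PermitRootLogin no\n")
```

Settings that are absent fall back to OpenSSH defaults, which is why a missing keyword is reported as `<default>` rather than assumed safe.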
Solution – Extending AD to Cloud Servers
• Active Directory deployed in a federated configuration enforces centralized access policies on these dynamic environments
  • Taking control over security credentials and system policies
  • Supporting Separation of Duties between Hosting provider and the Enterprise
• Enterprise-centric and automated security framework
  • Role-based access and privilege control
  • Single sign-on for applications
  • Audit all user activity for on-premise and cloud systems
[Diagram: Internal Network (AD & Windows Administration) and a DMZ forest for the cloud servers, joined by a one-way trust with the internal AD; example users Fred and Joan]
Summary
Leverage your existing AD environment in order to manage the access and privileges across your on-premise or cloud server environment
• Uniquely identify and authenticate users
• Restrict access to systems and to privileges
• Enforce separation of duties and least-privilege rights management
• Capture session details to establish what occurred, the source, and the outcome
• Automate enforcement for access restrictions and audit the actions
• Establish centralized trust to ensure Kerberos is used for transmission integrity and confidentiality
Thank You DAVID.MCNEELY@CENTRIFY.COM