Transcription
Solutions Architect
Customer Use Cases - Introduction

A US-based natural gas and electric company serving multiple states

Project Requirements
- Only grant access to shared administrative accounts with pre-approval based on established policy
- Need to provide 'firecall' functionality
- Needed to delegate administrative access for Separation of Duty (SoD)
- Required logging of Windows administrator activity
- Needed to consolidate Unix identities into Active Directory to streamline provisioning, password management and privileged account management

A global leader in payment processing

Project Requirements
- Needed to centralize accounts and get control over passwords and user lifecycles
- Needed to replace NIS and provide centralized authentication
- Needed to restrict and audit what users could do, but at the same time allow users to carry on with their day-to-day jobs
- Needed to provide controls around shared administrative passwords
- Needed to rotate administrative account passwords regularly
- Needed to correlate and audit administrative activity with the actual end user
PAM Sub-Categories: AD Bridge (Platforms x Privileges)

Privilege categories: AD Bridge, Shared Passwords, Privileged Sessions, Delegation
Platforms: Operating Systems

Use Case - Utility Company
- Needed to consolidate Unix identities into Active Directory to streamline provisioning, password management and privileged account management

Use Case - Payment Processing
- Needed to centralize accounts and get control over passwords and user lifecycles
- Needed to replace NIS and provide centralized authentication
PAM Sub-Categories: Shared Passwords (Platforms x Privileges)

Privilege categories: AD Bridge, Shared Passwords, Privileged Sessions, Delegation
Platforms: Operating Systems, Network Devices, Databases, Applications

Use Case - Utility Company
- Only grant access to shared administrative accounts with pre-approval based on established policy
- Need to provide 'firecall' functionality

Use Case - Payment Processing
- Needed to provide controls around shared administrative accounts
- Needed to rotate administrative account passwords regularly
PAM Sub-Categories

Privilege categories: AD Bridge, Shared Passwords, Privileged Sessions, Delegation
PAM Sub-Categories: Privileged Sessions (Protocols x Privileges)

Privilege categories: AD Bridge, Shared Passwords, Privileged Sessions, Delegation
Protocols: RDP, VNC, HTTP, HTTPS, 3270, 4690, 5250

Use Case - Utility Company
- Required logging of Windows administrator activity
Privileged Session Management - Windows
- Request session
- Retrieve password
- RDP

Privileged Session Management - Unix
- Request Unix session
- Retrieve password
- Shell
PAM Sub-Categories: Delegation (Platforms x Privileges)

Privilege categories: AD Bridge, Shared Passwords, Privileged Sessions, Delegation
Platforms: Operating Systems

Use Case - Utility Company
- Needed to provide fine-grained delegation of administrative (root) access for Separation of Duty (SoD)

Use Case - Payment Processing
- Needed to restrict and audit what users could do, but at the same time allow users to carry on with their day-to-day jobs
- Needed to correlate and audit administrative activity with the actual end user
Unix Delegation: Problem Statement

How do I allow users to perform elevated tasks on Unix without losing control of the root password?
- Pair a password vault with delegation

Common delegation solutions
- Native OS solutions (RBAC implementations)
- The open source Sudo project
- The commercial Unix security space
What did we learn from 3,000 customers?

Result: companies would
- Purchase a PAM solution only for their highest-risk machines
- Hate having to re-train admins and help desk staff on a new syntax
- "Bend" sudo in crazy ways

No focus on this segment!
Sudo v1.7 and earlier
Field Feedback: Common Pain and Trends
- How do I deal with sudoers? How to manage it, distribute it, etc.
- How do I enable central keystroke logging?
- How do I know what is going on across lots of systems?
- How do I provide more fine-grained control in the …
- How do I easily provide access control reports?
Sudo v1.8 and the new plug-in API

Example architecture using the plug-in API
Example pain points that the plug-in API can assist with
- Sudo Reporting
  - Access Control Report
  - Event Activity: commands run, policy changes
- Deployment
  - Preflight and sudo plug-in installation
- Policy Management
  - Editor, versioning, rollback
- Keystroke Logging
  - Search, playback
- Separation of Duty
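As an added illustration of the delegation problem statement, the field-feedback questions and the pain points listed above (this is not content from the slides or from Quest's product), the following sudoers policy groups commands into logical units, delegates a narrow set of root-level tasks per team and per host for separation of duty, and turns on sudo's own I/O logging so sessions can be searched and replayed with sudoreplay. The group names, hostnames, command paths and log directory are assumed.

```sudoers
# Added example, not the slides' own content. Group names, hostnames and
# paths are assumed. Needs sudo 1.8 or later for I/O logging.

## Who: operations staff and the DBA team (assumed Unix groups)
User_Alias   OPS  = %ops
User_Alias   DBAS = %dba

## Where: hosts grouped by role (assumed hostnames)
Host_Alias   WEB  = web01, web02
Host_Alias   DB   = db01

## What: commands grouped into logical units rather than one-off entries,
## so reports and reviews can reason about "SERVICES" instead of raw paths
Cmnd_Alias   SERVICES = /usr/bin/systemctl restart nginx, \
                        /usr/bin/systemctl status nginx
Cmnd_Alias   LOGS     = /usr/bin/journalctl -u nginx *
Cmnd_Alias   DBADMIN  = /usr/bin/systemctl restart postgresql

## Keystroke logging: record input and output of every sudo session under a
## per-host, per-user directory so logs can be collected and replayed centrally
## (e.g. sudoreplay -d /var/log/sudo-io/web01/alice -l  to list sessions).
Defaults     log_input, log_output
Defaults     iolog_dir = /var/log/sudo-io/%{hostname}/%{user}
Defaults     use_pty, env_reset, !visiblepw

## Separation of duty: OPS may restart and inspect the web service only on
## WEB hosts, DBAS may restart the database only on DB hosts; nobody is
## granted a shell, and NOEXEC blocks shell escapes from the allowed commands.
OPS   WEB = (root) NOEXEC: SERVICES, LOGS
DBAS  DB  = (root) NOEXEC: DBADMIN
```

Validate the file with visudo -c before distributing it; each sudo invocation then produces a syslog event (who, host, command) and an I/O log directory that the reporting and playback tooling described on the slides can consume.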
SUDO v2.0: Design Phase

http://www.sudo.ws/sudo/sudo-rbac.html (April 12, 2012)
- New security policy format
- Designed for the needs of the enterprise
- Include an API to support analysis and reporting tools
- Support grouping of commands and options in logical units
- Facilitate management of sudoers by multiple stakeholders
- Time-based policy rules
- Data source plug-ins
Complete Identity & Access Management

Manage access to business … Monitoring: audit user activity

2011 Quest Software, Inc. All rights reserved.
Thank You
Screenshots
- Centrally view sudo event activity
- Search and filter sudo event logs
- Manage local accounts
- Replay sudo sessions
- Detailed sudo access control reporting
- Separation of Duty
Privileged Session Management - Network Enclaves

Diagram: Privileged Session Manager, Proxy, target "X1" inside the PCI Network Enclave (RDP and SSH)
- Request RDP session to "X1"
- Retrieve password
- Session details passed to Proxy
- Session goes straight back to the user