Securing your enterprise with Identity Governance and Privileged Access Management (PAM) integration

Introduction

A recent study by Forrester Research found a direct correlation between data breaches and the immaturity of organizations' Identity and Access Management (IAM) systems: organizations with mature IAM functions experienced half as many breaches as less mature companies [1]. A key marker of IAM maturity is an integrated platform approach to IAM, specifically Identity Governance combined with Privileged Access Management (PAM) technologies, which streamlines operations, supports consistent access control policies and improves operational efficiency.

This white paper draws on a 2019 survey of 209 organizations that were asked about Identity Governance and PAM integration [3]. It describes best practices for integrating the two types of solutions and highlights the risks and challenges faced by organizations that have not properly integrated Identity Governance and PAM in order to obtain a unified view of users' access.

An overview of Identity Governance and PAM integration

Enterprises have become increasingly reliant on digital information to meet business objectives, manage operations effectively and compete in a digitally connected world. This includes migrating to the cloud, managing a growing internet of things, relying increasingly on developers, and more. The ever-growing digital ecosystem demands that organizations transform their identity programs to protect and monitor critical data and systems against cybersecurity threats. Identity Governance solutions enable organizations to conduct business securely by granting users and applications access to digital assets and periodically reviewing that access for appropriateness and ongoing use.

Certain users, such as IT systems administrators, require elevated or privileged rights to access critical yet sensitive systems, applications and data across the enterprise in order to do their jobs and maintain business continuity. This type of access, however, poses a serious threat if misused or compromised. Forrester Research estimates that 80 percent of security breaches involve theft of privileged credentials [2]. Adversaries target privileged accounts to gain a foothold within a corporate network and move across systems throughout the enterprise. They typically do so through phishing schemes designed to obtain credentials from insiders such as employees and third-party business partners, including suppliers, consultants and contractors.

A staggering 80 percent of the survey's respondents said they had experienced cases of privileged access being incorrectly assigned or over-assigned [3]. The risks of poorly managed privileged accounts are significant and include unauthorized exposure of sensitive data, alteration of files, and downtime of critical systems and applications.
Integrating Identity Governance and PAM solutions can help organizations mitigate these risks.

An integrated approach

Many organizations have invested heavily in identity technologies and processes to address the risk, compliance and operational gaps associated with managing digital identities and access. But as adversaries develop increasingly sophisticated attack techniques, businesses have been forced to reassess the capabilities of their identity solutions. While all components of IAM should be under consideration, a rash of breaches involving privileged credentials has sharpened the focus on securing the access rights of privileged users.

To protect data from internal and external threats, organizations need to manage the entire lifecycle of privileged accounts and credentials. Despite the rising frequency of privileged account compromise, many organizations lack the mature capabilities needed to manage privileged access effectively, which compounds the risk. Some organizations, for instance, have purchased solutions but have not developed the corresponding processes and governance to make them effective. Others have good processes in place but lack the enabling technologies needed to address privileged access risks at enterprise scale. Some have implemented both Identity Governance and PAM solutions, but many have not integrated the two.

Of the survey respondents, 72 percent had implemented an IAM solution and 83 percent had implemented a PAM solution. However, over three quarters (77 percent) reported that they had not integrated the two. Running them as separate silos of tools results in inconsistent access processes and policies, which in turn leads to faulty reporting and failed audits. Regardless of their IT maturity, organizations should integrate Identity Governance and PAM to manage both privileged and non-privileged user access requests, approvals, certifications, provisioning and remediation effectively.

[Figure: IAM and PAM integration use cases. Identify Privileged Entitlements: discover high-risk entitlements and accounts. Access Request Management: allow users to request new privileged accounts and add safe membership. Birthright Provisioning: auto-provision new privileged accounts and entitlement assignments. Automated Termination: disable privileged user account access based on user termination.]

Enabling technologies

The SailPoint Identity Governance Solution

SailPoint, a global leader in Identity Governance, provides an open Identity Governance platform that helps organizations manage access across the enterprise, including on-premise and cloud-based systems and applications. The SailPoint platform comprises components catering to various Identity Governance needs, including:

- Compliance Management, for access certifications, access policy management, auditing and reporting.
- Lifecycle Management, for access request and provisioning, password management and lifecycle event processing.
- Advanced PAM Integration, which enables advanced governance controls such as auditing, approvals and policy checking. Reviews of privileged access can also be viewed and centrally managed from the Identity Governance platform.

[Figure: the SailPoint open identity platform. Unified Governance at the centre, connected to Analytics, Risk Model, IT Security, 3rd Party, IT Service Management, Provisioning and Mobile Device Management.]

The CyberArk Privileged Access Security Solution

CyberArk, a global leader in Privileged Access Management, provides organizations with the ability to manage and secure privileged access for individuals and applications. The solution secures credentials such as passwords, secrets and SSH keys, controls account access, and isolates, records and monitors privileged sessions for auditing and forensic analysis. The CyberArk Privileged Access Security Solution is based on the CyberArk Shared Technology Platform, which combines an isolated vault server, a unified policy engine and a discovery engine to provide continuous scalability, reliability and security for privileged accounts.

[Figure: CyberArk Privileged Access Security Solution, deployable on-premises, hybrid or in the cloud, in Standard and Advanced tiers. Endpoint Privilege Manager: least privilege and credential theft protection for workstations. Core Privileged Access Security: risk-based credential security and session management to protect against attacks. Application Access Manager: secrets management for applications, tools, containers and DevOps. Alero: remote vendor access to CyberArk. Least privileged server and domain controller protection.]

Integrating SailPoint and CyberArk

SailPoint and CyberArk have partnered to provide an integrated, centrally managed solution. The integration with the CyberArk Privileged Access Security solution uses a SCIM-based (System for Cross-domain Identity Management) model, which allows critical identity information to be shared between the two solutions.

[Figure: integration architecture. CyberArk Core Privileged Access Security (Enterprise Password Vault, Privileged Session Manager, Privileged Threat Analytics), Application Identity Manager/Conjur (DevOps and application secrets management) and Endpoint Privilege Manager (endpoint least privilege, application control and theft protection), on-premise or hybrid cloud, connected through the SCIM API to the SailPoint IdentityIQ governance platform, which provides unified governance, policy enforcement and workflows, bulk import of privileged accounts and account provisioning.]

A much bigger risk than reward?

One of the key components of the SailPoint open identity platform is its ability to integrate with and govern a host of enterprise applications and directories, including Active Directory, database systems, HR systems and more, whether they are in the cloud, on-premise or a hybrid of both. This integration usually requires creating a service account that authenticates to each target application in order to read identity information. Most of the time these service accounts are given elevated privileges to create, modify and delete accounts in the target applications. As critical enterprise applications are increasingly onboarded into the IAM platform, these accounts become high-value targets for threat actors.

One survey respondent raised a concern: "Integration causes an issue related to segregation of duties; admins in IAM tool can provide themselves with access in the PAM tool." The answer to this valid concern is to develop and apply IAM and PAM implementation best practices such as the following:

- Record and actively monitor all privileged sessions and/or commands.
- Conduct periodic access reviews for administrative and privileged users.
- Limit access for remote administrators, contractors and outsourced parties.
- Automatically deprovision privileged users' access when they leave.
- Do not allow shared administrative accounts, and limit administrative access.
- Implement least-privilege access for administrators.
- Automate role-based provisioning to applications and infrastructure.

In addition, the CyberArk PAM platform provides credential cycling, whereby applications that require credentials (such as a username and password) obtain them directly from CyberArk at run time rather than holding a static copy. This significantly reduces the risk that an administrator will be able to use those credentials to provision rogue accounts on target applications.

Key drivers and benefits

Ninety percent of the survey's respondents said they were concerned that the lack of a unified access policy across all accounts was creating an inconsistent access experience for users [3]. An integrated IAM and PAM implementation corrects this and enables businesses to manage identities securely, respond quickly to incidents and facilitate regulatory compliance. It also helps automate real-world business use cases involving the management of privileged accounts, including:

- Discovering privileged accounts and credentials configured in the PAM application so that they can be managed effectively through the IAM solution.
- Implementing a unified, policy-driven approach to IAM across all users.
- Automatically provisioning new privileged accounts using role-based access provisioning or provisioning policies configured in the IAM solution.
- Using user profile attributes such as title, business unit and job profile to grant appropriate access to privileged accounts.
- Automating periodic access reviews for privileged accounts.
- Automating and enforcing segregation of duties (SoD) policies across privileged and non-privileged accounts.
- Automatically terminating privileged account access based on user separation or termination events processed by the IAM solution.

Implementing these use cases gives businesses enhanced visibility into privileged accounts, with account data accessible directly from the IAM solution.

Conclusion

In today's digital business ecosystem, organizations face increasingly sophisticated cybersecurity threats that often target insiders, including employees and third-party business partners. Many organizations are attempting to address these threats by implementing solutions to govern access for both privileged and non-privileged users. This approach is less effective than it could be unless the two technologies are integrated, providing a more holistic view of and approach to managing users and administrators who possess access across both realms. Integrating solutions such as CyberArk and SailPoint enables an organization to further reduce these inherent risks through automated controls.
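The SCIM-based provisioning path described under "Integrating SailPoint and CyberArk", the segregation-of-duties concern raised in "A much bigger risk than reward?", and the birthright provisioning, discovery and automated termination use cases listed under "Key drivers and benefits" can be illustrated together. The following Python is an added example written for this page; it is not code from the white paper, from SailPoint or from CyberArk. It assumes a PAM system that exposes generic SCIM 2.0 Group resources (RFC 7643/7644), one Group per privileged safe, and a governance side that owns HR attributes, birthright roles and SoD rules. The class, safe and user identifiers (ScimGroupStore, safe-linux-root, u100 and so on) are hypothetical, and the store is in-memory so the example runs offline.

```python
"""Identity Governance to PAM bridge over generic SCIM 2.0 (added example).

Assumed, not from the white paper: the PAM side exposes SCIM 2.0 (RFC
7643/7644) Group resources, one Group per privileged safe; governance owns
HR attributes, birthright roles and segregation-of-duties (SoD) rules.
ScimGroupStore, the safe names and the user ids are hypothetical.
"""
from dataclasses import dataclass, field

SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def patch_op(op, path, value=None):
    """Build an RFC 7644 PatchOp message carrying a single operation."""
    operation = {"op": op, "path": path}
    if value is not None:
        operation["value"] = value
    return {"schemas": [SCIM_PATCH], "Operations": [operation]}


class ScimGroupStore:
    """In-memory stand-in for the PAM system's /Groups endpoint. Applies PATCH
    to Group.members per RFC 7644 section 3.5.2: 'add' with path "members"
    appends members; 'remove' with a filter path members[value eq "u100"]
    deletes one member."""

    def __init__(self):
        self.groups = {}  # safe id -> set of member user ids

    def patch_group(self, group_id, message):
        if message.get("schemas") != [SCIM_PATCH]:
            raise ValueError("not a SCIM PatchOp message")
        members = self.groups.setdefault(group_id, set())
        for op in message["Operations"]:
            if op["op"] == "add" and op["path"] == "members":
                members.update(m["value"] for m in op["value"])
            elif op["op"] == "remove" and op["path"].startswith('members[value eq "'):
                members.discard(op["path"].split('"')[1])
            else:
                raise ValueError(f"unsupported operation: {op}")


# Birthright model: job title -> safes provisioned automatically on hire.
BIRTHRIGHT = {"Linux Administrator": ["safe-linux-root"],
              "Database Administrator": ["safe-oracle-sys"]}
# Safes that control the PAM tool itself; an IAM administrator must never be
# able to assign these to their own account (the survey respondent's concern).
PAM_ADMIN_SAFES = {"safe-pam-admins"}


@dataclass
class Governance:
    pam: ScimGroupStore
    entitlements: dict = field(default_factory=dict)  # user -> set of safes

    def joiner(self, user_id, job_title):
        """Lifecycle event: new hire. Provision birthright safe membership."""
        for safe in BIRTHRIGHT.get(job_title, []):
            self._grant(user_id, safe)

    def request(self, requester, beneficiary, safe, approver):
        """Access request; SoD checks run before anything reaches the PAM side."""
        if approver == requester:
            return "DENIED: requester may not approve their own request"
        if requester == beneficiary and safe in PAM_ADMIN_SAFES:
            return "DENIED: SoD violation, self-assignment of PAM administration"
        self._grant(beneficiary, safe)
        return "GRANTED"

    def leaver(self, user_id):
        """Lifecycle event: termination. Revoke every safe membership held."""
        for safe in sorted(self.entitlements.pop(user_id, set())):
            self.pam.patch_group(safe, patch_op("remove", f'members[value eq "{user_id}"]'))

    def reconcile(self):
        """Discovery: memberships present in PAM but unknown to governance, i.e.
        the over-assigned entitlements the survey reports; input to certification."""
        known = {(s, u) for u, safes in self.entitlements.items() for s in safes}
        actual = {(s, u) for s, users in self.pam.groups.items() for u in users}
        return sorted(actual - known)

    def _grant(self, user_id, safe):
        self.pam.patch_group(safe, patch_op("add", "members", [{"value": user_id}]))
        self.entitlements.setdefault(user_id, set()).add(safe)


def demo():
    """Run a joiner / request / reconcile / leaver flow and return the results."""
    pam = ScimGroupStore()
    pam.groups["safe-oracle-sys"] = {"u-legacy"}  # constructed: added in PAM, bypassing governance
    gov = Governance(pam)
    gov.joiner("u100", "Linux Administrator")
    results = {"after_join": sorted(pam.groups["safe-linux-root"])}
    results["self_grant"] = gov.request("iam-admin", "iam-admin", "safe-pam-admins", "mgr-1")
    results["self_approve"] = gov.request("u100", "u100", "safe-oracle-sys", "u100")
    results["approved"] = gov.request("u100", "u100", "safe-oracle-sys", "mgr-1")
    results["orphans"] = gov.reconcile()
    gov.leaver("u100")
    results["after_leave"] = sorted(pam.groups["safe-linux-root"] | pam.groups["safe-oracle-sys"])
    return results


if __name__ == "__main__":
    print(demo())
```

Both denials happen before any PATCH is sent, which is the point behind the respondent's concern: the SoD rule has to sit on the governance side, ahead of provisioning, rather than being discovered afterwards in the PAM tool's audit trail. The reconcile step is the other half of the same control, catching memberships that were created directly in the PAM system and never passed through governance.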

References

1. A commissioned study conducted by Forrester Consulting on behalf of Centrify, December 2016.
2. Cser, Andras, "The Forrester Wave: Privileged Identity Management, Q3 2016".
3. Survey conducted by SailPoint and CyberArk, September 2019.

Further information

For more information about successfully integrating IAM and PAM visit:
PwC - nd-privacy.html
SailPoint - https://www.SailPoint.com/
CyberArk - https://www.cyberark.com/

pwc.com
2019 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. 667494-2020 AP
