Privileged Account Management
Jason Fehrenbach, Product Manager
Customer Use Cases - Introduction
• A US-based Natural Gas and Electric company serving multiple
states
• Project Requirements
– Only grant access to shared administrative accounts with pre-approval based on
established policy
– Need to provide ‘firecall’ functionality
– Needed to delegate administrative access for Separation of Duty (SoD)
– Required logging of Windows administrator activity
– Needed to consolidate Unix identities into Active Directory to streamline
provisioning, password management and privilege account management
Customer Use Cases - Introduction
• A global leader in payment processing
• Project Requirements
– Needed to centralize accounts and get control over passwords and user
lifecycles
– Needed to replace NIS and provide centralized authentication
– Needed to restrict and audit what users could do, while still letting users carry on with
their day-to-day jobs
– Needed to provide controls around shared administrative passwords
– Needed to rotate administrative account passwords regularly
– Needed to correlate and audit administrative activity with the actual end user
PAM Sub-Categories
• PLATFORMS: Operating Systems, Network Devices, Databases, Applications
• PROTOCOLS: RDP, VNC, SSH, TELNET, HTTP, HTTPS, 3270, 4690, 5250
• PRIVILEGES: AD Bridge, Shared Passwords, Privilege Sessions, Delegation
PAM Sub-Categories – AD Bridge (platform: Operating Systems)
• Use Case – Utility Company
– Needed to consolidate Unix identities into Active Directory to streamline provisioning,
password management and privileged account management
• Use Case – Payment Processing
– Needed to centralize accounts and get control over passwords and user lifecycles
– Needed to replace NIS and provide centralized authentication
PAM Sub-Categories – Shared Passwords (platforms: Operating Systems, Network Devices, Databases, Applications)
• Use Case – Utility Company
– Only grant access to shared administrative accounts with pre-approval based on
established policy
– Need to provide ‘firecall’ functionality
• Use Case – Payment Processing
– Needed to provide controls around shared administrative accounts
– Needed to rotate administrative account passwords regularly
PAM Sub-Categories – Privilege Sessions (protocols: RDP, VNC, SSH, TELNET, HTTP, HTTPS, 3270, 4690, 5250)
• Use Case – Utility Company
– Required logging of Windows administrator activity
PAM Sub-Categories – Delegation (platform: Operating Systems)
• Use Case – Utility Company
– Needed to provide fine-grained delegation of administrative (root) access for
Separation of Duty (SoD)
• Use Case – Payment Processing
– Needed to restrict and audit what users could do, while still letting users carry on
with their day-to-day jobs
– Needed to correlate and audit administrative activity with the actual end user
Unix Delegation: Problem Statement
• How do I allow users to perform elevated tasks on Unix without losing control of the
root password?
– Pair a password vault with a delegation solution
• Common delegation solutions
– Native OS solutions (RBAC implementations)
– The open source Sudo project
– The commercial Unix security space
What did we discover?
• Native OS options
• sudo (installed base: Linux 7.5M servers, Unix 2.8M servers, Mac 2.0M servers)
• Commercial 3rd party solutions (~3,000 customers)
• No focus on this segment!
• Result? Companies would:
– Purchase a PAM sol’n only for their highest risk machines
– Hate having to re-train admins & help desk staff on a new syntax
– “Bend” sudo in crazy ways
Sudo v1.7 and earlier
Field Feedback: Common Pain and Trends
• How do I easily provide access control reports?
• How do I deal with sudoers?
– How to manage it, distribute it, etc.
• How do I enable central keystroke logging?
• How do I know what is going on across lots of systems?
• How do I provide more fine-grained control in the policy?
Sudo v1.8 and the new plug-in API
Example architecture using plug-in API
Example pain points that the plug-in API can assist with
• Sudo Reporting
– Access Control Report
– Event Activity
– Commands run
– Policy changes
• Deployment
– Preflight and sudo plug-in installation
• Policy Management
– Editor, Versioning, Rollback
• Keystroke Logging
– Search, Playback
• Separation of Duty
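As an added example (not code from the deck, from Quest, or from the sudo project), the script below works two of the pain points raised above: turning a sudoers policy into the per-user access control report the field asks for, and flagging grants that hand out unconstrained root even though the policy is supposed to delegate root in fine-grained pieces for Separation of Duty. The sudoers text embedded in it is constructed for illustration, and the parser covers only the common subset of the grammar (aliases, user specs, tags, Defaults); #include, colon-separated host specs and wildcards are out of scope.

```python
# Added example (not from the deck or the sudo project): expand a sudoers policy
# into a per-user access-control report. It handles the common subset of the
# grammar (aliases, user specs, tags, Defaults) and ignores #include, ':'-separated
# host specs and wildcards. The policy text below is constructed for illustration.
import re
from collections import defaultdict

# Constructed sample: root delegated in fine-grained pieces for Separation of Duty,
# plus one unconstrained grant ('dave') that the report should flag.
SAMPLE_SUDOERS = r"""
Defaults    log_input, log_output, iolog_dir=/var/log/sudo-io
User_Alias  DBADMINS  = alice, bob
Host_Alias  DBHOSTS   = db01, db02
Runas_Alias DB        = oracle, postgres
Cmnd_Alias  DBCTL     = /usr/bin/systemctl restart postgresql, \
                        /usr/bin/systemctl status postgresql
Cmnd_Alias  SHELLS    = /bin/sh, /bin/bash
# DBAs restart/inspect the database as its service account and never get a root shell
DBADMINS    DBHOSTS  = (DB) NOPASSWD: DBCTL, !SHELLS
carol       web01    = (root) NOEXEC: /usr/bin/systemctl restart httpd
dave        ALL      = (ALL) ALL
"""
ALIAS_KINDS = ("User_Alias", "Host_Alias", "Runas_Alias", "Cmnd_Alias")
TAG_WORDS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
             "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}
SPEC_RE = re.compile(r"^(?P<users>[^=]+?)\s+(?P<hosts>\S+)\s*=\s*(?P<rhs>.+)$")
RUNAS_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<rest>.*)$")


def _logical_lines(text):
    """Yield non-blank, non-comment lines with backslash-newline continuations joined."""
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def _split_list(s):
    return [x.strip() for x in s.split(",") if x.strip()]


def expand_alias(item, aliases, kind, seen=frozenset()):
    """Recursively expand an alias reference; '!' on the reference negates each member."""
    neg, base = item.startswith("!"), item.lstrip("!")
    if base not in aliases[kind] or base in seen:
        return [item]
    out = []
    for member in aliases[kind][base]:
        for m in expand_alias(member, aliases, kind, seen | {base}):
            negated = m.startswith("!") != neg  # double negation cancels
            out.append(("!" if negated else "") + m.lstrip("!"))
    return out


def parse_sudoers(text):
    """Return (aliases, defaults, specs); a spec is (users, hosts, runas, [(tags, cmd)])."""
    aliases = {k: {} for k in ALIAS_KINDS}
    defaults, specs = [], []
    for line in _logical_lines(text):
        kind = line.split(None, 1)[0]
        if kind == "Defaults":
            defaults.extend(_split_list(line[len(kind):]))
            continue
        if kind in ALIAS_KINDS:
            name, _, members = line[len(kind):].partition("=")
            aliases[kind][name.strip()] = _split_list(members)
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError("unparsed sudoers line: " + line)
        rhs, runas = m.group("rhs").strip(), ["root"]  # root is sudo's default runas
        r = RUNAS_RE.match(rhs)
        if r:
            runas, rhs = _split_list(r.group("runas")) or ["root"], r.group("rest")
        tags, cmds = [], []
        for tok in _split_list(rhs):
            while ":" in tok and tok.split(":", 1)[0].strip() in TAG_WORDS:
                tag, tok = tok.split(":", 1)  # a tag also applies to later commands in the list
                tags.append(tag.strip())
            cmds.append((tuple(tags), tok.strip()))
        specs.append((_split_list(m.group("users")), _split_list(m.group("hosts")), runas, cmds))
    return aliases, defaults, specs


def access_report(text):
    """Map each user to sorted (host, runas, tags, command) rows with all aliases expanded."""
    aliases, _defaults, specs = parse_sudoers(text)
    report = defaultdict(set)
    for users, hosts, runas, cmds in specs:
        for u in (x for i in users for x in expand_alias(i, aliases, "User_Alias")):
            for h in (x for i in hosts for x in expand_alias(i, aliases, "Host_Alias")):
                for r in (x for i in runas for x in expand_alias(i, aliases, "Runas_Alias")):
                    for tags, c in cmds:
                        for cmd in expand_alias(c, aliases, "Cmnd_Alias"):
                            report[u].add((h, r, " ".join(tags), cmd))
    return {u: sorted(rows) for u, rows in report.items()}


def unconstrained_grants(report):
    """Users who may run ALL commands: the same exposure as handing out the root password."""
    return sorted(u for u, rows in report.items() if any(row[3] == "ALL" for row in rows))


if __name__ == "__main__":
    for user, rows in sorted(access_report(SAMPLE_SUDOERS).items()):
        print(user, *rows, sep="\n  ")
    print("unconstrained:", unconstrained_grants(access_report(SAMPLE_SUDOERS)))
```

Run stand-alone it prints every effective (host, runas, tags, command) row per user, which is the access control report, and lists `dave` as the one user whose "delegation" is really full root. The `Defaults log_input, log_output` line in the sample is the switch for sudo's own I/O logging (replayable with sudoreplay), so the same parser lets a report generator confirm that keystroke logging is actually turned on in the policy it is reading.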
SUDO v2.0: Design Phase
• http://www.sudo.ws/sudo/sudo-rbac.html (April 12, 2012)
• New security policy format
– Designed for the needs of the enterprise
• Include an API to support analysis and reporting tools
• Support grouping of commands and options in logical units
• Facilitate management of sudoers by multiple stake-holders
• Time based policy rules
• Data source plug-ins
Complete Identity & Access Management
• Access Governance – Manage Access to Business Critical Information
• Privileged Account Management – Understand & Control Administrator Activity
• Identity Administration – Simplify Account Management
• User Activity Monitoring – Audit User Activity
©2011 Quest Software, Inc. All rights reserved.
Thank You