Transcript: Successful IAM Deployment
Mike Futty, November 2013
About Mike Futty
• VP, Platform Security Engineering
• Responsible for:
  - Midrange server systems security engineering
  - Platform security baselines
  - Security product selection, design and deployment
• 30+ years technology experience
• 12 years with Bank of America
Covering a Global Environment
• 40 countries [1]
• 50 US states [1]
• 24,014 global offices and facilities worldwide [1]
• 248K full-time employees [2]
• One of the world's largest AD environments
[1] BAC 2012 Corporate Social Responsibility report
[2] BAC 2013 Third Quarter Financial Results report
Why Focus on IAM?

Recognizing a Clear and Present Danger
[Slide shows two web-search screenshots (9,140,000 results; 98,200,000 results) alongside the labels Unit 61398, Hacktivists, Advanced Persistent Threat and Organized Crime, and the sites databreaches.net, indefenseofdata.com and privacyrights.org]
Recognizing a Clear and Present Danger
• 76% of network intrusions exploited weak or stolen credentials
• 13% resulted from privilege misuse/abuse
Source: 2013 Verizon Data Breach Investigations Report, a global study performed by the Verizon RISK team, http://www.verizonenterprise.com/DBIR/2013/
Recognizing a Clear and Present Danger
• On average, 28,765 records are compromised at an organizational cost of $5,403,644 per data breach in the US
Source: 2013 Cost of Data Breach Study: Global Analysis, benchmark research sponsored by Symantec, independently conducted by Ponemon Institute LLC, May 2013, https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf
Protecting Your REPUTATION: Every Company's Most Valuable Asset
• Customer and shareholder trust
The IAM Challenge

Privileged Accounts
They are EVERYWHERE and can be complex to find and manage
Objectives and Requirements
Basic Concept
Eliminate static and easily guessable passwords to non-human IDs with elevated privileges
• Set passwords to random values: scheduled and after access
• Apply a uniform policy of who can sign into what
• Implement access policies based on:
  - Risk
  - Organization (business unit)
  - Environment (production, development, DMZs, etc.)
  - Location
• Eliminate persistent access by developers to production systems
• Create transparent audit logs of privileged access
• Record activity during privileged logins
Business Requirements
Satisfy numerous process requirements
• Meet regulatory requirements
  - Different jurisdictions with different mandates
  - Requirements for on-boarding, access control, approvals, audit logs and more
• Can't slow down or impact current access
  - Pre-authorized access for administrators with an audit trail
  - Request/approval workflow for everybody else
• Minimal ongoing support
• Manageable process for on-boarding many systems and accounts at once
• Training: up front and ongoing
• Forensic audits: who broke this server?
Security Requirements
The whole point is enhanced security
• Overarching principle: minimize the number of people with persistent administrative access
• Damage containment
• Eliminate full-time developer access from production systems
• Provide a temporary access mechanism
• Session logging
• Audit trail: who had and used access to this system?
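The access model the Basic Concept, Business Requirements and Security Requirements slides describe, as an added example (not the presenter's or the bank's code): one uniform "who can sign into what" decision keyed on role, business unit, environment and risk, pre-authorized admins, an approval path for everyone else including developers reaching production, a random rotation after every access, and an audit entry for each step. Role names, environment names, the risk tiers and the 24-character length are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import secrets
import string
# Constructed policy model for the deck's "Basic Concept" and "Security Requirements";
# role names, environment names and the risk tiers are assumptions, not BAC's config.
PRODUCTION_LIKE = {"production", "dmz"}
VAULT: dict[str, str] = {}      # host -> current privileged-account password
AUDIT_LOG: list[dict] = []      # transparent audit trail of every decision and rotation

@dataclass
class Target:
    host: str
    environment: str            # production, development, dmz, ...
    business_unit: str
    risk: str                   # low, medium, high

@dataclass
class Requester:
    user: str
    role: str                   # server_admin, developer, app_owner, ...
    business_unit: str

def _audit(user: str, host: str, event: str, detail: str) -> None:
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                      "host": host, "event": event, "detail": detail})

def decide(req: Requester, target: Target) -> str:
    """Uniform 'who can sign into what' policy keyed on role, risk, org and environment."""
    if req.role == "developer" and target.environment in PRODUCTION_LIKE:
        outcome = "needs_approval"  # no persistent dev access to prod: temporary grant only
    elif (req.role == "server_admin" and req.business_unit == target.business_unit
          and target.risk != "high"):
        outcome = "pre_authorized"  # admins keep their speed; the login is still logged
    else:
        outcome = "needs_approval"  # request/approval workflow for everybody else
    _audit(req.user, target.host, "decision", outcome)
    return outcome

def rotate(host: str, length: int = 24) -> str:
    """Set the account to a new random value: on schedule and after every access."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    VAULT[host] = "".join(secrets.choice(alphabet) for _ in range(length))
    _audit("pam-system", host, "rotate", f"new {length}-char value")
    return VAULT[host]

def release(req: Requester, target: Target) -> bool:
    # Session end: rotate at once so the value the user saw is never reusable.
    before = VAULT.get(target.host)
    _audit(req.user, target.host, "release", "session ended")
    return rotate(target.host) != before
```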
Technical Requirements
• Fault tolerant (fire, flood, earthquake, hurricane, etc.)
• Scalable
  - Hundreds of thousands of systems
  - Thousands of people
  - Tens of thousands of daily logins
  - Record 10,000 concurrent sessions globally
• Ability to integrate with
  - Existing security infrastructure
  - Many platforms (Windows, Unix, Linux, iLO, DRAC, ESXi, etc.)
  - Multiple AD domains
  - Systems in DMZ zones
• Administrator-friendly
  - Support for multiple SSH clients
  - Support for other admin tools (SQL Studio, vSphere, etc.)
• Easily expandable
• Automatic discovery and classification of systems
Deployment
Ingredients of a Successful IAM Deployment
1. Needs analysis
2. Product selection
3. Testing (Proof of Concept, User Acceptance, etc.)
4. Create development and troubleshooting processes
5. Develop rollout plan, key project reporting metrics, and a good communications plan
6. Production rollout
Needs Analysis
• Team members and skills
  - Project Champion (executive support)
  - Analysts (systems/accounts discovery)
  - Product Engineering
  - Product Operations
  - Project manager(s)
  - Communications and product marketing
• Business requirements
• Technical requirements
• Tactical and strategic target systems/accounts (roadmap)
• Infrastructure hardware and storage
• Request process and tracking
• Reporting
Development Cycle
[Cycle diagram with the stages: Identified Needs, Assess and Prioritize Targets, Design, Develop and Test, Deploy to Production, Transition to Operations, Monitor and Control]
For success, IAM must be a permanent program, not a one-time project.
Rollout Plan Tips
• Design and document your processes end-to-end from your end users' perspective
• Assess and prioritize target systems/accounts
• Develop a deployment roadmap (functionality/environment)
• Pre-educate your IAM product consumers
  - Information Security
  - Business executives
  - Server Administrators
  - Application Owners
  - Auditors
• Identify, recruit and work with early adopters
Key Metrics and Reporting Tips
• What doesn't get measured doesn't get done
• Measure what's important, not just what's easy to measure!
• Accurate target server/application/account inventories are critical
  - Eliminates blind spots: you can't secure what you can't see
• Never be tempted to "cook" metrics
  - Call it like you see it (audit-proof your records)
• Report and communicate progress
  - Report by support organizations
  - Total targets and what's complete (scope of effort)
  - Percentage complete
  - Trending (weekly, monthly or quarterly)
  - This creates self-governance
Challenges
Project
• Funding: up-front and ongoing
• Gain early experience with the easiest large-risk use-cases
• Setting realistic expectations
  - Stakeholders who want things before they are available (boiling the ocean)
  - Recognizing not every problem will be solved at once (magic bullet)
• Stakeholder recognition that strategic success is directly tied to a prioritized and incremental deployment
• Stopping additional "non-compliant" account creation or usage
• Balancing or combining with other projects competing for resources
• Driving continual progress
Organizational
• Resistance to change
• Convincing support teams to use a uniform access control model
• Ensuring the system isn't used to simply automate existing insecure processes (insist on a policy of least privilege)
• Training can be a revolving door of new users and consumers
• Ensuring timely communications are received by all stakeholders
  - Early marketing of the program and benefits
  - What functionality is available?
  - What environment is it available in? (production, development, DMZs, etc.)
  - Future functionality/environment roadmap
  - Issues and challenges (knowledge base)
Technical
• Gaining appropriate global rights for the product to work without creating new risk
• Modeling a production environment with a large number of platform and system combinations in development and UAT environments
• Testing is easy with one system, hard with a thousand
• Maintaining reliable system and account ownership data in the context of a large dynamic organization
• OS settings, patches and security policies that can cause performance degradation
• Deactivating legacy password management processes
• Gradual activation without disrupting existing IDs or processes
Current State
• Available and running: 5 replicated PAM nodes on 3 continents
• Multi-master architecture
• Each node has an app server, database server and session monitoring server
• Load balanced globally: nodes can fail without service disruption
• On-boarding accounts from
  - Windows servers
  - UNIX/Linux servers
  - Active Directory
Future Direction
• Continue deployment based on prioritized target system/account use cases
• Further integration with the corporate IT Security Fabric toolset
• Fine-tune detection and notification of
  - Users with a high number of request rejections
  - Users with abnormally high access events
  - Other outlier or abnormal events
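The two outlier classes the slide names, run over constructed PAM event lines, as an added example (not the presenter's or the bank's code): a rejection-count threshold for the first, and a z-score over per-user opened-session counts for the second. The log line format, the user and host names, the threshold of 3 and the z cutoff of 2.0 are all assumptions.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed PAM event lines (not real BAC logs); the line format is an assumption.
# Format: <timestamp> user=<id> host=<target> event=<request|session> result=<...>
LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
                  r"event=(?P<event>\S+) result=(?P<result>\S+)$")

def build_sample() -> list[str]:
    """Constructed day of activity: (opened sessions, rejected requests) per user."""
    spec = {"alice": (4, 0), "bob": (3, 1), "carol": (3, 0),
            "dave": (3, 5), "erin": (2, 0), "mallory": (15, 0)}
    lines = []
    for user, (sessions, rejected) in spec.items():
        for i in range(sessions):
            lines.append(f"2013-11-04T08:{i:02d}:00Z user={user} host=srv-{i:02d} "
                         f"event=session result=opened")
        for i in range(rejected):
            lines.append(f"2013-11-04T09:{i:02d}:00Z user={user} host=prod-db-{i:02d} "
                         f"event=request result=rejected")
    return lines

def parse(lines):
    """Yield parsed events as dicts; malformed lines are skipped, not counted."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield m.groupdict()

def high_rejections(lines, threshold=3):
    """Users with more than `threshold` rejected access requests (first outlier class)."""
    c = Counter(e["user"] for e in parse(lines)
                if e["event"] == "request" and e["result"] == "rejected")
    return {u: n for u, n in c.items() if n > threshold}

def abnormal_access(lines, z_cutoff=2.0):
    """Users whose opened-session count sits more than z_cutoff std devs above the mean."""
    c = Counter(e["user"] for e in parse(lines)
                if e["event"] == "session" and e["result"] == "opened")
    if len(c) < 2:
        return {}                       # no population to compare against
    mu, sigma = mean(c.values()), pstdev(c.values())
    if sigma == 0:
        return {}                       # everyone identical: nothing is abnormal
    return {u: round((n - mu) / sigma, 2) for u, n in c.items() if (n - mu) / sigma > z_cutoff}
```

Both functions return the flagged users keyed by the evidence (count or z-score), which is what a notification would carry; with a realistic population the z cutoff should be tuned per support organization rather than set globally.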
Questions?