Successful IAM Deployment
Mike Futty, Midrange Platform Server Security Engineering
Bank of America
About Mike Futty
• VP, Platform Security Engineering
• Responsible for
- Midrange server systems security engineering
- Platform security baselines
- Security product selection, design and deployment
• 30+ years technology experience
• 12 years with Bank of America
Page  2
Covering a Global Environment
40 Countries [1]
50 US States [1]
24,014 Global Offices and Facilities Worldwide [1]
248K Full-time Employees [2]
One of the world’s largest AD environments
[1] BAC 2012 Corporate Social Responsibility report
[2] BAC 2013 Third Quarter Financial Results report
Why focus on IAM?
Page  4
Recognizing a clear and present danger
9,140,000 results
98,200,000 results
Unit 61398
Hacktivists
Organized Crime
Advanced Persistent Threat
Page  5
databreaches.net
indefenseofdata.com
privacyrights.org
Recognizing a clear and present danger
“76% of network intrusions exploited weak or stolen credentials”
“13% resulted from privilege misuse and abuse”
Source: 2013 Verizon Data Breach Investigations Report, a global study performed by the Verizon RISK team
http://www.verizonenterprise.com/DBIR/2013/
Data breaches are costly
On average, 28,765 records are compromised at an organizational cost of $5,403,644 per data breach in the US
Source: 2013 Cost of Data Breach Study: Global Analysis, benchmark research sponsored by Symantec, independently conducted by Ponemon Institute LLC, May 2013
https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf
Protect your REPUTATION: every company’s most valuable asset
Customer and Shareholder Trust
The IAM Challenge
Page  9
Privileged Accounts
They are EVERYWHERE and can be complex to find and manage.
[Diagram: environments to cover: DMZ, Dev/UAT, Production]
Objectives and Requirements
Page  11
Basic Concept
Eliminate static and easily guessable passwords to non-human IDs with elevated privileges
• Set passwords to random values, scheduled and after access
• Apply uniform policy of who can sign into what
• Implement access policies based on:
- Risk
- Organization (business unit)
- Environment (production, development, DMZs, etc.)
- Location
• Eliminate persistent access by developers to production systems
• Create transparent audit logs of privileged access
• Record activity during privileged logins
Business Requirements
Satisfy numerous process requirements
• Meet regulatory requirements:
- Different jurisdictions with different mandates
- Requirements for on-boarding, access control, approvals, audit logs and more
• Can’t slow down or impact current access
- Pre-authorized access for administrators with an audit trail
- Request/approval workflow for everybody else
• Minimal ongoing support
• Manageable process for on-boarding many systems and accounts at once
• Training: up front and ongoing
• Forensic audits: who broke this server?
Security Requirements
The whole point is enhanced security
• Overarching principle: minimize the number of people with persistent administrative access
• Damage containment
• Eliminate full-time developer access from production systems
• Provide a temporary access mechanism
• Session logging
• Audit trail: who had and used access to this system?
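As an added example (not code from the presentation or from Bank of America's deployment), the following Python models the checkout policy described on the Basic Concept, Business Requirements and Security Requirements slides: pre-authorized administrators with an audit trail, a request/approval workflow for everyone else, no persistent developer access to production, and random passwords rotated after each access. The roles, session durations and the risk/organization rules are my assumptions.

```python
import secrets, string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Target:
    host: str
    environment: str  # "production", "development" or "dmz"
    org: str          # owning business unit
    risk: str         # "high", "medium" or "low"

@dataclass
class Vault:
    passwords: dict = field(default_factory=dict)  # host -> current vaulted password
    audit: list = field(default_factory=list)      # transparent audit trail of decisions

def random_password(length=32):
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

def decide(role, user_org, target, approved, now):
    """Assumed policy: returns (allowed, reason, session expiry)."""
    if role == "developer" and target.environment == "production":
        # no persistent developer access to production: approval-gated and short-lived
        if not approved:
            return False, "developer access to production needs an approved request", None
        return True, "approved temporary access to production", now + timedelta(hours=2)
    if role == "admin" and user_org == target.org:
        # pre-authorized administrators; shorter window on high-risk systems (assumed)
        return True, "pre-authorized administrator", now + timedelta(hours=1 if target.risk == "high" else 8)
    if approved:
        return True, "granted through request/approval workflow", now + timedelta(hours=4)
    return False, "not pre-authorized; submit a request for approval", None

def checkout(vault, user, role, user_org, target, approved=False, now=None):
    """Apply the policy, log the decision, return the vaulted password or None."""
    now = now or datetime.now()
    allowed, reason, expiry = decide(role, user_org, target, approved, now)
    vault.audit.append({"time": now, "user": user, "host": target.host, "action": "checkout",
                        "allowed": allowed, "reason": reason, "expires": expiry})
    if not allowed:
        return None
    return vault.passwords.setdefault(target.host, random_password())

def checkin(vault, user, target, now=None):
    """Rotate to a fresh random password as soon as the privileged access ends."""
    vault.passwords[target.host] = random_password()
    vault.audit.append({"time": now or datetime.now(), "user": user, "host": target.host,
                        "action": "checkin-rotate"})
```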
Page  14
Technical Requirements
• Fault tolerant (fire, flood, earthquake, hurricane, etc.)
• Scalable:
- Hundreds of thousands of systems
- Thousands of people
- Tens of thousands of daily logins
- Record 10,000 concurrent sessions globally
• Ability to integrate with:
- Existing security infrastructure
- Many platforms (Windows, Unix, Linux, iLO, DRAC, ESXi, etc.)
- Multiple AD domains
- Systems in DMZ zones
• Administrator-friendly:
- Support for multiple SSH clients
- Support for other admin tools (SQL Studio, vSphere, etc.)
• Easily expandable
• Automatic discovery and classification of systems
Deployment
Page  16
Ingredients of a Successful IAM
Deployment
1
Needs analysis
2
Product selection
3
Testing (Proof of Concept, User Acceptance, etc.)
4
Create development and troubleshooting processes
5
Develop rollout plan, key project reporting metrics, and a
good communications plan
6
Production rollout
Page  17
Needs Analysis
• Team members and skills
- Project Champion (executive support)
- Analysts (systems/accounts discovery)
- Product Engineering
- Product Operations
- Project manager(s)
- Communications and product marketing
• Business requirements
• Technical requirements
• Tactical and strategic target systems/accounts (roadmap)
• Infrastructure hardware and storage
• Request process and tracking
• Reporting
Development Cycle
[Diagram: a continuous cycle of Identified Needs → Assess and Prioritize Targets → Design → Develop and Test → Deploy to Production → Transition to Operations → Monitor and Control, which feeds the next round of identified needs]
For success, IAM must be a permanent program, not a one-time project.
Rollout Plan Tips
• Design and document your processes end-to-end from your end user’s perspective
• Assess and prioritize target systems/accounts
• Develop a deployment roadmap (functionality/environment)
• Pre-educate your IAM product consumers
- Information Security
- Business executives
- Server Administrators
- Application Owners
- Auditors
• Identify, recruit and work with early adopters
Key Metrics and Reporting Tips
• What doesn’t get measured doesn’t get done
• Measure what’s important, not just what’s easy to measure!
• Accurate target server/application/account inventories are critical
- Eliminates blind spots - you can’t secure what you can’t see
• Never be tempted to “cook” metrics
- Call it like you see it (audit-proof your records)
• Report and communicate progress
- Report by support organizations
- Total targets and what’s complete (scope of effort)
- Percentage complete
- Trending (weekly, monthly or quarterly)
- This creates self-governance
Challenges
Page  22
Project
• Funding: up-front and ongoing
• Gain early experience with the easiest large-risk use cases
• Setting realistic expectations
- Stakeholders who want things before they are available (boiling the ocean)
- Recognizing not every problem will be solved at once (magic bullet)
• Stakeholder recognition that strategic success is directly tied to a prioritized and incremental deployment
• Stopping additional “non-compliant” account creation or usage
• Balancing or combining with other projects competing for resources
• Driving continual progress
Organizational
• Resistance to change
• Convincing support teams to use a uniform access control model
• Ensuring the system isn’t used to simply automate existing insecure processes (insist on a policy of least privilege)
• Training can be a revolving door of new users and consumers
• Ensuring timely communications are received by all stakeholders
- Early marketing of the program and benefits
- What functionality is available?
- What environment is it available in? (production, development, DMZs, etc.)
- Future functionality/environment roadmap
- Issues and challenges (knowledge base)
Technical
• Gaining appropriate global rights for the product to work without creating new risk
• Modeling a production environment with a large number of platform and system combinations in development and UAT environments
• Testing is easy with one system, hard with a thousand
• Maintaining reliable system and account ownership data in the context of a large dynamic organization
• OS settings, patches and security policies that can cause performance degradation
• Deactivating legacy password management processes
• Gradual activation without disrupting existing IDs or processes
Current State
Page  26
Current State
• Available and running: 5 replicated PAM nodes on 3 continents
• Multi-master architecture
• Each node has an app server, a database server and a session monitoring server
• Load balanced globally - nodes can fail without service disruption
• On-boarding accounts from
- Windows servers
- UNIX/Linux servers
- Active Directory
Future Direction
Page  28
Future Direction
• Continue deployment based on prioritized target system/account use cases
• Further integration with corporate IT Security Fabric toolset
• Fine-tune detection and notification of
- Users with a high number of request rejections
- Users with abnormally high access events
- Other outlier or abnormal events
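As an added example (not part of the presentation), the following Python runs the first two detections named above, high request rejections and abnormally high access volume, over a constructed sample of PAM audit log lines. The log format, the rejection threshold and the z-score cut-off are assumptions, not the deployment's actual rules.

```python
import statistics
from collections import Counter

# Constructed sample PAM audit log (not from the presentation): one access
# event per line, "<timestamp> user=<id> host=<host> result=<granted|rejected>".
SAMPLE_LOG = [
    "2013-11-04T08:01:02Z user=adm01 host=srv-ny-001 result=granted",
    "2013-11-04T08:02:15Z user=adm02 host=srv-ln-007 result=granted",
    "2013-11-04T08:03:44Z user=adm03 host=srv-sg-012 result=rejected",
    "2013-11-04T08:04:01Z user=adm03 host=srv-sg-013 result=rejected",
    "2013-11-04T08:04:30Z user=adm03 host=srv-sg-014 result=rejected",
    "2013-11-04T08:05:12Z user=adm03 host=srv-sg-012 result=granted",
    "2013-11-04T08:06:00Z user=adm04 host=srv-ny-002 result=granted",
    "2013-11-04T08:07:21Z user=adm05 host=srv-ln-008 result=granted",
    "2013-11-04T08:08:09Z user=adm01 host=srv-ny-003 result=granted",
    "2013-11-04T08:09:33Z user=adm02 host=srv-ln-009 result=granted",
]
# ... plus a constructed burst of 20 checkouts by one account within an hour
SAMPLE_LOG += [f"2013-11-04T09:{m:02d}:00Z user=adm06 host=srv-ny-{m:03d} result=granted"
               for m in range(20)]

def parse(lines):
    """Turn each log line into a dict of its key=value fields plus the timestamp."""
    events = []
    for line in lines:
        ts, *kv = line.split()
        events.append({"time": ts, **dict(item.split("=", 1) for item in kv)})
    return events

def count_by_user(events, result=None):
    """Events per user, optionally restricted to one result ("granted"/"rejected")."""
    return Counter(e["user"] for e in events if result is None or e["result"] == result)

def high_rejections(events, threshold=3):
    """Users with at least `threshold` rejected requests (assumed threshold)."""
    return sorted(u for u, n in count_by_user(events, "rejected").items() if n >= threshold)

def volume_outliers(events, z=2.0):
    """Users whose total access events exceed the mean by more than z stdevs. Caveat: with
    n users a z-score cannot exceed sqrt(n-1), so use a wide population or longer window."""
    counts = count_by_user(events)
    values = list(counts.values())
    if len(values) < 2:
        return []
    mean, sd = statistics.mean(values), statistics.pstdev(values)
    if sd == 0:
        return []
    return sorted(u for u, n in counts.items() if (n - mean) / sd > z)
```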
Page  29
Questions?
Page  30