Successful IAM Deployment
Mike Futty, Midrange Platform Server Security Engineering
Bank of America
About Mike Futty
VP, Platform Security Engineering
Responsible for
- Midrange server systems security engineering
- Platform security baselines
- Security product selection, design and deployment
30+ years technology experience
12 years with Bank of America
Page 2
Covering a Global Environment
40 Countries [1]
50 US States [1]
24,014 Global Offices and Facilities Worldwide [1]
248K Full-time Employees [2]
One of the world’s largest AD environments
[1] BAC 2012 Corporate Social Responsibility report
[2] BAC 2013 Third Quarter Financial Results report
Page 3
Why focus on IAM?
Page 4
Recognizing a clear and present danger
[Slide shows two search-engine screenshots with their result counts: 9,140,000 results and 98,200,000 results]
Unit 61398
Hacktivists
Organized Crime
Advanced Persistent Threat
Sources: databreaches.net, indefenseofdata.com, privacyrights.org
Page 5
Recognizing a clear and present danger
“76% of network intrusions exploited weak or stolen credentials”
“13% resulted from privilege misuse and abuse”
Source: 2013 Verizon Data Breach Investigations Report, a global study performed by the Verizon RISK team, http://www.verizonenterprise.com/DBIR/2013/
Page 6
Data breaches are costly
On average, 28,765 records are compromised at an organizational cost of $5,403,644 per data breach in the US
Source: 2013 Cost of Data Breach Study: Global Analysis. Benchmark research sponsored by Symantec, independently conducted by Ponemon Institute LLC, May 2013. https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf
Page 7
Protect your REPUTATION
Every company’s most valuable asset: customer and shareholder trust
Page 8
The IAM Challenge
Page 9
Privileged Accounts
They are EVERYWHERE and can be complex to find and manage.
[Diagram: privileged accounts spread across every environment - DMZ, Dev/UAT and Production]
Page 10
Objectives and Requirements
Page 11
Basic Concept
Eliminate static and easily guessable passwords on non-human IDs with elevated privileges
Set passwords to random values, both on a schedule and after each access
Apply a uniform policy of who can sign into what
Implement access policies based on:
- Risk
- Organization (business unit)
- Environment (production, development, DMZs, etc.)
- Location
Eliminate persistent access by developers to production systems
Create transparent audit logs of privileged access
Record activity during privileged logins
Page 12
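The basic concept above, as an added example (not code from the slides or from Bank of America's deployment): a small Python model of a privileged-password vault that discards the static password at on-boarding, hands out time-boxed checkouts under an environment/risk/organization policy, rotates the password after every check-in and on a schedule, and writes every decision to an append-only audit list. The account names, the policy rules in `decide`, the 30-day rotation interval and the two-hour checkout window are all assumptions for illustration.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def random_password(length: int = 32) -> str:
    """Cryptographically random password (secrets, never random or a pattern)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class PrivilegedAccount:
    name: str                 # non-human ID, e.g. a service account (assumed names)
    environment: str          # "production", "development" or "dmz"
    org: str                  # owning business unit
    risk: str                 # "high" or "standard"
    password: str = ""        # whatever static value it had before on-boarding
    rotated_at: Optional[datetime] = None


@dataclass
class Requester:
    user: str
    org: str
    role: str                 # "admin" or "developer"
    location: str             # country code (assumed attribute)


def decide(acct: PrivilegedAccount, who: Requester, approved: bool) -> Tuple[bool, str]:
    """Assumed policy: developers never get production; admins in the owning org are
    pre-authorized for standard-risk accounts; everything else needs an approval."""
    if who.role == "developer" and acct.environment == "production":
        return False, "no developer access to production"
    needs_approval = acct.risk == "high" or acct.org != who.org or who.role != "admin"
    if needs_approval and not approved:
        return False, "request/approval workflow required"
    return True, "approved" if needs_approval else "pre-authorized"


class Vault:
    """Checkout/check-in model: rotate after access and on a schedule, audit everything."""

    def __init__(self, rotation_interval: timedelta = timedelta(days=30)) -> None:
        self.accounts = {}        # name -> PrivilegedAccount
        self.checkouts = {}       # name -> (user, expiry)
        self.audit = []           # append-only trail
        self.interval = rotation_interval

    def _log(self, now: datetime, **event) -> None:
        self.audit.append({"ts": now.isoformat(), **event})

    def _rotate(self, acct: PrivilegedAccount, now: datetime) -> None:
        acct.password = random_password()
        acct.rotated_at = now

    def onboard(self, acct: PrivilegedAccount, now: datetime) -> None:
        self._rotate(acct, now)   # the static password dies at on-boarding
        self.accounts[acct.name] = acct
        self._log(now, event="onboard", account=acct.name)

    def checkout(self, name, who, now, approved=False, ttl=timedelta(hours=2)):
        acct = self.accounts[name]
        ok, reason = decide(acct, who, approved)
        self._log(now, event="checkout", account=name, user=who.user,
                  location=who.location, granted=ok, reason=reason)
        if not ok:
            return None
        self.checkouts[name] = (who.user, now + ttl)   # time-boxed, never persistent
        return acct.password

    def checkin(self, name: str, now: datetime) -> None:
        user, _ = self.checkouts.pop(name)
        self._rotate(self.accounts[name], now)          # rotate after every access
        self._log(now, event="checkin", account=name, user=user, rotated=True)

    def expire_checkouts(self, now: datetime):
        """Force check-in (and rotation) of checkouts whose window has closed."""
        expired = sorted(n for n, (_, exp) in self.checkouts.items() if exp <= now)
        for name in expired:
            self.checkin(name, now)
        return expired

    def scheduled_rotation(self, now: datetime):
        """Rotate idle accounts older than the interval; never under a live checkout."""
        rotated = []
        for name, acct in sorted(self.accounts.items()):
            if name in self.checkouts or now - acct.rotated_at < self.interval:
                continue
            self._rotate(acct, now)
            rotated.append(name)
            self._log(now, event="scheduled_rotation", account=name)
        return rotated


def run_demo() -> dict:
    """Walk one constructed scenario and return the outcomes of each step."""
    t0 = datetime(2013, 11, 1, 9, 0)
    v = Vault()
    v.onboard(PrivilegedAccount("svc-db", "production", "retail", "standard", "Welcome1"), t0)
    v.onboard(PrivilegedAccount("svc-dmz", "dmz", "retail", "high"), t0)
    dev = Requester("dev1", "retail", "developer", "US")
    adm = Requester("adm1", "retail", "admin", "US")
    out = {"static_password_gone": v.accounts["svc-db"].password != "Welcome1"}
    out["dev_to_prod"] = v.checkout("svc-db", dev, t0)                        # denied
    first = v.checkout("svc-db", adm, t0)                                       # pre-authorized
    out["high_risk_without_approval"] = v.checkout("svc-dmz", adm, t0)          # denied
    out["high_risk_with_approval"] = v.checkout("svc-dmz", adm, t0, approved=True) is not None
    out["rotation_while_checked_out"] = v.scheduled_rotation(t0 + timedelta(days=31))
    v.checkin("svc-db", t0 + timedelta(hours=1))
    out["rotated_after_access"] = v.accounts["svc-db"].password != first
    out["expired"] = v.expire_checkouts(t0 + timedelta(hours=3))
    out["scheduled"] = v.scheduled_rotation(t0 + timedelta(days=31))
    out["denied_events"] = sum(1 for e in v.audit if e["event"] == "checkout" and not e["granted"])
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The two caveats worth noticing are in `scheduled_rotation`: an account under a live checkout is skipped so the administrator's session is not broken mid-work, and the rotation is caught up by the forced check-in when the window expires, so no account stays on an old password longer than one checkout window past its schedule.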
Business Requirements
Satisfy numerous process requirements
Meet regulatory requirements:
- Different jurisdictions with different mandates
- Requirements for on-boarding, access control, approvals, audit logs and more
Can’t slow down or impact current access
- Pre-authorized access for administrators with an audit trail
- Request/approval workflow for everybody else
Minimal ongoing support
Manageable process for on-boarding many systems, accounts at once
Training: up front and ongoing
Forensic audits: who broke this server?
Page 13
Security Requirements
The whole point is enhanced security
Overarching principle: minimize the number of people with persistent administrative access
Damage containment
Eliminate full-time developer access from production systems
Provide a temporary access mechanism
Session logging
Audit trail: who had and used access to this system?
Page 14
Technical Requirements
Fault tolerant (fire, flood, earthquake, hurricane, etc.)
Scalable:
- Hundreds of thousands of systems
- Thousands of people
- Tens of thousands of daily logins
- Record 10,000 concurrent sessions globally
Ability to integrate with:
- Existing security infrastructure
- Many platforms (Windows, Unix, Linux, iLO, DRAC, ESXi, etc.)
- Multiple AD domains
- Systems in DMZ zones
Administrator-friendly:
- Support for multiple SSH clients
- Support for other admin tools (SQL Studio, vSphere, etc.)
Easily expandable
Automatic discovery and classification of systems.
Page 15
Deployment
Page 16
Ingredients of a Successful IAM Deployment
1. Needs analysis
2. Product selection
3. Testing (Proof of Concept, User Acceptance, etc.)
4. Create development and troubleshooting processes
5. Develop rollout plan, key project reporting metrics, and a good communications plan
6. Production rollout
Page 17
Needs Analysis
Team members and skills
- Project Champion (executive support)
- Analysts (systems/accounts discovery)
- Product Engineering
- Product Operations
- Project manager(s)
- Communications and product marketing
Business requirements
Technical requirements
Tactical and strategic target systems/accounts (roadmap)
Infrastructure hardware and storage
Request process and tracking
Reporting
Page 18
Development Cycle
[Diagram: a continuous cycle, fed by identified needs]
- Assess and Prioritize Targets
- Design
- Develop and Test
- Deploy to Production
- Transition to Operations
- Monitor and Control (feeding back into Assess and Prioritize)
For success, IAM must be a permanent program, not a one-time project.
Page 19
Rollout Plan Tips
Design and document your processes end-to-end from your end user’s perspective
Assess and prioritize target systems/accounts
Develop a deployment roadmap (functionality/environment)
Pre-educate your IAM product consumers
- Information Security
- Business executives
- Server Administrators
- Application Owners
- Auditors
Identify, recruit and work with early adopters
Page 20
Key Metrics and Reporting Tips
What doesn’t get measured doesn’t get done
Measure what’s important, not just what’s easy to measure!
Accurate target server/application/account inventories are critical
- Eliminates blind spots - you can’t secure what you can’t see
Never be tempted to “cook” metrics
- Call it like you see it (audit-proof your records)
Report and communicate progress
- Report by support organizations
- Total targets and what’s complete (scope of effort)
- Percentage complete
- Trending (weekly, monthly or quarterly)
- This creates self-governance
Page 21
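The inventory and metrics tips above, as an added example (not from the slides): Python that reconciles a target inventory against a discovery scan, reports blind spots (accounts found on hosts but missing from the inventory) and stale rows, and computes percent complete per support organization over the real scope rather than over the inventory alone, with a week-over-week trend. The inventory rows, the discovery set, the host-naming convention in `ORG_BY_PREFIX` and the "next week" snapshot are constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory rows (not Bank of America's data): (host, account, support_org, onboarded)
INVENTORY = [
    ("db01", "root", "DBA", True),
    ("db02", "root", "DBA", False),
    ("web01", "Administrator", "Web Ops", True),
    ("web02", "Administrator", "Web Ops", True),
    ("app01", "svc-app", "App Support", False),
    ("app02", "svc-app", "App Support", True),
]
# Constructed discovery result: privileged accounts actually present on hosts
DISCOVERED = {
    ("db01", "root"), ("db02", "root"), ("db02", "oracle"),
    ("web01", "Administrator"), ("web02", "Administrator"), ("web03", "Administrator"),
    ("app02", "svc-app"),
}
# Assumed host-naming convention, used to attribute uninventoried hosts to an org
ORG_BY_PREFIX = {"db": "DBA", "web": "Web Ops", "app": "App Support"}


def org_for(host):
    return ORG_BY_PREFIX.get(host.rstrip("0123456789"), "Unassigned")


def blind_spots(inventory, discovered):
    """Accounts that exist on hosts but are missing from the inventory."""
    known = {(h, a) for h, a, _, _ in inventory}
    return sorted(discovered - known)


def stale_rows(inventory, discovered):
    """Inventory rows whose account no longer exists; they distort the denominator."""
    return sorted((h, a) for h, a, _, _ in inventory if (h, a) not in discovered)


def naive_pct(inventory):
    """What a dashboard shows if it trusts the inventory alone."""
    return round(100 * sum(1 for r in inventory if r[3]) / len(inventory), 1)


def completion_by_org(inventory, discovered):
    """Percent complete per org over the real scope: live inventory rows plus blind spots."""
    scope, done = defaultdict(set), defaultdict(set)
    for h, a, org, onboarded in inventory:
        if (h, a) not in discovered:
            continue                      # stale row, drop it from scope
        scope[org].add((h, a))
        if onboarded:
            done[org].add((h, a))
    for h, a in blind_spots(inventory, discovered):
        scope[org_for(h)].add((h, a))     # in scope and, by definition, not complete
    return {org: {"total": len(scope[org]), "complete": len(done[org]),
                  "pct": round(100 * len(done[org]) / len(scope[org]), 1)}
            for org in sorted(scope)}


def overall_pct(inventory, discovered):
    rows = completion_by_org(inventory, discovered).values()
    total = sum(r["total"] for r in rows)
    return round(100 * sum(r["complete"] for r in rows) / total, 1)


def trend(snapshots):
    """snapshots: [(label, inventory, discovered), ...] in time order -> (label, pct, change)."""
    out, prev = [], None
    for label, inv, disc in snapshots:
        pct = overall_pct(inv, disc)
        out.append((label, pct, None if prev is None else round(pct - prev, 1)))
        prev = pct
    return out


# Constructed "next week" snapshot: DBA on-boarded both db02 accounts and added the missing row
WEEK2 = [(h, a, o, True if h == "db02" else d) for h, a, o, d in INVENTORY] \
    + [("db02", "oracle", "DBA", True)]

if __name__ == "__main__":
    print("naive:", naive_pct(INVENTORY), "honest:", overall_pct(INVENTORY, DISCOVERED))
    print("blind spots:", blind_spots(INVENTORY, DISCOVERED))
    print("stale rows:", stale_rows(INVENTORY, DISCOVERED))
    print(trend([("2013-W44", INVENTORY, DISCOVERED), ("2013-W45", WEEK2, DISCOVERED)]))
```

On this data the inventory-only figure reads 66.7% complete while the scope-corrected figure is 57.1%: the difference is exactly the two accounts nobody had recorded, which is the blind spot the slide warns about. Reporting the honest number per support organization, with the delta from the previous period, is what turns the metric into the self-governance the tips describe.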
Challenges
Page 22
Project
Funding: up-front and ongoing
Gain early experience with easiest large-risk use-cases
Setting realistic expectations
- Stakeholders who want things before they are available (boiling the ocean)
- Recognizing not every problem will be solved at once (magic bullet)
Stakeholder recognition that strategic success is directly tied to a prioritized and incremental deployment
Stopping additional “non-compliant” account creation or usages
Balancing or combining with other projects competing for resources
Driving continual progress
Page 23
Organizational
Resistance to change
Convincing support teams to use uniform access control model
Ensuring the system isn’t used to simply automate existing insecure processes (insist on a policy of least privilege)
Training can be a revolving door of new users and consumers
Ensuring timely communications are received by all stakeholders
- Early marketing of the program and benefits
- What functionality is available?
- What environment is it available in? (production, development, DMZs, etc.)
- Future functionality/environment roadmap
- Issues and challenges (knowledge base)
Page 24
Technical
Gaining appropriate global rights for the product to work without creating new risk
Modeling a production environment with a large number of platform and system combinations in development and UAT environments
Testing is easy with one system, hard with a thousand
Maintaining reliable system and account ownership data in the context of a large dynamic organization
OS settings, patches and security policies that can cause performance degradation
Deactivating legacy password management processes
Gradual activation without disrupting existing IDs or processes
Page 25
Current State
Page 26
Current State
Available and running: 5 replicated PAM nodes on 3 continents
Multi-master architecture
Each node has an app server, a database server and a session monitoring server
Load balanced globally - nodes can fail without service disruption
On-boarding accounts from
- Windows servers
- UNIX/Linux servers
- Active Directory
Page 27
Future Direction
Page 28
Future Direction
Continue deployment based on prioritized target system/account use cases
Further integration with corporate IT Security Fabric toolset
Fine-tune detection and notification of
- Users with high number of request rejections
- Users with abnormally high access events
- Other outlier or abnormal events
Page 29
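The detection items on the slide above, as an added example (not from the slides or the product's own notification feature): Python that parses PAM checkout audit lines, counts granted and rejected requests per user, flags users with repeated rejections, and flags abnormally high access volume with a median/MAD based modified z-score, which unlike a mean and standard deviation is not dragged upward by the very outlier it is trying to find. The `key=value` log layout, the threshold values and the sample lines are constructed assumptions.

```python
import re
from collections import Counter
from statistics import median


# Constructed audit lines in an assumed key=value layout (not the PAM product's real format).
def _line(minute, user, result):
    return (f"2013-11-01T09:{minute % 60:02d}:00 user={user} event=checkout "
            f"account=svc-db host=db01 result={result}")


SAMPLE_LOG = (
    [_line(i, "adm1", "granted") for i in range(4)]
    + [_line(i, "adm2", "granted") for i in range(5)]
    + [_line(i, "adm3", "granted") for i in range(4)]
    + [_line(i, "adm4", "granted") for i in range(5)]
    + [_line(i, "adm6", "granted") for i in range(4)]
    + [_line(i, "adm5", "granted") for i in range(30)]   # abnormally high access volume
    + [_line(i, "dev1", "rejected") for i in range(4)]   # repeatedly rejected requests
    + [_line(0, "dev2", "rejected"), _line(1, "dev2", "granted")]
)

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Timestamp followed by key=value pairs -> dict."""
    ts, rest = line.split(" ", 1)
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def per_user_counts(lines):
    granted, rejected = Counter(), Counter()
    for f in map(parse, lines):
        (granted if f["result"] == "granted" else rejected)[f["user"]] += 1
    return granted, rejected


def robust_outliers(counts, threshold=3.5):
    """Modified z-score 0.6745 * (x - median) / MAD (Iglewicz and Hoaglin);
    values above the threshold are returned with their score."""
    values = list(counts.values())
    if len(values) < 3:
        return {}
    med = median(values)
    mad = median(abs(v - med) for v in values)
    flagged = {}
    for user, v in counts.items():
        if mad == 0:                      # everyone identical: anything above the median stands out
            if v > med:
                flagged[user] = float("inf")
        elif (z := 0.6745 * (v - med) / mad) > threshold:
            flagged[user] = round(z, 1)
    return flagged


def high_rejections(rejected, min_rejections=3):
    """Users whose requests were rejected at least min_rejections times in the window."""
    return {u: n for u, n in rejected.items() if n >= min_rejections}


def analyze(lines, z_threshold=3.5, min_rejections=3):
    """One report over a log window: who is being refused repeatedly, who is pulling
    far more credentials than their peers."""
    granted, rejected = per_user_counts(lines)
    return {"access_outliers": robust_outliers(granted, z_threshold),
            "high_rejections": high_rejections(rejected, min_rejections)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Run over a rolling window (a day or a week) the report is what the notification hooks into. The `mad == 0` branch matters in practice: a small, uniform team of administrators produces a zero spread, and a division by zero there would hide exactly the one person who is behaving differently.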
Questions?
Page 30