2013 12 18 webcast - building the privileged identity management business case

Webcast: Building the Privileged Identity Management Business Case. Patrick McBride, Vice President of Marketing, Xceedium

Description: How to build a business case for Privileged Identity Management, privileged access control projects and technology.

Transcript of 2013 12 18 webcast - building the privileged identity management business case

Page 1: 2013 12 18 webcast - building the privileged identity management business case

Webcast: Building the Privileged Identity Management Business Case

Patrick McBride, Vice President of Marketing, Xceedium

Page 2

© Copyright 2013, Xceedium, Inc. 2

Agenda

• Who Are Privileged Users & Why Should You Care?
• How Are The Risks Changing?
• How to Build a Privileged Identity Management Business Case
• Introducing Xceedium Xsuite®: Next Generation Privileged Identity Management

Page 3

Privileged Identity Management

Page 4

Privileged Insiders Cause Real Damage: Insider Threat – Abbreviated Wall of Shame

• A former employee at the U.S. subsidiary of Japanese pharma Shionogi pleaded guilty to deleting 15 business-critical VMware host systems, costing the company $800,000.
• An IT employee at Bank of America admitted that he hacked the bank’s ATMs to dispense cash without recording the activity.
• A contract programmer fired by Fannie Mae was convicted of planting malicious code intended to destroy all data on nearly 5,000 internal servers.
• A Goldman Sachs programmer was found guilty of stealing computer code for high frequency trading from the investment bank when he left to join a startup.
• A Utah computer contractor pleaded guilty to stealing about $2 million from four credit unions for which he worked.

Page 5

Who Are Privileged Users? (diagram)

• On premise: employees and partners acting as systems, network, database and application admins.
• Public cloud: VMware administrator, AWS administrator, Microsoft Office 365 administrator, and the apps they manage.
• Unauthorized user: hacker (malware/APT), arriving over the Internet.

Page 6

How Bad is the Insider Threat? (chart: Percentage of Participants Who Experienced an Insider Incident)

Source: 2013 US State of Cybercrime Survey, CSO Magazine, USSS, CERT & Deloitte (501 respondents)

Page 7

Insider Threat Statistics

• Insiders were the top source of breaches in the last 12 months; 25% of respondents said a malicious insider was the most common way a breach occurred. (Forrester)
• 33.73% of respondents find insider crimes likely to cause more damage to an organization than external attacks (31.34%). (CERT Insider Threat Center)
• "...insiders, be they malicious or simply unaware, were responsible for 19.5% of incidents, but a staggering 66.7% of 2012’s exposed records." (Open Security Foundation)
• "Insiders continue to be a threat that must be recognized as part of an organization’s enterprise-wide risk assessment." (CERT Insider Threat Center)

Page 8

Building Blocks for a PIM Business Case: Beware of the perfect business case

• ROI - “It will save us money…”
• Risk Reduction - “It will make our systems and data safer…”
• Compliance - “Because we have to…”

Best Practice Reminder… “Make it your own”

Page 9

Return on Investment: It will save us money…

Investment X (Process & Technology) = Cost Savings Y

Beware of the spreadsheet trap!

Is a logic argument good enough?

Page 10

Return on Investment: Password Management

ROI Calculation

Total Passwords * Number of Changes/Year (most organizations require monthly or quarterly changes) * Time to Change (some number of seconds) = Time Savings (per annum).

Annual Cost Savings = Time Savings (in hours) * Sys Admin Cost/Hour (fully loaded)

This does not factor in any savings for the ability to enforce password composition (strong passwords). There may not be much savings for this, but it does save time in audits (we’ll cover that later).

Page 11

Return on Investment: Single Sign-on

ROI Calculation

Time Savings per Login (see note) (some number of seconds) * Total Logins = Time Savings (over some period of time).

Annual Cost Savings = Time Savings (in hours) * Sys Admin Cost/Hour (fully loaded)

Note: the time the systems administrator saves by being able to SSO to the target, versus looking up a password (passwords should be different for each target system and hard to guess, no?).

Page 12

Return on Investment: Shortening Investigations

ROI Calculation

Investigations:

Time Savings per Incident (some number of days) * Number of Incidents to Investigate = Time Savings (in days/year).

Annual Cost Savings = Time Savings (in days) * Security Investigator Cost/Day (fully loaded)

Spot Checks:

Time Savings per Spot Check (in hours) * Number of Spot Checks * Sys Admin Cost/Hour = Total Cost Savings.

Note: with active monitoring and alerting, one could also argue you can reduce the total number of spot checks. For example, only do them when there is a key triggering event, such as when a sys admin leaves the organization, or when you fire a contractor or service provider.
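The password-management, single sign-on and investigation formulas from the three ROI slides above, carried through with the seconds-to-hours conversion the slides leave implicit. This is an added example, not Xceedium's own calculator; every figure in `Assumptions` is a constructed placeholder and the fully loaded rates are assumptions.

```python
"""ROI building blocks from the three slides above, carried through with numbers.
Added example, not Xceedium's own calculator; every figure is a constructed placeholder."""
from dataclasses import dataclass
from typing import Dict, Optional

SECONDS_PER_HOUR = 3600

@dataclass(frozen=True)
class Assumptions:
    # Constructed sample inputs; replace with your own environment's figures.
    total_passwords: int = 2000           # privileged accounts brought under management
    changes_per_year: int = 12            # monthly rotation policy
    seconds_per_change: int = 300         # manual rotation, including updating the record
    logins_per_year: int = 50000          # privileged logins across all admins
    seconds_per_login: int = 45           # looking up a unique password instead of SSO
    admin_cost_per_hour: float = 85.0     # sys admin, fully loaded (assumed)
    incidents_per_year: int = 6
    days_saved_per_incident: float = 3.0  # session recordings shorten reconstruction
    investigator_cost_per_day: float = 900.0  # fully loaded (assumed)
    spot_checks_per_year: int = 52        # weekly manual review
    hours_per_spot_check: float = 2.0

def password_rotation_hours(a: Assumptions) -> float:
    """Total Passwords * Changes/Year * Time to Change, seconds converted to hours."""
    return a.total_passwords * a.changes_per_year * a.seconds_per_change / SECONDS_PER_HOUR

def sso_hours(a: Assumptions) -> float:
    """Time Savings per Login * Total Logins, seconds converted to hours."""
    return a.logins_per_year * a.seconds_per_login / SECONDS_PER_HOUR

def investigation_savings(a: Assumptions) -> float:
    """Time Savings per Incident (days) * Incidents * Investigator Cost/Day."""
    return a.days_saved_per_incident * a.incidents_per_year * a.investigator_cost_per_day

def spot_check_savings(a: Assumptions, checks: Optional[int] = None) -> float:
    """Hours per Spot Check * Number of Spot Checks * Sys Admin Cost/Hour;
    pass `checks` to model event-triggered checks (e.g. only when an admin leaves)."""
    n = a.spot_checks_per_year if checks is None else checks
    return a.hours_per_spot_check * n * a.admin_cost_per_hour

def annual_savings(a: Assumptions, triggered_checks: Optional[int] = None) -> Dict[str, float]:
    admin_hours = password_rotation_hours(a) + sso_hours(a)
    result = {"admin_time": round(admin_hours * a.admin_cost_per_hour, 2),
              "investigations": round(investigation_savings(a), 2),
              "spot_checks": round(spot_check_savings(a), 2)}
    if triggered_checks is not None:  # extra saving from replacing routine checks
        result["fewer_spot_checks"] = round(spot_check_savings(a) - spot_check_savings(a, triggered_checks), 2)
    result["total"] = round(sum(result.values()), 2)
    return result
```

Running `annual_savings(Assumptions(), triggered_checks=8)` shows how much of the total comes from the time-savings lines versus the spot-check argument, which is the part of the case most likely to be challenged in review.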

Page 13

Return on Investment: …and more

Federated Identity vs. Islands of Identity

Simplified Audits

Page 14

Risk Reduction: It will make our systems and data safer…

• Impact of a Loss
• Key Risks PIM Can Mitigate
• Best Practices

Page 15

Risk Reduction: Impact of a Loss…

• Hard dollar financial losses – theft of cash and financial instruments
• Intellectual property loss – theft of strategic plans, inventions, important corporate data, etc.
• Reduced/deferred revenue – the operational impact caused by network and system outages stemming from a breach
• Fines – fines imposed by regulators
• Contractual losses – financial penalties imposed by customers through contracts or lawsuits
• Recovery cost – the cost of investigating and cleaning up from a breach (a recent Ponemon Institute study notes it takes an average of 44 days–and multiple employees–to recover from a breach by an insider)

Calculating an actual dollar figure for potential loss is difficult to impossible.

Page 16

Risk Reduction: Key Risks PIM Can Mitigate…

• Lost or stolen privileged account credentials
• Unauthorized administrative access to systems
• Ability to “land and move laterally”
• Over-privileged
• Anonymous use of privileged accounts
• Inability to enforce least privilege for critical systems
• Minimal or missing forensic data for investigating and adjudicating insider threat cases

Page 17

Risk Reduction: Best Practices for Managing Privileged User Risks

1. Create a process for on/off boarding privileged users
• Background checks
• Ensure policy review & training
• Periodic (ongoing) entitlement reviews

2. Implement Least Privilege (least everything)
• Least device access
• Least functional access (Console, CLI, FTP)
• Least command execution (“drop”, “telnet”, “reboot”)

3. Implement strong authentication
• Strengthen legacy UID and password mechanism
• Implement two or three factor authentication

4. Separate authentication from authorization (entitlements)
• Remove direct end-point access

5. Protect privileged account credentials

Page 18

Risk Reduction: Best Practices for Managing Privileged User Risks (continued)

6. No anonymous activity - ensure privileged sessions can be “attributed” to a specific individual (not just an IP address or shared account)

7. Implement extra protections for the most critical assets/privileged accounts (e.g., management consoles)

8. Alert on violations (proactive controls), lock out account/session on violations

9. Log & record EVERYTHING (Forensics)

10. Mind the Virtualization API Gap
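A session policy check that ties together best practices 2 (least device and command access, using the slide's own “drop”, “telnet” and “reboot” examples), 6 (attribution to a named individual rather than a shared account), 8 (alert and lock on violations) and 9 (a log of every decision). This is an added example with constructed roles, devices and command sequences, not Xceedium's product logic; the "deny first, lock on the second violation" escalation is an assumption.

```python
"""Least-privilege session check for practices 2, 6, 8 and 9. Added example with
constructed roles and sessions; the deny-then-lock escalation is an assumption."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed policy: per role, the devices that may be reached and the commands that may not run.
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "net_admin": {"devices": {"core-sw-01", "edge-rtr-01"}, "denied": {"telnet", "reboot"}},
    "db_admin": {"devices": {"db-prod-01"}, "denied": {"drop", "truncate"}},
}
ROLES: Dict[str, str] = {"alice": "net_admin", "bob": "db_admin"}  # named individuals only
LOCK_AFTER = 2  # assumption: the second blocked command in one session locks it

@dataclass
class Session:
    user: str            # the individual behind the session, not the shared account
    shared_account: str  # e.g. "root" or "admin" on the target
    device: str
    violations: int = 0
    locked: bool = False
    log: List[str] = field(default_factory=list)  # forensic record of every decision

def evaluate(s: Session, command: str) -> str:
    """Return 'allow', 'deny' (alert, session continues) or 'lock' (session terminated)."""
    first = command.split()[0].lower() if command.split() else ""
    if s.locked:
        verdict = "lock"
    elif s.user not in ROLES:
        verdict = "lock"  # anonymous use of a privileged account: no attribution, no session
    elif s.device not in POLICY[ROLES[s.user]]["devices"]:
        verdict = "lock"  # target outside the role's entitlement
    elif first in POLICY[ROLES[s.user]]["denied"]:
        s.violations += 1
        verdict = "lock" if s.violations >= LOCK_AFTER else "deny"
    else:
        verdict = "allow"
    if verdict == "lock":
        s.locked = True
    s.log.append(f"{s.user or '<unattributed>'} via {s.shared_account}@{s.device}: {command!r} -> {verdict}")
    return verdict

def replay(user: str, shared_account: str, device: str, commands: List[str]) -> Session:
    """Run a recorded command sequence through the policy and return the session with its log."""
    s = Session(user, shared_account, device)
    for c in commands:
        evaluate(s, c)
    return s
```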

Page 19

Increased Regulatory and Auditor Scrutiny

New requirements around privileged/administrative users:
• FISMA/NIST 800-53 (r4)
• PCI DSS
• NERC Critical Infrastructure Protection
• HIPAA, SOX, etc.
• International security/privacy regulations

Page 20

NIST 800-125: “Guide to Security for Full Virtualization Technology”

Restrict and protect administrator access to the virtualization solution

• “The security of the entire virtual infrastructure relies on the security of the virtualization management system”

• “…start guest OSs, create new guest OS images, and perform other administrative actions. Because of the security implications of these actions, access to the virtualization management system should be restricted to authorized administrators only.”

• “Secure each management interface, whether locally or remotely accessible.”

• “For remote administration, the confidentiality of communications should be protected, such as through use of FIPS-approved cryptographic algorithms and modules.”

Page 21

Building Blocks for a PIM Business Case (recap): Beware of the perfect business case!

• ROI - “It will save us money…”
• Risk Reduction - “It will make our systems and data safer…”
• Compliance - “Because we have to…”

Page 22

Next Generation PIM Requirements

1. Comprehensive/Integrated Control Set
2. Protect Systems, Applications, Consoles Across Hybrid-Cloud
3. Architected Specifically for Highly Dynamic Public/Private Clouds

June 2013

Page 23

Introducing Xsuite®: Next Generation Privileged Identity Management (architecture diagram)

Enterprise-Class Core: Identity Integration; Unified Policy Management; delivered as a Hardware Appliance, AWS AMI or OVF Virtual Appliance.

Control and Audit All Privileged Access:
• Vault Credentials
• Centralized Authentication
• Federated Identity
• Privileged Single Sign-on
• Role-Based Access Control
• Prevent Leapfrogging
• Monitor & Record Sessions
• Full Attribution

New Hybrid Enterprise:
• Traditional Data Center: Mainframe, Windows, Linux, Unix, Networking
• Virtualized Data Center: VMware Console
• SaaS Applications: Office 365 Console
• Public Cloud - IaaS: AWS Console & APIs

Page 24

What Sets Xsuite Apart? Next Generation Privileged Identity Management

Xsuite is the Only Platform With:
• Comprehensive, integrated controls enforced across hybrid environments
• Unified policy management
• Protection for management consoles and guest systems
• Integration with VMware, AWS and Microsoft Office 365
• Control and auditing of AWS management API calls
• Architected for dynamic, elastic cloud environments
• Deployment choice: hardware, OVF or AMI appliances

Superior Performance & Scalability; Integration With Existing Systems and Infrastructure; Most Highly Certified Solution Available

Page 25

Contact Us

2214 Rock Hill Road, Suite 100, Herndon, VA 20170
Phone: 866-636-5803
facebook.com/xceedium
[email protected]
@Xceedium, @pmcbrideva1