Privileged Identity Management Architecture IBM


Transcript of Privileged Identity Management Architecture IBM

Page 1: Privileged Identity Management Architecture IBM

© 2016 IBM Corporation

Architecture and processes

Mike Chung | Associate Partner IBM Security

Seoul, 2016

Privileged Identity Management

Page 2: Privileged Identity Management Architecture IBM


Table of contents

§ Common understanding of terms

§ Typical architecture and processes

§ Challenges and shortcoming

§ Good practices

§ Limitations

§ Deployment methodology

§ First steps

§ Main processes

§ Contact details

Page 3: Privileged Identity Management Architecture IBM


Privileged Identity: common understanding of terms

[Diagram: a privileged identity, either a user with high system privileges or an application/system credential with high system privileges, holds a privileged account with elevated permissions on an application/system]

Privileged identities refer to users and accounts with elevated/root permissions

Privileged identities

• IT/system administrators

• Database administrators

• Application managers/owners

• Application/system credentials with high/elevated privileges to other systems

Page 4: Privileged Identity Management Architecture IBM


Privileged Identity: common understanding of terms

[Diagram: as on Page 3, extended with the target application/system and its (pre)defined accounts]

Elevated permissions allow root/administrator activities on target applications/systems

Privileged identities (as on Page 3)

Elevated permission examples

• Root

• AD Domain Admin

• UNIX File Shares Admin

• SAP Admin

• Security Infrastructure Admin

Page 5: Privileged Identity Management Architecture IBM


Privileged Identity: common understanding of terms

[Diagram: as on Page 4]

Definition of Privileged Identity Management

• Managing the lifecycle of privileged identities

• Preventing/blocking misuse by enforcing privileged access policy

• Detecting activities and anomalies

Page 6: Privileged Identity Management Architecture IBM


Privileged Identity: typical architecture

[Diagram: a privileged identity with a privileged account and elevated permissions on an application/system, surrounded by three layers: identity lifecycle & control process; audit & forensics standards/baselines; secure access standards/baselines]

Privileged identity management is all about governance/processes related to privileged identities supported by technology

Page 7: Privileged Identity Management Architecture IBM


Privileged Identity: challenges and shortcomings

[Diagram: as on Page 6, with the shortcomings placed on the identity lifecycle & control process layer]

Shortcomings (identity lifecycle & control process)

• User(s) sharing account

• Limited approvals and risk-based controls

• Authorization creep

• Limited overview and insight

Shortcomings in identity lifecycle process causing shared use of privileged accounts and authorization creep

Page 8: Privileged Identity Management Architecture IBM


Privileged Identity: challenges and shortcomings

[Diagram: as on Page 7, extended with the shortcomings on the secure access standards/baselines layer]

Shortcomings (secure access standards/baselines)

• Weak, single-factor authentication

• Lack of specific access policy regarding privileged identities

• Weak/known passwords

• Limited enforcement of least-privilege principle

• Excessive use of root permissions

Lack of access policy and enforcement mechanisms leading to weak authentication that can be misused easily

Page 9: Privileged Identity Management Architecture IBM


Privileged Identity: challenges and shortcomings

[Diagram: as on Page 8, extended with the shortcomings on the audit & forensics standards/baselines layer]

Shortcomings (audit & forensics standards/baselines)

• Limited, hard-to-identify traces

• Limited monitoring and ways to intervene

• Poor awareness of risks concerning privileged identities

• Limited expertise and resources

Limited resourcing and forensic capabilities leading to unnoticed account breaches

Page 10: Privileged Identity Management Architecture IBM


Privileged Identity: good practices to manage

[Diagram: as on Page 6, with the good practices placed on the identity lifecycle & control process layer]

Good practices (identity lifecycle & control process)

• Workflow/lifecycle engine

• Approval process and risk-based controls

• Overview and insight into the scope of privileged identities and their usage

Lifecycle & control processes facilitated by workflow solutions

Page 11: Privileged Identity Management Architecture IBM


Privileged Identity: good practices to prevent/block

[Diagram: as on Page 10, extended with the good practices on the secure access standards/baselines layer]

Good practices (secure access standards/baselines)

• Specific access policy regarding privileged identities

• Secure credential vault

• Enforcement of least-privilege principle

• Policy (enforcement) engine

• Multi-factor authentication

Access policy enforced by using specific privileged management technology

Page 12: Privileged Identity Management Architecture IBM


Privileged Identity: good practices to detect

[Diagram: as on Page 11, extended with the good practices on the audit & forensics standards/baselines layer]

Good practices (audit & forensics standards/baselines)

• Anomaly detection/integration with SIEM

• Session recorder/manager

• Awareness of risks concerning privileged identities

• Expertise and resources on privileged identity management

Towards higher maturity of Privileged Identity Management

Page 13: Privileged Identity Management Architecture IBM


Privileged Identity: key functionality

[Diagram: the PIM technology components around the privileged identity: workflow/lifecycle engine, secure credential vault, policy (enforcement) engine, anomaly detection/integration with SIEM, session recorder/manager, multi-factor authentication]

IBM provides the full range of identity and access functionality

Workflow/lifecycle engine

• Facilitating the request – approval – creation – revalidation process flow

• Providing PIM-specific management/admin dashboard for overview and insight

Multi-factor authentication

• Offering interfaces to various (combinations of) strong authentication mechanisms (soft/hard tokens, certificates, biometrics, etc.)

• Enabling context/event-based authentication

Secure credential vault

• Providing a controlled single check-in/check-out for privileged identities

• Automating the change of (hidden) passwords to target applications/systems

Policy engine

• Enforcing the (pre)defined rules and controls

Session recorder/manager

• Visual recording of activities with on-demand search and playback functionality

• Meeting regulatory compliance - proof for auditors that sessions are recorded/monitored

Anomaly detection

• Detecting suspicious behavior of privileged identities

• Correlating data between various sources to detect/forecast misuse/attacks

Page 14: Privileged Identity Management Architecture IBM


Privileged Identity: limitations of processes-only approach

Privileged Identity Management goes beyond traditional IAM process approaches

Account sharing

[Diagram: privileged identities using one shared privileged account with elevated permissions on an application/system]

§ Risk of losing individual accountability

§ Issues with password management and security

§ Out of step with regulatory thinking

Individual account on every application/system

[Diagram: a privileged identity holding a separate privileged account with elevated permissions on each of several applications/systems]

§ Exponential increase in privileged accounts

§ Increased risk of mismanagement of privileged accounts

§ Increased administration costs

Page 15: Privileged Identity Management Architecture IBM


Privileged Identity: processes & technology approach

Effective Privileged Identity Management encompasses processes and technology

Use of individual IDs

[Diagram: a privileged identity reaching the privileged account on an application/system through PIM technology]

§ Assuring individual accountability

§ Automated password management and security

§ Compliant with regulatory standards

Using individual ID to access multiple applications/systems

[Diagram: one privileged identity reaching the privileged accounts on several applications/systems through PIM technology]

§ One interface to use privileged accounts

§ Improved approach of managing privileged accounts

§ Lower administrative burden

Page 16: Privileged Identity Management Architecture IBM


Privileged Identity: limitations of PIM-only approach

[Diagram: as on Page 15, with the limitations of a PIM-technology-only approach]

Privileged identities refer to users and accounts with elevated/root permissions

Limitations of a PIM-only approach

• Authorized users committing fraud

• Multiple front attack

• Social engineering, extortion, bribery

Page 17: Privileged Identity Management Architecture IBM


Privileged Identity: deployment methodology

IBM’s proven methodology as used at IBM, our partners, and at our enterprise customers

Phases: Business case, Design, Rollout, Test & Acceptance, Operational PIM

Identifying the necessity

• Regulatory compliance

• Security risks

• Operational risks

Defining the requirements

• Functional requirements

• Procedural requirements

• Technical requirements

Defining the scope

• Users & identities

• Organizational scope

• Technical scope

Identifying constraints

• Contractual/legal

• Financial (budget)

• Operational

Delivering the business case

• Necessity

• Scope

• Constraints

• Options

• Recommended steps

Drafting the concept

• Process framework

• Runtime architecture

• Static architecture

Validating the concept

• Operational

• Technical (PoC)

• Financial

Delivering the detailed design

• Requirements

• Process flows/use-cases

• Runtime architecture

• Static architecture

• Implementation steps

Detailed planning

• Rollout steps

• Prerequisites

• Risks & mitigations

Testing

• Functional/operational

• Technology/performance

• Security

Development

• Infrastructure setup

• Installation, configuration

• Process implementation

Realizing quick-wins

• Highly visible and needed

• Easy and quick to deploy

Delivering the PIM solution

• Quick-wins

• Governance framework

• Processes

• Technology

• Next steps

Accepting

• Functional/operational

• Technology/performance

• Security

Validating the solution

• Solution vs. risks

• Delivery vs. design

• Result vs. planning

Preparing the handover to Operations

• Operational criteria

• Knowledge transfer

• Documentation

• Service levels

• Aftercare

Operational PIM

• Identity lifecycle & control process in operation

• Audit & forensics standards/baselines implemented

• Secure access standards/baselines implemented

Page 18: Privileged Identity Management Architecture IBM


Privileged Identity: deployment methodology

Essential steps and areas of specific attention

[Diagram: the same phases and activities as on Page 17, with the essential steps highlighted]

Page 19: Privileged Identity Management Architecture IBM


Privileged Identity: first essential steps

Why PIM?

What risks are to be mitigated?

Typically:

• Regulatory compliance

• Insider threat

• Errors and omissions

• Account hijacking

Page 20: Privileged Identity Management Architecture IBM


Privileged Identity: first essential steps

What privileged identities must be controlled?

What users are privileged identities?

Typically:

• IT admins

• Database admins

• Application managers

• Application credentials

What risks are to be mitigated? (as on Page 19)

Page 21: Privileged Identity Management Architecture IBM


Privileged Identity: first essential steps

What users are privileged identities? (as on Page 20)

What are systems/services in scope?

Typically:

• Containing valuable data

• Operation-critical systems

What are constraints and limitations?

Typically:

• Contractual

• Technical

• Financial

• Operational

What risks are to be mitigated? (as on Page 19)

Correct scope definition, taking constraints into account

Page 22: Privileged Identity Management Architecture IBM


Privileged Identity: main processes

[Diagram: privileged identities, authoritative source(s), user management, and the target systems (on-premise target systems, cloud/SaaS)]

User management

• Creating, changing and disabling of privileged accounts

• Administration of PIM-related data (attributes)

User lifecycle management

Page 23: Privileged Identity Management Architecture IBM


Privileged Identity: main processes

[Diagram: as on Page 22, extended with authentication and access policy between the privileged identities and the target systems, backed by the credential vault + policy db]

User management (as on Page 22)

Authentication

• Verification of claimed identity to the vault

• Authentication:

o Multi factor authentication

o Certificates

o Digital signatures

Access policy

• Assigning system permissions to privileged users

• Access based on:

o Need to access

o Least privilege

o Limited time

Tightly controlled authentication and access

Page 24: Privileged Identity Management Architecture IBM


Privileged Identity: main processes

[Diagram: as on Page 23, extended with governance and monitoring; the labels IST (actual state) and SOLL (target state) sit next to the credential vault + policy db]

User management, Authentication and Access policy (as on Page 23)

Monitoring

• Session monitoring

• Reporting

Governance

• Defining scope

• Identifying risks

• Identifying mitigations and control measures

• Defining procedures

• Managing processes

Governance and monitoring
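The vault, policy engine and access rules described on Pages 13, 23 and 24 (single controlled check-out, MFA before a credential is released, access granted only on need-to-access, least privilege and for a limited time, hidden-password rotation on check-in, an audit trail for the SIEM) as an added Python example; this is not code from the deck or from any IBM product, and the account name, user names and minute-based clock are constructed.

```python
# Added example, not from the IBM deck: a minimal credential vault and policy
# engine enforcing the slides' access rules (need to access, least privilege,
# limited time) with mandatory MFA, password rotation on check-in and an
# audit trail. Times are plain integers (minutes); names are constructed.
import secrets

class CredentialVault:
    def __init__(self, policies):
        # policy db: (user, account) -> max check-out minutes; no entry = no access
        self.policies = dict(policies)
        self.passwords = {}   # account -> current hidden password
        self.active = {}      # account -> (user, expiry minute); one holder at a time
        self.audit = []       # (minute, user, account, event) for SIEM export

    def onboard(self, account):
        self.passwords[account] = secrets.token_urlsafe(16)

    def checkout(self, user, account, mfa_ok, now):
        """Return (password, expiry) or None; every decision is audited."""
        limit = self.policies.get((user, account))
        if limit is None:                    # need-to-access / least privilege
            return self._deny(user, account, "no policy", now)
        if not mfa_ok:                       # verification of claimed identity
            return self._deny(user, account, "mfa required", now)
        held = self.active.get(account)
        if held and held[1] > now:           # single controlled check-out
            return self._deny(user, account, "already checked out", now)
        self.active[account] = (user, now + limit)
        self.audit.append((now, user, account, "checkout"))
        return self.passwords[account], now + limit

    def checkin(self, user, account, now):
        held = self.active.get(account)
        if held is None or held[0] != user:
            return False
        del self.active[account]
        self.passwords[account] = secrets.token_urlsafe(16)   # rotate on return
        self.audit.append((now, user, account, "checkin+rotate"))
        return True

    def expired(self, now):
        """Accounts whose limited-time window has closed: force check-in."""
        return sorted(a for a, (_, exp) in self.active.items() if exp <= now)

    def _deny(self, user, account, reason, now):
        self.audit.append((now, user, account, "denied:" + reason))
        return None

def demo():
    """Constructed scenario; returns the observations a test can check."""
    v = CredentialVault({("alice", "root@db01"): 30})
    v.onboard("root@db01")
    first = v.passwords["root@db01"]
    out = {"bob": v.checkout("bob", "root@db01", True, 540),
           "no_mfa": v.checkout("alice", "root@db01", False, 540)}
    out["expiry"] = v.checkout("alice", "root@db01", True, 540)[1]
    out["double"] = v.checkout("alice", "root@db01", True, 545)
    out["expired_571"] = v.expired(571)
    out["checkin"] = v.checkin("alice", "root@db01", 550)
    out["rotated"] = v.passwords["root@db01"] != first
    out["denials"] = sum(e[3].startswith("denied") for e in v.audit)
    return out
```

A real deployment would back `passwords` with an encrypted store and push the rotated password to the target system; the audit tuples are what the anomaly-detection/SIEM integration on Page 13 would consume.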

Page 25: Privileged Identity Management Architecture IBM


Privileged Identity: onboarding process (high-level)

[Swimlane diagram; roles: privileged user, process administrator, team manager, security officer, risk manager, system administrator]

Request

• Request for account for privileged user

• Request administration

Approval

• Approval/rejection (SoD)

• Approval/rejection (security risk)

Acceptance

• Acceptance of conditions and accountability

• Acceptance of conditions and responsibility

Creation

• Creation of account

• Receipt and use of account

• Request closure

Approvals based on risk and segregation of responsibilities
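The request-approval-acceptance-creation flow above as an added Python example (not from the deck): a state machine in which the account can only be created after the segregation-of-duties and risk-based approvals and the user's acceptance. All user names are constructed, and the rule that a "high" risk request additionally needs the risk manager is an assumption chosen to illustrate risk-based approval.

```python
# Added example, not from the IBM deck: the request-approval-acceptance-
# creation flow as a state machine enforcing segregation of duties (no
# self-approval, no person in two approver roles, creator not an approver)
# and risk-based approval. The rule that a "high" risk request also needs
# the risk manager and all names are constructed assumptions.
class OnboardingRequest:
    def __init__(self, requester, account, risk):
        self.requester, self.account, self.risk = requester, account, risk
        self.needed = {"team_manager"}            # SoD approval always required
        if risk == "high":
            self.needed.add("risk_manager")       # security-risk approval
        self.approvals = {}                       # role -> approver
        self.state, self.outcome = "approval", None   # request administered

    def approve(self, approver, role):
        if self.state != "approval" or role not in self.needed:
            return "invalid"
        if approver == self.requester or approver in self.approvals.values():
            return "sod violation"                # segregation of duties
        self.approvals[role] = approver
        if self.needed == set(self.approvals):    # all approvals collected
            self.state = "acceptance"
        return "approved"

    def reject(self, approver, role):
        if self.state != "approval" or role not in self.needed:
            return False
        self.state, self.outcome = "closed", "rejected by " + role
        return True

    def accept_conditions(self, user):
        # the privileged user accepts the conditions and personal accountability
        if self.state != "acceptance" or user != self.requester:
            return False
        self.state = "creation"
        return True

    def create_account(self, sysadmin):
        # creation only after every approval and the user's acceptance
        if self.state != "creation" or sysadmin in self.approvals.values():
            return False
        self.state, self.outcome = "closed", "created by " + sysadmin
        return True

def demo():
    """Constructed walk-through; each entry is the result of one step."""
    r = OnboardingRequest("alice", "root@db01", "high")
    return [r.create_account("sys1"),              # too early
            r.approve("alice", "team_manager"),    # self-approval
            r.approve("bob", "team_manager"),
            r.approve("bob", "risk_manager"),      # same person twice
            r.accept_conditions("alice"),          # approvals incomplete
            r.approve("carol", "risk_manager"),
            r.accept_conditions("alice"),
            r.create_account("sys1"), r.state, r.outcome]
```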

Page 26: Privileged Identity Management Architecture IBM


Privileged Identity: recertification process (high-level)

[Swimlane diagram; roles: privileged user, process administrator, team manager, auditor, risk manager, system administrator]

Request

• Request for recertification

• Request administration

Audit

• Providing IST data (actual state)

• Providing SOLL data (target state)

• SOLL-IST comparison

Acceptance

• Verification and acceptance of findings

Recertification

• Recertification

• Corrective actions

• Request closure

Periodic recertification ensuring the enforcement of access policy
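The SOLL-IST comparison step as an added Python example (not from the deck): SOLL, the target state, is what the authoritative source and policy db say each user should hold; IST, the actual state, is what the target systems report; each finding carries the corrective action for the recertification phase. The sample data, day numbers and the 90-day "unused" threshold are constructed assumptions.

```python
# Added example, not from the IBM deck: the SOLL-IST comparison as a function.
# SOLL (target state) is what the authoritative source and policy db say a
# user should hold; IST (actual state) is what the target systems report.
# Each finding carries a corrective action. Sample data, day numbers and the
# 90-day "unused" threshold are constructed assumptions.
def soll_ist_compare(soll, ist, active_users, today, unused_days=90):
    """soll: set of (user, system, account); ist: list of
    (user, system, account, last_used_day); returns (type, key, action)."""
    ist_keys = {(u, s, a) for u, s, a, _ in ist}
    findings = []
    for user, system, account, last_used in ist:
        key = (user, system, account)
        if user not in active_users:           # leaver still holding an account
            findings.append(("orphaned", key, "disable account, notify owner"))
        elif key not in soll:                  # authorization creep
            findings.append(("unauthorized", key, "revoke and review approvals"))
        elif today - last_used > unused_days:  # least privilege: no longer needed
            findings.append(("unused", key, "revoke unless re-justified"))
    for key in sorted(soll - ist_keys):        # SOLL says yes, IST says no
        findings.append(("missing", key, "provision or correct SOLL"))
    return findings

def summarize(findings):
    """Count findings per type, the figure a recertification report needs."""
    counts = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts

def demo():
    # constructed sample: day numbers instead of dates, today is day 1000
    soll = {("alice", "db01", "root"), ("bob", "sap", "sapadm"),
            ("dave", "crm", "admin")}
    ist = [("alice", "db01", "root", 995), ("bob", "sap", "sapadm", 850),
           ("carol", "db01", "root", 990), ("eve", "crm", "admin", 999)]
    active = {"alice", "bob", "carol", "dave"}   # from the authoritative source
    return soll_ist_compare(soll, ist, active, today=1000)
```

The "unused" and "unauthorized" findings are the authorization-creep and least-privilege cases from Pages 7 and 8; the "orphaned" finding is the lifecycle gap that periodic recertification exists to catch.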

Page 27: Privileged Identity Management Architecture IBM


Contact details

Drs. Mike Chung RE CISSP

Associate Partner IBM Security

[email protected]

+31 6 2565 7593 (the Netherlands)

+82 10 3521 7754 (South Korea)