Privileged Identity Management Architecture IBM
© 2016 IBM Corporation
Privileged Identity Management: architecture and processes
Mike Chung | Associate Partner IBM Security
Seoul, 2016
Table of contents
§ Common understanding of terms
§ Typical architecture and processes
§ Challenges and shortcomings
§ Good practices
§ Limitations
§ Deployment methodology
§ First steps
§ Main processes
§ Contact details
Privileged Identity: common understanding of terms

[Diagram: a privileged identity (a user with high system privileges, or an application/system credential with high system privileges) holds a privileged account, i.e. a (pre)defined account on a target application/system that carries elevated permissions.]

Privileged identities refer to users and accounts with elevated/root permissions:
• IT/system administrators
• Database administrators
• Application managers/owners
• Application/system credentials with high/elevated privileges to other systems

Elevated permissions allow root/administrator activities on target applications/systems. Examples:
• Root
• AD Domain Admin
• UNIX File Shares Admin
• SAP Admin
• Security Infrastructure Admin

Definition of Privileged Identity Management:
• Managing the lifecycle of privileged identities
• Preventing/blocking misuse by enforcing privileged access policy
• Detecting activities and anomalies
Privileged Identity: typical architecture

[Diagram: the privileged identity, its privileged account and the elevated permissions on the application/system, surrounded by three supporting pillars: identity lifecycle & control process; secure access standards/baselines; audit & forensics standards/baselines.]

Privileged identity management is all about governance/processes related to privileged identities, supported by technology.
Privileged Identity: challenges and shortcomings

Identity lifecycle & control process
• User(s) sharing one privileged account
• Limited approvals and risk-based controls
• Authorization creep
• Limited overview and insight
Shortcomings in the identity lifecycle process cause shared use of privileged accounts and authorization creep.

Secure access standards/baselines
• Weak, single-factor authentication
• Weak/known passwords
• Lack of a specific access policy regarding privileged identities
• Limited enforcement of the least-privilege principle
• Excessive use of root permissions
Lack of access policy and enforcement mechanisms leads to weak authentication that can be misused easily.

Audit & forensics standards/baselines
• Limited, hard-to-identify traces
• Limited monitoring and ways to intervene
• Poor awareness of risks concerning privileged identities
• Limited expertise and resources
Limited resourcing and forensic capabilities lead to account breaches going unnoticed.
Privileged Identity: good practices to manage
Identity lifecycle & control process
• Workflow/lifecycle engine
• Approval process and risk-based controls
• Overview and insight into the scope of privileged identities and their usage
Lifecycle & control processes facilitated by workflow solutions.

Privileged Identity: good practices to prevent/block
Secure access standards/baselines
• Specific access policy regarding privileged identities
• Secure credential vault
• Policy (enforcement) engine
• Enforcement of the least-privilege principle
• Multi-factor authentication
Access policy enforced by using specific privileged management technology.

Privileged Identity: good practices to detect
Audit & forensics standards/baselines
• Anomaly detection / integration with SIEM
• Session recorder/manager
• Awareness of risks concerning privileged identities
• Expertise and resources on privileged identity management
Together these practices move the organization towards higher maturity of Privileged Identity Management.
Privileged Identity: key functionality

IBM provides the full range of identity and access functionality.

Workflow/lifecycle engine
• Facilitating the request – approval – creation – revalidation process flow
• Providing a PIM-specific management/admin dashboard for overview and insight

Multi-factor authentication
• Offering interfaces to various (combinations of) strong authentication mechanisms (soft/hard tokens, certificates, biometrics, etc.)
• Enabling context/event-based authentication

Secure credential vault
• Providing controlled single check-in/check-out of privileged credentials
• Automating the change of (hidden) passwords on target applications/systems

Policy engine
• Enforcing the (pre)defined rules and controls

Session recorder/manager
• Visual recording of activities with on-demand search and playback functionality
• Meeting regulatory compliance: proof for auditors that sessions are recorded/monitored

Anomaly detection
• Detecting suspicious behavior of privileged identities
• Correlating data between various sources to detect/forecast misuse/attacks
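One concrete correlation that the "anomaly detection / integration with SIEM" bullet points at is matching privileged logons seen on the target systems against the vault's check-out records. The script below is an added example and is not IBM code or part of the deck; the check-out record layout, the sshd-style log format, the 15-minute grace period, and all user, host and address names are constructed assumptions. A successful root logon with no lease behind it means the password is known outside the vault (or rotation on check-in failed), which is the "limited, hard-to-identify traces" problem from the challenges slides turned into an alert with a named individual attached where one exists.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Grace period after lease expiry (assumption): a session opened seconds after the lease
# ended is a lease overrun; anything later is use of the password outside the vault.
GRACE = timedelta(minutes=15)

@dataclass(frozen=True)
class Checkout:
    user: str        # named individual who checked the credential out of the vault
    account: str     # shared privileged account on the target, e.g. "root"
    target: str      # target system the account belongs to
    start: datetime
    end: datetime    # lease expiry set by the policy engine

# Matches the sshd accept lines in the constructed sample below (assumed layout:
# ISO-8601 timestamp, hostname, then the sshd message). Real syslog needs its own parser.
LOGON_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \w+ for (?P<acct>\S+) from (?P<ip>\S+)"
)

def parse_logons(lines):
    """Yield (timestamp, host, account, source_ip) for successful logons; skip other lines."""
    for line in lines:
        m = LOGON_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["host"], m["acct"], m["ip"]

def correlate(logons, checkouts):
    """Attribute each shared-account logon to the named lease holder, or raise a finding.

    status is one of:
      ATTRIBUTED     logon falls inside an active check-out window
      LEASE_EXPIRED  a lease for this account/target ended shortly before the logon
      VAULT_BYPASS   no (recent) lease: the password is known outside the vault, or the
                     rotation on check-in failed; either way the vault was not used
    """
    findings = []
    for at, host, acct, ip in logons:
        same = [c for c in checkouts if c.account == acct and c.target == host]
        active = [c for c in same if c.start <= at <= c.end]
        recent = [c for c in same if c.end < at <= c.end + GRACE]
        if active:
            status, user = "ATTRIBUTED", active[0].user
        elif recent:
            status, user = "LEASE_EXPIRED", max(recent, key=lambda c: c.end).user
        else:
            status, user = "VAULT_BYPASS", None
        findings.append({"at": at, "target": host, "account": acct, "src_ip": ip,
                         "status": status, "user": user})
    return findings

T = datetime.fromisoformat

# Constructed vault records (what the PIM solution would export to the SIEM).
SAMPLE_CHECKOUTS = [
    Checkout("alice", "root", "db01", T("2016-03-14T09:55:00"), T("2016-03-14T10:55:00")),
    Checkout("bob", "oracle", "db01", T("2016-03-14T10:30:00"), T("2016-03-14T11:30:00")),
]

# Constructed target-system log lines; the two 23:xx root logons have no lease behind them.
SAMPLE_LOG = """\
2016-03-14T10:03:21 db01 sshd[4711]: Accepted publickey for root from 10.0.5.7 port 50123 ssh2
2016-03-14T10:04:02 db01 sshd[4712]: Failed password for invalid user admin from 10.0.9.9 port 41000 ssh2
2016-03-14T11:30:45 db01 sshd[4790]: Accepted password for oracle from 10.0.5.7 port 50200 ssh2
2016-03-14T23:12:09 db01 sshd[5102]: Accepted password for root from 192.0.2.44 port 61002 ssh2
2016-03-14T23:15:00 app02 sshd[311]: Accepted password for root from 192.0.2.44 port 61010 ssh2
""".splitlines()

def run_sample():
    return correlate(parse_logons(SAMPLE_LOG), SAMPLE_CHECKOUTS)

if __name__ == "__main__":
    for f in run_sample():
        print(f["at"], f["account"] + "@" + f["target"], f["src_ip"], f["status"], f["user"])
```

The VAULT_BYPASS findings are the ones worth paging on: the same source address opening root sessions on two systems with no check-out is either an administrator who kept a pre-vault password or an attacker who obtained one, and the session recorder has nothing for either.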
Privileged Identity: limitations of processes-only approach

Privileged Identity Management goes beyond traditional IAM process approaches. Without supporting technology there are only two ways to run privileged accounts:

Account sharing (one privileged account per application/system, used by several privileged identities)
§ Risk of losing individual accountability
§ Issues with password management and security
§ Out of step with regulatory thinking

Individual account on every application/system
§ Exponential increase in privileged accounts
§ Increased risk of mismanagement of privileged accounts
§ Increased administration costs
Privileged Identity: processes & technology approach

Effective Privileged Identity Management encompasses processes and technology: each privileged identity uses its own individual ID against the PIM technology, which in turn brokers access to the privileged accounts on the target applications/systems.

Use of individual IDs
§ Assuring individual accountability
§ Automated password management and security
§ Compliant with regulatory standards

Using an individual ID to access multiple applications/systems
§ One interface to use privileged accounts
§ Improved approach to managing privileged accounts
§ Lower administrative burden
Privileged Identity: limitations of PIM-only approach

Even with PIM technology in front of the privileged accounts, some threats are not addressed by the technology alone:
• Authorized users committing fraud
• Multiple-front attack
• Social engineering, extortion, bribery
Privileged Identity: deployment methodology
IBM's proven methodology as used at IBM, our partners, and at our enterprise customers: essential steps and areas of specific attention.

Business case
• Identifying the necessity: regulatory compliance, security risks, operational risks
• Defining the requirements: functional, procedural, technical
• Defining the scope: users & identities, organizational scope, technical scope
• Identifying constraints: contractual/legal, financial (budget), operational
• Delivering the business case: necessity, scope, constraints, options, recommended steps

Design
• Drafting the concept: process framework, runtime architecture, static architecture
• Validating the concept: operational, technical (PoC), financial
• Delivering the detailed design: requirements, process flows/use-cases, runtime architecture, static architecture, implementation steps

Rollout
• Detailed planning: rollout steps, prerequisites, risks & mitigations
• Development: infrastructure setup; installation, configuration; process implementation
• Realizing quick-wins: highly visible and needed; easy and quick to deploy
• Delivering the PIM solution: quick-wins, governance framework, processes, technology, next steps

Test & Acceptance
• Testing: functional/operational, technology/performance, security
• Accepting: functional/operational, technology/performance, security
• Validating the solution: solution vs. risks, delivery vs. design, result vs. planning
• Preparing the handover to Operations: operational criteria, knowledge transfer, documentation, service levels, aftercare

Operational PIM
• Identity lifecycle & control process in operation
• Audit & forensics standards/baselines implemented
• Secure access standards/baselines implemented
Privileged Identity: first essential steps

Why PIM? What risks are to be mitigated?
Typically: regulatory compliance, insider threat, errors and omissions, account hijacking

What privileged identities must be controlled? Which users are privileged identities?
Typically: IT admins, database admins, application managers, application credentials

What systems/services are in scope?
Typically: systems containing valuable data, operation-critical systems

What are the constraints and limitations?
Typically: contractual, technical, financial, operational

Correct scope definition takes these constraints into account.
Privileged Identity: main processes

[Diagram: authoritative source(s) feed user management; privileged identities authenticate to the credential vault + policy DB, which enforces the access policy towards on-premise and cloud/SaaS target systems; governance and monitoring span the whole chain. SOLL (German: target state, what the policy says should be) and IST (German: actual state, what the target systems show) are compared between the two.]

User management (user lifecycle management)
• Creating, changing and disabling privileged accounts
• Administration of PIM-related data (attributes)

Authentication
• Verification of the claimed identity to the vault
• Authentication by: multi-factor authentication, certificates, digital signatures

Access policy
• Assigning system permissions to privileged users
• Access based on: need to access, least privilege, limited time
Tightly controlled authentication and access.

Monitoring
• Session monitoring
• Reporting

Governance
• Defining scope
• Identifying risks
• Identifying mitigations and control measures
• Defining procedures
• Managing processes
Governance defines the target state (SOLL); monitoring reports the actual state (IST).
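The secure credential vault from the key-functionality slide and the authentication and access-policy processes above describe one control loop: a named individual authenticates to the vault, the policy engine checks approved need to access, multi-factor authentication and a time limit, at most one person holds a shared account at any moment, and the password is rotated whenever a lease ends, so individual accountability survives account sharing. The following Python model is an added illustration, not IBM's product or any code from the deck; the policy-DB layout, the one-hour cap, the audit event names and the user and system names are assumptions, and the rotated password is only generated, not pushed to a real target.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

class PolicyViolation(Exception):
    """Raised by the policy engine when a check-out or check-in breaks a rule."""

@dataclass
class Lease:
    user: str           # named individual holding the shared account right now
    expires: datetime

@dataclass
class Vault:
    # Policy DB (assumed shape): (user, account, target) -> longest lease this user is
    # approved for. No entry means no approved need to access.
    entitlements: dict
    max_lease: timedelta = timedelta(hours=1)      # hard cap on any lease (limited time)
    passwords: dict = field(default_factory=dict)  # (account, target) -> current password
    leases: dict = field(default_factory=dict)     # (account, target) -> Lease, at most one
    audit: list = field(default_factory=list)      # (event, named user, account, target)

    def _rotate(self, key):
        # A real vault would also push the new password to the target system here (assumed).
        self.passwords[key] = secrets.token_urlsafe(24)

    def _deny(self, user, account, target, why):
        self.audit.append(("DENIED", user, account, target))   # denials are attributed too
        raise PolicyViolation(why)

    def onboard(self, account, target):
        """Take a shared account under management: after this nobody knows its password."""
        self._rotate((account, target))
        self.audit.append(("ONBOARD", None, account, target))

    def checkout(self, user, account, target, mfa_ok, now, minutes):
        """Hand the current password to an individual, for a bounded time, if policy allows."""
        key = (account, target)
        if key not in self.passwords:
            self._deny(user, account, target, f"{account}@{target} is not managed by the vault")
        if not mfa_ok:
            self._deny(user, account, target, "multi-factor authentication required for check-out")
        approved = self.entitlements.get((user, account, target))
        if approved is None:
            self._deny(user, account, target, f"{user} has no approved need to access {account}@{target}")
        holder = self.leases.get(key)
        if holder and holder.expires > now:
            self._deny(user, account, target, f"{account}@{target} already checked out by {holder.user}")
        length = min(timedelta(minutes=minutes), approved, self.max_lease)   # least of the three
        self.leases[key] = Lease(user, now + length)
        self.audit.append(("CHECKOUT", user, account, target))
        return self.passwords[key]

    def checkin(self, user, account, target):
        key = (account, target)
        lease = self.leases.get(key)
        if lease is None or lease.user != user:
            self._deny(user, account, target, f"{user} holds no lease on {account}@{target}")
        del self.leases[key]
        self._rotate(key)   # whatever the user saw stops working now
        self.audit.append(("CHECKIN_ROTATE", user, account, target))

    def expire(self, now):
        """Policy-engine sweep: overdue leases are revoked and the password rotated."""
        for key, lease in list(self.leases.items()):
            if lease.expires <= now:
                del self.leases[key]
                self._rotate(key)
                self.audit.append(("EXPIRE_ROTATE", lease.user, key[0], key[1]))

def demo():
    """Exercise the rules on constructed data; returns what each step produced."""
    t0 = datetime(2016, 3, 14, 10, 0)
    v = Vault(entitlements={("alice", "root", "db01"): timedelta(hours=2),
                            ("carol", "root", "db01"): timedelta(minutes=30)})
    v.onboard("root", "db01")
    out = {}
    for label, args in [("no_need", ("bob", "root", "db01", True, t0, 30)),
                        ("no_mfa", ("alice", "root", "db01", False, t0, 30))]:
        try:
            v.checkout(*args)
        except PolicyViolation as e:
            out[label] = str(e)
    pw1 = v.checkout("alice", "root", "db01", True, t0, 480)   # asks for 8h, capped to 1h
    out["lease_minutes"] = int((v.leases[("root", "db01")].expires - t0).total_seconds()) // 60
    try:
        v.checkout("carol", "root", "db01", True, t0 + timedelta(minutes=10), 30)
    except PolicyViolation as e:
        out["double_checkout"] = str(e)
    v.checkin("alice", "root", "db01")
    pw2 = v.checkout("carol", "root", "db01", True, t0 + timedelta(minutes=30), 30)
    out["rotated_on_checkin"] = pw1 != pw2
    v.expire(t0 + timedelta(minutes=70))                        # carol's lease ended at +60
    out["rotated_on_expiry"] = v.passwords[("root", "db01")] != pw2 and not v.leases
    out["audit"] = [event for event, *_ in v.audit]
    return out
```

The audit list is the point of the exercise: every event, including each denial, names the individual rather than "root", which is what the processes-only approaches on the limitations slide cannot deliver.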
Privileged Identity: onboarding process (high-level)

Roles (swimlanes): privileged user, process administrator, team manager, security officer, risk manager, system administrator.

Request
• Request for an account for a privileged user
• Request administration (process administrator)
Approval
• Approval/rejection on segregation of duties (SoD)
• Approval/rejection on security risk (team manager, security officer and risk manager lanes)
Acceptance
• Acceptance of conditions and accountability
• Acceptance of conditions and responsibility
Creation
• Creation of the account (system administrator)
• Receipt and use of the account (privileged user)
• Request closure (process administrator)

Approvals are based on risk and segregation of responsibilities.
Privileged Identity: recertification process (high-level)

Roles (swimlanes): privileged user, process administrator, team manager, auditor, risk manager, system administrator.

Request
• Request for recertification
• Request administration (process administrator)
Audit
• Providing IST data (actual state, collected from the target systems)
• Providing SOLL data (target state, the approved entitlements)
• SOLL-IST comparison (auditor)
Acceptance
• Verification and acceptance of findings (team manager and risk manager lanes)
Recertification
• Recertification
• Corrective actions (system administrator)
• Request closure (process administrator)

Periodic recertification ensures the enforcement of the access policy.
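The SOLL-IST comparison at the centre of this flow is, in the end, a set difference between the approved state (SOLL) and the actual state (IST), checked against the authoritative source for people who have left. The script below is an added example and not part of the deck; the CSV columns, the finding categories, the corrective actions and the sample users, accounts and systems are all constructed, and a real collection step would pull the IST rows from sudoers/wheel membership, AD group membership and the like.

```python
import csv
import io
from datetime import date

# Constructed SOLL data: approved entitlements as exported from the policy DB
# (column names are an assumption).
SOLL_CSV = """\
user;account;target;approved_until
alice;root;db01;2016-12-31
bob;oracle;db01;2016-01-31
carol;Domain Admins;ad01;2016-12-31
"""

# Constructed IST data: who actually holds each privileged account today, as collected
# from the target systems.
IST_CSV = """\
user;account;target
alice;root;db01
bob;oracle;db01
dave;root;db01
alice;Domain Admins;ad01
"""

# Constructed authoritative source (HR): identities that still exist in the organization.
ACTIVE_USERS = {"alice", "bob", "carol"}

def load(text):
    return list(csv.DictReader(io.StringIO(text), delimiter=";"))

def compare(soll_rows, ist_rows, active_users, review_date):
    """SOLL-IST comparison. Returns findings per category, each paired with the corrective
    action the system administrator is asked to carry out once the findings are accepted."""
    soll = {(r["user"], r["account"], r["target"]): date.fromisoformat(r["approved_until"])
            for r in soll_rows}
    ist = {(r["user"], r["account"], r["target"]) for r in ist_rows}
    findings = {"orphan": [], "creep": [], "expired": [], "missing": [], "ok": []}
    for key in sorted(ist):
        if key[0] not in active_users:
            # leaver still holding privileged access: the lifecycle process missed the exit
            findings["orphan"].append((key, "remove: identity no longer exists in the authoritative source"))
        elif key not in soll:
            # authorization creep: access granted outside the request/approval flow
            findings["creep"].append((key, "remove, or raise an onboarding request: access without approval"))
        elif soll[key] < review_date:
            findings["expired"].append((key, "recertify with the team manager or remove: approval lapsed"))
        else:
            findings["ok"].append((key, "none"))
    for key in sorted(set(soll) - ist):
        # approved but not present: provisioning failed, or the approval is stale
        findings["missing"].append((key, "reconcile: provision the access or withdraw the approval"))
    return findings

def run_sample(review_date=date(2016, 3, 14)):
    return compare(load(SOLL_CSV), load(IST_CSV), ACTIVE_USERS, review_date)

if __name__ == "__main__":
    for category, items in run_sample().items():
        for key, action in items:
            print(f"{category:8} {key[0]}@{key[1]}/{key[2]}: {action}")
```

Running the comparison against the authoritative source as well as the policy DB matters: dave's root access would look approved if the policy DB still listed him, so the leaver check has to come before the SOLL lookup.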
Contact details
Drs. Mike Chung RE CISSP
Associate Partner IBM Security
+31 6 2565 7593 (the Netherlands)
+82 10 3521 7754 (South Korea)