1 / 30

Successful IAM Deployment

Successful IAM Deployment. Mike Futty, Midrange Platform Server Security Engineering Bank of America. About Mike Futty. VP, Platform Security Engineering Responsible for Midrange server systems security engineering Platform security baselines

Download Presentation

Successful IAM Deployment

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Successful IAM Deployment Mike Futty, Midrange Platform Server Security Engineering Bank of America

  2. About Mike Futty • VP, Platform Security Engineering • Responsible for • Midrange server systems security engineering • Platform security baselines • Security product selection, design and deployment • 30+ years technology experience • 12 years with Bank of America Page 2

  3. Covering a Global Environment 1BAC 2012 Corporate Social Responsibility report 2BAC 2013 Third Quarter Financial Results report 40 Countries1 50 US States1 24,014 Global Offices and Facilities Worldwide1 248K Full-time Employees2 One of the world’s largest AD environments Page 3

  4. Why focus on IAM? Page 4

  5. Recognizing a clear and present danger 9,140,000 results 98,200,000 results Unit 61398 Hacktivists Organized Crime Advanced Persistent Threat databreaches.net indefenseofdata.com privacyrights.org Page 5

  6. Recognizing a clear and present danger 2013 Verizon Data Breach Investigations Report: A global study performed by the Verizon RISK team http://www.verizonenterprise.com/DBIR/2013/ “76% of network intrusions exploited weak or stolen credentials” “13% resulted from privilege misuse and abuse” Page 6

  7. Data breaches are costly 2013 Cost of Data Breach Study: Global Analysis Benchmark research sponsored by Symantec - Independently Conducted by Ponemon Institute LLC - May 2013 https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf On average, 28,765 records are compromised at an organizational cost of $5,403,644 per data breach in the US Page 7

  8. Protect your REPUTATION - Every company’s most valuable asset Customer and Shareholder Trust Page 8

  9. The IAM Challenge Page 9

  10. Privileged Accounts They are EVERYWHERE and can be complex to find and manage. DMZ Dev/UAT Production Environments Page 10

  11. Objectives and Requirements Page 11

  12. Basic Concept Eliminate static and easily guessable passwords to non-human IDs with elevated privileges • Set passwords to random values - scheduled and after access • Apply uniform policy of who can sign into what • Implement access policies based on: • Risk • Organization (business unit) • Environment (production, development, DMZs, etc.) • Location • Eliminate persistent access by developers to production systems • Create transparent audit logs of privileged access • Record activity during privileged logins Page 12

  13. Business Requirements Satisfy numerous process requirements • Meet regulatory requirements: • Different jurisdictions with different mandates • Requirements for on-boarding, access control, approvals, audit logs and more • Can’t slow down or impact current access • Pre-authorized access for administrators with an audit trail • Request/approval workflow for everybody else • Minimal ongoing support • Manageable process for on-boarding many systems, accounts at once • Training: up front and ongoing • Forensic audits: who broke this server? Page 13

  14. Security Requirements The whole point is enhanced security Overarching principle: minimize the number of people with persistent administrative access Damage containment Eliminate full-time developer access from production systems Provide a temporary access mechanism Session logging Audit trail: who had and used access to this system? Page 14

  15. Technical Requirements • Fault tolerant (fire, flood, earthquake, hurricane, etc.) • Scalable: • Hundreds of thousands of systems • Thousands of people • Tens of thousands of daily logins • Record 10,000 concurrent sessions globally • Ability to integrate with: • Existing security infrastructure • Many platforms (Windows, Unix, Linux, iLO, DRAC, ESXi, etc.) • Multiple AD domains • Systems in DMZ zones • Administrator-friendly: • Support for multiple SSH clients • Support for other admin tools (SQL Studio, vSphere, etc.) • Easily expandable • Automatic discovery and classification of systems. Page 15

  16. Deployment Page 16

  17. Ingredients of a Successful IAM Deployment 1 Needs analysis 2 Product selection 3 Testing (Proof of Concept, User Acceptance, etc.) 4 Create development and troubleshooting processes 5 Develop rollout plan, key project reporting metrics, and a good communications plan 6 Production rollout Page 17

  18. Needs Analysis • Team members and skills • Project Champion (executive support) • Analysts (systems/accounts discovery) • Product Engineering • Product Operations • Project manager(s) • Communications and product marketing • Business requirements • Technical requirements • Tactical and strategic target systems/accounts (roadmap) • Infrastructure hardware and storage • Request process and tracking • Reporting Page 18

  19. Development Cycle Identified Needs For success, IAM must be a permanent program, not a one-time project. Page 19

  20. Rollout Plan Tips • Design and document your processes end-to-end from your end user’s perspective • Assess and prioritize target systems/accounts • Develop a deployment roadmap (functionality/environment) • Pre-educate your IAM product consumers • Information Security • Business executives • Server Administrators • Application Owners • Auditors • Identify, recruit and work with early adopters Page 20

  21. Key Metrics and Reporting Tips • What doesn’t get measured doesn’t get done • Measure what’s important, not just what’s easy to measure! • Accurate target server/application/account inventories are critical • Eliminates blind spots - you can’t secure what you can’t see • Never be tempted to “cook” metrics • Call it like you see it (audit-proof your records) • Report and communicate progress • Report by support organizations • Total targets and what’s complete (scope of effort) • Percentage complete • Trending (weekly, monthly or quarterly) • This creates self-governance Page 21

  22. Challenges Page 22

  23. Project • Funding: up-front and ongoing • Gain early experience with easiest large-risk use-cases • Setting realistic expectations • Stakeholders who want things before they are available (boiling the ocean) • Recognizing not every problem will be solved at once (magic bullet) • Stakeholder recognition that strategic success is directly tied to a prioritized and incremental deployment • Stopping additional “non-compliant” account creation or usages • Balancing or combining with other projects competing for resources • Driving continual progress Page 23

  24. Organizational • Resistance to change • Convincing support teams to use uniform access control model • Ensuring the system isn’t used to simply automate existing insecure processes (insist on a policy of least privilege) • Training can be a revolving door of new users and consumers • Ensuring timely communications are received by all stakeholders • Early marketing of the program and benefits • What functionality is available? • What environment is it available in? (production, development, DMZs, etc.) • Future functionality/environment roadmap • Issues and challenges (knowledge base) Page 24

  25. Technical Gaining appropriate global rights for the product to work without creating new risk Modeling a production environment with a large number of platform and systems combinations in development and UAT environments Testing is easy with one system, hard with a thousand Maintaining reliable system and account ownership data in the context of a large dynamic organization OS settings, patches and security policies that can cause performance degradation Deactivating legacy password management processes Gradual activation without disrupting existing IDs or processes Page 25

  26. Current State Page 26

  27. Current State • Available and running: 5 replicated PAM nodes on 3 continents • Multi-master architecture • Each node has an app server, a database server and a session monitoring server • Load balanced globally - nodes can fail without service disruption • On-boarding accounts from • Windows servers • UNIX/Linux servers • Active Directory Page 27

  28. Future Direction Page 28

  29. Future Direction • Continue deployment based on prioritized target system/account use cases • Further integration with corporate IT Security Fabric toolset • Fine-tune detection and notification of • Users with high number of request rejections • Users with abnormally high access events • Other outlier or abnormal events Page 29

  30. ? ? ? Questions? Page 30

More Related