Successful IAM Deployment
Mike Futty, Midrange Platform Server Security Engineering, Bank of America
About Mike Futty
• VP, Platform Security Engineering
• Responsible for:
  • Midrange server systems security engineering
  • Platform security baselines
  • Security product selection, design and deployment
• 30+ years technology experience
• 12 years with Bank of America
Covering a Global Environment
• 40 Countries¹
• 50 US States¹
• 24,014 Global Offices and Facilities Worldwide¹
• 248K Full-time Employees²
• One of the world’s largest AD environments
¹ BAC 2012 Corporate Social Responsibility report
² BAC 2013 Third Quarter Financial Results report
Why focus on IAM?
Recognizing a clear and present danger
[Slide graphic: web search result counts (9,140,000 results; 98,200,000 results) alongside threat actor categories: Unit 61398, Hacktivists, Organized Crime, Advanced Persistent Threat. Sources shown: databreaches.net, indefenseofdata.com, privacyrights.org]
Recognizing a clear and present danger
2013 Verizon Data Breach Investigations Report: a global study performed by the Verizon RISK team
http://www.verizonenterprise.com/DBIR/2013/
• “76% of network intrusions exploited weak or stolen credentials”
• “13% resulted from privilege misuse and abuse”
Data breaches are costly
2013 Cost of Data Breach Study: Global Analysis. Benchmark research sponsored by Symantec, independently conducted by Ponemon Institute LLC, May 2013
https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf
On average, 28,765 records are compromised at an organizational cost of $5,403,644 per data breach in the US
Protect your REPUTATION: every company’s most valuable asset
Customer and shareholder trust
The IAM Challenge
Privileged Accounts
They are EVERYWHERE and can be complex to find and manage.
• DMZ
• Dev/UAT
• Production Environments
Objectives and Requirements
Basic Concept
Eliminate static and easily guessable passwords on non-human IDs with elevated privileges
• Set passwords to random values, on a schedule and after each access
• Apply a uniform policy of who can sign into what
• Implement access policies based on:
  • Risk
  • Organization (business unit)
  • Environment (production, development, DMZs, etc.)
  • Location
• Eliminate persistent access by developers to production systems
• Create transparent audit logs of privileged access
• Record activity during privileged logins
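The check-out model the slide describes, as an added example that is not from the deck or any vendor product: a constructed, hypothetical vault that grants pre-authorized administrators audited access, requires an approved request for everyone else, bounds every session with a TTL, rotates the password to a random value after each check-in and on a schedule, and records every decision in an audit log. All account, user and organization names are made up.

```python
import secrets
from datetime import datetime, timedelta, timezone

def random_password():
    # CSPRNG-generated value; no human ever chooses, memorises or shares it
    return secrets.token_urlsafe(24)

class Vault:  # constructed model of a privileged-account vault, not a real product
    def __init__(self, accounts, preauthorized):
        # accounts: name -> {"org": business unit, "env": "production" | "development" | "dmz"}
        # preauthorized: (org, env) -> administrators with standing, still-audited access
        self.accounts = {n: dict(a, password=random_password()) for n, a in accounts.items()}
        self.preauthorized = preauthorized
        self.audit = []      # transparent log of every decision, granted or denied
        self.sessions = {}   # account -> (user, expiry) while a password is checked out

    def _log(self, event, user, account, **extra):
        self.audit.append(dict(ts=datetime.now(timezone.utc), event=event, user=user, account=account, **extra))

    def checkout(self, user, account, approved=False, ttl_minutes=60):
        """Release the current password for a bounded time, or deny and record why."""
        acct = self.accounts[account]
        standing = user in self.preauthorized.get((acct["org"], acct["env"]), set())
        # Pre-authorized admins pass straight through; everyone else needs an approved request
        if not (standing or approved):
            self._log("DENIED", user, account)
            return None
        expiry = datetime.now(timezone.utc) + timedelta(minutes=ttl_minutes)  # never persistent
        self.sessions[account] = (user, expiry)
        self._log("CHECKOUT", user, account, expires=expiry.isoformat())
        return acct["password"]

    def checkin(self, user, account):
        # Rotate on release so the value the user saw is never valid again
        self.sessions.pop(account, None)
        self.accounts[account]["password"] = random_password()
        self._log("CHECKIN_ROTATED", user, account)

    def scheduled_rotation(self, now=None):  # periodic job: rotate every account not in a live session
        now = now or datetime.now(timezone.utc)
        rotated = []
        for name in self.accounts:
            user, expiry = self.sessions.get(name, (None, None))
            if expiry and expiry > now:
                continue                                  # live session: wait for check-in
            if self.sessions.pop(name, None):             # session overran its TTL: force it closed
                self._log("SESSION_EXPIRED", user, name)
            self.accounts[name]["password"] = random_password()
            rotated.append(name)
        return rotated
```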
Business Requirements
Satisfy numerous process requirements
• Meet regulatory requirements:
  • Different jurisdictions with different mandates
  • Requirements for on-boarding, access control, approvals, audit logs and more
• Can’t slow down or impact current access:
  • Pre-authorized access for administrators, with an audit trail
  • Request/approval workflow for everybody else
• Minimal ongoing support
• Manageable process for on-boarding many systems and accounts at once
• Training: up front and ongoing
• Forensic audits: who broke this server?
Security Requirements
The whole point is enhanced security
• Overarching principle: minimize the number of people with persistent administrative access
• Damage containment
• Eliminate full-time developer access from production systems
• Provide a temporary access mechanism
• Session logging
• Audit trail: who had and used access to this system?
Technical Requirements
• Fault tolerant (fire, flood, earthquake, hurricane, etc.)
• Scalable:
  • Hundreds of thousands of systems
  • Thousands of people
  • Tens of thousands of daily logins
  • Record 10,000 concurrent sessions globally
• Ability to integrate with:
  • Existing security infrastructure
  • Many platforms (Windows, Unix, Linux, iLO, DRAC, ESXi, etc.)
  • Multiple AD domains
  • Systems in DMZ zones
• Administrator-friendly:
  • Support for multiple SSH clients
  • Support for other admin tools (SQL Studio, vSphere, etc.)
• Easily expandable
• Automatic discovery and classification of systems
Deployment
Ingredients of a Successful IAM Deployment
1. Needs analysis
2. Product selection
3. Testing (Proof of Concept, User Acceptance, etc.)
4. Create development and troubleshooting processes
5. Develop rollout plan, key project reporting metrics, and a good communications plan
6. Production rollout
Needs Analysis
• Team members and skills:
  • Project Champion (executive support)
  • Analysts (systems/accounts discovery)
  • Product Engineering
  • Product Operations
  • Project manager(s)
  • Communications and product marketing
• Business requirements
• Technical requirements
• Tactical and strategic target systems/accounts (roadmap)
• Infrastructure hardware and storage
• Request process and tracking
• Reporting
Development Cycle
[Slide diagram: development cycle driven by identified needs]
For success, IAM must be a permanent program, not a one-time project.
Rollout Plan Tips
• Design and document your processes end-to-end from your end user’s perspective
• Assess and prioritize target systems/accounts
• Develop a deployment roadmap (functionality/environment)
• Pre-educate your IAM product consumers:
  • Information Security
  • Business executives
  • Server Administrators
  • Application Owners
  • Auditors
• Identify, recruit and work with early adopters
Key Metrics and Reporting Tips
• What doesn’t get measured doesn’t get done
• Measure what’s important, not just what’s easy to measure!
• Accurate target server/application/account inventories are critical
  • Eliminates blind spots: you can’t secure what you can’t see
• Never be tempted to “cook” metrics
  • Call it like you see it (audit-proof your records)
• Report and communicate progress:
  • Report by support organizations
  • Total targets and what’s complete (scope of effort)
  • Percentage complete
  • Trending (weekly, monthly or quarterly)
  • This creates self-governance
Challenges
Project
• Funding: up-front and ongoing
• Gain early experience with the easiest large-risk use-cases
• Setting realistic expectations:
  • Stakeholders who want things before they are available (boiling the ocean)
  • Recognizing not every problem will be solved at once (magic bullet)
  • Stakeholder recognition that strategic success is directly tied to a prioritized and incremental deployment
• Stopping additional “non-compliant” account creation or usage
• Balancing or combining with other projects competing for resources
• Driving continual progress
Organizational
• Resistance to change
• Convincing support teams to use a uniform access control model
• Ensuring the system isn’t used to simply automate existing insecure processes (insist on a policy of least privilege)
• Training can be a revolving door of new users and consumers
• Ensuring timely communications are received by all stakeholders:
  • Early marketing of the program and benefits
  • What functionality is available?
  • What environment is it available in? (production, development, DMZs, etc.)
  • Future functionality/environment roadmap
  • Issues and challenges (knowledge base)
Technical
• Gaining appropriate global rights for the product to work without creating new risk
• Modeling a production environment with a large number of platform and system combinations in development and UAT environments
  • Testing is easy with one system, hard with a thousand
• Maintaining reliable system and account ownership data in the context of a large, dynamic organization
• OS settings, patches and security policies that can cause performance degradation
• Deactivating legacy password management processes
• Gradual activation without disrupting existing IDs or processes
Current State
Current State
• Available and running: 5 replicated PAM nodes on 3 continents
  • Multi-master architecture
  • Each node has an app server, a database server and a session monitoring server
  • Load balanced globally: nodes can fail without service disruption
• On-boarding accounts from:
  • Windows servers
  • UNIX/Linux servers
  • Active Directory
Future Direction
Future Direction
• Continue deployment based on prioritized target system/account use cases
• Further integration with the corporate IT Security Fabric toolset
• Fine-tune detection and notification of:
  • Users with a high number of request rejections
  • Users with abnormally high access events
  • Other outlier or abnormal events
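The two detections named on this slide, worked as an added example that is not from the deck or any vendor product: it parses a constructed, made-up audit line format (`<timestamp> user=… account=… event=…`, with events CHECKOUT and DENIED), counts events per user, flags users whose rejected requests reach a threshold, and flags users whose check-out volume sits far above their peers using a median/MAD cut-off so that the outlier itself does not inflate the baseline. User and account names and the thresholds are assumptions.

```python
import re
import statistics
from collections import Counter, defaultdict

# Constructed sample: (user, event, count) expanded into lines of a made-up vault audit format
SAMPLE_EVENTS = [("alice", "CHECKOUT", 3), ("bob", "CHECKOUT", 2), ("carol", "CHECKOUT", 2),
                 ("dave", "CHECKOUT", 12), ("eve", "DENIED", 5), ("bob", "DENIED", 1)]
SAMPLE_LOG = [f"2013-11-05T09:{i:02d}:00Z user={u} account=prod-db-01 event={ev}"
              for u, ev, n in SAMPLE_EVENTS for i in range(n)]

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) account=(?P<account>\S+) event=(?P<event>\S+)$")

def parse(lines):
    """Yield one dict per well-formed audit line; malformed lines are skipped, not guessed at."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def per_user_counts(events):
    counts = defaultdict(Counter)
    for e in events:
        counts[e["user"]][e["event"]] += 1
    return counts

def find_outliers(counts, max_rejections=3, mad_factor=3.0):
    """Flag the two cases from the slide: many rejected requests, and access volume far above peers.
    Volume uses median + MAD (robust to the outlier itself) rather than mean/stdev."""
    checkouts = {u: c["CHECKOUT"] for u, c in counts.items()}
    median = statistics.median(checkouts.values())
    mad = statistics.median(abs(v - median) for v in checkouts.values()) or 1.0
    findings = []
    for user, c in counts.items():
        if c["DENIED"] >= max_rejections:
            findings.append((user, "high_request_rejections", c["DENIED"]))
        if (checkouts[user] - median) / mad > mad_factor:
            findings.append((user, "abnormal_access_volume", checkouts[user]))
    return sorted(findings)

def analyse(lines):
    return find_outliers(per_user_counts(parse(lines)))

if __name__ == "__main__":
    for user, reason, value in analyse(SAMPLE_LOG):
        print(f"notify: {user} {reason} ({value})")
```

On the constructed sample the job notifies on dave (12 check-outs against a peer median of 2) and eve (5 rejected requests), and ignores bob's single rejection.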
Questions?