Implementing ID Governance in Complex Environments

Implementing ID Governance in Complex Environments-HyTrust & CA Technologies

Jan 22, 2015

1. Implementing ID Governance in Complex Environments

2. What do these numbers represent in security?
  • $124: Average cost of a security breach, per compromised record (2010), with negligence the main cause (CA-sponsored survey)
  • 48%: Percent of all breaches that involved privileged user misuse (Verizon report, 2010)
  • 87%: Percentage of companies that have experienced a data breach (IT Compliance Institute)
  • 74%: Percentage of breached companies who lost customers as a result of the breach (IT Compliance Institute)

3. NIST Special Publication (SP) 800-125: Guide to Security for Full Virtualization Technologies
Recommendations of the National Institute of Standards and Technology
Tim Grance and Murugiah Souppaya, Computer Scientists in the Computer Security Division
These slides and the webinar recording will be made available at:

4. Disclaimer
Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.

5. Agenda
  • What is SP 800-125
  • Why virtualization
  • Full virtualization
  • Security concerns
  • Recommendations for Security for full virtualization technologies
  • Summary
  • Questions and answers
  • Resources

6. SP 800-125
  • Full Virtualization technologies
  • Server and desktop virtualization
  • Security threats
  • Security recommendations for protecting full virtualization

7. Why Virtualization?
  • Reduce hardware footprint
  • More efficiency
  • Reduce energy, operations, and maintenance costs, e.g., disaster recovery, dynamic workload, security benefits, etc.
  • Consolidation

8. Forms of Virtualization
  • Simulated environment
  • Does not cover OS and application virtualization
  • Full virtualization: CPU, storage, network, display, etc.
  • Hypervisor and host OS
  • Virtual Machine (VM)
  • Guest OS
  • Isolated
  • Encapsulated
  • Portable

9. Full Virtualization
  • Bare metal virtualization
  • Hosted virtualization
  • Server virtualization
  • Desktop virtualization

10. Virtualization and Security Concerns
  • Additional layers of technology
  • Many systems on a physical system
  • Sharing pool of resources
  • Lack of visibility
  • Dynamic environment
  • May increase the attack surface

11. Recommendations for Security for Full Virtualization Technologies
  • Risk based approach
  • Secure all elements of a full virtualization solution and perform continuous monitoring
  • Restrict and protect administrator access to the virtualization solution
  • Ensure that the hypervisor is properly secured
  • Carefully plan the security for a full virtualization solution before installing, configuring, and deploying it

12. Summary of Threats and Countermeasures
  • Intra-guest vulnerabilities: Hypervisor partitioning
  • Lack of visibility in the guest OS: Hypervisor instrumentation and monitoring
  • Hypervisor management: Protect management interface, patch management, secure configuration
  • Virtual workload security: Management of the guest OS, applications, data protection, patch management, secure configuration, etc.
  • Virtualized infrastructure exposure: Manage access control to the hardware, hypervisors, network, storage, etc.

13. Questions and Answers

14. Resources
Presidential Memorandum, June 10, 2010, Disposing of Unneeded Federal Real Estate, is available on the following Web page: http://www.whitehouse.gov/the-press-office/presidential-memorandum-disposing-unneeded-federal-real-estate
NIST publications that provide information and guidance on planning, implementing and managing information system security and protecting information include:
  • Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems
  • NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
  • NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations
  • NIST SP 800-61 Revision 1, Computer Security Incident Handling Guide
  • NIST SP 800-64 Revision 2, Security Considerations in the System Development Life Cycle
  • NIST SP 800-88, Guidelines for Media Sanitization
  • NIST SP 800-115, Technical Guide to Information Security Testing and Assessment
  • NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
For information about these NIST standards and guidelines, as well as other security-related publications, see NIST's Web page http://csrc.nist.gov/publications/index.html

15. Presenters
  • Todd Neilson, CISSP, VP, Sr. Advisor Security, CA
  • Hemma Prafullchandra, CTO/SVP Products, HyTrust
  • Chris Boswell, CIS[A,M,SP], CGEIT, Sr Principal, CA

16. Virtualization Security vs Compliance
Compliance: the state of being in accordance with established guidelines, specifications or legislation or the process of becoming so.
Compliance Security (?) (NIST 800-125)
Do you know?
  • Whether your organization has security guidelines defined for its virtual environment?
  • Which regulations your organization is subject to?
  • Whether your virtualization efforts will be subject to regulatory scrutiny?
  • Whether your security baselines for your virtual environment incorporate your regulatory obligations?

17. Traditional Horizontal Controls Rationalization
  • CSA Cloud Control Matrix IS-08: Normal and privileged user access to applications, systems, databases, network configurations, and sensitive data and functions shall be restricted and approved by management prior to access granted.
  • NIST 800-125 Security Recommendation: Restrict and protect administrator access to the virtualization solution
  • NIST 800-53 (AC-3, AC-5, AC-6, IA-2, IA-4, IA-5, IA-8, MA-5, PS-6, SA-7, SI-9)
  • CIP-003-3 R5.1.1 - R5.3; CIP-004-3 R2.3; CIP-007-3 R5.1 - R5.1.2
  • COBIT 4.1 DS5.4
  • 45 CFR 164.308 (a)(3)(i); 45 CFR 164.308 (a)(3)(ii)(A); 45 CFR 164.308 (a)(4)(i); 45 CFR 164.308 (a)(4)(ii)(B); 45 CFR 164.308 (a)(4)(ii)(C); 45 CFR 164.312 (a)(1)
  • PCI DSS 2.0 (7.1, 7.1.1, 7.1.2, 7.1.3, 7.2.1, 7.2.2, 8.5.1, 12.5.4)
Source: https://cloudsecurityalliance.org/research/ccm/
Other Source: www.unifiedcompliance.com

18. Vertical Controls Rationalization using 800-53 with Overlay Frameworks
  • NIST 800-53: Recommended Security Controls for Federal Information Systems
  • FedRamp: Subset of 800-53 controls tailored to provide standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services
  • DoD: Mapped their DoDi 8500.2 controls used to secure defense systems to NIST 800-53
  • DHHS: Created a set of Acceptable Risk Safeguards based on 800-53 controls to secure electronic protected health information
  • IRS: Issued a special publication 1075 which outlines a subset of 800-53 controls that need to be implemented for those systems processing Federal Taxpayer Information.
Did you know: The Initial Public Draft of 800-53 Revision 4 encourages agencies with specific security needs to develop their own security overlays based on controls within NIST 800-53?

19. Compliance Impact Moving to the Cloud [based on applicable FedRamp controls mapped to NIST 800-53 Rev 4]
800-53 Security Control Family: # Controls
  • Access Control (AC): 17
  • Awareness & Training (AT): 4
  • Audit and Accountability (AU): 12
  • Security Assessment and Authorization (CA): 6
  • Configuration Management (CM): 9
  • Contingency Planning (CP): 9
  • Identification and Authentication (IA): 8
  • Incident Response (IR): 8
  • Maintenance (MA): 6
  • Media Protection (MP): 6
  • Physical and Environmental Protection (PE): 18
  • Planning (PL): 5
  • Personnel Security (PS): 8
  • Risk Assessment (RA): 4
  • System and Services Acquisition (SA): 12
  • System and Communications Protection (SC): 24
  • System and Information Integrity (SI): 12
[Chart: impact (High / Medium / Low) by control family]

20. FISMA Compliance Gaps
US Navy and Defense Logistics Agency found that native VMware tools were inadequate to meet FISMA requirements as prescribed by NIST 800-53:
  • Restricted, protected and automatically managed access to hypervisor (NIST 800-53 controls AC1-6, AC8 P1, IA1 - 8)
    • Local accounts and their roles are managed manually
    • No automated password management available
    • No multi-factor authentication available
    • RBAC is managed separately for every entry / management point
  • Audit and accountability of virtualization operations (NIST 800-53 controls AU1-6, 8-10, 12 P1)
    • Denied operations are not logged
    • Access policies are not archived
    • Event content doesn't provide the details of the change in many cases
  • Application partitioning and boundary protection is enforced (NIST 800-53 controls SC-2, SC-7)
    • No enforcement of resource pool assignment
  • Hypervisor needs to be configured and hardened (NIST 800-53 controls CM 1-3, 5-9)
    • Hardening templates are not available or customizable
    • Hardware root of trust can not be tied to policies
CA & HyTrust address these gaps, enabling FISMA compliance in virtualized environments
2012, HyTrust, Inc. www.hytrust.com

21. Recap: Core Security & Compliance Capabilities in Virtual Environments
  • Provides account vaulting, two-factor authentication and fine-grained authorization for privileged user access within the hypervisor
  • Dynamic isolation of multi-tenant environments through automated orchestration with vShield policies
  • Provides seamless auditing of user activities across both guest and host environments.
  • Provides host configuration hardening and continuous monitoring and assessment

22. ControlMinder with HyTrust Fills Critical Virtualization Platform Access Gaps
  • Virtualization Platform Gap: Multiple administrators can log into guests and hosts anonymously by sharing a privileged account
    ControlMinder with HyTrust Solution: Uses password vaulting (check-in/out) to ensure admins are individually accountable
  • Gap: An admin can bypass vCenter access controls and logging by connecting directly to hosts
    Solution: Controls and logs access via any connection method, creating accountability
  • Gap: An admin can access another organization's virtualized workloads in multi-tenant environments
    Solution: Ensures that admins can only access their own organization's data and applications, enabling secure multi-tenancy
  • Gap: Platform allows access via default password or compromised admin password
    Solution: Prevents use of default passwords and supports multi-factor authentication to stop unauthorized access
  • Gap: A current or terminated admin can connect to the platform undetected using a backdoor account
    Solution: Controls and logs access to every admin account, preventing major security breaches

23. ControlMinder with HyTrust Fills Critical Virtualization Platform Authorization Gaps
  • Virtualization Platform Gap: An administrator can shut down any virtualized application or switch
    ControlMinder with HyTrust Solution: Protects business continuity by controlling what resources an admin can manage
  • Gap: An admin can create unapproved VMs, with negative operations or compliance impacts
    Solution: Prevents damaging outcomes by controlling VM creation privileges
  • Gap: An admin can disable security such as virtualized firewalls and antivirus
    Solution: Preserves security by blocking unapproved shutdowns of virtual security measures
  • Gap: An admin can copy sensitive data from a VM to external storage
    Solution: Keeps sensitive data confidential by applying controls to virtual resources
  • Gap: An admin can replace a critical VM with a compromised copy while leaving no tracks
    Solution: Exposes tampering by creating a permanent, unchangeable record of every operation
  • Gap: An admin can move a low trust virtualized workload to a high trust server or virtual subnet, and vice versa
    Solution: Mitigates security and compliance risks by preventing mixing of trust levels

24. ControlMinder with HyTrust Fills Critical Virtualization Platform Monitoring Gaps
  • Virtualization Platform Gap: Separate log files for vCenter, each host and guest must be collected and aggregated for complete monitoring.
    ControlMinder with HyTrust Solution: Consolidated, centrally managed logs covering all aspects of your virtual environment.
  • Gap: Failed or blocked authorization attempts are not captured and recorded in audit logs
    Solution: Captures all activity within the virtual infrastructure, not just authorized, successful transactions.
  • Gap: Native configuration management capabilities do not promote ongoing compliance monitoring for hypervisor configuration drift.
    Solution: Automated assessment and remediation capabilities enable continuous compliance monitoring of hypervisor configuration settings against industry standard or custom-configured security templates.
  • Gap: Native platform log entries may lack sufficient detail to support operational and security activities.
    Solution: Audit records contain greater detail needed for compliance and internal audit needs

25. Complete solution for both physical and virtual environments
CA ControlMinder with HyTrust is actually only one component within a broader suite of solutions in the ControlMinder family which provides comprehensive access controls across both physical and virtual infrastructures.
[Diagram: privileged user risk management components: Host Access Control (AC), CA ControlMinder with HyTrust, Central UNIX, Privileged User Password Management (PUPM), Session Recording, Audit and Reporting (CA User Activity Reporting Module); environments: UNIX/Linux servers, Windows servers, virtual servers, databases, network, applications]

26. Challenges: membership has its privileges and consequences
Privileged Users
  • All POWERFUL ACCESS to resources
  • Typically a SHARED ACCOUNT, lacking ACCOUNTABILITY
  • NO SEGREGATION of duties
  • Poor LOG INTEGRITY
  • Lack of TRANSPARENCY on access
  • VIRTUALIZATION and CLOUD amplify the challenges
Copyright 2011 CA. All rights reserved. CA confidential and proprietary information for CA internal use only. No unauthorized copying or distribution permitted.

27. Single solution provides best coverage: CA ControlMinder Premium Edition
  • 1. Privileged User Password Manager
    • Control access to shared accounts
    • Authorization workflow including break glass
    • Accountability of shared account access
    • Manage application passwords
    • Windows services/scheduled tasks
  • 2. Access Control
    • Server security (physical/virtual)
    • Manage fine-grained access
    • Centralized policy management across disparate systems
    • Segregation of duty
    • Auditing privileged access
  • 3. UNIX Authentication Broker (UNAB)
    • Centralized UNIX administration
    • Active Directory (AD) authentication
    • Native integration with AD
    • Kerberos-based Single Sign-On
  • 4. Session Recording and User Activity Reporting
    • Centrally managed audit logs across physical and virtual environments
    • Privileged user access reporting
    • Unix keystroke logging
    • Full session recording integration

28. Questions You Should Be Asking Today
  • Do you allow shared privileged access to your sensitive servers? How do you account for privileged users' actions?
  • Can your system administrators access sensitive data on the servers? Do you have controls to prevent/log that?
  • Can you trace administrative action back to administrative users? Have you had system down incidents where you needed to do so?
  • Do you have any controls in place to prevent shared account access on your sensitive servers?
  • What server operating systems do you have deployed? How do you manage security across them?
  • How do you provide evidence of compliance?

29. Benefits to you
  • Rapidly achieve business agility: Leverage elastic service levels, and flexible cloud deployment options and hybrid coverage.
  • Reduce risk and improve compliance: Protect your critical assets across physical, virtual, and cloud environments.
  • Accelerate new business services: Deploy new services more quickly and securely. Retain customers and engage with business partners.

30. QUESTIONS?