Identity is the ‘New’ Perimeter
Cristi Iliescu, Technical Director, SolvIT Networks
Jan 15, 2015
Agenda
• Short overview on security evolution
• Current trends and challenges
• Pragmatic solutions for security implementation
• SolvIT and CA Technologies short overview
Copyright © 2013 CA. All rights reserved.
Evolution of Security (axes: Management vs. Time)
1st Generation: Gates, Guns, Guards
2nd Generation: Reactive Security
3rd Generation: Security as an Enabler
4th Generation: Proactive Security and Accountability
5th Generation: IT Service Security
Trends impacting security (figure: the user at the center of the following)
• Cloud computing
• Social network
• Big data analytics
• Mobile device
• Internet of Things
Blurring of work & personal brought on by consumerization of IT
Externalization of the business
• Sensitive data and applications accessible anytime, anywhere
• Loss of identity control
• Loss of data control
Traditional Enterprise with Network Perimeter
Figure: internal employees and enterprise apps (on premise) sit inside the VPN network perimeter; mobile employees, customers and partner users reach cloud apps/platforms, web services and SaaS from outside it.
…and remote employees …and cloud applications …and external users
Network Perimeter is gone!
Security threats as we know them are changing
The traditional dangers IT security teams have been facing - and overcoming - for years are being replaced by a far more hazardous, advanced form of attacks: Advanced Persistent Threats. The financial impact of a threat cannot be underestimated.
RSA SecurID Hack: In 2011, an APT compromised the systems containing information about RSA SecurID two-factor authentication tokens, including the values the company uses to generate one-time passwords.[1]
Operation Aurora: Hackers stole sensitive intellectual property, including source code, from Google, Adobe, and other high-profile companies using highly sophisticated, well-coordinated techniques.[2]
How an Advanced Persistent Threat works
Nearly every APT follows four phases:
1. Reconnaissance: An investigation into the organization’s weaknesses, which often includes domain queries and port and vulnerability scans.
2. Initial Entry: Discovered exposures are exploited and a foothold in the target network is established using sophisticated technical methods or social engineering techniques, such as spear phishing.
3. Escalation of Privileges: Following initial penetration, hackers work to acquire more rights and gain control over additional systems - and install a “back door” that makes future access easier.
4. Continuous Exploitation: Once control has been established, the assailant will be able to continuously identify, compromise and exploit sensitive data.
And since the third and fourth stages often occur over a matter of years, detecting an APT can be incredibly difficult.
Defense-in-depth across the four phases
A defense-in-depth strategy extends traditional perimeter and system security with identity and access management tools, providing protection against APTs across all four phases of the attack.
Figure: controls mapped against the phases Reconnaissance, Initial Entry, Escalation of Privileges and Continuous Exploitation:
• Perimeter security
• Server hardening
• Capture and review server and device audit logs
• Anti-virus
• Shared account management
• Least privilege access
• Session recording
• Phishing protection
• Unexpected and externalized security
• Virtualization security
• Employee education
• Identity management and governance
• Advanced authentication
• Data controls
CA Security: defense-in-depth is the key to stopping APTs
Successful protection against APTs should complement traditional perimeter and infrastructure security measures, so the organization is able to:
• Make the initial penetration difficult
• Reduce the potential for privilege escalation in the event an account is compromised
• Limit the damage that can be done by a compromised account
• Detect suspicious activity early in the intrusion attempt
• Gather the information forensic investigators need to determine what damage occurred, when and by whom
What’s needed, then, is “defense-in-depth,” a strategy that complements traditional security solutions with such identity and access management capabilities as: shared account management, least privilege access, session recording, server hardening, centralized web security, virtualization security, identity management and governance, advanced authentication and data controls.
Identity Management and Governance
Carefully protecting user identities is an essential step in minimizing the effectiveness of an APT attack. To this end, identity management and governance functionality must be able to:
• Provision identities and accounts based on strict security policies and an approval process
• De-provision and de-authorize identities as soon as an individual leaves the company
• Find and remove orphaned, or unused, identities
Identity Administration and Provisioning (CA IdentityMinder)
– Automate the creation and management of user identities
– And their access rights to applications and data
– Delegate user administration
– Manage entitlements
– Provide user self service capabilities
CA IdentityMinder – How it works
1. Account, entitlement or password change requests are sent either through automated feeds, requests from delegated administrators, or users.
2. CA IdentityMinder initiates an approval workflow, determines the impact to target systems and initiates changes on the impacted target systems.
3. Changes to target systems are automatically executed.
4. All changes are audited and reviewed by security and audit personnel.
Figure: process steps spanning CA Identity Lifecycle Management and CA Role & Compliance Manager.
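The governance requirements above (de-provision leavers, find orphaned accounts, provision joiners through a reviewable workflow) as an added reconciliation example; this is illustrative code, not CA IdentityMinder, and the HR roster, account lists, system names and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Person:
    employee_id: str
    name: str
    status: str                      # "active" or "left"
    end_date: Optional[date] = None  # last working day when status == "left"

@dataclass(frozen=True)
class Account:
    system: str
    login: str
    owner_id: Optional[str]          # employee_id the account maps to; None if unknown

@dataclass(frozen=True)
class Change:
    action: str                      # "provision", "deprovision" or "review_orphan"
    system: str
    login: str
    reason: str

def reconcile(hr, accounts, required_systems, today):
    """Compare the HR roster (source of truth) with the accounts found on target systems
    and return the changes an approver should review before they are executed."""
    people = {p.employee_id: p for p in hr}
    held = {(a.system, a.owner_id) for a in accounts}
    changes = []
    for a in accounts:
        owner = people.get(a.owner_id) if a.owner_id else None
        if owner is None:  # nobody in HR owns it: orphaned or unused identity
            changes.append(Change("review_orphan", a.system, a.login, "no HR record maps to this account"))
        elif owner.status == "left" and owner.end_date and owner.end_date <= today:
            changes.append(Change("deprovision", a.system, a.login, f"{owner.name} left on {owner.end_date.isoformat()}"))
    for p in people.values():  # joiners: active people missing a required account
        for system in required_systems:
            if p.status == "active" and (system, p.employee_id) not in held:
                changes.append(Change("provision", system, p.employee_id.lower(), f"active employee {p.name} has no {system} account"))
    return changes

def audit_trail(changes, today):
    """One reviewable line per proposed change (step 4 of the workflow)."""
    return [f"{today.isoformat()} {c.action:<13} {c.system}/{c.login}: {c.reason}" for c in changes]

# Constructed sample data (hypothetical people and systems)
TODAY = date(2015, 1, 15)
HR = [Person("E1", "Ana", "active"), Person("E2", "Bob", "left", date(2014, 12, 31)), Person("E3", "Cleo", "active")]
ACCOUNTS = [Account("directory", "ana", "E1"), Account("directory", "bob", "E2"),
            Account("directory", "svc_old", None), Account("payroll", "ana", "E1")]

def sample_changes():
    return reconcile(HR, ACCOUNTS, ("directory",), TODAY)

if __name__ == "__main__":
    print("\n".join(audit_trail(sample_changes(), TODAY)))
```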
Server Protection
Any server that hosts sensitive information must be configured in a way that protects it from being compromised by an APT. This should include:
• Access should not be treated as an “all or nothing” decision. Instead, individuals should be given only the credentials required to accomplish their assigned tasks (least privilege access)
• Limit the number of people who have access to privileged accounts by providing emergency account access (shared account management)
• Tracking what actions are being performed by privileged accounts is critical (session recording)
Server Protection (part 2)
• Using a firewall to control communications, restrict packets and block unsecure protocols
• Employing application whitelisting to allow only explicitly specified executions and installations
• Defining a specific set of actions for high-risk applications
• Preventing changes to log files
• Monitoring the integrity of key files
• Controlling access to files and processes
CA ControlMinder
Fine-Grained Access Controls
Access to privileged accounts is often “all or nothing”—an unnecessary security risk that leads to users with more privileges than they need.
Manage privileged user access after login. Control what access users have based on their individual identity, even when using a shared administrative account.
Reduces risk by providing administrators with only the minimum privileges they need to do their jobs.
Shared Account Password Management
Privileged accounts, such as ‘root’ on UNIX and ‘Administrator’ on Windows, are often shared, reducing accountability.
Control access to privileged, administrative accounts with password storage and automatic login capabilities. This is the starting point for most privileged identity
Reduces the risk of unauthorized users gaining access to privileged accounts. Prevents password sharing.
User Activity Reporting / Video Session Recording
Track all user actions to determine what occurred and “who did what” in an investigation. Not all user activities are recorded and many applications do not produce logs, reducing accountability and making forensic investigations difficult.
Makes it simple to find out “who did what” in a forensic investigation, using an understandable video instead of searching through incomprehensible log files.
UNIX Authentication Bridging
Managing user accounts and access on individual UNIX and Linux servers is an administrative burden that can lead to errors and oversights.
Authenticate users on UNIX and Linux systems to Microsoft Active Directory.
• Automatic user login for UNIX/Linux
• Integration with Windows Event Log
Virtualization Security
Virtualization adds a new infrastructure layer that must be secured—the hypervisor.
Manage privileged users on VMware, while providing virtualization-aware automation of security controls on virtual machines.
Advanced Authentication and Centralized Web Access
Two-factor authentication and risk-based evaluations help to protect against the initial penetration of an APT by denying or detecting inappropriate access attempts. To be as effective as possible, advanced authentication capabilities should include:
• Software-based, two-factor credentials that vary by device
• Versatile authentication methods that can be matched to a specific scenario
• Rules that adjust to protect against different APT tactics
• Device identification, geo-location, IP blacklisting and case management for suspicious activities
• The ability to step up authentication when stronger identity assurance is required
Web security administration: the current state
Figure: every application carries its own application layer, user store, operating system and security layer, each serving employees, administrators, partners, executives, customers and end users separately.
• High security administration costs
• Expensive coding and maintenance
• Poor user experience
• No centralized security enforcement
• No standardized security process
• No central auditing capability
Centralized Administration of Web access with CA SiteMinder
Figure: the same person known under a different identity in each silo - Intranet (JDoe in Active Directory), E-Commerce (John Doe / A23JJ4 in LDAP), SCM (JD456912 in Oracle OID), ERP / HR (PKI Cert in Oracle RDBMS), Portal (John Doe in SQL 2008), Partner Extranet (Johnd in SunONE LDAP), CMS (John_D in Siemens DirX) - brought under CA SiteMinder, with standards-based federation to cloud/outsourced services.
• Reduced security administration costs
• Minimized coding and maintenance
• Much improved user experience
• Centralized security enforcement
• Standardized security process
• Unified central auditing
Policy-based authorization
• Restrict access by user, role, groups, dynamic groups, or exclusions
• Fine-grained authorization at the file, page, or object level
• Determine access based on location, time, & authentication context
• Send static, dynamic (SQL queries), or profile attributes in responses
• Redirect users based on type of authentication or authorization failure
Figure: anatomy of a SiteMinder policy
• What? SiteMinder rule: describes the resource being accessed
• Who? User identity or role: is the user included or excluded?
• Optional conditions: external factors (custom), IP address (network restriction), time (time restriction), SiteMinder variables (request characteristics)
• Action: SiteMinder response, the action that results from processing
Authentication Management: Broad Support for Authentication Systems & Technologies
Methods:
• Passwords
• Two factor tokens
• X.509 certificates
• Passwords over SSL
• Smart cards
• SAML & WS-Federation/ADFS
• Combination of methods
• Forms-based
• Custom methods
• Full CRL & OCSP support
• Biometric devices
Management:
• Authentication levels
• Type of authentication for given application
• Directory chaining
• Configured fallbacks to other authentication schemes
• SSO zones
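The policy structure on the policy-based authorization slide (rule for the resource, included/excluded users or roles, optional network and time conditions, a response on allow) combined with the authentication levels described here, as an added evaluator written for this page; it is not SiteMinder code, and the policies, URLs, users, networks and the "first matching policy whose user check passes decides" semantics are assumptions.

```python
from dataclasses import dataclass, field
from datetime import time
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Request:
    resource: str       # protected URL being accessed
    user: str
    roles: frozenset
    client_ip: str
    at: time            # server time of the request
    auth_level: int     # level the session was authenticated at (1 = password)

@dataclass(frozen=True)
class Policy:
    rule: str                                   # What? glob describing the resource
    allow_roles: frozenset                      # Who? roles included
    exclude_users: frozenset = frozenset()      # explicit exclusions always win
    networks: tuple = ()                        # optional network restriction (CIDRs)
    hours: tuple = ()                           # optional time restriction (start, end)
    min_auth_level: int = 1                     # authentication context required
    response: dict = field(default_factory=dict)  # static attributes returned on allow

def evaluate(policies, req):
    """Returns ('allow', response), ('step_up', level) or ('deny', reason)."""
    matched = [p for p in policies if fnmatch(req.resource, p.rule)]
    if not matched:
        return "deny", "no policy covers this resource"
    for p in matched:
        if req.user in p.exclude_users or not (req.roles & p.allow_roles):
            continue                                 # user not included by this policy
        if p.networks and not any(ip_address(req.client_ip) in ip_network(n) for n in p.networks):
            return "deny", "network restriction"
        if p.hours and not (p.hours[0] <= req.at <= p.hours[1]):
            return "deny", "time restriction"
        if req.auth_level < p.min_auth_level:
            return "step_up", p.min_auth_level       # stronger identity assurance required
        return "allow", {**p.response, "SM_USER": req.user}
    return "deny", "user excluded or not in an allowed role"

# Constructed sample policies (hypothetical resources, roles and networks)
POLICIES = (
    Policy("/intranet/*", frozenset({"employee"}), response={"SM_ROLE": "employee"}),
    Policy("/erp/payroll/*", frozenset({"hr"}), exclude_users=frozenset({"contractor1"}),
           networks=("10.0.0.0/8",), hours=(time(8), time(18)), min_auth_level=2),
)

def decide(resource, user, roles, ip, hour, level):
    return evaluate(POLICIES, Request(resource, user, frozenset(roles), ip, time(hour), level))
```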
Web access control and advanced authentication
Capabilities:
1. Authentication
2. Single sign-on
3. Policy-based authorization
4. Auditing and reporting
5. Web service security
6. Identity federation
Figure: customers, citizens, employees and partners reaching websites, back-end transactions, audit logs and a partner website, with the six capabilities marked 1 to 6.
Benefits:
• Improved user experience
• Reduced risk
• Greater administrative efficiency
• Increased agility
Information Control
Since the end goal of any APT is to steal sensitive information, having firm control over this data is a core component of a successful defense.
To safeguard these assets, data must be:
• Classified according to sensitivity and type - at access, in use, in motion, at rest, etc.
• Controlled as it is transferred between sources, such as email and physical drives
Data Loss Prevention
Identity Aware Policies
A holistic approach to security reduces risk
The concept of defense-in-depth is an essential component of any proactive, holistic APT protection strategy. The techniques supporting this approach work in concert to enable you to build and apply a security model that allows or denies actions based on business rules, data sensitivity and specific types of behavior.
Because this model can be applied uniformly across platforms and separated from operating system security, it provides an effective means of preventing and detecting APTs. As such, defense-in-depth helps your organization stay one step ahead of APTs and reduce the effects such an attack can have on the business and its employees, customers and partners.
About the solutions from CA Technologies
CA security solutions are comprised of a broad, comprehensive and integrated suite of capabilities that simplifies operations and reduces the total cost of management across cloud, on-premise, virtual, physical, distributed and mainframe environments - helping you significantly increase business agility.
Unlike traditional solutions, the CA suite controls not only user identities and the availability of critical IT resources, but also access to sensitive information assets. This provides more layers of security than conventional solutions - and helps to reduce the risk of breaches, minimize information loss and simplify compliance audits.
These offerings are complemented by a range of cloud-based identity services, which give you the flexibility to deploy security services how and when you choose, so you can adopt cloud or hybrid models in a way that fits your unique needs.
The CA Identity and Access Management suite covers the following areas:
• Identity Management and Governance
• Privileged Identity Management and Virtualization Security
• Advanced Authentication
• Data Protection
• Cloud Security
• Secure Single Sign-On and Access Management
Company Introduction
• Market Entry: April 27, 2005 in Bucharest, Romania
• Strategic Positioning: Leading provider of IT Management & Security and Business Solutions
• International Positioning: Representative offices in Bucharest, Romania; Belgrade, Serbia; Sofia, Bulgaria; Chisinau, Republic of Moldova
• Main Markets: Europe and Middle East
• Registration Number J40/7907/2005, VAT Number RO 17534593
• Facts: 25 highly qualified IT specialists with more than 150 certifications; experience in large projects implementation; more than 60 clients in 9 countries over the years
Figure: map of countries served - Romania, Republic of Moldova, Greece, Bulgaria, Turkey, Serbia
References (1): Banking and Telecom (Romania, Greece); Industry (Romania, Serbia, Greece)
References (2): Government & Public Administration (Republic of Moldova, Bulgaria, Saudi Arabia, Cyprus, Romania, Serbia)
References (3): Insurance (Romania)
Questions & answers