Identity is the ‘New’ Perimeter

Cristi Iliescu, Technical Director, SolvIT Networks

Jan 15, 2015


Page 2: Solvit   identity is the new perimeter

AGENDA

• Short overview on security evolution
• Current trends and challenges
• Pragmatic solutions for security implementation
• SolvIT and CA Technologies short overview

Copyright © 2013 CA. All rights reserved.

Page 3: Solvit   identity is the new perimeter

Evolution of Security

• 1st Generation: Gates, Guns, Guards
• 2nd Generation: Reactive Security
• 3rd Generation: Security as an Enabler
• 4th Generation: Proactive Security and Accountability
• 5th Generation: IT Service Security

[Diagram labels: Management, Time, USER]

Page 4: Solvit   identity is the new perimeter

Trends impacting security

• CLOUD COMPUTING
• SOCIAL NETWORK
• BIG DATA ANALYTICS
• MOBILE DEVICE
• INTERNET OF THINGS

• Blurring of work & personal brought on by Consumerization of IT
• Externalization of the business
• Sensitive data and applications – accessible anytime, anywhere
• Loss of Identity Control
• Loss of Data Control

Page 7: Solvit   identity is the new perimeter

security threats as we know them are changing

The traditional dangers IT security teams have been facing - and overcoming - for years are being replaced by a far more hazardous, advanced form of attacks: Advanced Persistent Threats

The financial impact of a threat cannot be underestimated.

RSA SecurID Hack

In 2011, an APT compromised the systems containing information about RSA SecurID two-factor authentication tokens, including the values the company uses to generate one-time passwords. [1]

Operation Aurora

Hackers stole sensitive intellectual property, including source code, from Google, Adobe, and other high-profile companies using highly sophisticated, well-coordinated techniques. [2]

Page 8: Solvit   identity is the new perimeter

how an Advanced Persistent Threat works

Nearly every APT follows four phases:

1. Reconnaissance: An investigation into the organization’s weaknesses, which often includes domain queries and port and vulnerability scans.

2. Initial Entry: Discovered exposures are exploited and a foothold in the target network is established using sophisticated technical methods or social engineering techniques, such as spear phishing.

3. Escalation of Privileges: Following initial penetration, hackers work to acquire more rights and gain control over additional systems - and install a “back door” that makes future access easier.

4. Continuous Exploitation: Once control has been established, the assailant will be able to continuously identify, compromise and exploit sensitive data.

And since the third and fourth stages often occur over a matter of years, detecting an APT can be incredibly difficult.

Page 9: Solvit   identity is the new perimeter

A defense-in-depth strategy extends traditional perimeter and system security with identity and access management tools, providing protection against APTs across all four phases of the attack.

[Diagram: controls laid out against the four phases: Reconnaissance, Initial Entry, Escalation of Privileges, Continuous Exploitation]

• Perimeter security
• Server hardening
• Capture and review server and device audit logs
• Anti-virus
• Phishing protection
• Employee education
• Shared account management
• Least privilege access
• Session recording
• Unexpected and externalized security
• Virtualization security
• Identity management and governance
• Advanced authentication
• Data controls

Page 10: Solvit   identity is the new perimeter

CA Security

defense-in-depth is the key to stopping APTs

Successful protection against APTs should complement traditional perimeter and infrastructure security measures, so the organization is able to:

• Make the initial penetration difficult
• Reduce the potential for privilege escalation in the event an account is compromised
• Limit the damage that can be done by a compromised account
• Detect suspicious activity early in the intrusion attempt
• Gather the information forensic investigators need to determine what damage occurred, when and by whom

What’s needed, then, is “defense-in-depth,” a strategy that complements traditional security solutions with such identity and access management capabilities as:

• shared account management
• least privilege access
• session recording
• server hardening
• Centralized Web Security
• virtualization security
• identity management and governance
• advanced authentication
• data controls

Page 11: Solvit   identity is the new perimeter

Identity Management and Governance

Carefully protecting user identities is an essential step in minimizing the effectiveness of an APT attack. To this end, identity management and governance functionality must be able to:

• Provision identities and accounts based on strict security policies and approval process
• De-provision and de-authorize identities as soon as an individual leaves the company
• Find and remove orphaned, or unused, identities
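
An added example, not part of the deck and not code from any CA product: a reconciliation pass that checks an account export against an HR roster for the lifecycle failures listed on this slide (leavers still enabled, orphaned accounts, unused accounts). The data layout, the names and the 90-day idle threshold are assumptions, and the sample records are constructed.

```python
from datetime import date

# Constructed sample data: HR roster (employee id -> status) and an account export.
ROSTER = {
    "E100": "active",
    "E101": "terminated",
    "E102": "active",
}
ACCOUNTS = [
    # (account, system, owner_id, enabled, last_login)
    ("jdoe",      "ad",   "E100", True,  date(2015, 1, 10)),
    ("asmith",    "ad",   "E101", True,  date(2014, 12, 20)),
    ("asmith",    "erp",  "E101", False, date(2014, 11, 2)),
    ("svc_batch", "unix", None,   True,  date(2015, 1, 12)),
    ("tmp_audit", "erp",  "E999", True,  None),
    ("mlee",      "ad",   "E102", True,  date(2014, 6, 1)),
]

def audit_accounts(accounts, roster, today, max_idle_days=90):
    """Classify enabled accounts that break one of the three lifecycle rules."""
    findings = {"leaver": [], "orphaned": [], "unused": []}
    for name, system, owner, enabled, last_login in accounts:
        if not enabled:
            continue  # already de-authorized, nothing left to act on
        key = f"{system}:{name}"
        status = roster.get(owner) if owner else None
        if status is None:
            # no owner recorded, or the owner is unknown to HR
            findings["orphaned"].append(key)
        elif status != "active":
            # owner has left but the account still works
            findings["leaver"].append(key)
        elif last_login is None or (today - last_login).days > max_idle_days:
            findings["unused"].append(key)
    return findings

if __name__ == "__main__":
    report = audit_accounts(ACCOUNTS, ROSTER, date(2015, 1, 15))
    for rule, keys in report.items():
        print(f"{rule}: {', '.join(keys) or '-'}")
```
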

Page 12: Solvit   identity is the new perimeter

CA IdentityMinder

Identity Administration and Provisioning

– Automate the creation and management of user identities and their access rights to applications and data
– Delegate user administration
– Manage entitlements
– Provide user self service capabilities

October 3, 2013 Security Management Copyright © 2008 CA. All rights reserved.

Page 13: Solvit   identity is the new perimeter

CA Identity Minder – How it works

Process Steps

1. Account, entitlement or password change requests are sent either through automated feeds or as requests from delegated administrators or users.

2. CA IdentityMinder initiates an approval workflow, determines impact to target systems and initiates changes on impacted target systems

3. Changes to target systems are automatically executed

4. All changes are audited and reviewed by security and audit personnel

[Diagram label: CA Role & Compliance Manager]

CA Identity Lifecycle Management Copyright © 2009 CA

Page 14: Solvit   identity is the new perimeter

Server Protection

Any server that hosts sensitive information must be configured in a way that protects it from being compromised by an APT. This should include:

• Access should not be treated as an “all or nothing” decision. Instead, individuals should be given the credentials required to accomplish their assigned tasks. (least privilege access)
• Limit the number of people who have access to privileged accounts by providing emergency account access (shared account management)
• Tracking what actions are being performed by privileged accounts is critical (session recording)

Page 15: Solvit   identity is the new perimeter

Server Protection (part 2)

• Using a firewall to control communications, restrict packets and block unsecure protocols
• Employing application whitelisting to allow only explicitly specified executions and installations
• Defining a specific set of actions for high-risk applications
• Preventing changes to log files
• Monitoring the integrity of key files
• Controlling access to files and processes

Page 16: Solvit   identity is the new perimeter

CA Control Minder


Page 17: Solvit   identity is the new perimeter

Fine-Grained Access Controls

Access to privileged accounts is often “all or nothing”—an unnecessary security risk that leads to users with more privileges than they need.

Manage privileged user access after login. Control what access users have based on their individual identity, even when using a shared administrative account.

Reduces risk by providing administrators with only the minimum privileges they need to do their jobs.

Page 18: Solvit   identity is the new perimeter

Shared Account Password Management

Privileged accounts, such as ‘root’ on UNIX and ‘Administrator’ on Windows, are often shared, reducing accountability.

Control access to privileged, administrative accounts with password storage and automatic login capabilities. This is the starting point for most privileged identity

Reduces the risk of unauthorized users gaining access to privileged accounts. Prevents password sharing.

Page 19: Solvit   identity is the new perimeter

User Activity Reporting / Video Session Recording

Track all user actions to determine what occurred and “who did what” in an investigation. Not all user activities are recorded and many applications do not produce logs, reducing accountability and making forensic investigations difficult.

Makes it simple to find out “who did what” in a forensic investigation, using an understandable video instead of searching through incomprehensible log files.

Page 20: Solvit   identity is the new perimeter

UNIX Authentication Bridging

Managing user accounts and access on individual UNIX and Linux servers is an administrative burden that can lead to errors and oversights.

Authenticate users on UNIX and Linux systems to Microsoft Active Directory.

• Automatic user login for UNIX/Linux
• Integration with Windows Event Log

Page 21: Solvit   identity is the new perimeter

Virtualization adds a new infrastructure layer that must be secured—the hypervisor.

Manage privileged users on VMware, while providing virtualization-aware automation of security controls on virtual machines.

Page 22: Solvit   identity is the new perimeter

Advanced Authentication and Centralized Web Access

Two-factor authentication and risk-based evaluations help to protect against the initial penetration of an APT by denying or detecting inappropriate access attempts. To be as effective as possible, advanced authentication capabilities should include:

• Software-based, two-factor credentials that vary by device
• Versatile authentication methods that can be matched to a specific scenario
• Rules that adjust to protect against different APT tactics
• Device identification, geo-location, IP blacklisting and case management for suspicious activities
• The ability to step up authentication when stronger identity assurance is required

Page 23: Solvit   identity is the new perimeter

Web security administration: the current state

• High security administration costs
• Expensive coding and maintenance
• Poor user experience
• No centralized security enforcement
• No standardized security process
• No central auditing capability

[Diagram labels: Application Layer, Security Layer, User Store, Operating System. Users: Employees, Administrators, Partners, Executives, Customers, End Users.]

Identity and user store shown for each application:

• Intranet: JDoe, Active Directory
• E-Commerce: John Doe / A23JJ4, LDAP
• SCM: JD456912, Oracle OID
• ERP / HR: PKI Cert, Oracle RDBMS
• Portal: John Doe, SQL 2008
• Partner Extranet: Johnd, SunONE LDAP
• CMS: John_D, Siemens DirX

CA Solutions for Web Access Security Overview Copyright © 2012 CA. All rights reserved.

Page 24: Solvit   identity is the new perimeter

Centralized Administration of Web access with CA SiteMinder

• Reduced security administration costs
• Minimized coding and maintenance
• Much improved user experience
• Centralized security enforcement
• Standardized security process
• Unified central auditing

[Diagram labels: CA SiteMinder; Cloud/Outsourced services; Standards based Federation; Application Layer, Security Layer, User Store, Operating System. Applications: Intranet, E-Commerce, Portal, ERP / HR, CMS, Partner Extranet, SCM. User stores: Siemens DirX, Oracle OID, SunONE LDAP, Oracle RDBMS, Active Directory, SQL 2008, LDAP. Users: Employees, Administrators, Partners, Executives, Customers, End Users.]

Page 25: Solvit   identity is the new perimeter

policy-based authorization

• Restrict access by user, role, groups, dynamic groups, or exclusions
• Fine-grained authorization at the file, page, or object level
• Determine access based on location, time, & authentication context
• Send static, dynamic (SQL queries), or profile attributes in responses
• Redirect users based on type of authentication or authorization failure

[Diagram: SiteMinder Policy]

• What? SiteMinder Rule: describes the resource being accessed
• Who? User identity or role: is the user included or excluded?
• Optional Conditions:
  – IP address: network restriction
  – Time: time restriction
  – SiteMinder Variables: request characteristics
  – Custom: external factors
• Action: SiteMinder Response: action that results from processing
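
An added illustration of the policy shape on this slide (what, who, optional network and time conditions, response); it is not CA SiteMinder code and does not use its API. The class and field names, the sample policies and the default-deny behaviour are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import time
from fnmatch import fnmatchcase

@dataclass
class Policy:
    resource: str                                     # What? glob over the URL path
    actions: set                                      # What? HTTP methods covered
    roles: set                                        # Who?  roles included
    excluded_users: set = field(default_factory=set)  # Who?  explicit exclusions
    networks: list = field(default_factory=list)      # optional: allowed CIDRs
    hours: tuple = None                               # optional: (start, end) window
    response: dict = field(default_factory=dict)      # Action: attributes returned

def evaluate(policies, user, roles, path, method, src_ip, now):
    """Return (decision, detail); deny by default when nothing matches."""
    addr = ipaddress.ip_address(src_ip)
    reason = "no policy covers this resource"
    for p in policies:
        if not (fnmatchcase(path, p.resource) and method in p.actions):
            continue
        if user in p.excluded_users or not (roles & p.roles):
            reason = "user not included"   # an exclusion beats role membership
        elif p.networks and not any(
                addr in ipaddress.ip_network(n) for n in p.networks):
            reason = "network restriction"
        elif p.hours and not (p.hours[0] <= now <= p.hours[1]):
            reason = "time restriction"
        else:
            return "allow", p.response
    # The reason lets the caller pick a redirect per failure type.
    return "deny", reason

# Constructed policy set for illustration.
POLICIES = [
    Policy("/hr/*", {"GET"}, {"hr", "manager"}, excluded_users={"contractor7"},
           networks=["10.0.0.0/8"], hours=(time(7, 0), time(19, 0)),
           response={"X-Role": "hr-reader"}),
    Policy("/hr/payroll/*", {"GET", "POST"}, {"payroll"},
           networks=["10.20.0.0/16"], response={"X-Role": "payroll"}),
]
```
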

Page 26: Solvit   identity is the new perimeter

Authentication Management

Broad Support for Authentication Systems & Technologies

Methods

• Passwords
• Two factor tokens
• X.509 certificates
• Passwords over SSL
• Smart cards
• SAML & WS-Federation/ADFS
• Combination of methods
• Forms-based
• Custom methods
• Full CRL & OCSP support
• Biometric devices

Management

• Authentication Levels
• Type of authentication for given application
• Directory chaining
• Configured fallbacks to other authentication schemes
• SSO Zones

Page 27: Solvit   identity is the new perimeter

Web access control and advanced authentication

Capabilities

1. Authentication
2. Single sign-on
3. Policy-based authorization
4. Auditing and reporting
5. Web service security
6. Identity federation

[Diagram labels: Customer, Citizen, Employee, Partner; Websites, Back-end Transactions, Audit Logs, Partner Website; callouts 1 to 6]

Benefits

• Improved user experience
• Reduced risk
• Greater administrative efficiency
• Increased agility

Page 28: Solvit   identity is the new perimeter

Information Control

Since the end goal of any APT is to steal sensitive information, having firm control over this data is a core component of a successful defense.

To safeguard these assets, data must be:

• Classified according to sensitivity and type - at access, in use, in motion, at rest, etc.
• Controlled as it is transferred between sources, such as email and physical drives

Page 29: Solvit   identity is the new perimeter

Data Loss Prevention


Page 30: Solvit   identity is the new perimeter

Identity Aware Policies


Page 31: Solvit   identity is the new perimeter

a holistic approach to security reduces risk

The concept of defense-in-depth is an essential component of any proactive, holistic APT protection strategy. The techniques supporting this approach work in concert to enable you to build and apply a security model that allows or denies actions based on business rules, data sensitivity and specific types of behavior.

Because this model can be applied uniformly across platforms and separated from operating system security, it provides an effective means of preventing and detecting APTs. As such, defense-in-depth helps your organization stay one step ahead of APTs and reduce the effects such an attack can have on the business and its employees, customers and partners.

Page 32: Solvit   identity is the new perimeter

about the solutions from CA Technologies

CA security solutions are comprised of a broad, comprehensive and integrated suite of capabilities that simplifies operations and reduces the total cost of management across cloud, on-premise, virtual, physical, distributed and mainframe environments - helping you significantly increase business agility.

Unlike traditional solutions, the CA suite controls not only user identities and the availability of critical IT resources, but also access to sensitive information assets. This provides more layers of security than conventional solutions - and helps to reduce the risk of breaches, minimize information loss and simplify compliance audits.

These offerings are complemented by a range of cloud-based identity services, which give you the flexibility to deploy security services how and when you choose, so you can adopt cloud or hybrid models in a way that fits your unique needs.

The CA Identity and Access Management suite covers the following areas:

• Identity Management and Governance
• Privileged Identity Management and Virtualization Security
• Advanced Authentication
• Data Protection
• Cloud Security
• Secure Single Sign-On and Access Management

Page 33: Solvit   identity is the new perimeter

Company Introduction

Market Entry
• April 27, 2005 in Bucharest, Romania

Strategic Positioning
• Leading provider of IT Management & Security and Business Solutions

International Positioning
Representative offices in:
• Bucharest, Romania
• Belgrade, Serbia
• Sofia, Bulgaria
• Chisinau, Republic of Moldova

Main Markets
• Europe and Middle East

Registration Number J40/7907/2005
VAT Number RO 17534593

Facts
• 25 highly qualified IT specialists with more than 150 certifications
• Experience in large projects implementation
• More than 60 clients in 9 countries over the years

Page 34: Solvit   identity is the new perimeter

References (1)

Banking: Republic of Moldova, Greece, Bulgaria, Turkey, Romania, Serbia

Page 35: Solvit   identity is the new perimeter

References (2)

Telecom: Romania, Greece

Industry: Romania, Serbia, Greece

Page 36: Solvit   identity is the new perimeter

References (3)

Government & Public Administration: Republic of Moldova, Bulgaria, Saudi Arabia, Cyprus, Romania, Serbia

Insurance: Romania

Page 37: Solvit   identity is the new perimeter

questions & answers