ZERO TRUST IDENTITY

Apr 14, 2022
Page 1: ZERO TRUST IDENTITY

Page 2: ZERO TRUST IDENTITY

Identity is the Center of Security

The Future is Now!

Zero Trust Identity

• Users, Data, and Devices are uniquely tied together

• Users and devices are untrustworthy

Page 3: ZERO TRUST IDENTITY

SESSIONS

Time  Session (Partners)

2:30  Access Management Verifies Enterprise Mobility Management Status of Mobile Device (Ping Identity / VMware)

3:00  Complete Security for your AWS deployment (Okta / Netskope / LogRhythm / CyberArk)

3:30  Adaptive Access Management for Enterprises (SecureAuth / Netskope / LogRhythm)

4:00  Delegation of Access Management and trust elevation for privileged access (Gemalto / Ping Identity / BeyondTrust)

4:30  Access Management checks for Cloud Access Security Broker (Ping Identity / Netskope / Optiv)

5:00  Identity Governance Attestation of Privileged Account Management (SailPoint / CyberArk / LogRhythm)

Page 4: ZERO TRUST IDENTITY

• Problem

– Customers want the flexibility to choose different vendors for different modules that make up their overall security solution.

– This session demonstrates how Ping Identity / Gemalto / BeyondTrust products can be configured to deliver an SSO → AM → MFA → PAM chain of service to customers.

• Zero Trust Capabilities

– Password is not enough, need MFA to access resource

– MFA is done not just for initial access but for later privilege escalation commands

– Based on risk level and/or pre-defined conditions, access can be automatically rejected, or granted for a limited time

– PAM for privileged commands, enforced through step-up authentication

• IDSA Use Cases

– MFA for Public / Private Cloud Application Consolidation

– Step-up Authentication to the Privileged Access Management Application

Page 5: ZERO TRUST IDENTITY

[Diagram: IDENTITY SECURITY framework, with modules Access Management, Identity Governance, Identity Administration, SIEM, EMM, DLP, CASB, PAM, GRC, Network Security, UEBA, Service Mgmt, Fraud & Risk, DAG]

Delegation of Access Management and trust elevation for privileged access

Page 6: ZERO TRUST IDENTITY

The Building Blocks

Ping Identity : PingFederate

• PingFederate provides SSO service to SPs and a well-defined method to delegate MFA to a 3rd party

• This MFA delegation is done through adaptors, integration kits or configuration from the admin console

Gemalto : STA/SAS

• SafeNet Trusted Access (STA) provides SSO and access management (AM) capabilities

• SafeNet Authentication Service (SAS) supports a wide range of MFA options

BeyondTrust : PowerBroker

• BeyondTrust offers privileged access management (PAM) through its PowerBroker platform

• The PowerBroker platform handles management of enterprise passwords, least privilege on endpoints and server privilege on Windows and Linux servers

[Diagram labels: Gemalto, STA (SSO, AM), SAS (2FA), Enterprise Apps]

Page 7: ZERO TRUST IDENTITY

The Building Blocks

Page 8: ZERO TRUST IDENTITY

The Building Blocks

Page 9: ZERO TRUST IDENTITY

The Building Blocks

Page 10: ZERO TRUST IDENTITY

The Integrated Solution : Ping Identity + Gemalto + BeyondTrust

Demonstrates how different components from different IDSA member companies can work together to offer an SSO → AM → MFA → PAM chain of service to customers.

Ping Identity using PingFederate

Gemalto using STA / SAS

BeyondTrust using PowerBroker

Page 11: ZERO TRUST IDENTITY

High-Level Flow of the Integrated Solution: Scenario 1

[Diagram labels: User, SP1 (e.g. Salesforce), "Point SP1 to STA", PingFederate, STA, SAS, On Premises, Cloud; steps numbered 1, 2a, 2b, 2c, 3, 4, 5a, 5b, 5c]

Configuration:

• A service provider SP1 (e.g. Salesforce) relies on Ping Identity for SSO. Behind the scenes, access management and MFA are provided by Gemalto. The solution works in a seamless way.

• Conversely, service providers that rely on Gemalto can now instead point to Ping Identity for SSO, while still maintaining AM and MFA services from Gemalto.

Workflow steps:

1. User goes to SP1 portal via web browser, clicks Login

2. SP1 redirects login to PingFederate (e.g. SAML Request); PingFederate delegates the request to STA

3. STA uses access policies to determine if login is automatically allowed, needs authentication, etc.

4. If authentication is needed, MFA is handled by SAS

5. STA decision + user information returned to PingFederate; PingFederate sends the response to SP1 (e.g. SAML Response)

Result:

• Seamless interchangeability of Ping Identity and Gemalto components to demonstrate the zero trust principle

Page 12: ZERO TRUST IDENTITY

High-Level Flow of the Integrated Solution: Scenario 2

[Diagram labels: Admin, Workstation, Admin Console, "$ xyz", "Point SP2 to STA", PingFederate, STA, SAS, On Premises, Cloud; steps numbered 1 to 7]

Configuration:

• BeyondTrust Admin Console relies on Ping Identity for SSO. Behind the scenes, access management and MFA are provided by Gemalto. The solution works in a seamless way.

• After initial authentication the Admin issues a privileged command on Linux and/or Windows which requires a step-up authentication.

Workflow steps:

1. Admin at workstation opens browser, clicks Login

2. Login redirected to PingFederate, which delegates AM and MFA (if needed) to Gemalto

3. Admin is logged in with least privilege

4. Admin issues an elevated command in Linux or Windows

5. A step-up authentication request is sent to Gemalto

6. Gemalto does step-up MFA and sends response to BeyondTrust

7. BeyondTrust allows the elevated command to be executed

Result:

• Seamless integration of Ping, BeyondTrust and Gemalto components to demonstrate zero trust and PAM principles

Page 13: ZERO TRUST IDENTITY

DEMO

Two Scenarios:

• SSO + AM + MFA

• PAM + MFA (Linux & Windows)

Page 14: ZERO TRUST IDENTITY

PingFederate configuration – IdP Connection

Page 15: ZERO TRUST IDENTITY

STA configuration – connection to PingFederate

Page 16: ZERO TRUST IDENTITY

PingFederate configuration – connection to PingFederate (details)

Page 17: ZERO TRUST IDENTITY

STA Policy Definition

Page 18: ZERO TRUST IDENTITY

BeyondTrust – Windows “regedit” privilege escalation

Page 19: ZERO TRUST IDENTITY

BeyondTrust – Windows “regedit” privilege escalation

Page 20: ZERO TRUST IDENTITY

BeyondTrust – Linux command privilege escalations

Page 21: ZERO TRUST IDENTITY

BeyondTrust – Linux command privilege escalations

## IMPORTANT These commands will execute as root
#
EnableDemoRole = true;
DemoUsers = {"demouser","michael","aali"};
DemoCommands = {"id", "whoami","useradd","userdel"};
# the role applies on whichever host submitted the request
DemoHosts = {submithost};
# step-up (runconfirm) through the RADIUS service backed by Gemalto SAS,
# bound to the submitting user
runconfirmpasswdservice = "Gemalto_Radius";
runconfirmuser = user;
runuser = "root";
DemoRole();
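As an added example (not BeyondTrust's policy engine and not part of the original deck), the following models the decision the demo policy above expresses: the user, command and host lists, the "Gemalto_Radius" step-up and runuser = "root" come from the slide, while the body of DemoRole(), the basename matching and the step_up callable that stands in for runconfirm are assumptions. It also generalizes DemoHosts from "the submitting host" to an explicit host set.

```python
# Added example: models the DemoRole policy decision from the slide above.
# Not BeyondTrust's engine; the match logic and step_up callable are assumed.
import os
from dataclasses import dataclass
from typing import Callable, Optional

# Policy values taken from the demo snippet on this slide.
ENABLE_DEMO_ROLE = True
DEMO_USERS = {"demouser", "michael", "aali"}
DEMO_COMMANDS = {"id", "whoami", "useradd", "userdel"}
RUNCONFIRM_SERVICE = "Gemalto_Radius"  # runconfirmpasswdservice
RUNUSER = "root"                       # runuser


@dataclass(frozen=True)
class Decision:
    accepted: bool
    runuser: Optional[str] = None  # account the command would execute as
    reason: str = ""


def demo_role(submituser: str, command: str, submithost: str,
              step_up: Callable[[str, str], bool],
              demo_hosts: Optional[set] = None) -> Decision:
    """Evaluate one privileged request against the demo role.

    step_up(service, user) stands in for runconfirm: the RADIUS step-up
    must succeed for the submitting user before the command is accepted.
    demo_hosts=None mirrors DemoHosts = {submithost} on the slide, i.e.
    the role applies on whichever host submitted the request.
    """
    if not ENABLE_DEMO_ROLE:
        return Decision(False, reason="demo role disabled")
    if submituser not in DEMO_USERS:
        return Decision(False, reason="user not in DemoUsers")
    # Assumption: match on the basename, so /usr/bin/id matches "id".
    if os.path.basename(command) not in DEMO_COMMANDS:
        return Decision(False, reason="command not in DemoCommands")
    allowed_hosts = demo_hosts if demo_hosts is not None else {submithost}
    if submithost not in allowed_hosts:
        return Decision(False, reason="host not in DemoHosts")
    # runconfirmuser = user: the second factor is bound to the submitter,
    # so someone else's token cannot satisfy the step-up.
    if not step_up(RUNCONFIRM_SERVICE, submituser):
        return Decision(False, reason="step-up authentication failed")
    # Accepted: the command executes as root, as the slide's comment warns.
    return Decision(True, runuser=RUNUSER, reason="accepted after step-up")
```

Any request that fails a list check is rejected before the step-up is even attempted, so a denied request never triggers an MFA prompt for the user.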

Page 22: ZERO TRUST IDENTITY

QUESTIONS

Page 23: ZERO TRUST IDENTITY

IDSA Members

Page 24: ZERO TRUST IDENTITY

THANK YOU

For more information https://www.idsalliance.org