ZERO TRUST IDENTITY
Identity is the Center of Security
• The Future is Now!
• Zero Trust Identity
• Users, Data, and Devices are uniquely tied together
• Users and devices are untrustworthy
SESSIONS
Time  Session                                                                             Partners
2:30  Access Management Verifies Enterprise Mobility Management Status of Mobile Device   Ping Identity / VMware
3:00  Complete Security for your AWS deployment                                           Okta / Netskope / LogRhythm / CyberArk
3:30  Adaptive Access Management for Enterprises                                          SecureAuth / Netskope / LogRhythm
4:00  Delegation of Access Management and trust elevation for privileged access           Gemalto / Ping Identity / BeyondTrust
4:30  Access Management checks for Cloud Access Security Broker                           Ping Identity / Netskope / Optiv
5:00  Identity Governance Attestation of Privileged Account Management                    SailPoint / CyberArk / LogRhythm
• Problem
  – Customers want the flexibility to choose different vendors for different modules that make up their overall security solution.
  – This session demonstrates how Ping Identity / Gemalto / BeyondTrust products can be configured to deliver an SSO → AM → MFA → PAM chain of service to customers.
• Zero Trust Capabilities
  – Password is not enough; MFA is needed to access a resource
  – MFA is done not just for initial access but for later privilege escalation commands
  – Based on risk level and/or pre-defined conditions, access can be automatically rejected, or granted for a limited time
  – PAM for privileged commands, enforced through step-up authentication
• IDSA Use Cases
  – MFA for Public / Private Cloud Application Consolidation
  – Step-up Authentication to the Privileged Access Management Application
[Diagram: IDENTITY SECURITY framework. Components: Access Management, Identity Governance, Identity Administration, SIEM, EMM, DLP, CASB, PAM, GRC, Network Security, UEBA, Service Mgmt, Fraud & Risk, DAG]
Delegation of Access Management and trust elevation for privileged access
The Building Blocks
• Ping Identity : PingFederate
  – PingFederate provides SSO service to SPs and a well-defined method to delegate MFA to a 3rd party
  – This MFA delegation is done through adaptors, integration kits or configuration from the admin console
• Gemalto : STA/SAS
  – SafeNet Trusted Access (STA) provides SSO and access management (AM) capabilities
  – SafeNet Authentication Service (SAS) supports a wide range of MFA options
  [Diagram: Enterprise Apps ↔ STA (SSO, AM) ↔ SAS (2FA), Gemalto]
• BeyondTrust : PowerBroker
  – BeyondTrust offers privileged access management (PAM) through its PowerBroker platform
  – The PowerBroker platform handles management of enterprise passwords, least privilege on endpoints, and server privilege on Windows and Linux servers
The Integrated Solution : Ping Identity + Gemalto + BeyondTrust
Demonstrates how different components from different IDSA member companies can work together to offer an SSO → AM → MFA → PAM chain of service to customers.
• Ping Identity using PingFederate
• Gemalto using STA / SAS
• BeyondTrust using PowerBroker
High-Level Flow of the Integrated Solution: Scenario 1
[Diagram labels: User; SP1 (e.g. Salesforce); "Point SP1 to STA"; PingFederate (On Premises); STA and SAS (Cloud); steps 1, 2a–2c, 3, 4, 5a–5c matching the workflow below]
Configuration:
• A service provider SP1 (e.g. Salesforce) relies on Ping Identity for SSO. Behind the scenes, access management and MFA are provided by Gemalto. The solution works in a seamless way.
• Conversely, service providers that rely on Gemalto can now instead point to Ping Identity for SSO, while still maintaining AM and MFA services from Gemalto.
Workflow steps:
1. User goes to the SP1 portal via web browser, clicks Login
2. SP1 redirects login to PingFederate (e.g. SAML Request); PingFederate delegates the request to STA
3. STA uses access policies to determine if login is automatically allowed, needs authentication, etc.
4. If authentication is needed, MFA is handled by SAS
5. STA decision + user information returned to PingFederate; PingFederate sends the response to SP1 (e.g. SAML Response)
Result:
• Seamless interchangeability of Ping Identity and Gemalto components to demonstrate the zero trust principle
High-Level Flow of the Integrated Solution: Scenario 2
[Diagram labels: Admin at Workstation; Admin Console; "Point SP2 to STA"; PingFederate (On Premises); STA and SAS (Cloud); terminal prompt "$ xyz"; steps 1–7 matching the workflow below]
Configuration:
• The BeyondTrust Admin Console relies on Ping Identity for SSO. Behind the scenes, access management and MFA are provided by Gemalto. The solution works in a seamless way.
• After initial authentication the Admin issues a privileged command on Linux and/or Windows which requires a step-up authentication.
Workflow steps:
1. Admin at workstation opens a browser, clicks Login
2. Login is redirected to PingFederate, which delegates AM and MFA (if needed) to Gemalto
3. Admin is logged in with least privilege
4. Admin issues an elevated command in Linux or Windows
5. A step-up authentication request is sent to Gemalto
6. Gemalto does step-up MFA and sends the response to BeyondTrust
7. BeyondTrust allows the elevated command to be executed
Result:
• Seamless integration of Ping, BeyondTrust and Gemalto components to demonstrate zero trust and PAM principles
DEMO
Two Scenarios:
• SSO + AM + MFA
• PAM + MFA (Linux & Windows)
PingFederate configuration – IdP Connection
STA configuration – connection to PingFederate
PingFederate configuration – connection to PingFederate (details)
STA Policy Definition
BeyondTrust – Windows “regedit” privilege escalation
BeyondTrust – Linux command privilege escalations
PowerBroker policy shown in the demo:
  ## IMPORTANT These commands will execute as root
  #EnableDemoRole = true;
  DemoUsers = {"demouser", "michael", "aali"};
  DemoCommands = {"id", "whoami", "useradd", "userdel"};
  DemoHosts = {submithost};
  runconfirmpasswdservice = "Gemalto_Radius";
  runconfirmuser = user;
  runuser = "root";
  DemoRole();
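As an added illustration (not part of the deck and not PowerBroker policy code), the Python below models the decision the demo policy expresses for Scenario 2: a privileged request is first matched against the role (user, command, host), then the requester is challenged through the MFA service before the command runs as root. The host name and the step-up callback are constructed stand-ins for submithost and the RADIUS round trip to Gemalto.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Role definition mirrored from the PowerBroker demo policy on the slide.
DEMO_USERS = {"demouser", "michael", "aali"}
DEMO_COMMANDS = {"id", "whoami", "useradd", "userdel"}
DEMO_HOSTS = {"demo-linux-host"}          # constructed stand-in for submithost
STEP_UP_SERVICE = "Gemalto_Radius"        # runconfirmpasswdservice on the slide


@dataclass
class Decision:
    allowed: bool
    reason: str
    runuser: Optional[str] = None         # account the command runs as, if allowed


def evaluate(user: str, command: str, submithost: str,
             step_up: Callable[[str, str], bool]) -> Decision:
    """Decide one privileged request: role match first, then step-up MFA.

    step_up(user, service) stands in for the RADIUS round trip to the MFA
    service; it returns True only when the user completes the challenge.
    """
    cmd = command.rsplit("/", 1)[-1]      # match on the command name only
    if (user not in DEMO_USERS or cmd not in DEMO_COMMANDS
            or submithost not in DEMO_HOSTS):
        return Decision(False, "no matching role: request rejected")
    # runconfirmuser = user: the requester, not root, is challenged, so a
    # stolen session still cannot run the command without the second factor.
    if not step_up(user, STEP_UP_SERVICE):
        return Decision(False, f"step-up MFA via {STEP_UP_SERVICE} failed")
    # runuser = "root": only after the second factor does the command escalate.
    return Decision(True, f"step-up MFA via {STEP_UP_SERVICE} passed", runuser="root")


def make_step_up(accept: bool, audit: List[str]) -> Callable[[str, str], bool]:
    """Constructed MFA back end that records who was challenged."""
    def step_up(user: str, service: str) -> bool:
        audit.append(f"{service}: challenge sent to {user}")
        return accept
    return step_up


if __name__ == "__main__":
    log: List[str] = []
    print(evaluate("michael", "/usr/sbin/useradd", "demo-linux-host", make_step_up(True, log)))
    print(evaluate("mallory", "id", "demo-linux-host", make_step_up(True, log)))
    print(log)
```

Note that a request outside the role is rejected before any challenge is sent, so the audit trail only ever shows step-up attempts for users the policy actually covers.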
QUESTIONS
IDSA Members
THANK YOU
For more information: https://www.idsalliance.org