Pre-Con Ed: Privileged Identity Governance: Are You Certifying Privileged User Access?
Robert Marti
SCX207E
SECURITY
Product Marketing, CA Technologies
2 COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED#CAWORLD #NOBARRIERS
For Informational Purposes Only
Terms of This Presentation
© 2017 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2017 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
Abstract
Many organizations have a solution to control the access and actions of privileged users. But that’s not enough for a complete privileged user management solution—you must also govern access to make sure that only the correct users have elevated privileges, and that they have only the privileges that they need. In this session, you will get an in-depth understanding of how you can reduce your risk through this capability unique to CA.
Robert Marti, CA Technologies, Product Marketing, Manager
Agenda
1 BUSINESS CHALLENGES
2 INTRODUCING PRIVILEGED IDENTITY GOVERNANCE
3 SOLUTION OVERVIEW
4 USE CASES
5 SUCCESS STORY
Privileged Identity and Access Are Most Frequently Exploited Attack Vectors
71% of users say they have access to data they shouldn’t.
80% of IT Professionals say their company does not enforce least privilege.
80% of all breaches utilize lost, stolen, or weak credentials.
60% of all malware uses privilege escalation or stolen credentials.
BIGGEST CYBER ATTACKS EXPLOIT PRIVILEGED ACCESS
Creating An Expanding Radius of Data Loss
DROPBOX: 68M Records
LINKEDIN: 167M Records
YAHOO: 500M Records
EQUIFAX: 150M Records
TUMBLR: 65M Records
Excessive Access Causes Embarrassing Fraud Cases
Adobe: Loses 40G of source code for core products
AT&T Call Center: Discloses personal data for 25M customers
Société Générale: Rogue trader aggregates privileges for a $7.8B loss
Excessive Access CORRUPTS
PRIVILEGED Access CORRUPTS ABSOLUTELY
The Reason This is Happening: Pattern is Repeatable
77% attacks Internal Credentials 30%
28% Executives & Administrators
End-users with Excessive privileges
THE KILL CHAIN
GAIN ACCESS/EXPAND
ELEVATE PRIVILEGE
STEAL DATA
Identity is the most frequently exploited attack vector
Where Companies Have Not Self-Regulated, Others Have Imposed Requirements
THE GLOBAL WEB OF PRIVACY COMPLIANCE
• HITECH
• GDPR
• FATCA
• PSD2
• HSPD
• HIPAA
• POPI
• 201 CMR 17
• OAIC
• CalOPPA
• AADHAR
• PCI DSS
• FFIEC
So It Is Not Just a Technology Problem
It Is a Privileged Governance Problem
Privileged Access Request: Streamline the request, audit and fulfillment of privileged users.
Certify Privileged Access: Provide audit reporting and manager attestation of user access to privileged accounts.
De-provision Privileged Access: When users separate from the company, remove or disable the associated privileged accounts.
Remediate Excessive Access: Take workflow driven action to remove excessive access.
Challenges to the Business
Issues With Legacy IAM Solutions
LEGACY IAM SOLUTIONS:
• Focused on protecting on-premise applications
• Were highly customizable and required specialists
• Had significant costs to deploy, configure, and maintain
AS A RESULT:
• 64% of enterprises have no IAM monitoring tools
• 72% of enterprises do not do access review or certification
• 62% of enterprises have no access request process in place
Our Privileged Identity Management Solution
Leverages a Defense in Depth Approach
INTEGRATED OVERLAPPING CONTROLS TO REDUCE RISK
Privileged Identity Management: Reducing audit risk and achieving least privilege
Advanced Authentication: Preventing account takeover with multifactor credentials
Threat Analytics for PAM: Monitoring privileged activities for abnormal usage/behaviors
PAM Server Control: Locking down file systems and server resources
Privileged Access Manager: Securing privileged access and preventing lateral motion
Introducing CA Privileged Access Manager
• Role-based and fine-grained access control over privileged accounts
• Privileged user credential protection
• Monitor, audit and record privileged sessions
• Multifactor authentication, single sign-on, and federation support
• Support security and privacy regulations
Lower Total Cost of Ownership
Faster Time to Value
Hybrid Environment Support
Performance at Scale
Why Is Privileged Access Governance Needed?
The Situation Today
• Privileged Access Management (PAM) is mostly a standalone solution that implements critical security and compliance controls managing and monitoring use of sensitive access.
• In most cases, it is separated from the corporate Identity Management.
The Outcome
• Lack of overall visibility to “who has access to what.”
• Missing approval and auditing information for “why access was granted.”
• Inability to enforce consistent identity policies such as Segregation Of Duties.
• No risk analysis for overall user access.
• Fragmented compliance with regulatory requirements (examples: ISO27002 sections 8.1.2 “ownership of assets” and 9.2.5 “review of access rights”).
Introducing CA Identity Suite
• Self-service identity portal
• Business-friendly entitlements catalog
• Proactive analytics
• Deployment Xpress
• Audit and compliance streamlining
Privileged Identity Compliance
Privileged Identity Lifecycle Management
Improved Privileged Access Security
CA Identity Suite
Integration With CA Privileged Access Manager
How it integrates
• Provides “out-of-the-box” connector for CA PAM
What it does
• Manages PAM Accounts and their assignments to Roles, Groups, & Devices (provisioning and de-provisioning)
• Support for local and LDAP/AD accounts
• Support for granular assignment including start/end dates, scoping and policies
CA Identity Suite & CA PAM Integration
Requesting Privileged Access
What it does
• Easy-to-use “shopping cart” experience for requesting PAM permissions
• Workflow approvals for submitted requests
• Risk analysis of combined privileged and non-privileged access
• Segregation of duties compliance check
• Automated provisioning fulfillment
CA Identity Suite & CA PAM Integration
Requesting Access to Privileged Account
CA Identity Suite & CA PAM Integration
Evaluating Risk Associated With Requested Account
CA Identity Suite & CA PAM Integration
Requesting Access to Privileged Account
CA Identity Suite & CA PAM Integration
Certifying Privileged Access
CA PAM Account certification
Update HR reports
Mitigate access risk
What It Does
• Automated collection of access permissions via CA Identity Suite connector
• Provides “out-of-the-box” user and access certification processes for CA PAM
• Easily identifies users with excessive access
• Enriches experience with last login and usage logs
• Automated removal of access permissions that are rejected by approvers
CA Identity Suite and CA PAM Integration
Reviewing and Certifying Privileged Access
Privileged Identity Governance
Summary of Capabilities
FULL PRIVILEGED IDENTITY LIFECYCLE MANAGEMENT
• ONBOARDING
• PROVISIONING
• SELF-SERVICE
• ACCESS REQUESTS
• RISK ANALYSIS
• CERTIFICATION
• DEPROVISIONING
• OFFBOARDING
Case Study
The Business Challenge:
Source Code Governance at CA Technologies
3,000 engineers are using over 12 major source code management tools.
Access audits were a drain on people and money.
Compliance audits took more than 20,000 employee hours.
OUR GOAL: Govern access to source code and improve productivity and the overall user experience
OUR CHALLENGE: Manual process that was extremely costly
The Solution:
CA Identity Governance
• All access reviews are now performed via automation.
• Incorrect access is quickly remediated.
• IP controls are much easier to execute, and…
• Frequent Engineering personnel changes can be handled quickly while still enforcing strong security over the source code.
[Diagram labels: CA Identity Governance; Engineers (>3,000); Manager Certifies Access; Auditor Validates Certification; Source Code Repositories (>5,000); Requests access; Access granted]
CA Identity Governance validates access rights to nearly 5,000 source code repositories across all source management tools.
The Results:
Significant Time & Cost Savings
75% reduction in audit time via automated data collection for compliance audits
90% drop in administrative overhead
Engineers love the new world-class source code management ecosystem
Orphan source code access quickly identified and removed
Saved thousands of hours of employee time thanks to automated certification
The Results:
A Closer Look at the Savings
[Chart: Savings in Source Code Attestation, in person years, FY14 to FY17]
Must See Demos
Security Starts With Identity (Security Content Area)
Control High Value Access (Security Content Area)
Manage Your Software Risk (Security Content Area)
Let’s Talk Upgrades (Security Content Area)
Deliver Frictionless Access (Security Content Area)
Questions?
Stay connected at communities.ca.com
Thank you.
Security
For more information on Security, please visit: http://cainc.to/CAW17-Security