CyberArk Privilege as a Service - Cyber Security Summit
Transcript of CyberArk Privilege as a Service - Cyber Security Summit
PRIVILEGE AS A SERVICE
Safeguarding Access In The Ever-Evolving Cloud
Alex Flores – Principal Solutions Engineer, Central US
THE CLOUD IS BEAUTIFUL – AND I.T. IS TRANSFORMING
• Speed to Market
• ROI from Innovative Cloud Tech
• Allure of Modern Automation
PRIVILEGE IS EVERYWHERE
POWERFUL CONSOLE ACCESS
• Org Root
• Account Root
• Global Admin
• Domain/Limited Admin
• Super Admin
• Project Owner
RISE OF THE MACHINES
WHAT CAN BE DONE?
• Discover, vault and rotate these credentials – and protect with MFA
• Control and monitor sessions using these creds
• Take programmatic action against anomalies
NATIVE ACCESS IS KEY TO SUCCESS
So allow users to leverage their own native clients!
NO CODE CHANGES: MICROSERVICES
https://secretless.io
NO CODE CHANGES: OFF THE SHELF APPS
[Diagram: CyberArk Vault <-> CyberArk Provider (HTTPS) <-> WorkFusion Control Tower, RPA Bot, RPA VDI Farm and Client Apps; the client app obtains its credentials through the provider's REST API call]
The REST API call as shown on the slide (pseudocode):
  # REST API CALL
  Username = GetUserName()
  Password = GetPassword()
  Host = GetHost()
  ConnectDatabase(Host, Username, Password)
CLOUD LEAST PRIVILEGE
You need to be precise in all three aspects:
• The identity
• The scope
• The permission
Azure has more than 5,000 permissions!
SHADOW ADMINS – SUBSCRIPTION LEVEL
Permission                                              Actions permitted
Microsoft.Authorization/classicAdministrators/write     Add new classic administrators
Microsoft.Authorization/roleAssignments/write           Grant permissions
Microsoft.Authorization/roleDefinition/write            Change permissions' definitions
Microsoft.Authorization/elevateAccess/Action            Elevate to user access admin
Microsoft.Authorization/roleDefinition/*                Sensitive wildcard character "*"
Microsoft.Authorization/roleAssignments/*               Sensitive wildcard character "*"
Microsoft.Authorization/*/Write                         Sensitive wildcard character "*"
Microsoft.Authorization/*                               Sensitive wildcard character "*"
SKYARK – FREE CLOUD SECURITY TOOL
• Scans Cloud Entities
• Needs Read Only Access
• Discovers Privileged Users and Shadow Admins
https://github.com/cyberark/SkyArk
https://kobura.io
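The check behind the shadow-admin table and the SkyArk slide, written out as an added Python example (this is not SkyArk's code, nor anything from the talk). It assumes role definitions in the JSON shape that `az role definition list` returns (a `roleName` and a `permissions` list of `actions`/`notActions`), which needs only read access to the subscription. It goes a little beyond the table: instead of string-matching the eight rows, it resolves Azure's wildcard semantics, so a role granting `Microsoft.Authorization/*` or `*` is caught by testing the four concrete operations, and `notActions` are subtracted, so a Contributor-like role that carves out the Authorization writes is correctly not flagged. The sample roles are constructed for the example; the slide writes `roleDefinition/write` in the singular, while the resource type in Azure is `roleDefinitions`, which the code uses.

```python
"""Flag Azure role definitions that effectively grant the subscription-level
"shadow admin" operations listed on the slide. Hypothetical helper, not SkyArk
code; input is the JSON shape of `az role definition list`."""
import re

# Concrete operations from the "Shadow admins - subscription level" table.
# The slide writes "roleDefinition"; the Azure resource type is "roleDefinitions".
SENSITIVE_OPERATIONS = {
    "Microsoft.Authorization/classicAdministrators/write": "add new classic administrators",
    "Microsoft.Authorization/roleAssignments/write": "grant permissions",
    "Microsoft.Authorization/roleDefinitions/write": "change permission definitions",
    "Microsoft.Authorization/elevateAccess/Action": "elevate to User Access Administrator",
}


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Azure RBAC action patterns: '*' matches any run of characters, including
    '/', and comparison is case-insensitive. This is what makes the wildcard rows
    of the table (Microsoft.Authorization/*/Write, Microsoft.Authorization/*, ...)
    cover the concrete operations above."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile(".*".join(parts), re.IGNORECASE)


def matches_any(operation: str, patterns) -> bool:
    return any(pattern_to_regex(p).fullmatch(operation) for p in patterns)


def permits(role_def: dict, operation: str) -> bool:
    """True if some permission block allows the operation through `actions`
    without excluding it through `notActions` (effective = Actions - NotActions)."""
    for perm in role_def.get("permissions", []):
        allowed = matches_any(operation, perm.get("actions", []))
        denied = matches_any(operation, perm.get("notActions", []))
        if allowed and not denied:
            return True
    return False


def shadow_admin_findings(role_def: dict) -> list:
    """Sensitive operations this role effectively grants, in table order."""
    return [op for op in SENSITIVE_OPERATIONS if permits(role_def, op)]


def scan(role_defs) -> dict:
    """roleName -> findings, for every role definition that is a shadow admin."""
    report = {}
    for role in role_defs:
        findings = shadow_admin_findings(role)
        if findings:
            report[role["roleName"]] = findings
    return report


# Constructed sample role definitions (not real tenant data). "Contributor-like"
# mirrors the shape of the built-in Contributor role: "*" minus the
# Microsoft.Authorization write/delete/elevate operations.
SAMPLE_ROLES = [
    {"roleName": "Reader",
     "permissions": [{"actions": ["*/read"], "notActions": []}]},
    {"roleName": "Contributor-like",
     "permissions": [{"actions": ["*"],
                      "notActions": ["Microsoft.Authorization/*/Delete",
                                     "Microsoft.Authorization/*/Write",
                                     "Microsoft.Authorization/elevateAccess/Action"]}]},
    {"roleName": "VM Operator (custom)",    # looks harmless, but can grant roles
     "permissions": [{"actions": ["Microsoft.Compute/virtualMachines/*",
                                  "Microsoft.Authorization/roleAssignments/write"],
                      "notActions": []}]},
    {"roleName": "Auth Wildcard (custom)",  # sensitive wildcard row from the table
     "permissions": [{"actions": ["Microsoft.Authorization/*"], "notActions": []}]},
]

if __name__ == "__main__":
    for name, ops in scan(SAMPLE_ROLES).items():
        print(f"[shadow admin] {name}")
        for op in ops:
            print(f"    {op}  ->  {SENSITIVE_OPERATIONS[op]}")
```

Run against real data by replacing SAMPLE_ROLES with the parsed output of `az role definition list`; the same `permits()` test is what to apply to each role assignment's scope when reviewing the identity/scope/permission triple from the least-privilege slide.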
CYBERARK BLUEPRINT STAGES OVERVIEW
GOAL
• Stage 1: Secure privileged ids that have the potential to control an entire environment
• Stage 2: Focus on locking down the most universal technology platforms
• Stage 3: Build PAS into the fabric of enterprise security strategy and application pipelines
• Stage 4: Mature existing controls and expand into advanced privileged access security
• Stage 5: Look for new opportunities to shore up privileged access across the enterprise
RISK REDUCTION
Critical, Major, Moderate, measured against:
• Prevent credential theft
• Stop lateral & vertical movement
• Limit privilege escalation & abuse
PAM CONTROLS & TECHNOLOGIES
Foundational Privileged Access Management:
• Stage 1: IaaS Admins, Domain Admins, VM & Hypervisor, Windows Server Local, MFA
• Stage 2: CI/CD Consoles, Workstation Local Admin, Privileged AD Users, *NIX Root
• Stage 3: Cred boundaries, *NIX Root Similar, 3rd Party Vendors, Out of Band access, Database Built-In Admins
• Stage 4: Web Apps (Top), Business Apps (Top), Network & Infra Admins, Named DBA
• Stage 5: Web Apps (All), Business Apps (All), Mainframe Admins, Windows Services
Least Privilege: IT Admin Workstations; Windows Servers, All Workstations; Windows Servers, *NIX Servers; 3rd Party Security Tools (via C3 Integrations); 3rd Party Business Tools (via C3 Integrations)
App Secrets Management: Dynamic Apps; Static Apps; Static Apps (Adv)
THINGS TO CONSIDER
Consistency, Adoption, Visibility
• Multi-Cloud Console Access
• IaaS
• Cloud Shadow Admins
Free Things to Help
• SkyArk
  • https://github.cyberark.com/skyark
• Kobura
  • https://kobura.io
• CyberArk Conjur and Secretless
  • https://conjur.org
  • https://secretless.io
• Blueprint for PAS Success
  • https://cyberark.com/blueprint
Thank you!