Pre-Con Ed: Privileged Identity Governance: Are You Certifying Privileged User Access?

Robert Marti

SCX207E

SECURITY

Product Marketing, CA Technologies

COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED #CAWORLD #NOBARRIERS

For Informational Purposes Only: Terms of This Presentation

© 2017 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.

The content provided in this CA World 2017 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.

Abstract

Many organizations have a solution to control the access and actions of privileged users. But that’s not enough for a complete privileged user management solution—you must also govern access to make sure that only the correct users have elevated privileges, and that they have only the privileges that they need. In this session, you will get an in-depth understanding of how you can reduce your risk through this capability unique to CA.

Robert Marti, CA Technologies, Product Marketing, Manager

Agenda

1. BUSINESS CHALLENGES
2. INTRODUCING PRIVILEGED IDENTITY GOVERNANCE
3. SOLUTION OVERVIEW
4. USE CASES
5. SUCCESS STORY

Privileged Identity and Access Are Most Frequently Exploited Attack Vectors

• 71% of users say they have access to data they shouldn’t.
• 80% of IT Professionals say their company does not enforce least privilege.
• 80% of all breaches utilize lost, stolen, or weak credentials.
• 60% of all malware uses privilege escalation or stolen credentials.

BIGGEST CYBER ATTACKS EXPLOIT PRIVILEGED ACCESS: Creating An Expanding Radius of Data Loss

• DROPBOX: 68M Records
• LINKEDIN: 167M Records
• YAHOO: 500M Records
• EQUIFAX: 150M Records
• TUMBLR: 65M Records

Excessive Access Causes Embarrassing Fraud Cases

• Adobe: Loses 40G of source code for core products
• AT&T Call Center: Discloses personal data for 25M customers
• Société Générale: Rogue trader aggregates privileges for a $7.8B loss

Excessive Access CORRUPTS

PRIVILEGED Access CORRUPTS ABSOLUTELY

The Reason This is Happening: Pattern is Repeatable

77% attacks Internal Credentials 30%

28% Executives & Administrators

End-users with Excessive privileges

THE KILL CHAIN: GAIN ACCESS/EXPAND, ELEVATE PRIVILEGE, STEAL DATA

Identity is the most frequently exploited attack vector

Where Companies Have Not Self-Regulated, Others Have Imposed Requirements

THE GLOBAL WEB OF PRIVACY COMPLIANCE

• HITECH
• GDPR
• FATCA
• PSD2
• HSPD
• HIPAA
• POPI
• 201 CMR 17
• OAIC
• CalOPPA
• AADHAR
• PCI DSS
• FFIEC

So It Is Not Just a Technology Problem
It Is a Privileged Governance Problem

• Privileged Access Request: Streamline the request, audit and fulfillment of privileged users.
• Certify Privileged Access: Provide audit reporting and manager attestation of user access to privileged accounts.
• De-provision Privileged Access: When users separate from the company, remove or disable the associated privileged accounts.
• Remediate Excessive Access: Take workflow driven action to remove excessive access.

Challenges to the Business: Issues With Legacy IAM Solutions

LEGACY IAM SOLUTIONS:

• Focused on protecting on-premise applications
• Were highly customizable and required specialists
• Had significant costs to deploy, configure, and maintain

AS A RESULT:

• 64% of enterprises have no IAM monitoring tools
• 72% of enterprises do not do access review or certification
• 62% of enterprises have no access request process in place

Our Privileged Identity Management Solution Leverages a Defense in Depth Approach

INTEGRATED OVERLAPPING CONTROLS TO REDUCE RISK

• Privileged Identity Management: Reducing audit risk and achieving least privilege
• Advanced Authentication: Preventing account takeover with multifactor credentials
• Threat Analytics for PAM: Monitoring privileged activities for abnormal usage/behaviors
• PAM Server Control: Locking down file systems and server resources
• Privileged Access Manager: Securing privileged access and preventing lateral motion

Introducing CA Privileged Access Manager

• Role-based and fine-grained access control over privileged accounts
• Privileged user credential protection
• Monitor, audit and record privileged sessions
• Multifactor authentication, single sign-on, and federation support
• Support security and privacy regulations

Lower Total Cost of Ownership

Faster Time to Value

Hybrid Environment Support

Performance at Scale

Why Is Privileged Access Governance Needed?

The Situation Today

• Privileged Access Management (PAM) is mostly a standalone solution that implements critical security and compliance controls managing and monitoring use of sensitive access.
• In most cases, it is separated from the corporate Identity Management.

The Outcome

• Lack of overall visibility to “who has access to what.”
• Missing approval and auditing information for “why access was granted.”
• Inability to enforce consistent identity policies such as Segregation Of Duties.
• No risk analysis for overall user access.
• Fragmented compliance with regulatory requirements (examples: ISO27002 sections 8.1.2 “ownership of assets” and 9.2.5 “review of access rights”).

Introducing CA Identity Suite

• Self-service identity portal
• Business-friendly entitlements catalog
• Proactive analytics
• Deployment Xpress
• Audit and compliance streamlining

Privileged Identity Compliance

Privileged Identity Lifecycle Management

Improved Privileged Access Security

CA Identity Suite Integration With CA Privileged Access Manager

How it integrates

• Provides “out-of-the-box” connector for CA PAM

What it does

• Manages PAM Accounts and their assignments to Roles, Groups, & Devices (provisioning and de-provisioning)
• Supports local and LDAP/AD accounts
• Supports granular assignment including start/end dates, scoping and policies

CA Identity Suite & CA PAM Integration: Requesting Privileged Access

What it does

• Easy-to-use “shopping cart” experience for requesting PAM permissions
• Workflow approvals for submitted requests
• Risk analysis of combined privileged and non-privileged access
• Segregation of duties compliance check
• Automated provisioning fulfillment

CA Identity Suite & CA PAM Integration: Requesting Access to Privileged Account

CA Identity Suite & CA PAM Integration: Evaluating Risk Associated With Requested Account

CA Identity Suite & CA PAM Integration: Requesting Access to Privileged Account

CA Identity Suite & CA PAM Integration: Certifying Privileged Access

CA PAM Account certification

Update HR reports

Mitigate access risk

What It Does

• Automated collection of access permissions via CA Identity Suite connector
• Provides “out-of-the-box” user and access certification processes for CA PAM
• Easily identifies users with excessive access
• Enriches experience with last login and usage logs
• Automated removal of access permissions that are rejected by approvers

CA Identity Suite and CA PAM Integration: Reviewing and Certifying Privileged Access

Privileged Identity Governance: Summary of Capabilities

FULL PRIVILEGED IDENTITY LIFECYCLE MANAGEMENT

• ONBOARDING
• PROVISIONING
• SELF-SERVICE
• ACCESS REQUESTS
• RISK ANALYSIS
• CERTIFICATION
• DEPROVISIONING
• OFFBOARDING

Case Study

The Business Challenge: Source Code Governance at CA Technologies

• 3,000 engineers are using over 12 major source code management tools.
• Access audits were a drain on people and money.
• Compliance audits took more than 20,000 employee hours.

OUR GOAL: Govern access to source code and improve productivity and the overall user experience

OUR CHALLENGE: Manual process that was extremely costly

The Solution: CA Identity Governance

• All access reviews are now performed via automation.
• Incorrect access is quickly remediated.
• IP controls are much easier to execute, and…
• Frequent Engineering personnel changes can be handled quickly while still enforcing strong security over the source code.

[Diagram labels: Engineers (>3,000); Requests access; CA Identity Governance; Access granted; Source Code Repositories (>5,000); Manager Certifies Access; Auditor Validates Certification]

CA Identity Governance validates access rights to nearly 5,000 source code repositories across all source management tools.

The Results: Significant Time & Cost Savings

• 75% reduction in audit time via automated data collection for compliance audits
• 90% drop in administrative overhead
• Engineers love the new world-class source code management ecosystem
• Orphan source code access quickly identified and removed
• Saved thousands of hours of employee time thanks to automated certification

The Results: A Closer Look at the Savings

[Chart: Savings in Source Code Attestation. Y-axis: PERSON YEARS. X-axis: FY14, FY15, FY16, FY17.]

Must See Demos

• Security Starts With Identity (Security Content Area)
• Control High Value Access (Security Content Area)
• Manage Your Software Risk (Security Content Area)
• Let’s Talk Upgrades (Security Content Area)
• Deliver Frictionless Access (Security Content Area)

Questions?

Stay connected at communities.ca.com

Thank you.

Security

For more information on Security, please visit: http://cainc.to/CAW17-Security