
Page 1
How to Engineer an Effective Access Review Program
Ram Ramadoss, Staff Information Security Engineer, Ram.Ramadoss@qwest.com
September 25, 2008

Page 2
Agenda
- Definitions
- Challenges
- Common Mistakes Made by Organizations
- Access Review – Applications, Systems and Databases
- Summary
- Q & A

Page 3
Definitions
- Identification
- Authentication, Authorization and Accounting (AAA)
- Access Control, ACLs (Access Control Lists)
- Role Based Access Control & Rule Based Access Control
- Least Privilege (Need to Know) & Segregation of Duties (SoD)
- Access Review

Page 4
Definitions (contd…)
- PCI (Payment Card Industry)
- SOX (Sarbanes-Oxley) Act of 2002
  - SOX Section 404: Assessment of internal control

Page 5
Applications/Databases and Servers – Access Overview
[Diagram. Elements: Application A, Application B, Application C; Server X, Server Y, Server Z; Database 1, Database 2, Database 3, Database 4. Labels: AAA Central Authentication; Application Users; Local Authentication; System Users; Database Users.]

Page 6
Challenges
Small Organizations:
- Many users may have full access to the system
- Users may perform multiple functions - Development, Test and Production
- Group/Shared Ids - individual accountability issues

Large Organizations:
- Large number of users and systems
- Mainframe and Legacy Systems
- User Provisioning managed by multiple groups
- Lack of custom tools for access review
- Contractors, Partners and IT Outsourcing
- Validation of non-personal ids, shared ids and ownership

Page 7
Common Mistakes Made by Organizations
- "Compliance Says So"
- Confusion between compliance and security
- Not taking a risk based approach
- Not defining the scope of review
- Tool centric rather than process centric
- Unable to sustain repetitive access reviews
- No central compliance monitoring group

Page 8
Access Review – High Level Overview
- Policies and standards: scope of review, frequency, all types of ids (employee / contractor, group ids, system ids…), authorization levels, systems, provisioning and de-provisioning processes
- Discovery – Extract ids from sample systems, analyze ids, reverse engineer and identify access and authorization rules based on the current access
- Business SMEs, Production / System Admins and DBAs support crucial
- Validate ids against access and authorization rules; obtain management approvals; identify ids and authorization levels for clean-up

Page 9
Access Review – High Level Overview
- Set up scripts to extract ids and authorization levels
- Repeat access review process at least every 90 days
- Review provisioning process - include management approvals and access/authorization rules
- De-Provisioning must address terminations, users leaving the business and moving to other job functions

Page 10
Access Review – High Level Flow
[Flowchart. Inputs: Employee Information - HR; User List – Access Levels. Steps: Review access rules -> Validation of rules and next steps -> Review ids with no access rules. Outcomes of validation: access rules require revision; access and/or authority levels require revisions; requires management approval -> Management Approval. Then: Document Revisions -> Access / Authority changes -> Complete Access Review.]

Page 11
Access Review – Applications
Overview:
- J2EE, DotNet, Mainframe, Legacy, COTS and ERP
- Business Unit users – large population
- Large number of applications

Challenges:
- Lack of process, documentation and access / authorization rules
- No consistent user id or naming standards – difficulty in mapping individual users
- Provisioning managed by multiple groups

Page 12
Access Review – Applications
Challenges:
- Applications may not use central/core authentication systems
- Group/Shared Ids, System Ids – Ownership and Accountability
- Transfer of users within the company
- No third party tool to address access review for complex application environment

Approach:
- Rule based access and periodic access review
- Conduct reverse engineering – Map ids to users, Job Titles, Business Units, Department
- Work with business unit contacts to extract access / authorization rules
- Identify owners for non-personal ids and obtain access and authorization approval
- Majority of the ids can be mapped to access / authorization rules

Page 13
Access Review – Applications
Approach (contd…):
- Ids with no access/authorization rules – Management approval is required

Important Things:
- Access/Authorization rules must be used as part of provisioning
- Applications with local authentication – Daily process review must be in place to disable/remove employees and users leaving the business
- 90 day access review – Validation of user ids against access and authorization rules
- Management approval for remaining ids; conduct ongoing clean-up
- Auto process to suspend Ids with no activity for more than XX number of days
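Worked example (added here, not the deck's own tooling): the daily and periodic checks above as a Python function that reconciles an application's local id list against an HR feed, flagging ids whose owner has left the business, ids whose owner has transferred to another job since provisioning, and ids idle longer than a threshold. The HR records, id list, review date and the 60-day threshold are constructed values (the slide leaves the threshold as "XX"); the example also assumes each id has already been mapped to an employee number, which the deck notes is itself hard where naming standards are inconsistent.

```python
from datetime import date

# Constructed HR feed, the "Employee Information - HR" input of the review
# flow. Keyed by employee number (an assumption: the deck notes that mapping
# ids to individuals is hard where naming standards are inconsistent).
HR_FEED = {
    "E100": {"status": "active", "job_title": "Sales Consultant", "department": "Business Unit A"},
    "E200": {"status": "terminated", "job_title": "Sales Consultant", "department": "Business Unit A"},
    "E300": {"status": "active", "job_title": "Repair Consultant", "department": "Business Unit B"},
    "E400": {"status": "active", "job_title": "Sales Consultant", "department": "Business Unit A"},
}

# Constructed id list for an application with local authentication.
# provisioned_as records the job title / department the id was approved for.
APP_IDS = [
    {"id": "pid1", "employee": "E100", "provisioned_as": ("Sales Consultant", "Business Unit A"),
     "last_login": date(2008, 9, 20)},
    {"id": "pid2", "employee": "E200", "provisioned_as": ("Sales Consultant", "Business Unit A"),
     "last_login": date(2008, 9, 1)},
    {"id": "pid3", "employee": "E300", "provisioned_as": ("Sales Consultant", "Business Unit A"),
     "last_login": date(2008, 9, 24)},
    {"id": "pid4", "employee": "E400", "provisioned_as": ("Sales Consultant", "Business Unit A"),
     "last_login": date(2008, 5, 1)},
    {"id": "pid5", "employee": "E999", "provisioned_as": ("Sales Consultant", "Business Unit A"),
     "last_login": date(2008, 9, 22)},
]

AS_OF = date(2008, 9, 25)  # constructed review date


def review_ids(app_ids, hr_feed, as_of, inactivity_days):
    """Map each application id to the action the review should take."""
    actions = {}
    for rec in app_ids:
        emp = hr_feed.get(rec["employee"])
        if emp is None:
            # No HR record: treat like any id without a rule and escalate.
            actions[rec["id"]] = "escalate: no HR record, owner must be identified"
        elif emp["status"] != "active":
            # Termination / leaving the business: daily disable process.
            actions[rec["id"]] = "disable: employee terminated or left the business"
        elif (emp["job_title"], emp["department"]) != rec["provisioned_as"]:
            # Transfer within the company: access must be re-approved.
            actions[rec["id"]] = "re-review: employee transferred since provisioning"
        else:
            idle = (as_of - rec["last_login"]).days
            if idle > inactivity_days:
                actions[rec["id"]] = f"suspend: no activity for {idle} days"
            else:
                actions[rec["id"]] = "ok"
    return actions


def run_review(inactivity_days=60):
    """Run the review over the constructed data (60 days is an assumed threshold)."""
    return review_ids(APP_IDS, HR_FEED, AS_OF, inactivity_days)


if __name__ == "__main__":
    for acct_id, action in run_review().items():
        print(f"{acct_id}: {action}")
```

The order of the checks matters: a terminated employee's id is disabled regardless of recent activity, and a transferred employee's id is sent back through approval before inactivity is even considered, which matches the deck's point that de-provisioning must cover both terminations and moves to other job functions.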

Page 14
Access Review – Applications

Id               | Privileges                         | Name  | Job Title            | Department
Personal ID1     | READ / UPDATE                      | John  | Sales Consultant     | Business Unit A
Personal ID3     | READ / UPDATE                      | Linda | Sales Consultant     | Business Unit A
Personal ID4     | READ / UPDATE                      | Joe   | Sales Consultant     | Business Unit A
Personal ID6     | READ                               | Ruby  | Sales Consultant     | Business Unit A
Personal ID2     | READ                               | Mary  | Repair Consultant    | Business Unit B
Personal ID7     | READ                               | Terry | Repair Consultant    | Business Unit B
Personal ID8     | READ / UPDATE                      | Mike  | Repair Consultant    | Business Unit B
Personal ID9     | READ                               | Wendy | Repair Consultant    | Business Unit B
Personal ID5     | READ / UPDATE / DELETE             | Ron   | Development Engineer | Department IT
SystemId1        | READ / UPDATE / DELETE             |       |                      |
SystemId2        | READ / UPDATE / DELETE             |       |                      |
GroupId1         | READ / UPDATE                      |       |                      |
GroupId2         | READ / UPDATE                      |       |                      |
Administrator Id | READ / UPDATE / DELETE / Add Users |       |                      | Business Unit A

Page 15
Access Review – Applications
Sample Access and Authorization Rules:
1. Sales Consultant from Business Unit A shall have READ / UPDATE access to "Sales" application
2. Repair Consultant from Business Unit B shall have READ access to "Sales" application
3. Administrator Id must be approved by XXX (Segregation of Duties)

Further Research Required:
1. Owner must be identified for System Id1, System Id2, GroupId1 and GroupId2; access and authorization levels must be validated; rules can be created based on the validation
2. Personal Id5 must be challenged – Why does an IT user require update access?
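Worked example (added here, not part of the original deck): a small Python script that performs the validation step the slides describe, checking the sample id list from the preceding table against the sample rules above and sorting each id into the outcomes the deck names: covered by a rule, exceeds its rule, no rule (management approval), non-personal id (owner required), or administrator id (SoD approval). The account data and rule table are transcribed from the slides; the category names, the use of "Add Users" as the marker for an administrator id, and the decision that holding a subset of a role's privileges counts as covered are this example's own assumptions.

```python
# Constructed id list, transcribed from the "Access Review – Applications" table.
# Fields: id, privileges, name, job title, department ("" where the slide leaves the cell blank).
ACCOUNTS = [
    ("Personal ID1", "READ / UPDATE", "John", "Sales Consultant", "Business Unit A"),
    ("Personal ID3", "READ / UPDATE", "Linda", "Sales Consultant", "Business Unit A"),
    ("Personal ID4", "READ / UPDATE", "Joe", "Sales Consultant", "Business Unit A"),
    ("Personal ID6", "READ", "Ruby", "Sales Consultant", "Business Unit A"),
    ("Personal ID2", "READ", "Mary", "Repair Consultant", "Business Unit B"),
    ("Personal ID7", "READ", "Terry", "Repair Consultant", "Business Unit B"),
    ("Personal ID8", "READ / UPDATE", "Mike", "Repair Consultant", "Business Unit B"),
    ("Personal ID9", "READ", "Wendy", "Repair Consultant", "Business Unit B"),
    ("Personal ID5", "READ / UPDATE / DELETE", "Ron", "Development Engineer", "Department IT"),
    ("SystemId1", "READ / UPDATE / DELETE", "", "", ""),
    ("SystemId2", "READ / UPDATE / DELETE", "", "", ""),
    ("GroupId1", "READ / UPDATE", "", "", ""),
    ("GroupId2", "READ / UPDATE", "", "", ""),
    ("Administrator Id", "READ / UPDATE / DELETE / Add Users", "", "", "Business Unit A"),
]

# Sample rules 1 and 2 from the slide: (job title, department) -> maximum
# privileges that role is entitled to on the "Sales" application.
RULES = {
    ("Sales Consultant", "Business Unit A"): {"READ", "UPDATE"},
    ("Repair Consultant", "Business Unit B"): {"READ"},
}

# Assumption for rule 3: any id that can add users is an administrator id.
ADMIN_PRIVILEGES = {"Add Users"}


def parse_privileges(text):
    """Split the slide's 'READ / UPDATE / ...' notation into a set."""
    return {p.strip() for p in text.split("/") if p.strip()}


def classify(account, rules):
    """Return (category, detail) for one id, mirroring the review's decision branches."""
    acct_id, priv_text, name, job_title, department = account
    privs = parse_privileges(priv_text)
    if privs & ADMIN_PRIVILEGES:
        return ("sod_approval", "administrator id: separate approval required (segregation of duties)")
    if not name:
        # Non-personal id: no person to map to a job title, so no rule can apply yet.
        return ("owner_required", "non-personal id: identify owner, validate access levels, then derive a rule")
    allowed = rules.get((job_title, department))
    if allowed is None:
        return ("management_approval", f"no rule for {job_title} / {department}")
    excess = privs - allowed
    if excess:
        # Has a rule but holds more than it permits: authority level needs revision.
        return ("revise_access", f"exceeds rule by {sorted(excess)}")
    return ("covered", f"within rule for {job_title} / {department}")


def review(accounts, rules):
    """Classify every id; returns {id: (category, detail)}."""
    return {acct[0]: classify(acct, rules) for acct in accounts}


def summary(findings):
    """Count ids per outcome category."""
    counts = {}
    for category, _ in findings.values():
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    findings = review(ACCOUNTS, RULES)
    for acct_id, (category, detail) in findings.items():
        print(f"{acct_id:17} {category:20} {detail}")
    print(summary(findings))
```

Run as a script it prints one line per id. Besides the two items the slide lists under further research, the check also surfaces Personal ID8, a Repair Consultant from Business Unit B holding UPDATE where rule 2 allows only READ; that is the kind of finding the "access and/or authority levels require revisions" branch of the high level flow exists to catch, and it is why the rules are validated against the extracted ids rather than read on their own.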

Page 16
Access Review – Operating System
Overview:
- Many users may have privileged access
- Some ids have standard access and authorization levels
- Windows / UNIX and Mainframe

Challenges:
- Provisioning managed by multiple groups
- Difficult to derive access and authorization rules
- Difficult to re-validate access permissions
- UNIX systems – may not use central authentication
- UNIX servers may have several invalid/inactive ids

Page 17
Access Review – Operating System
Approach:
- Sys Admins, Production Support Users and DBAs play a crucial role
- Extract ids and privileges. Access Review must cover all ids at the server
- Identify system accounts, global groups and privileges for each platform (Windows / UNIX)
- Access/Authorization Rules for system Ids and Ids/groups supporting multiple servers and Ids for application/database access
  - Administrators, Back-up Operators, Help Desk or Support teams
- Remaining ids require management approval

Page 18
Access Review – Windows Server

Id           | Privilege Group | Group Name                  | Name       | Job Title                                        | Department
Personal ID1 | Administrator   | Domain\Administrator        | John       | System Administrator                             | Department IT
Personal ID3 | Administrator   | Domain\Administrator        | Linda      | System Administrator                             | Department IT
Personal ID4 | Administrator   | Domain\Administrator        | Joe        | System Administrator                             | Department IT
Personal ID6 | Administrator   | Domain\Administrator        | Ruby       | System Engineer - Production Application Support | Department IT
Personal ID2 | Administrator   | Domain\Domain Administrator | Mary       | System Engineer - Production Application Support | Department IT
Personal ID7 | Administrator   | Domain\Administrator        | Terry      | Development Engineer                             | Department IT
Personal ID8 | Backup Operator | Domain\Back-up Operator     | Mike       | Analyst                                          | Department IT
Personal ID9 | Administrator   | Domain\Administrator        | Wendy      | Project Manager                                  | Business Unit 1
Personal ID5 | Power User      | Domain\Global_Group_1       | Ron        | Business Analyst                                 | Business Unit 2
SystemId1    | Power User      | Application X               |            |                                                  |
SystemId2    | Power User      | Application Y               |            |                                                  |
GroupId1     | User Right      |                             | Developers |                                                  | Department IT
GroupId2     | User Right      |                             |            |                                                  | Business Unit 1

Page 19
Windows Built-in Users and Built-in Groups

Built-in Groups:
- Account Operators
- Administrators
- Authenticated Users
- Backup Operators
- Domain Admins
- Domain Computers
- Domain Controllers
- Domain Users
- Enterprise Admins
- Everyone
- Group Policy Creators Owners
- Guests
- Network
- Power Users
- Print Operators
- RAS and IAS Servers
- Remote Desktop Users
- Server Operators

Built-in Users:
- Administrator
- Anonymous
- Guest
- Local System

Page 20
Access Review – Mid-Range Databases
Overview:
- Oracle, SQL Server, Informix, Sybase
- Potential data exposure areas
- Critical data - Company financial data, Customer financial data

Challenges:
- Databases may not follow consistent user id or naming standards – difficulty in mapping individual users
- Provisioning may be managed by multiple groups
- User ids may be used for database processes
- Developers / Business user access to databases

Page 21
Access Review – Mid-Range Databases
Challenges (contd…):
- Oracle databases may not be using central authentication
- Application Ids with DBA privileges

Approach:
- Identify users with DBA and Non-DBA privileges for each database
- Provisioning - strict management approvals for DBA access
- SoD – Restrict Developers and Testers access
- Identify owners for Non-Personal Ids – access and password restrictions
- Minimize Group/Shared Ids access to the database

Page 22
Access Review – Mid-Range Databases
Approach:
- Risk based approach – identify critical tables that contain sensitive data
- Identify users with DBA and Non-DBA privileges for each database
- Provisioning process - strict management approvals for DBA access
- SoD – Restrict Developers and Testers access to production

Page 23
Access Review – Mid-Range Databases
Approach (contd…):
- Explore AAA central authentication
- Authorization - Tables that contain sensitive data
- Logging and Auditing - monitor privileged user access
- Access and Authorization rules for users with DBA Job Titles and System Ids
- Quarterly review of all user ids
  - Ids with access and authorization rules
  - Remaining ids require management approval

Page 24
Access Review – Mainframe Databases
Overview:
- DB2, IMS and Legacy Databases
- RACF Authentication

Challenges:
- Access can be granted independently to databases, tables, views and datasets
- Some databases may have 1000s of tables
- Development/Test users - access to production environment
- Difficult to encrypt data in mainframe databases

Page 25
Stakeholders - Engagement
- Engage Business unit contacts, Application contacts, System Administrators, Application Administrators, DBAs
  - Access and Authorization Rules
  - Provisioning and De-provisioning
  - Management approvals
- Engage Security Compliance, Internal Audit and External Auditor to review for compliance

Page 26
Summary – Access Review
- Access Review Standards and Processes
- Access Review should include validation of access/authorization rules and management approvals
- Provisioning processes - access/authorization rules and management approvals
- De-Provisioning process - terminations and users leaving the business. Automated processes to de-activate invalid user ids
- Central authentication - AAA (Authentication, Authorization and Accounting)

Page 27
Summary – Access Review (contd…)
- Contractors, Service Providers and Partners access review - contractual requirements and oversight
- Group/Shared Ids - ownership and access restrictions (password expiration at periodic intervals and when users leave the business or transfer within the company)
- Development/Business users - restricted access to production databases and operating systems and least privileged access
- Logging and Auditing - monitor privileged user access
- Remote Network Access, Network Element Access & Central Authentication - Access Review

Page 28
Q & A