2013-12-18 Webcast: Building the Privileged Identity Management Business Case
DESCRIPTION
How to build a business case for Privileged Identity Management, Privileged Access Control projects and technology.
TRANSCRIPT
Webcast: Building the Privileged Identity Management Business Case
Patrick McBride, Vice President of Marketing, Xceedium
© Copyright 2013, Xceedium, Inc. 2
Agenda
• Who Are Privileged Users & Why Should You Care?
• How Are the Risks Changing?
• How to Build a Privileged Identity Management Business Case
• Introducing Xceedium Xsuite®: Next Generation Privileged Identity Management
Privileged Identity Management
Privileged Insiders Cause Real Damage: Insider Threat – Abbreviated Wall of Shame
• A former employee at the U.S. subsidiary of Japanese pharma Shionogi pleaded guilty to deleting 15 business-critical VMware host systems, costing the company $800,000.
• An IT employee at Bank of America admitted that he hacked the bank's ATMs to dispense cash without recording the activity.
• A contract programmer fired by Fannie Mae was convicted of planting malicious code intended to destroy all data on nearly 5,000 internal servers.
• A Goldman Sachs programmer was found guilty of stealing computer code for high-frequency trading from the investment bank when he left to join a startup.
• A Utah computer contractor pleaded guilty to stealing about $2 million from four credit unions for which he worked.
Who Are Privileged Users?
[Diagram: on-premise employees and partners (systems, network, DB and application admins) and public-cloud administrators (VMware administrator, AWS administrator, Microsoft Office 365 administrator) reach applications over the Internet, alongside unauthorized users and hackers (malware/APT).]
How Bad is the Insider Threat?
[Chart: percentage of participants who experienced an insider incident. Source: 2013 US State of Cybercrime Survey, CSO Magazine, USSS, CERT & Deloitte (501 respondents).]
Insider Threat Statistics
• Insiders were the top source of breaches in the last 12 months; 25% of respondents said a malicious insider was the most common way a breach occurred. (Forrester)
• 33.73% of respondents find insider crimes likely to cause more damage to an organization than external attacks (31.34%). (CERT Insider Threat Center)
• "...insiders, be they malicious or simply unaware, were responsible for 19.5% of incidents, but a staggering 66.7% of 2012's exposed records." (Open Security Foundation)
• "Insiders continue to be a threat that must be recognized as part of an organization's enterprise-wide risk assessment." (CERT Insider Threat Center)
Building Blocks for a PIM Business Case
• ROI - "It will save us money…"
• Risk Reduction - "It will make our systems and data safer…"
• Compliance - "Because we have to…"
Beware of the perfect business case.
Best Practice Reminder… "Make it your own"
Return on Investment: It will save us money…
Investment X (Process & Technology) = Cost Savings Y
Beware of the spreadsheet trap!
Is a logic argument good enough?
Return on Investment: Password Management
ROI Calculation
Time Savings (per annum) = Total Passwords × Number of Changes/Year (most organizations require monthly or quarterly changes) × Time to Change (some number of seconds)
Annual Cost Savings = Time Savings (in hours) × Sys Admin Cost/Hour (fully loaded)
This does not factor in any savings from the ability to enforce password composition (strong passwords). There may not be much savings there, but it does save time in audits (we'll cover that later).
Return on Investment: Single Sign-on
ROI Calculation
Time Savings (over some period of time) = Time Savings per Login* (some number of seconds) × Total Logins
Annual Cost Savings = Time Savings (in hours) × Sys Admin Cost/Hour (fully loaded)
* The time the systems administrator saves by being able to SSO to the target, versus looking up a password (passwords should be different for each target system and hard to guess, no?)
Return on Investment: Shortening Investigations
ROI Calculation
Investigations:
Time Savings (in days/year) = Time Savings per Incident (some number of days) × Number of Incidents to Investigate
Annual Cost Savings = Time Savings (in days) × Security Investigator Cost/Day (fully loaded)
Spot Checks:*
Total Cost Savings = Time Savings per Spot Check (in hours) × Number of Spot Checks × Sys Admin Cost/Hour
* With active monitoring and alerting, one could also argue you can reduce the total number of spot checks. For example, only do them when there is a key triggering event, such as when a sys admin leaves the organization, or when you fire a contractor or service provider.
Return on Investment: …and more
• Federated Identity vs. Islands of Identity
• Simplified Audits
Risk Reduction: It will make our systems and data safer…
• Impact of a Loss
• Key Risks PIM Can Mitigate
• Best Practices
Risk Reduction: Impact of a Loss…
• Hard dollar financial losses – theft of cash and financial instruments
• Intellectual property loss – theft of strategic plans, inventions, important corporate data, etc.
• Reduced/deferred revenue – the operational impact caused by network and system outages stemming from a breach
• Fines – fines imposed by regulators
• Contractual losses – financial penalties imposed by customers through contracts or lawsuits
• Recovery cost – the cost of investigating and cleaning up from a breach (a recent Ponemon Institute study notes it takes an average of 44 days–and multiple employees–to recover from a breach by an insider)
Calculating an actual dollar figure for potential loss is difficult to impossible.
Risk Reduction: Key Risks PIM Can Mitigate…
• Lost or stolen privileged account credentials
• Unauthorized administrative access to systems
• Ability to "land and move laterally"
• Over-privileged users
• Anonymous use of privileged accounts
• Inability to enforce least privilege for critical systems
• Minimal or missing forensic data for investigating and adjudicating insider threat cases
Risk Reduction: Best Practices for Managing Privileged User Risks
1. Create a process for on/off-boarding privileged users
   • Background checks
   • Ensure policy review & training
   • Periodic (ongoing) entitlement reviews
2. Implement least privilege (least everything)
   • Least device access
   • Least functional access (console, CLI, FTP)
   • Least command execution (e.g., "drop", "telnet", "reboot")
3. Implement strong authentication
   • Strengthen legacy user ID and password mechanisms
   • Implement two- or three-factor authentication
4. Separate authentication from authorization (entitlements)
   • Remove direct end-point access
5. Protect privileged account credentials
6. No anonymous activity – ensure privileged sessions can be "attributed" to a specific individual (not just an IP address or shared account)
7. Implement extra protections for the most critical assets/privileged accounts (e.g., management consoles)
8. Alert on violations (proactive controls); lock out the account/session on violations
9. Log & record EVERYTHING (forensics)
10. Mind the virtualization API gap
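Practices 2, 6, 8 and 9 above (least command execution, attribution to an individual, alert and lock on violation, log everything) are what a session broker sitting between the administrator and the target enforces. The following is an added example written for this page, not Xceedium or Xsuite code; the role names, the deny patterns, the lockout threshold and the sample session are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed per-role deny rules (illustrative, not from the deck): a regex match
# on the submitted command line denies it. The slide's "drop", "telnet" and
# "reboot" are represented. Patterns are anchored/word-bounded so that a
# command such as "dropbox_sync" is not caught by the "drop" rule.
ROLE_DENY: Dict[str, List[str]] = {
    "dba": [r"^\s*drop\s+(table|database)\b", r"^\s*(reboot|shutdown|telnet)\b"],
    "netadmin": [r"^\s*(telnet|reload|reboot)\b"],
}
DEFAULT_DENY: List[str] = [r"^\s*(reboot|shutdown|telnet)\b"]  # unknown roles


@dataclass
class Session:
    session_id: str
    user: str            # the individual (e.g. "alice"), never the shared account
    role: str
    target: str
    shared_account: str  # vaulted account the session is mapped to (e.g. "root")
    violations: int = 0
    locked: bool = False


@dataclass
class SessionBroker:
    max_violations: int = 2           # lock the session at this many denials
    audit: List[dict] = field(default_factory=list)
    alerts: List[dict] = field(default_factory=list)
    _rules: Dict[str, List[re.Pattern]] = field(default_factory=dict)

    def rules_for(self, role: str) -> List[re.Pattern]:
        if role not in self._rules:
            pats = ROLE_DENY.get(role, DEFAULT_DENY)
            self._rules[role] = [re.compile(p, re.IGNORECASE) for p in pats]
        return self._rules[role]

    def _log(self, s: Session, command: Optional[str], decision: str, **extra) -> None:
        # Every event carries the individual AND the shared account it maps to,
        # so the record ties to a person, not just an IP address or "root".
        self.audit.append({"session": s.session_id, "user": s.user,
                           "account": s.shared_account, "target": s.target,
                           "command": command, "decision": decision, **extra})

    def open_session(self, session_id, user, role, target, shared_account) -> Session:
        # No anonymous activity: refuse to open a session in the name of the
        # shared account itself, or with no identity at all.
        if not user or user == shared_account:
            raise ValueError("session must be attributed to an individual user")
        s = Session(session_id, user, role, target, shared_account)
        self._log(s, None, "open")
        return s

    def submit(self, s: Session, command: str) -> bool:
        """Return True if the command may be forwarded to the target."""
        if s.locked:
            self._log(s, command, "rejected_locked")
            return False
        hit = next((r for r in self.rules_for(s.role) if r.search(command)), None)
        if hit is None:
            self._log(s, command, "allowed")
            return True
        s.violations += 1
        self._log(s, command, "denied", rule=hit.pattern)
        self.alerts.append({"session": s.session_id, "user": s.user,
                            "command": command, "rule": hit.pattern})
        if s.violations >= self.max_violations:
            s.locked = True
            self._log(s, command, "locked")
        return False


def run_demo() -> dict:
    """Constructed session: a DBA mapped onto the shared 'oracle' account."""
    broker = SessionBroker(max_violations=2)
    s = broker.open_session("s-1001", "alice", "dba", "db01.example", "oracle")
    results = [broker.submit(s, c) for c in (
        "select count(*) from users",
        "DROP TABLE audit_log",       # denied, alert raised
        "dropbox_sync --now",         # allowed: not the 'drop' keyword
        "reboot",                     # denied, second violation: session locked
        "ls /var/tmp",                # rejected, session is locked
    )]
    return {"results": results, "locked": s.locked, "violations": s.violations,
            "decisions": [e["decision"] for e in broker.audit],
            "alerts": len(broker.alerts)}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The audit list is the forensic record practice 9 asks for: each entry names the person, the shared account they were mapped onto, the target and the decision, so a spot check or investigation can be run over it directly rather than over the target's own logs, which only ever see "oracle" or "root".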
Increased Regulatory and Auditor Scrutiny
New requirements around privileged/administrative users:
• FISMA/NIST 800-53 (r4)
• PCI DSS
• NERC Critical Infrastructure Protection
• HIPAA, SOX, etc.
• International security/privacy regulations
NIST SP 800-125, "Guide to Security for Full Virtualization Technologies"
Restrict and protect administrator access to the virtualization solution:
• "The security of the entire virtual infrastructure relies on the security of the virtualization management system."
• "…start guest OSs, create new guest OS images, and perform other administrative actions. Because of the security implications of these actions, access to the virtualization management system should be restricted to authorized administrators only."
• "Secure each management interface, whether locally or remotely accessible."
• "For remote administration, the confidentiality of communications should be protected, such as through use of FIPS-approved cryptographic algorithms and modules."
Building Blocks for a PIM Business Case
• ROI - "It will save us money…"
• Risk Reduction - "It will make our systems and data safer…"
• Compliance - "Because we have to…"
Beware of the perfect business case!
Next Generation PIM Requirements
1. Comprehensive/integrated control set
2. Protect systems, applications and consoles across the hybrid cloud
3. Architected specifically for highly dynamic public/private clouds
June 2013
Introducing Xsuite®: Next Generation Privileged Identity Management
[Architecture diagram: an enterprise-class core with identity integration and unified policy management, deployable as a hardware appliance, OVF virtual appliance or AWS AMI.]
Control and Audit All Privileged Access
• Vault Credentials
• Centralized Authentication
• Federated Identity
• Privileged Single Sign-on
• Role-Based Access Control
• Prevent Leapfrogging
• Monitor & Record Sessions
• Full Attribution
Protected environments:
• Traditional Data Center – Mainframe, Windows, Linux, Unix, Networking
• New Hybrid Enterprise – Virtualized Data Center (VMware Console), SaaS Applications (Office 365 Console), Public Cloud IaaS (AWS Console & APIs)
What Sets Xsuite Apart? Next Generation Privileged Identity Management
Xsuite is the only platform with:
• Comprehensive, integrated controls enforced across hybrid environments
• Unified policy management
• Protection for management consoles and guest systems
• Integration with VMware, AWS and Microsoft Office 365
• Control and auditing of AWS management API calls
• Architected for dynamic, elastic cloud environments
• Deployment choice: hardware, OVF or AMI appliances
Superior performance & scalability. Integration with existing systems and infrastructure. Most highly certified solution available.
Contact Us
2214 Rock Hill Road, Suite 100, Herndon, VA 20170
Phone: 866-636-5803
facebook.com/xceedium
@Xceedium, @pmcbrideva1