Privileged Access Management
DESCRIPTION
PAM presentation delivered at BSides-Charlotte. Video of the presentation can be found at https://www.youtube.com/watch?v=G2UY3bm8_WQ
TRANSCRIPT
Privileged Access Management (PAM)
Securing the 21st Century Enterprise
Lance Peterman
Agenda
• What is PAM?
• Industry perspective
• Why is PAM necessary?
• Identity is the New Perimeter
• In the News - Recent Data Loss / Breaches
• PAM as a Program/Service
• The Practice
• Collaboration is Key
• Use Cases
• Adoption Approach/Keys to Success
What is PAM?
What is Privileged Access Management?
Privileged access is defined as any feature or facility of a multi-user information system that enables the user to override system or application controls (e.g. Administrator, Root, or similar high-level privileges).
Privileged accounts hold special or extra permissions within a system, application or database and can significantly affect the organization’s business. These accounts can grant broad access to underlying business information in databases, grant “super user” privileges, or can be used by authorized individuals when elevated privileges are required to fix urgent problems. Privileged accounts include but are not limited to Windows Administrator, UNIX root, Oracle SYS, DBA, and Firecall accounts.
The use of privileged accounts should be managed and the password monitored when stored digitally. Privileged account activity should be logged and traceable to a unique user.
If privileged account passwords are stored in a physical location, then passwords associated with the privileged accounts should be secured and access monitored between uses.
Identity is the New Perimeter
Only one security control exists today that can unequivocally determine what you are authorized to do, regardless of your location.
[Figure labels: Old Model, New Reality]
Breaches, old and new…
SC Department of Revenue
• Compromise of privileged accounts resulted in 3.4m individual taxpayers and businesses losing sensitive data [1]
• Uber account compromised? Nope…
• Good taxpayers were compensated for this with… 1 year of credit monitoring
Saudi Aramco
• 30,000 PCs had hard drives erased through compromise of a privileged account [2]
• Insider attack suspected, abusing privileged accounts
• Most common privileged account?
• Local admin on the user’s workstation
• Does your organization vary that password?
http://www.infosecurity-magazine.com/view/28973/insiders-exploiting-privileged-accounts-likely-behind-saudi-aramco-attack-/
eBay
• Spear phishing targeted key IT resources
• Does your primary network account have privileged access?
• Two factor authentication… anyone?
Default Passwords?
http://www.theguardian.com/technology/2014/jun/10/canadian-teengers-hack-cash-machine-atm-montreal
What does that tell us?
• The threat landscape is changing… DAILY
• “The compromise of privileged access is a key stage in 100% of all advanced attacks.” – CyberSheath Report 4/13 [3]
• This is the critical attack vector for internal and external threats
• Verizon DBIR – “97% of all breaches are preventable through basic and intermediate controls.”
• 43% of respondents in a 2012 survey did not have a PAM practice or weren’t sure if they did
The Practice of Privileged Access Management (PAM)
• Designed to answer:
  • Who has access
  • When it was used
  • Where it was used from
  • What was done
Technology is only one part of the equation – People & Process are essential
Has to be part of your governance process, not just a one-off enrollment
PAM is a Collaborative Effort
Key takeaways… Make PAM part of your security DNA
Ask questions about privileged access when reviewing applications & risk
Educate business owners when possible
Cleanup of current privileged access in all environments
Define & run a new/modified process to manage access (Grant, revoke, manage exceptions. All aligned with policy)
Integrate the new model with Enterprise IT Processes
Sample of Some PAM Use Cases
Other PAM Use Cases
• Script/batch management
• Local workstation admin management
• Cloud infrastructure, SaaS accounts
• Virtualization platforms
• Look at ALL hardware platforms
Adoption Approach
Pre-Engagement - business area
• Inventory of privileged accounts & their use
• Documentation of access processes (if available)
• List of candidate systems
• Prioritization of critical systems based on key criteria
• Regulatory constraints
• Data Type (PII / IPSI)
• Create/Revise access processes
Adoption Approach
Engagement/Onboarding - PAM team and business area
• Review inventory & target systems
• Set up schedule for deployment
• Test – Verify results
• Update business processes
• Deploy into production
Keys to Success
• Fault tolerance (MUST be redundant)
• Adoption MUST have senior leadership support & be driven by policy
• Process First Approach, then focus on tooling
• Be creative, one size does not fit all
• When selecting a vendor, consider cloud implications
• Eat your own dog food first
• Don’t think you’re too small for this…
Questions?
Contact
• Twitter: @lpeterman
• LinkedIn: Lance Peterman