These materials are © 2016 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.
Securing Enterprise Identities Centrify Special Edition
by David Seidl
Securing Enterprise Identities For Dummies®, Centrify Special Edition Published by John Wiley & Sons, Inc. 111 River St. Hoboken, NJ 07030‐5774 www.wiley.com Copyright © 2016 by John Wiley & Sons, Inc., Hoboken, New Jersey No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748‐6011, fax (201) 748‐6008, or online at http://www.wiley.com/go/permissions. Trademarks: Wiley, For Dummies, the Dummies Man logo, The Dummies Way, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book. LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. 
NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ. ISBN 978‐1‐119‐22478‐5 (pbk); ISBN 978‐1‐119‐22479‐2 (ebk) Manufactured in the United States of America 10 9 8 7 6 5 4 3 2 1
For general information on our other products and services, or how to create a custom For Dummies book for your business or organization, please contact our Business Development Department in the U.S. at 877‐409‐4177, contact
[email protected], or visit www.wiley.com/go/custompub. For information about licensing the For Dummies brand for products or services, contact
[email protected].
Publisher’s Acknowledgments Some of the people who helped bring this book to market include the following: Development Editor: Elizabeth Kuball Copy Editor: Elizabeth Kuball Acquisitions Editor: Amy Fandrei Editorial Manager: Rev Mengle
Business Development Representative: Karen Hattan Production Editor: Antony Sami
Introduction
For years, companies have designed networks around a traditional security model meant to protect local systems. This “network perimeter” included layers of firewalls, intrusion detection systems, and other network security devices and systems intended to keep data safe against attack. But today, attackers are focusing on a specific type of threat — compromised credentials. In fact, the leading point of attack used in data breaches is compromised credentials and the privileges that go with them. Attackers know that with the right credentials, they no longer have to fight through the old “perimeter” defenses. They now use stolen credentials to gain access to your critical data, just like an employee. Your traditional security perimeter is no longer the strong wall that you once envisioned it to be.

This new world of advanced threats that leverage deep expertise to maintain long‐term access to networks and systems means that you need to move your first line of defense to the user accounts and the privileges they have — the same things that make them attractive to attackers. Architecting security around identity allows you to create a new security perimeter that keeps your identities and, thus, your organization secure.

Of course, your organization is changing in other ways, too: Linux and virtualization have invaded the datacenter, and cloud infrastructure, SaaS apps, mobile devices, and a mobile workforce mean that the traditional ways of securing and managing organizational assets just don’t work anymore. The same identity platform that enables you to redefine your security perimeter can also allow you to secure access to on‐premises and hosted infrastructure and apps from mobile devices, including device management, access monitoring, compliance, and reporting, all without leaving behind your existing infrastructure and systems.
Securing Enterprise Identities For Dummies, Centrify Special Edition
About This Book

This book explores the role of identity in cybersecurity. I explain how the traditional datacenter defenses are no longer sufficient and how they need to change to protect against evolving threats. I show you how an identity platform is a critical part of a modern security perimeter, and how you can leverage your existing investments in identity to secure privileged access, enterprise mobility, and remote access. Lastly, I discuss how identity‐based policy can enhance your monitoring, compliance, and operational capabilities across today’s hybrid IT environment of cloud, mobile, and on‐premises resources.
Icons Used in This Book

The margins of this book use several helpful icons that can help guide you through the content:

This icon marks tips that can save you time and effort.

This icon is for the technical types who are reading the book. The information marked by this icon may be geeky, but it can be useful, too.

If you see this icon, make sure to pay attention — you’ll want this knowledge at hand later.

This icon marks something that you’ll want to take note of because it can cause problems.
Beyond the Book

You can find additional information about Centrify’s identity solutions, including single sign‐on, multifactor authentication, mobile and Mac management, privileged access security, and session monitoring at www.centrify.com.
Chapter 1
Understanding the Current Anatomy of Enterprise IT

In This Chapter
▶ Looking at the infrastructure of enterprise IT
▶ Seeing how mobile differs from traditional desktop computing
▶ Considering users and access requirements
The best way to understand how new threats are changing where security perimeters have to be defined is to explore how most organizations currently implement their datacenter and infrastructure security. In this chapter, I explain traditional and software‐defined datacenters, new models for cloud operations, user and access requirements, and how those elements interact.
Looking at Traditional and Software‐Defined Datacenters

You probably have a picture in your head of what a traditional datacenter looks like: a large room filled with rack‐mounted servers with hundreds or thousands of LEDs blinking while the room’s heavy‐duty cooling system blows cold air to keep everything from overheating. That traditional datacenter model has been the standard in one form or another for most organizations for decades. In fact, most organizations are still using a traditional datacenter — or at least a closet with some servers stuffed into it somewhere in their building!

Many organizations have also made significant investments in software‐defined datacenters based on virtualization. This is typically done using a product like VMware, Microsoft’s Hyper‐V, KVM, Xen, or Docker. Using these tools, various applications, systems, and network devices can be created in virtual environments, allowing them to share underlying hardware and network resources while being centrally managed by the virtualization platform.

Both traditional and software‐defined datacenters are typically designed with a layered security approach like the design shown in Figure 1‐1. This design is intended to protect the organization’s critical information and computational assets from outside attackers. It’s built from layers of routers, firewalls, intrusion detection systems, and other security and network devices that provide concentric layers of security.
Figure 1-1: The traditional datacenter security model.
Chapter 1: Understanding the Current Anatomy of Enterprise IT
All these security tools are like locked doors: They’re only as strong as the key that unlocks them. Hackers know that trying to break down the door is very hard. But if you have the key to the lock, walking in couldn’t be easier. That means that there is always a way past this layered security: the accounts and remote access systems that administrators use to manage the systems they protect. Of course, that also means that the protective devices themselves can be a route in if administrative credentials are compromised. As organizations move to the cloud and hosted infrastructure, this gets harder because your boundaries are in many places.

When you consider identity as part of your organizational security, two terms are very important to remember: AuthZ and AuthN. These stand for authorization (AuthZ), which is the set of rights and roles you are provided, and authentication (AuthN), which is the verification of who you are. Both are needed to ensure security and usability!
Moving to the Cloud

The past few years have seen the advent of broadly accessible cloud computing. The cloud provides you with the ability to outsource software, platforms, or even IT infrastructure itself to another organization, which typically has a much larger IT footprint, specialist knowledge, and more staff to handle the environment than you might. Cloud computing offers some significant advantages that are driving many companies away from traditional datacenters, including the following:

✓ Cost savings on physical datacenter facilities (cheaper space, power, and cooling costs)
✓ Scalability to fit actual usage, rather than in large chunks by adding a server, storage array, or other large piece of IT infrastructure
✓ Redundancy and disaster recovery capabilities beyond a single building or datacenter
✓ Greater reliability without having to build it in‐house
✓ Faster upgrade and update cycles for software and systems
These benefits are usually delivered in one of three common models that you might encounter: Software as a Service, Platform as a Service, and Infrastructure as a Service. Each offers a different approach to computing outside of a traditional on‐site datacenter, with different benefits and considerations to keep in mind as you consider cloud services:

✓ Software as a Service (SaaS): SaaS is a model that provides software via the Internet, as a service. SaaS typically has the least operational overhead because it relies on the vendor to run all the underlying tools, systems, and services that make the software function. Security for SaaS is primarily in the vendor’s hands because they control the underlying hardware, software, and infrastructure, leaving you to provide user‐account‐based security and integration with your own systems and data. Because SaaS leaves accounts as your primary means of control, integrating SaaS tools with your central identity management system can provide both security control and usability benefits by leveraging centrally managed credentials and access controls.
✓ Platform as a Service (PaaS): PaaS describes a range of services that underlie a technology platform or service. It provides your organization with the platform but requires more support because you receive the platform and must configure and support it. Here, the security model relies more on your organization’s configuration and use of the platform, as well as how you handle and integrate identity and access management.
✓ Infrastructure as a Service (IaaS): IaaS provides outsourced systems, networks, storage, and other components. These are typically provided much like they would be in a virtualized or software‐defined environment, but at a much larger scale by the IaaS provider. Because this is much more like running your own datacenter in the cloud, you’ll have most of the same operational and security requirements as you would in a traditional datacenter, with the caveat that they may need to integrate with your IaaS provider’s systems.
If your organization finds that cloud services are a good fit, it probably won’t just jump directly to the cloud all at once, which means you’ll be partially in a traditional datacenter or software‐defined datacenter model while also using cloud services. These split models are known as hybrid operating models, with a split between on‐premises and off‐premises software and services.
Looking at the Major Models for Applications

Whether you run a traditional or software‐defined datacenter, or whether you use cloud services, the reason that your datacenter exists is to run the applications that you need to conduct your business. As you may expect, there are a few major models for applications, and each of them has implications for your security perimeter and operations.

On‐premises applications

For years, most of the applications that your organization used were likely on‐premises, with local servers and infrastructure to keep them running. Both traditional and software‐defined datacenters host on‐premises applications, and even organizations that have moved a lot of their infrastructure and applications to the cloud still use on‐premises applications. This means that security operations still need to account for how existing systems that use Active Directory, LDAP, or other local accounts can integrate into a hybrid environment.

Cloud applications

Cloud applications change your identity needs because they require integration with AuthN (authentication) and AuthZ (authorization) services. Many cloud applications rely on technologies like SAML, OpenID, OAuth, or SCIM. Integrating these with existing on‐premises systems can be a challenge if your current systems aren’t built to work with the cloud!
These standards can be confusing, so here’s a quick overview of what they are:

✓ SAML is the Security Assertion Markup Language, an XML‐based protocol for authorization and authentication. It is frequently used to eliminate the need for text‐based passwords and to provide single sign‐on.
✓ OpenID is often used along with OAuth, where it provides the authentication layer for integrations.
✓ OAuth is a widely used authorization technology, with similar benefits to SAML but a different implementation.
✓ SCIM is the System for Cross‐domain Identity Management. It helps with user management in the cloud by providing ways to represent users and groups, among other features.
Big data

There’s a lot of information in really large datasets, and analyzing them using big data tools can provide a major competitive advantage. The same treasure trove of data and the analysis tools that you need to deal with it can also create new security challenges. Big data tools like Hadoop are often run in a nonsecure mode, particularly during development, and locking them down by requiring AuthZ and AuthN controls can be challenging. Making big data part of your identity infrastructure is key to keeping your big data environment secure.

Mobile applications

Mobile applications add yet another layer of complexity. Some are native applications for mobile platforms like Apple iOS or Android, while others are built to work on both traditional PCs via a web browser and on mobile devices. Making the applications work with your infrastructure can be an adventure in much the same way that cloud application integration can be challenging.
Comparing Mobile and Desktop Computing

In addition to the move to cloud computing, the growth of mobile computing has been a major driver for enterprise IT change. The changes driven by laptops, and now by smartphones and tablets, have resulted in a desire to be able to work anywhere, from any device, at any time.

Traditional desktop computing

Traditional enterprise computing has been built around desktop computers and laptops that were often standardized, centrally managed, and in predictable locations on a network owned and managed by the organization. There are still a lot of enterprise computing platforms that use this model, but mobile computing is growing quickly, and that growth means that the old model of providing security by controlling your organizationally managed desktops is changing.

Mobile computing

Mobile computing covers a broad variety of computing that isn’t conducted at a user’s desk. In very broad terms, mobile computing is composed of two major groups of devices:

✓ Smartphones and tablets: Smartphones and tablets typically don’t run typical enterprise applications — they’re used to access web and native iOS and Android applications. In addition, they typically don’t provide the same security controls and visibility that a traditional desktop does. To make things even more challenging, many of them are personally owned and yet are still used to conduct organizational business.
✓ Laptops: Mac and PC laptops, whether they’re personally owned or are the property of your organization, make up the other half of the mobile computing movement.

The need to handle personally owned devices in a variety of locations — from the office down the hall to a Starbucks in another country — means that identity, rather than the computing platform, is likely to be your first line of defense.
VPN and identity

Offsite access can be a security challenge because it’s hard to prove that the user who is logged in is actually who they claim to be. In fact, in 2013, the Verizon Risk team reported that they investigated a software developer in the United States who had outsourced his own job to China! During a normal security audit, a user’s account was discovered to be logging in from China every day, despite the user being at his desk. Further investigation showed that he was paying a Chinese contractor to do his work at a discounted rate while he himself surfed the web all day from his desk. It turned out that he was also employed elsewhere and had contracted those jobs out as well!

This story is just one example of how identity is an important part of security management. In this case, matching identity to location data and access logs would’ve helped catch the issue far sooner. If you’d like to read the whole story, you can find it here: https://securityblog.verizonenterprise.com/?p=1626.
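The check the story calls for, matching where an account authenticates from against where the person physically is, is straightforward to script once VPN and badge-reader logs sit side by side. The Python below is an added example, not code from the book or from Centrify; the log formats, user names, countries and the 12-hour correlation window are all constructed for illustration, and a real deployment would read the same fields from whatever your VPN concentrator and badge system actually emit.

```python
"""Correlate VPN login geolocation with physical badge presence.

Added example (not from the book or Centrify): flags accounts that
authenticate to the VPN from one country while the same person badged
into an office in a different country within a short window. Both log
formats below are constructed for the example.
"""
from datetime import datetime, timedelta

# Constructed VPN authentication log: UTC time, user, source country, result
VPN_LOG = """\
2013-01-14T08:02:11Z bob CN success
2013-01-14T08:15:40Z alice US success
2013-01-14T08:20:05Z eve CN failure
2013-01-15T07:58:03Z bob CN success
2013-01-15T09:30:12Z carol DE success
"""

# Constructed badge-reader log: UTC time, user, country of the office
BADGE_LOG = """\
2013-01-14T13:05:00Z bob US
2013-01-14T13:10:00Z alice US
2013-01-15T13:01:00Z bob US
"""

# A person cannot plausibly be in two countries within this span
WINDOW = timedelta(hours=12)


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_vpn(text):
    """Return (time, user, country) for each successful VPN login."""
    events = []
    for line in text.splitlines():
        ts, user, country, result = line.split()
        if result == "success":
            events.append((_parse_ts(ts), user, country))
    return events


def parse_badge(text):
    """Return (time, user, office_country) for each badge swipe."""
    events = []
    for line in text.splitlines():
        ts, user, country = line.split()
        events.append((_parse_ts(ts), user, country))
    return events


def find_location_conflicts(vpn_text, badge_text, window=WINDOW):
    """Return (user, vpn_time, vpn_country, office_country) for every VPN
    login whose source country differs from the office the same user
    badged into within `window` of the login."""
    badges = parse_badge(badge_text)
    alerts = []
    for vpn_ts, user, vpn_country in parse_vpn(vpn_text):
        for badge_ts, badge_user, office_country in badges:
            if badge_user != user:
                continue
            if abs(badge_ts - vpn_ts) <= window and office_country != vpn_country:
                alerts.append((user, vpn_ts.isoformat(), vpn_country, office_country))
                break  # one alert per login is enough
    return alerts


if __name__ == "__main__":
    for alert in find_location_conflicts(VPN_LOG, BADGE_LOG):
        print("location conflict:", alert)
```

Only the user whose VPN source country disagrees with a same-day badge swipe is reported; a user who badges in and also connects from the office country, or who has no badge record at all, produces nothing. In practice the window and the country granularity are the tuning knobs: too tight a window misses long-running sessions, too coarse a location makes domestic travel look like a conflict.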
Defining Users and Access Requirements

As computing environments have become more complex, the number and types of users have increased. At the same time, the set of rights, roles, and policies that control access have become even harder to maintain, making automation and centralization key to success. The final major element of enterprise IT is the set of users who use and maintain the IT infrastructure, applications, and data that it exists to support. There are many types of users in a typical enterprise, including the following:

✓ Administrators and power users: The most trusted users, and those who have the most power granted to them, are administrative and power users. Their accounts give them greater rights, so they’re likely targets for attackers.
✓ Privileged accounts: IT administrators have access to a special type of shared system or application accounts, which provide access to sensitive data, the ability to change or grant access, or the ability to delete or damage critical systems. These so‐called “privileged accounts,” such as the root account or local administrator account, are the digital equivalent of a master key. Special care needs to be taken in order to protect these accounts and their associated privileges, including auditing, monitoring, and logging.
✓ Employees: Typical employees make up the bulk of your users for enterprise IT systems, and they can create complexity due to the variety of roles and positions they can hold. Over time, many employees end up accumulating a broad range of rights if they aren’t carefully managed, and even a normal employee account can be useful to attackers as a way into your systems and applications.
✓ Contractors and outsourced IT: Contractors can create a unique set of requirements because they’re typically time limited, but they can require special access to do what you’ve hired them to do. A contractor like a developer or outsourced IT staff member may need system access or rights and privileges unique to their role, but may not have the rest of the access that a normal employee does. In addition, they may work for a period of time and then stop when their contracts end. Later, they may be rehired, or be asked to perform further services. This makes traditional account lifecycles challenging to follow. In addition, many contractors work from a remote location, making their identity hard to verify. That means that using identity management services to audit, monitor, and manage contractor accounts is particularly important.
✓ Partners: Business partners, both as individuals and as organizations, often need accounts and rights to access data and applications that your organizations share to work together. Partner accounts may require interorganizational coordination and oversight, and may need to support trust relationships or federation. Federation allows a user to log in to various unrelated systems or applications using credentials from his own organization. It’s accomplished by having a shared set of policies and practices, as well as supporting technologies that establish delegated or trusted authentication between members of the “federation.”
✓ Customers: Customer account management is sometimes an entirely separate process from managing internal accounts and privileges, but many of the challenges are the same. Customer accounts need to have a lifecycle and management process that allows them to be easily handled in a customer‐friendly way that also meets your organizational needs, and supports customer accounts in an effective way.
✓ Third‐party vendors: Third‐party vendors create different identity issues than contractors and outsourced IT. Instead of requiring access to your systems, the challenge is usually how you can integrate with them. Fortunately, open standards like SAML, OAuth, and others can help you build bridges between your identity management system and standards‐compliant vendors, changing what used to be custom integrations taking days or weeks to a matter of a few hours of configuration work.

You may find that some (or many!) of your users fit into multiple categories and roles. That can add a lot of complexity to your identity management process as you try to track what access rights they should have. Remember that accumulated access can be a major risk as your users move around the organization and acquire rights and roles!

A key part of both the security and usability of enterprise IT is how you provide and control access. Traditional IT environments have often relied on access controls that were built and managed at each individual server or application, resulting in a massive amount of overhead, as well as a major challenge when you try to monitor or validate access rights. Centralization, identity consolidation, privileged access security, and shared account management, as well as the growth of single sign‐on and security standards like SAML and multifactor authentication, have resulted in the ability to use identity management services to control, monitor, audit, and report on access rights and access usage across all your enterprise resources.
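Two of the risks this section raises, rights that accumulate as people change roles and contractor accounts that outlive their contracts, are exactly what a centralized access review is meant to catch. The Python below is an added example of such a review, not code from the book or from Centrify: it compares what each account is actually granted with what its current role justifies (the AuthZ side of the AuthN/AuthZ split from earlier in the chapter). The role model, entitlement names, accounts and contract end date are all constructed for illustration.

```python
"""Entitlement review against a role model.

Added example (not from the book or Centrify): for each account, report
entitlements its current role does not justify (accumulated access) and
contractor accounts whose contract end date has passed. All roles,
entitlements, accounts and dates below are constructed for the example.
"""
from datetime import date

# Constructed role model: the entitlements each role justifies
ROLE_ENTITLEMENTS = {
    "developer": {"git:push", "ci:run"},
    "dba": {"db:admin", "db:read"},
    "helpdesk": {"ad:reset-password"},
}

# Constructed accounts: current role, everything currently granted, and an
# optional contract end date for contractors. bob moved from dba to developer
# but kept db:admin; carol is a contractor whose contract has ended.
ACCOUNTS = [
    {"user": "alice", "role": "developer", "granted": {"git:push", "ci:run"}},
    {"user": "bob", "role": "developer", "granted": {"git:push", "ci:run", "db:admin"}},
    {"user": "carol", "role": "helpdesk",
     "granted": {"ad:reset-password", "db:read"},
     "contract_end": "2016-03-31"},
]


def excess_entitlements(account):
    """Entitlements the account holds that its current role does not justify."""
    allowed = ROLE_ENTITLEMENTS.get(account["role"], set())
    return sorted(account["granted"] - allowed)


def review_accounts(accounts, today_iso):
    """Return (user, finding) tuples for an access review dated `today_iso`."""
    today = date.fromisoformat(today_iso)
    findings = []
    for acct in accounts:
        for ent in excess_entitlements(acct):
            findings.append((acct["user"], f"accumulated entitlement {ent}"))
        end = acct.get("contract_end")
        if end is not None and date.fromisoformat(end) < today:
            findings.append((acct["user"], f"contract ended {end}, account still active"))
    return findings


if __name__ == "__main__":
    for user, finding in review_accounts(ACCOUNTS, "2016-06-01"):
        print(f"{user}: {finding}")
```

The review is only as good as the role model behind it: an entitlement nobody has mapped to a role shows up as excess for everyone who holds it, which is usually the right outcome, since it forces someone to either document the role that needs it or remove it. Running the same comparison on a schedule, rather than once, is what turns it into the ongoing monitoring and reporting the section describes.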
Chapter 2
Exploring the Role of Identity in Cyber Security

In This Chapter
▶ Identifying today’s cyber security challenges
▶ Protecting on‐premises and cloud infrastructure
▶ Securing external and mobile users and systems
▶ Expanding your security perimeter when data is everywhere
Keeping your network, systems, and data secure probably seems like it has become harder over time. New threats appear daily, and organized attackers are defeating the security of major organizations despite their best efforts to stop them. In this chapter, I discuss current cyber threats and explain what a breach can mean to your organization. I also explain how you can use identity as a key element in your strategy to secure your systems, applications, and data, including how to address new trends like mobile devices, big data, cloud computing, and open networks.
Understanding Current Cyber Security Challenges

There are many current cyber security challenges, such as cyber threats, breaches, hackers, attackers, and advanced persistent threats. Many of these challenges start because of compromised credentials and poor security around how user accounts and rights are created, monitored, and maintained.
Cyber threats

Today’s organizations must be protected against a broad range of cyber threats. These can include things like

✓ Directed attacks focused on your organization, its operations, and data
✓ Indirect cyber threats like drive‐by downloads, which install malware on your PCs and devices
✓ Insider threats, including purposeful attacks, as well as honest mistakes

If you’re thinking about how user credentials play a role in each of those attacks, you’re already ahead of the game: Privileged credentials often play a big part in cyber attacks like these.
Breaches

It seems like nearly every day you hear news of a new breach. In fact, large‐ and small‐scale breaches have become so common that they’re a topic of discussion in our daily lives — even for people outside of IT. That doesn’t mean that the impact of a breach isn’t significant. The average cost of a breach — according to research conducted by the Ponemon Institute — is $3.8 million, a number that has gone up by 23 percent since 2013. The same study says that the average cost per individual affected is $154, meaning that even a small breach can quickly add up to significant costs.

Want to know more about the risks you face? Check out Centrify’s State of the Corporate Perimeter Survey. It includes data on how employees treat credentials, what other organizations are facing, and how leaders are dealing with issues. You can find it at www.centrify.com/why‐centrify/corporate‐perimeter‐survey.

The leading cause of breaches is compromised credentials. The 2015 Data Breach Investigation Report from Verizon concludes that over half of all breaches are caused by compromised credentials. And Mandiant states that close to 100 percent of breaches it investigates involve compromised credentials. Clearly, enterprise identities have become a leading area of risk that needs to be managed and mitigated.
Chapter 2: Exploring the Role of Identity in Cyber Security
Hackers, attackers, and advanced persistent threats

The biggest change in cyber security in recent years has been the appearance of advanced persistent threats (APTs). Attacker groups use advanced tools and techniques to compromise and control targeted systems and networks for long periods of time. When they gain the deepest levels of access, they place an emphasis on retaining and using their control of their targets to gather sensitive data, including credentials to access additional systems.

You probably already recognize APT attacks even if you don’t realize it. One of the most recognizable was Stuxnet, which targeted the Iranian nuclear program. Others include Operation Aurora, which targeted Yahoo!, Symantec, Dow Chemical, and other major U.S. companies, and Flame, which targeted systems in the Middle East. To see a list of all major attacks and their relationships since 2007, visit https://apt.securelist.com.

APTs are scary, but everyday threats like phishing emails and drive‐by infections that leverage browser and browser plugin flaws to compromise PCs and capture credentials in order to access systems are a big part of the threat your organization faces, too. It’s safe to assume that at least some of the PCs and devices used in any organization will be compromised during any given year, and that means that security needs to presume that the devices and the data they contain could be at risk.
Providing Security for External and Mobile Users and Systems External systems can take on many forms including hosted infrastructure at remote facilities, Infrastructure as a Service environments, which provide a home for your systems in the cloud, and other off‐site computing environments. Combined with the explosive growth of mobile and personally owned devices, traditional security methods haven’t kept up.
The old methods of securing on‐site servers and desktop PCs had the advantage of central control: The systems were usually in a secure location, on a known network, with a centrally managed operating system and known software and configuration. The broad range of external and mobile systems means that approach no longer works across the entire enterprise.
Hosted infrastructure Hosted infrastructure moves your security boundaries outside the traditional physical boundaries of your organization. That means that building a static security infrastructure around a controlled network won’t work. Linking multiple sites, cloud providers, or other locations can be a challenge if you don’t find ways to securely connect them. Fortunately, as you’ll see later in this chapter, identity can provide that link, as well as helping secure the remote environments.
Mobile devices and remote workers
Both mobile devices and remote workers bring new cyber security challenges. Devices that are offsite often require users to have a higher degree of control over the device so that they can install applications, change settings, or perform other actions that enable them to conduct business. In a traditional desktop IT environment, you might have sent an IT staff member to help them. When your users are mobile, IT staff simply can't reach them, so the users may need more control. In many cases, mobile devices are personally owned rather than company‐issued. That makes some form of management even more desirable when it comes to access to organizational data and applications. This used to be done by attempting to control the whole device, much like a desktop, but that's difficult and unwieldy for devices that need flexibility, or when device owners don't want their device "locked down" by IT. Fortunately, much like hosted and cloud infrastructure, identity can provide greater security for mobile devices by providing context about the user of each device.
The dangers of jailbreaking
Many people choose to break out of the controls that their mobile device provides by default. Apple devices are frequently jailbroken to provide additional functionality that Apple doesn't allow in the App Store. The same thing happens in the Android world, where devices are frequently rooted to install custom software or custom versions of the Android OS. Jailbreaking can look like a harmless way to get more functionality from your device, but in August 2015, WeipTech found more than 225,000 valid Apple accounts stored on a server. The source of those accounts was jailbroken phones that had been compromised by malware now known as "KeyRaider." KeyRaider used those stolen accounts to buy apps and other items from the App Store. Although this attack didn't target corporate data, it had enough access to do so. That means that having a way to detect jailbroken and rooted devices, and to keep them away from corporate resources until they're cleaned up, can be an important tool in your security arsenal.
External users
In addition to mobile devices, organizations are also seeing an explosion in the number and types of external users they need to support. From contractors to vendors to outsourced IT, each additional type of external user brings additional complexity to the account lifecycle and security models that you have to maintain. Each of these new users needs a way to access organizational resources, and the traditional answer of a single one‐size‐fits‐all remote access VPN doesn't fit. Fortunately, leveraging identity information can help. Matching roles and rights and provisioning users to both on‐site and off‐site systems and infrastructure can reduce or eliminate the need for a VPN. And where a VPN is still needed, that identity information can provide the basis for VPN groups that grant only the network access each role requires.
Addressing big data challenges
If big data is a tool in your organization's portfolio, you already know that keeping it secure is also a big deal. Securing big data requires enterprise‐grade identity and access management for authentication, least‐privilege access, and auditing to ensure that administrators and users have only the access and privileges their job function requires. Integrating big data into your identity management platform ensures that nodes, clusters, and applications are secured along with the rest of your infrastructure. When that happens, you can simply treat compliance, monitoring, and response problems the same way you treat any other managed system!
Dealing with a Misplaced Security Perimeter Cloud and hosted services, as well as the massive growth in the use of personally owned devices, greater mobility, and the diverse user populations that I’ve discussed mean that your traditional security perimeter only surrounds a small part of your sensitive apps, infrastructure, and data. This means that you need to provide flexible security where your infrastructure and users are. Figure 2‐1 shows how new workflows and requirements have changed most traditional network boundaries into what is effectively a single, flat network. Each of the groups needs access to organizational data and systems in a secure way. Identity can provide that layer of security for cloud and outsourced systems, mobile devices, and the wide variety of partners, contractors, and other users you may encounter. That means that identity can provide a consistent and effective layer of security where traditional firewalls and other security infrastructure can’t.
Figure 2-1: Access everywhere, at any time, for anyone.
Multifactor authentication
Multifactor authentication (MFA) requires two or more independent factors from different categories: something you know (a password or PIN), something you have (a token or smartphone), or something you are (a fingerprint or other biometric). For example, a common form of MFA pairs a generated passcode with a password. The passcode normally comes from a key‐fob‐style token or from an app on your smartphone (something you have), and the password is the something you know. Because there are two elements to this authentication process, it's often called two‐factor authentication. MFA has a big impact on the security of your services because a stolen or guessed password is no longer enough to get in. Unless attackers have both the key fob or smartphone that generates the code or approves the login, and the password for the account, they hold only half of the key. It isn't a silver bullet, though: a real‐time phishing site can relay a one‐time code just as it relays the password, so treat MFA as the defense against stolen passwords, not as a reason to stop teaching users about phishing.
MFA is one of the most effective ways to mitigate the risk of compromised credentials.
The role of authorization and authentication in breaches
Many breaches in recent history have involved attackers who gained administrative access to internal networks and systems. From there, they have been able to acquire sensitive data, which they then extract from the compromised network. In other cases, attackers have used phishing attacks to get user credentials or have used malware to compromise systems belonging to employees of the targeted organization. These attacks typically use that access as a foothold for further attacks against key infrastructure and systems, and then move laterally to gain access to servers and the sensitive data they contain. Many of these attacks could be stopped, or at least contained, by better leveraging authentication and authorization systems:
✓ An attacker who captures a password and uses it to log in to systems will be stopped by multifactor authentication, because the password alone doesn't satisfy the second factor.
✓ Ensuring that users have only the permissions and rights they require limits the scope of a successful attack.
✓ Monitoring user behavior and identifying logins and access that don't match a user's normal pattern can detect many types of attacks.
✓ Maintaining accounts, including deleting unused accounts and those belonging to employees who have left the organization, makes sure that attackers can't take advantage of neglected accounts.
Identity has become both one of the most valuable resources an organization has and, at the same time, a first line of defense against attackers and misuse.
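Here's an added worked example of the third item above, monitoring for logins that don't match normal behavior. It isn't code from this book or from Centrify. The log lines, users, addresses, and locations are made up for the example, and the rules (a new source address, a new location, an hour outside the user's usual range, and a user with no history at all) are assumptions you would tune for your own environment:

```python
"""Flag logins that do not match a user's own baseline of sources, locations and hours.

Added example, not code from the book or from Centrify. The log format and the
events below are constructed; the four rules are assumed heuristics.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events: time, user, source address, location, outcome.
SAMPLE_LOG = """\
2016-03-01T08:12:04Z alice 10.1.4.22 US-NY success
2016-03-01T09:30:11Z alice 10.1.4.22 US-NY success
2016-03-02T08:05:49Z alice 10.1.4.22 US-NY success
2016-03-03T13:40:02Z bob 10.1.7.9 US-CA success
2016-03-03T14:15:37Z bob 10.1.7.9 US-CA success
2016-03-04T02:51:20Z alice 203.0.113.45 RO-B success
2016-03-04T02:52:01Z alice 203.0.113.45 RO-B success
2016-03-04T11:00:00Z carol 10.1.9.3 US-TX success
2016-03-04T13:20:00Z bob 10.1.7.9 US-CA success
"""


def parse_events(text):
    """Turn the space-separated log into dicts with timezone-aware timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, source, geo, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"time": when, "user": user, "source": source,
                       "geo": geo, "result": result})
    return events


def build_baseline(events, cutoff):
    """Per user: the sources, locations and hours seen in successful logins before cutoff."""
    baseline = defaultdict(lambda: {"sources": set(), "geos": set(), "hours": set()})
    for e in events:
        if e["time"] < cutoff and e["result"] == "success":
            b = baseline[e["user"]]
            b["sources"].add(e["source"])
            b["geos"].add(e["geo"])
            b["hours"].add(e["time"].hour)
    return dict(baseline)


def find_anomalies(events, baseline, cutoff, hour_slack=2):
    """Return (time, user, reasons) for logins at or after cutoff that break the baseline."""
    findings = []
    for e in events:
        if e["time"] < cutoff:
            continue
        b = baseline.get(e["user"])
        reasons = []
        if b is None:
            reasons.append("no-baseline")      # never seen before: brand-new or long-dormant account
        else:
            if e["source"] not in b["sources"]:
                reasons.append("new-source")
            if e["geo"] not in b["geos"]:
                reasons.append("new-geo")
            low, high = min(b["hours"]) - hour_slack, max(b["hours"]) + hour_slack
            if not low <= e["time"].hour <= high:
                reasons.append("unusual-hour")
        if reasons:
            findings.append((e["time"].isoformat(), e["user"], reasons))
    return findings


def run_demo():
    """Baseline on the first three days of the sample log, then score the fourth."""
    cutoff = datetime(2016, 3, 4, tzinfo=timezone.utc)
    events = parse_events(SAMPLE_LOG)
    return find_anomalies(events, build_baseline(events, cutoff), cutoff)


if __name__ == "__main__":
    for finding in run_demo():
        print(*finding)
```

Each reason is a signal rather than a verdict: a new laptop produces "new‐source" for a perfectly legitimate user, so in practice you weight and combine the reasons (alice's 2:51 a.m. login from a new address in a new country scores on all three) and route the result to a human or to a step‐up authentication prompt rather than blocking outright.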
Identity as a defense mechanism
Fortunately, identity can provide that next layer of security. Combining multifactor authentication with a centralized identity management system that can track, audit, and manage user authentication, what a user can do, what users actually do, and details of the systems and applications they use gives you both insight and control. Identity is the common security layer across all your resources, regardless of whether they're in the cloud, on mobile devices, or in your datacenter. As attacks shift from network‐borne attacks that target vulnerable services to attacks that use preexisting credentials to penetrate secure networks, identity becomes the first line of defense. Attackers seeking a foothold only need to compromise a single account to reach the more vulnerable interior of most networks. That means that identity has to be considered both a potential way in and a crucial defense mechanism. I show you how to use it to secure your organization in Chapter 3.
Chapter 3
Architecting Security Using Identity
In This Chapter
▶ Using identity to provide security
▶ Designing a security perimeter that meets today's challenges
▶ Looking at the services an identity platform should provide
▶ Tackling compliance and auditing with identity platform services
The way that organizations provide IT services, where and how those services are consumed, and who needs to access them are undergoing massive changes. Cloud and hosted computing, big data services and systems, broad adoption of mobile computing and devices, and diverse user populations mean new methods of providing security are critical. Identity can provide a flexible way to secure both new and traditional systems and data. In this chapter, I discuss how identity can be used to create a security perimeter that can support the changes that modern IT environments are facing. I look at the services and capabilities that an identity platform needs to provide security, and I explain how to provide compliance and auditing using the same platform.
Architecting a Modern Security Perimeter
A modern security perimeter has to combine traditional perimeter defenses with additional layers that can handle hybrid infrastructure, new styles of work, and new ways of connecting. At the same time, both the traditional defenses and the new layers need to be designed to handle current threats like targeted phishing attacks, insider threats, and of course, advanced persistent threats. A complete security plan partners the traditional security layers like firewalls, IDS and IPS systems, and antivirus software with an identity platform that can provide user‐ and privileged‐account‐level security, as well as audit and control over user access and administration of accounts.
Identity‐based defenses
Identity can be used both as a separate protective layer and as a way to enhance traditional perimeter defenses. Here are a few examples of how identity can be used to provide protection for your systems and data:
✓ Proof of identity and rights management for mobile and remote users
✓ Support for multifactor authentication, a key technology when you need to protect against compromised credentials
✓ Rights management to protect against attackers or insiders leveraging one set of privileges to attack other systems from a toehold inside your infrastructure
✓ Strong controls for privileged accounts, including monitoring, auditing, and tracking, to keep your administrators and other power users from becoming a threat
✓ Protection against malware and other nonhuman attacks by requiring user interaction and monitoring how, when, and even where accounts are used
These and other capabilities provided by an identity solution can protect in ways that traditional defenses can't, and those traditional defenses in turn benefit from being paired with identity.
Traditional perimeter defenses Layered security is a necessity in cyber security, and traditional defenses are found in almost every organization’s plan. These defenses were often built under the assumption that all data could be surrounded by a firewall, and that most threats will come from outside the organizational network. In some cases, designs protect critical infrastructure from most users, but ignore the unanticipated risks originating from administrators and insiders with privileged access, which raises threat exposure and the likelihood of failed audits. Here are a few of the most common traditional perimeter defenses and details on how they can pair with identity to create a stronger security perimeter.
Firewalls
Firewalls are normally used to separate network segments, either to keep a trusted network separate from a lower‐security zone, or to provide network separation for differing groups or systems. Firewalls help prevent network attacks from outside by blocking traffic to vulnerable services, but some traffic must be allowed through for services to work, and that allowed traffic is exactly where credential‐based attacks travel. If you need to do more than control traffic, look at the more advanced capabilities many security appliances provide; then integrate the firewall with your identity platform to provide centralized visibility and access control, a common authentication experience, and a reduced administrative burden based on a common definition of user identity and security‐group membership.
Intrusion detection and intrusion prevention systems Intrusion detection systems (IDS) and intrusion prevention systems (IPS) are used to detect or stop attacks. Integrating an IPS or an IDS with an identity platform can allow you to specifically permit traffic for administrative users, or to monitor for specific types of traffic for some groups and not others.
Network devices
Network devices come in many flavors: switches, routers, wireless access points and controllers, and many others. Most of these devices have some security capabilities, and an increasing number are designed to provide enhanced security out of the box. Integration with an identity platform can help make sure that privileged accounts are secure, and that the actions taken by administrators are logged and audited. Of course, the ability to make sure you don't have forgotten or abandoned accounts lurking on key network devices can be a big security bonus, too! You'll also probably want to integrate identity into your security monitoring and management system. Centrify's Privilege Service makes this easier by associating all activity with the individual who performed it, making it easier to provide complete accountability. That also keeps your security staff from having to invest effort in correlating activity manually across many systems or silos of identity.
Exploring the Identity Platform A capable identity platform can provide additional security controls while also enhancing the capabilities and security of your existing traditional security layers. There are a number of key features found in identity platforms, including single sign‐on, multifactor authentication, mobile management, privileged access security, and session monitoring.
Single sign‐on When users are faced with a multitude of accounts and passwords to remember, they often solve the problem by reusing passwords or by using weak passwords. Not only does single sign‐on help solve that problem, but it also provides a single place to enforce strong authentication requirements. Using single sign‐on also helps reduce the likelihood that forgotten or abandoned accounts will haunt your organization, since you can manage accounts centrally rather than on individual servers or services.
Multifactor authentication
Multifactor authentication is incredibly important when you're trying to prevent attackers from using compromised credentials. Passwords are often easy to acquire: through phishing scams, by brute‐force attacks, or because systems are compromised and user passwords are captured by malware and sent back to its operators. Multifactor authentication can prevent stolen passwords from resulting in compromise of your data and systems. Accounts that are protected with multifactor authentication cannot be accessed with a compromised password alone. Users must provide one or more additional factors, like a code from a key‐fob‐style token or an approval via a smartphone app, which means attackers who gain access to usernames and passwords don't have all they need to break in.
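The following is an added worked example, for both this section and the multifactor authentication discussion in Chapter 2, of how a password plus a time‐based one‐time code is checked. It isn't code from this book or from Centrify. The HOTP and TOTP arithmetic follows RFC 4226 and RFC 6238 (and is checked against their published test vectors), while the account class, the 30‐second step, the one‐step clock‐skew window, and the replay check are design choices assumed for illustration:

```python
"""Password plus time-based one-time code, the way a key fob or phone app supplies the second factor.

Added example, not Centrify or Wiley code. hotp()/totp() implement RFC 4226 / RFC 6238;
MfaAccount, its 30-second step, the +/-1 step skew window and the replay check are
assumptions chosen for illustration.
"""
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of time steps since the Unix epoch."""
    return hotp(secret, int(unix_time) // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a stolen verifier database does not hand over the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class MfaAccount:
    """One account guarded by something you know (password) and something you have (TOTP seed)."""

    STEP = 30  # seconds per code; assumed, and what most authenticator apps use

    def __init__(self, password: str, totp_secret: bytes, window: int = 1):
        self.salt = os.urandom(16)
        self.password_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret
        self.window = window      # tolerate this many steps of clock skew either side
        self.last_counter = -1    # highest step already redeemed; blocks code replay

    def verify(self, password: str, code: str, unix_time: int) -> bool:
        # Factor 1: the password, compared in constant time.
        password_ok = hmac.compare_digest(
            hash_password(password, self.salt), self.password_hash)

        # Factor 2: the code must match a step inside the skew window that has not
        # already been used. A captured password on its own never satisfies this.
        counter = int(unix_time) // self.STEP
        matched = None
        for candidate in range(counter - self.window, counter + self.window + 1):
            if candidate <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.totp_secret, candidate), code):
                matched = candidate
                break

        if not password_ok or matched is None:
            return False
        self.last_counter = matched   # burn the step so the same code cannot be replayed
        return True


if __name__ == "__main__":
    seed = b"12345678901234567890"   # the RFC 6238 test seed, not a real secret
    acct = MfaAccount("correct horse battery staple", seed)
    now = 1111111109
    print("password + live code:", acct.verify("correct horse battery staple", totp(seed, now), now))
    print("password only:       ", acct.verify("correct horse battery staple", "000000", now))
```

Two practical points the code makes concrete: a six‐digit code has only a million possible values and the window accepts three of them, so the verifier must rate‐limit failed attempts; and a code that has already been accepted is never accepted again, which stops an attacker who captures or shoulder‐surfs a single code from reusing it within the same 30‐second window.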
Provisioning and lifecycle management
Provisioning is the creation of user accounts and the roles, groups, rules, and related settings that allow users to perform their work. Provisioning also enables users to be productive on day one with the appropriate access, authorization, and client configuration across their devices. Provisioning is important in the identity‐based security model because it determines who has what rights, on what systems and applications. The identity platform needs to provide workflows that get the right users the correct settings in a monitored and auditable way. IT staff know that accounts are difficult to manage. Employees are often given more access than they need, and that access frequently follows them through their careers as they amass more and more rights over time and as their positions change. Unused accounts, and accounts for employees and other users who no longer need them, also tend to stay around longer than they should. That's why centralized account lifecycle management is a key identity platform service. The ability to quickly and easily review rights against what an employee's actual role is, and to ensure that those rights change appropriately as the employee's job and needs change, is crucial to the use of identity as a defense mechanism. Management of unused accounts should be as simple as terminating unneeded accounts or changing role membership, but it can be difficult to tell the difference between an unused account and a rarely used but critical account, or one that belongs to a staff member on vacation, especially if your human resources department isn't keeping close tabs on the status of employees. When you add in third‐party contractors, vendors, or customers, you'll find you have even more accounts that are a challenge to track. Managing lifecycle centrally, and in a highly visible and accessible way, using a central identity platform can help close those gaps. No matter how good your identity platform is, bad data and staff who aren't making sure that employee (or other user) status changes get handled can leave gaps in your security. Implement automation wherever possible, remember the people side of security, and make sure you test your processes in parallel with your technology!
Mobility and device management
If you polled the mobile device users you know, how many would honestly answer that they have a passcode, PIN, or swipe‐to‐unlock set up on their mobile device? Each mobile device is a potential attack vector, and that means that an identity management platform needs to extend not only to applications, but also to mobile devices. In this way, IT can secure applications, the devices that access those apps, and the data that resides on those devices as well.
Secure remote access
Remote access is a necessity with a mobile workforce, but providing secure remote access can be difficult. Two of the most common solutions are VPNs and application‐layer gateways (ALGs). VPNs rely on identity to authenticate users and to place them in appropriate networks based on who they are. ALGs protect applications by proxying traffic without providing broader access to the network, and can use identity to establish which applications particular users can access. An identity platform with strong workflow capabilities and business logic designed to put users in the right groups, with appropriate logging and monitoring, can enable secure remote access management regardless of how many different ways your organization phones home.
Privileged access management and security
In many organizations, privileged users log into servers, applications, network devices, and databases using shared administrative accounts such as root or local administrator accounts. These accounts are the proverbial "keys to the kingdom": they account for the majority of malicious exploitation (or unintended misuse) of access to sensitive data, and they carry the ability to delete or damage critical systems. Privileged access security is critical to defending against cyber threats because it verifies and protects access to these privileged accounts. You can help solve this problem by investing in an identity management solution that can associate privileged activity with an individual rather than with a shared account. You should also focus on solutions that only allow a user to elevate privileges for the specific task they need to do, when they need to do it. Privileged account management helps ensure that users work from their own accounts most of the time, and that they have only the rights they need. In special cases, like emergency support or service functionality, it ensures that access to nonhuman accounts such as service accounts, root, and admin credentials is logged and that passwords are automatically changed after use. Productivity improves when access, privilege, and audit policies are managed from a centralized point of control. This can be a lot easier if you use your existing Active Directory infrastructure, then invest in bridging technologies to manage a much broader set of systems (Windows, Linux, UNIX), endpoints (Windows, Mac, mobile devices), and applications (on‐premises, SaaS, mobile) without introducing redundant and costly new infrastructure.
Privileged session monitoring
The need to monitor what privileged users like system administrators and other power users do is pretty obvious, but how to do it can be a challenge. Power users frequently have sweeping rights to change systems, including the logs that might capture their accounts being misused. Centralizing that capability, capturing all details including a full session recording, and using secure, auditable monitoring and reporting stored where the monitored administrators can't alter it can make it a lot easier to ensure that privileged accounts are secure. The other side of privileged account monitoring is tracking the rights that make an account privileged. If attackers can add rights to a normal user's account so that it can perform the same actions an administrator can, without that change being noticed, they can cause major damage! A strong identity platform should allow you to monitor both how and where privileged accounts are being used, and how, when, and by whom the rights that make up those special privileges are being granted.
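As an added example of the second half of this section, tracking how, when, and by whom privileged rights are granted, here is a review of group‐membership changes against approved change requests. It isn't code from this book or from Centrify. The group names, the change events, the ticket register, and the two accounts allowed to edit membership are constructed for the example, and the three rules are an assumed policy:

```python
"""Review changes to privileged group membership against approved change requests.

Added example, not code from the book or from Centrify. Groups, events, tickets and the
list of accounts allowed to edit membership are constructed; the rules are assumed policy.
"""

PRIVILEGED_GROUPS = {"Domain Admins", "wheel", "db-admins"}
MEMBERSHIP_ADMINS = {"idm-svc", "alice"}           # only these may grant privileged membership
APPROVED_TICKETS = {                               # change request -> what it authorises
    "CHG-1042": {"group": "db-admins", "member": "erin"},
}

# Constructed sample change events, as a directory or identity platform audit log would record them.
SAMPLE_CHANGES = [
    {"time": "2016-04-01T09:00:00Z", "actor": "idm-svc", "action": "add",
     "group": "db-admins", "member": "erin", "ticket": "CHG-1042"},
    {"time": "2016-04-01T09:05:00Z", "actor": "alice", "action": "add",
     "group": "helpdesk", "member": "frank", "ticket": None},
    {"time": "2016-04-01T22:41:00Z", "actor": "bob", "action": "add",
     "group": "Domain Admins", "member": "bob", "ticket": None},
    {"time": "2016-04-02T10:00:00Z", "actor": "alice", "action": "add",
     "group": "wheel", "member": "gina", "ticket": "CHG-9999"},
    {"time": "2016-04-02T11:00:00Z", "actor": "alice", "action": "remove",
     "group": "wheel", "member": "gina", "ticket": None},
]


def review_changes(changes, privileged=PRIVILEGED_GROUPS, tickets=APPROVED_TICKETS,
                   admins=MEMBERSHIP_ADMINS):
    """Return (time, actor, group, member, reasons) for privileged grants that fail policy."""
    findings = []
    for c in changes:
        if c["action"] != "add" or c["group"] not in privileged:
            continue                                   # ordinary groups and removals are out of scope here
        reasons = []
        if c["actor"] not in admins:
            reasons.append("unauthorized-actor")       # who granted it
        if c["actor"] == c["member"]:
            reasons.append("self-grant")               # granting yourself admin is the classic escalation
        ticket = tickets.get(c["ticket"]) if c["ticket"] else None
        if ticket is None:
            reasons.append("no-approved-ticket")       # why it was granted
        elif (ticket["group"], ticket["member"]) != (c["group"], c["member"]):
            reasons.append("ticket-mismatch")          # approved, but for something else
        if reasons:
            findings.append((c["time"], c["actor"], c["group"], c["member"], reasons))
    return findings


if __name__ == "__main__":
    for finding in review_changes(SAMPLE_CHANGES):
        print(*finding)
```

Two things to notice: bob's late‐night addition of himself to Domain Admins trips all three rules at once, which is the pattern of an attacker (or insider) who has taken over an account with directory rights, and gina's grant by an authorized admin still fails because the ticket it cites doesn't exist. Removals are deliberately skipped here; in practice, removing the last remaining administrator from a group deserves a finding too.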
Consolidating Identity Silos Many organizations have multiple stores of identity scattered throughout their infrastructure. Sometimes that means that individual systems or services have their own identity stores, but often the differences occur at organizational boundaries or due to differences in systems. These identity silos represent both complexity and risk. Consolidating identity silos through a centralized identity management platform allows a single view of identity throughout the organization, and thus a single place to control new users, their access and account lifecycle, and their eventual removal. Instead of having to account for each identity individually throughout a diverse infrastructure, centralization allows time to be spent enabling access and ensuring that it is secure.
Using Identity Platform Services for Compliance and Auditing An identity platform may not be the first thing you think of when you consider compliance and auditing, but access to systems and data is often the first thing that you should look at. Reporting details of who had access to what, and what they have done with that access, as well as the ability to certify the technical process and procedures is important when reporting your organization’s status.
Access auditing and reporting
Auditing won't prevent compromises, but it can help detect both attacks and attempts to exploit access. Identity‐based security relies on auditing and reporting, including the following key functions:
✓ Identifying privileged accounts and capturing privileged access and activity
✓ Providing detailed reporting on rights, groups, and the correlation of roles and access
✓ Automated reporting for violations and potential issues
✓ Detecting unused or remnant accounts that should be addressed
These aren't all the audit and reporting features that an identity platform can provide, but using these features can be a big part of gaining greater security insight from the platform.
Continuous compliance Almost every industry faces some form of compliance requirements, whether they’re local, state, national, or international laws, or they’re part of contractual obligations. The increasing need for compliance means that being able to prove compliance quickly and easily can be a big win for your organization.
Compliance at a single point in time is necessary to pass an audit, but implementing security best practices with an identity management platform keeps you in a continuous state of compliance and lets you better protect your organization against cyberthreats. The idea of continuous compliance is gaining ground over point‐in‐time certifications, and a strong identity platform that provides best‐practice security services can make the difference between an issue that is quickly detected and handled and an audit finding or major compliance issue. Many organizations have discovered that although they were regularly tested for compliance, that didn't mean they were secure! Most compliance checks focus on a point‐in‐time assessment, and being compliant with a standard like PCI DSS doesn't mean that you can't be hacked (or haven't been already!). It just means you meet the requirements in the standard.
Chapter 4
Deploying an Identity Platform for Security
In This Chapter
▶ Using Identity as a Service
▶ Securing privileged access
▶ Delivering anytime, anywhere access
▶ Avoiding conversion pitfalls
A modern identity platform provides software and services to centralize the management of identity and access across today's hybrid IT environment of datacenter, cloud, and mobile. An identity platform typically includes a directory infrastructure for users and resources; management and enforcement of policy on systems, apps, and devices; and auditing and reporting of access and activity. In this chapter, I walk you through deploying Identity as a Service, implementing privileged access security, delivering anywhere and anytime access to corporate resources, and avoiding common pitfalls by partnering with the right vendor.
Introducing Identity as a Service
Identity as a Service (IDaaS) is a cloud service that provides identity and access management for users, apps, systems, and devices. Cloud identity services typically include the following capabilities:
✓ User access services: User directory, authentication, single sign‐on, multifactor authentication, authorization management, and enforcement.
✓ Support for federation: This allows identity data to be shared between enterprises. Federation can make outsourcing easier by removing the challenge of maintaining identity information for third‐party users.
✓ Enterprise Mobility Management: Mac and mobile device configuration and security, mobile app management, mobile identity, and mobile device self‐service.
✓ Administration and governance services: Provisioning, business process and policy enforcement systems, as well as workflow, self‐service, and related services.
✓ Reporting and intelligence capabilities: Logging, report and alert generation, and compliance functionality.
IDaaS allows you to outsource the work of maintaining an identity platform for users, apps, and devices, and to focus your resources on implementation, integration, and support of identity services. As a cloud service, it can provide scalability, strong business continuity and disaster recovery capabilities, and the ability to more directly control the costs associated with growth and service lifecycles. Employees, contractors, partners, suppliers, and even customers all need secure access to corporate resources, whether they're accessed from on‐premises or remotely and regardless of where the resources are located. Delivering secure anywhere and anytime access to corporate resources is the key objective for a modern identity platform.
Using a Cloud Identity Platform

A cloud identity platform has a number of key components as part of the complete identity platform. These include provisioning, single sign‐on, and multifactor authentication services layered on top of a central directory, a policy engine, an authentication engine, and of course, a full‐featured reporting system. In Figure 4‐1, you can see Centrify’s cloud identity service architecture. Note the portal‐based design for access, as well as the connector for on‐premise solutions that links them to the cloud service. That connector allows existing on‐premise systems to integrate with the cloud platform, leveraging data and identities that may have years of effort already invested in them.
Chapter 4: Deploying an Identity Platform for Security
Figure 4-1: Centrify’s cloud platform architecture.
Cloud directories

If you don’t already have an on‐premise directory, or want to centralize existing directory information from multiple sources like Active Directory and LDAP, a cloud directory is a key component of a cloud identity platform. If you already have existing directories, you can still use the cloud directory for users that aren’t currently managed such as partners or customers.
Directory bridging

If you want to use your existing directories with a cloud identity platform, you need a way to bridge between them. A connector that is aware of Active Directory can enable single sign‐on and policy management between both the on‐premise and cloud environment while making on‐premise apps and systems available to remote users using the cloud platform without a VPN. Some vendors require that you synchronize passwords or even your entire directory to their service to make it work. Avoiding that can help you be sure your passwords and other data are only where you expect them to be — properly secured in your identity platform.
Cloud identities

Many organizations have faced an explosion of cloud and mobile applications adopted by their users without any approval or review from IT. Cloud services and many mobile applications that rely on a cloud service back‐end have their own identities associated with them. If your users are storing your organization’s data in services that aren’t connected to your identity platform, not only will you lose access to it if they leave the organization, but they can retain access to the data even if you remove their access to central systems!
There are a few ways to address this, such as banning unapproved applications, or requiring mobile application management, but in today’s consumerized technology world, saying “no” typically just makes users go around approvals. Instead, you can choose to integrate with cloud services via standards like SAML and by supporting OAuth. Making your organization’s credentials work in cloud services, and then making it easy to do so, can be a big win and help slow down the flood of your data heading to cloud services you can’t control.
Authentication engine

An authentication engine validates that a user is who they claim to be by validating a user with a username and password, asking for additional factors of authentication, and applying logic to determine if their access request is valid. Once validated, additional tokens or credentials may need to be created to facilitate access to the requested resource such as a SaaS application or Linux system. An authentication engine should be able to enforce access based on who a user is, as well as her attributes. Those can include things like the time, location, application, or device she’s using and the network she is on.
Policy engine

The business rules that are applied to identity are a major part of the security provided by identities. A policy engine with an easy‐to‐use interface that helps you build easily understandable policies to control and manage identity is a key part of a cloud identity platform. A policy engine should be able to enforce requirements based on a user; his attributes; the time, location, or device he’s using; as well as what network or what application he’s using. A policy engine is what powers the provisioning engine, and ensures that only the proper users and rights are provisioned. It’s also what powers the ongoing monitoring for deviation from the intended policies.
Reporting and dashboarding engine

A robust reporting and dashboarding engine should not only provide dozens of pre‐canned reports and out of the box dashboards but also allow customization of existing reports, creation of new reports, and the ability to export data so that you can integrate it with existing monitoring systems you may already have.
Privileged Access Security for On‐Premises and Cloud‐Based Infrastructure

One of the major reasons to consider an identity platform is to provide strong account, privilege, and role management for on‐site and off‐site infrastructure. That can include ways to integrate your existing directories, removing issues with siloed identity and accounts, and ensuring that the right requirements are enforced throughout a complex set of systems and applications. Fortunately, an identity platform can help!
Directory integration

Using a single directory platform like Active Directory to manage non‐Windows systems (like network devices, Linux, and Unix systems) can also be a powerful advantage. If you use Active Directory, you can save time by using your existing security groups and policies with a platform that integrates with what you already have.

If you have an Active Directory infrastructure deployed, you can make your life simpler by making the most of the effort you already have invested in it. Because directories are the core of any identity management system, using your existing directories can make a big difference in how fast you can get up to speed with an identity platform. To make things even simpler, you can select a platform like the Centrify Identity Platform, which allows you to leverage Active Directory for your cloud, on‐premise, and hybrid environments based on your needs and organizational requirements. Active Directory integration can be a big benefit if Microsoft technologies play a role in your IT infrastructure. Imagine adding Linux, Unix, and Mac machines to Active Directory, and using the same credentials between environments. Expanding existing Active Directory group policies across diverse platforms can be a challenge, but using your existing investment to manage non‐Windows systems can help simplify the effort.
Identity consolidation

Strong security practices require users to log in as themselves, rather than via shared or anonymous accounts. Unfortunately, organizations with hundreds or thousands of Unix and Linux systems are often plagued with managing identity on individual systems. With so many independent and often overlapping identity silos, consolidating identity to a single directory can be challenging and time consuming. A modern identity platform can quickly consolidate user accounts and groups into a single directory and enforce separation of administrative duties.
Least‐privilege access

In addition to making sure that users log in as themselves, it’s important to implement least‐privilege access (access that provides the minimum set of rights that a user needs to accomplish his job). Using least‐privilege access limits the potential damage from security breaches and prevents users from improper or accidental activities.

To get the most benefit out of least‐privilege access, make sure you control exactly who can access what and when. That means you’ll need to configure privileges so that users can only elevate privileges appropriate for their job function, at specific times, for a length of time, and on appropriate servers. A modern identity platform should be able to centrally manage least‐privilege policies in a cross‐platform manner across Windows, Linux, and UNIX as well as network devices. Securing systems and applications can result in a complex web of rights and roles, and ensuring least privilege can be a challenge. It helps to have built‐in tools designed to work with the applications and operating systems you use. Centrify’s Application Rights builder, shown in Figure 4‐2, is an example of how prebuilt rights models can speed up your deployment and keep complex rights management from being a nightmare.
Figure 4-2: Centrify’s Application Rights builder.
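The contextual checks described for the policy engine and for least‐privilege elevation above, as an added example that is not part of this book or of Centrify’s product: a small Python evaluator over a constructed rights model (the roles, commands, hosts, networks and users are hypothetical) that grants an elevation request only when one of the user’s roles permits the command, on that server, at that time of day, from that network, and for no longer than the role allows, and that records why each role refused so the denial can be audited.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Role:
    """One job function: which commands, on which servers, when, from where, how long."""
    name: str
    commands: frozenset
    servers: frozenset
    window: tuple          # (start, end) time of day during which elevation is allowed
    networks: tuple        # CIDR ranges an elevation request must originate from
    max_minutes: int       # longest elevated session the role may grant


@dataclass(frozen=True)
class Request:
    user: str
    command: str
    server: str
    when: str              # ISO 8601 timestamp, e.g. "2016-03-01T10:00"
    source_ip: str
    minutes: int           # how long the user asks to stay elevated


# Constructed rights model (hypothetical names): DBAs may restart PostgreSQL on the
# db hosts during business hours from the admin VLAN for at most an hour; web
# operators may restart nginx on web01 at any hour, from two networks, for 30 min.
ROLES = {
    "dba": Role("dba", frozenset({"systemctl restart postgresql"}),
                frozenset({"db01", "db02"}), (time(8), time(18)),
                ("10.10.0.0/24",), 60),
    "webops": Role("webops", frozenset({"systemctl restart nginx"}),
                   frozenset({"web01"}), (time(0), time(23, 59, 59)),
                   ("10.10.0.0/24", "10.20.0.0/16"), 30),
}
USER_ROLES = {"alice": ("dba",), "bob": ("webops",)}   # constructed assignments


def role_permits(role, req):
    """Return None if the role permits the request, else the first failing check."""
    if req.command not in role.commands:
        return "command not granted to role"
    if req.server not in role.servers:
        return "server outside role scope"
    start, end = role.window
    if not start <= datetime.fromisoformat(req.when).time() <= end:
        return "outside permitted time window"
    if not any(ip_address(req.source_ip) in ip_network(n) for n in role.networks):
        return "source network not permitted"
    if req.minutes > role.max_minutes:
        return "requested duration exceeds role maximum"
    return None


def evaluate(req):
    """Grant if any role assigned to the user permits the request; otherwise deny and
    keep every role's reason so the denial is explainable in the audit trail."""
    reasons = []
    for name in USER_ROLES.get(req.user, ()):
        failure = role_permits(ROLES[name], req)
        if failure is None:
            return True, f"granted via role {name}"
        reasons.append(f"{name}: {failure}")
    return False, "; ".join(reasons) or "no roles assigned"
```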
Shared account password management

In an ideal world, we would eliminate all privileged shared accounts and throw a major wrench into the process for attackers. However, there are occasions where you cannot delete or disable a privileged account such as local administrator, root, legacy application administrative accounts, or network device accounts. In those cases, limiting risk by using shared account password management (SAPM) features of the Identity Platform can make a big difference. Using a cloud identity platform can make SAPM a lot more powerful, because it can allow you to use SAPM across hybrid cloud infrastructures, as well as use cases that on‐site SAPM can’t. Make sure your solution can support anytime, anywhere remote access to on‐premises and cloud‐based resources, secure VPN‐less resource access, outsourced IT and contractor login, and multiple Identity Provider (IDP) support. Modern SAPM capabilities should be delivered as a service in the cloud to extend beyond basic password management to future‐proof your identity and security strategy. In the classic break‐glass scenario explained next, the legacy on‐premises SAPM solution is inaccessible if the network is down. A SAPM in the cloud is resilient to your network outages and accessible to every valid user, anytime, from any device.
Break‐glass scenarios

In the last‐ditch case where a system is down, no network access is available and an administrator needs to access a root password or local administrator account, an identity platform can allow authorized IT users to check out passwords for system accounts for a limited duration and then automatically change the password after the checkout expires. This also ensures that you’ll have an audit trail available to review after the issue is resolved.
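The break‐glass checkout described above, as an added example that is not Centrify’s code: a toy shared‐account vault in Python that releases a password only to an authorized user for a fixed window, refuses a second checkout while the first is open, rotates the password once the window lapses so the released value stops working, and writes every step (including refusals) to an audit trail. The account name, users and initial password are constructed for the walkthrough.

```python
import secrets
import string
from datetime import datetime, timedelta
from hmac import compare_digest


class CheckoutError(Exception):
    """Raised when a checkout is refused; the refusal is still written to the audit trail."""


class SharedAccountVault:
    """Toy SAPM vault: a password leaves the vault only through a time-boxed checkout,
    is rotated when that checkout lapses, and every step is appended to an audit trail."""

    def __init__(self, passwords, authorized, clock=datetime.now):
        self._passwords = dict(passwords)   # account -> current password
        self._authorized = authorized       # account -> users allowed to check it out
        self._clock = clock                 # injectable so expiry can be simulated
        self._active = {}                   # account -> (user, expiry) of the open checkout
        self.audit = []

    def _log(self, event, **fields):
        self.audit.append({"at": self._clock().isoformat(), "event": event, **fields})

    def checkout(self, user, account, minutes):
        """Release the current password to an authorized user for `minutes`."""
        self.expire_overdue()
        if user not in self._authorized.get(account, ()):
            self._log("checkout_denied", user=user, account=account, reason="not authorized")
            raise CheckoutError("not authorized")
        if account in self._active:
            self._log("checkout_denied", user=user, account=account, reason="already checked out")
            raise CheckoutError("already checked out")
        expires = self._clock() + timedelta(minutes=minutes)
        self._active[account] = (user, expires)
        self._log("checkout", user=user, account=account, expires=expires.isoformat())
        return self._passwords[account]

    def expire_overdue(self):
        """Rotate every account whose checkout has lapsed, so a released password
        stops working once the break-glass window closes."""
        now = self._clock()
        for account, (user, expires) in list(self._active.items()):
            if now >= expires:
                alphabet = string.ascii_letters + string.digits
                self._passwords[account] = "".join(secrets.choice(alphabet) for _ in range(24))
                del self._active[account]
                self._log("rotate", account=account, reason="checkout expired", user=user)

    def is_current(self, account, password):
        """Constant-time check a target system (or a test) would use to verify a password."""
        return compare_digest(self._passwords[account], password)


def simulate_break_glass():
    """Walk one constructed incident through the vault and report what happened."""
    clock = [datetime(2016, 3, 1, 2, 0)]          # controllable 'now'
    vault = SharedAccountVault({"root@db01": "constructed-initial-pw"},
                               {"root@db01": {"alice", "bob"}}, lambda: clock[0])
    released = vault.checkout("alice", "root@db01", 30)
    try:
        vault.checkout("bob", "root@db01", 10)    # refused while alice holds it
        blocked = False
    except CheckoutError:
        blocked = True
    clock[0] += timedelta(minutes=31)             # the 30-minute window lapses
    vault.expire_overdue()
    return {"released": released, "blocked": blocked,
            "old_still_valid": vault.is_current("root@db01", released),
            "events": [e["event"] for e in vault.audit]}
```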
Privileged session monitoring

You can simplify compliance and speed up forensic discovery by capturing all privileged activity across all your servers. Privileged session monitoring can record fully indexed sessions, including video of the actions taken, which allows you to track exactly who did what, when, and on which server regardless of whether the user is logged in as herself or as a shared account. Once the sessions have been recorded, privileged session monitoring allows you to view session summaries or pinpoint specific activity by searching event data and video capture of sessions on Windows, Linux, Unix systems, and network devices. A modern identity platform should be fully integrated with least‐privilege management to ensure that all privileged activity is captured and to leverage the session activity to ease the burden of defining privileged access rules.

Unified IAM, which occurs when an identity service provides a complete service across both internal and external datacenters, as well as mobile applications and cloud services, can be a powerful tool. It can provide better security and data protection, easier compliance, central monitoring, and easier integration with partners and applications. It can also help customers and users have a better experience wherever they use their credentials.
Delivering Anywhere, Anytime Access

Users — including remote workers, contractors, vendors, and partners — all need to access corporate resources outside the traditional network perimeter. Do you really want to give them all a VPN connection? An identity platform can facilitate the access to corporate resources without requiring a VPN and ensure security through multifactor authentication and access policies.
Remote access to applications without a VPN

Increasingly, enterprise applications such as SharePoint are not only used by employees on the corporate network but also shared with remote workers, contractors, and partners. An identity platform like Centrify’s, which provides an App Gateway through the Centrify portal, can facilitate access to on‐premises web apps by proxying the web app without requiring direct network access via a VPN.
Secure remote session management for IT

IT administration of servers and network devices is no longer performed only by in‐house resources. An identity platform can proxy server sessions through remote desktop protocol (RDP) and remote secure shell (SSH), without requiring direct network access over the web, and without any client software required. Remotely managing critical resources comes with security challenges, which means that multifactor authentication that can understand the context that users are operating in is important. An identity platform can match authentication requirements to systems and rights, and can allow you to watch, and even terminate suspicious sessions. Of course, using an identity platform also ensures that every session is recorded for auditing and compliance purposes.
Avoiding Identity Platform Conversion Pitfalls

Deploying an identity platform can be daunting, so it pays to consider implementation challenges upfront. Be sure to think through integration with existing directories, rights and role management, and how the platform and vendor enable your migration.
Migration support

Migrating to an identity platform can impact many systems, and may take a lot of time to execute. If you set out without strong migration support, you can spend a massive amount of time building out capabilities you already have. That means that a platform that provides wizards and migration tools can be a big part of your success.

Make sure your chosen platform works with the infrastructure you use, whether that is Windows, Linux, Unix, network devices, Mac, iOS, Android, SaaS apps, on‐premise apps, or something else. If you leave behind chunks of your user base, you’ll quickly find that your users are working around your unified identity platform.
Automation

When you’ve moved to your new identity platform, you’ll be ready to conduct your day‐to‐day operations. This is where automation comes in. To make your platform work well for you, you should:

✓ Identify your most common tasks and processes.
✓ Analyze how those tasks and processes result in workflows.
✓ Use the platform’s automation tools to deal with as much of the work as possible, freeing you up to spend time handling special cases and monitoring for and fixing problems.
Vendor partnership

Identity platforms offer a lot of benefits, but they can take a lot of time if you don’t use their capabilities well. Make sure you select a vendor who has helped other organizations like your own make the move. While it may seem obvious, it’s still a good idea to make sure to involve your vendor in your migration even if you have a lot of in‐house talent — their expertise can save you a lot of time and effort! Make sure to pick a vendor that has a proven track record with strong customer references, and make sure those references report high levels of success and satisfaction.
Chapter 5
Ten Things to Look for in an Identity Platform

In This Chapter
▶ Recognizing ten key features of identity platforms
▶ Understanding what to look for when selecting an identity platform
There’s a lot to contemplate when you’re considering an identity platform. You need a platform that can support your evolving IT environment while acting as an additional layer of security for your organization. Identity platforms typically have a long lifecycle, which means that choosing the right platform from the right vendor is really important. Here are ten items that should be at the top of your list of considerations:

✓ Comprehensive management across servers, devices, apps, and users: The ability to manage identity both in the cloud and on‐premises, and across all the types of devices, systems, and software you use, is a big part of your identity platform’s success.
✓ Ease of integration: Look for an identity platform that makes integrating with your existing and future IT environment easy. Your chosen platform should have out‐of‐the‐box support for your datacenter systems, applications, cloud services, devices, and other integration points that matter to you.
✓ Single sign‐on: Supporting single sign‐on makes a big difference in user acceptance and gives you a central place for access control. Choose a platform that makes single sign‐on as transparent to your users as possible, and you’ll save time and money on support.
✓ Multifactor authentication: Multifactor authentication is critical to keeping your organization secure. Look for an MFA model that will work well for how your staff works, and is integrated into a single solution across servers, apps, and devices.
✓ Federation support: If connecting to your partners or to third‐party services (like SaaS) is a priority, the ability to use federated sign‐ons is critical. Look for a platform that can work with federation tools like SAML.
✓ Application access control management: A platform that makes granular, group‐based, highly usable application access management a priority is a huge win when you’re facing a multitude of applications that each need access control managed. Having it built in and easy to use will help you stay secure and retain usability at the same time.
✓ Mobile security management: As your workforce becomes increasingly mobile, and as phones and tablets continue to grow in use for productivity, you’ll need a solution that can manage these devices. Pick a solution that leverages the security posture of mobile devices in the access policies for applications and resources.
✓ Remote access for apps and servers: When your users need to get work done remotely, integration with remote access is key. Look for secure remote access capabilities that limit the need for a full VPN connection and provide the ability to monitor and record remote sessions.
✓ Privileged access and shared account management tools: Your organization’s cyber security can rest on its ability to manage privileged access and shared accounts. Find a platform that makes visibility and central control easy and accessible.
✓ Strong vendor partnership and support: A vendor that wants to see you succeed can make the difference between a successful rollout and a failed and neglected implementation. Find a vendor that has great references and a reputation for carrying through after the sale.