Presentation from AWS Worldwide Public Sector team's conference Building and Securing Applications in the Cloud (http://aws.amazon.com/campaigns/building-securing-applications-cloud/).
2. Introduction
• Security software company providing Privileged Access Control Solutions
• Global Fortune 1000 and Government customer base
• Privately held - Headquartered in Herndon, VA
• Single Platform – Xsuite™
Awards and recognition: Best Overall IT Company 2011; RSA 2011 Hot New Security Product; Cool Vendor; Best Network Security; Hot Company to Watch; Top 100 Global Company
Certifications: FIPS 140-2, Level-2; Common Criteria EAL 4+; UC Approved Products List
3. Our Customers Include…
Commercial and Federal customers:
• Top 5 Global Bank
• Top 3 Telecommunications Company
• Fortune 10 Financial Services Company
• Top 5 Global Retailer
• Multiple Global Stock Exchanges
• Fortune 200 Food Products Company
• Top 3 Online Broker
• Top 3 Smart Phone Provider
• Top 3 Food and Drug Retailer
4. Privileged Identity and Access Management for Federal
• DOD CIO Instruction 8520.03
  • Administrative accounts shall not be accessed from untrusted or user-managed environments
  • Administrative accounts, both partner and DoD, must utilize a level 4 credential
• 2011 FISMA report
  • Privileged access identified by the IG as the area in most need of improvement
  • Use of risky shared accounts and no identified policy
• NIST 800-53
  • Privileged users require a broad set of security controls: AC, AU, CA, CM, IA, MA, etc.
5. Evolving Credential Management Challenge
• HSPD-12
  • Presidential directive to establish trusted identity for physical and logical access
  • OMB-11-11 requires the 2013 IT budget submission to address logical PIV integration
  • FICAM, chaired by CIOs, develops the common framework and maintains the roadmap
  • FY2012 Presidential IT Budget Priority
• NIST 800-63
  • Electronic authentication mechanism guide; includes Levels 1 to 4
• FIPS 201-2
  • Personal Identity Verification (PIV) of federal employees and contractors
  • X.509 based Federated PKI
  • Revised draft addresses mobility
6. Setting Priority Within a Framework
• ICAM roadmap guidance for Privileged Users
  • Agencies shall use high assurance credentials for administrative users
  • Level 4 Personal Identity Verification (PIV) card
  • Smart cards with embedded PKI certificate
  • Commonly referred to in DOD as CAC (Common Access Card)
• Minimize use of passwords and tokens for all administration
  • Agencies should eliminate duplicative infrastructure to reduce or eliminate the costs associated with expired/forgotten passwords
  • Eliminate application-specific password tokens
  • Enable applications to accept the PIV card for federal employees and contractors
7. Align with Executive Priorities
• IT Reform
  • OMB mandates coordinated through the CIO Council
  • 25 Point execution plan
• FDCCI (Federal Data Center Consolidation Initiative)
  • CIO Council program aligned with OMB requirements
  • Must report FY progress
  • Four primary goals: reduce costs, increase security, increase efficiency, reduce energy consumption
• Cloud Computing Strategy “Cloud First”
  • Efficiency, agility and innovation
  • Accelerate FDCCI
  • FedRAMP
9. Problems We Solve…
• Eliminate
  • Risk of privileged access through anonymous shared accounts
  • Expense of redundant administrative access solutions
  • Complication of ineffective homegrown solutions
• Enable
  • Enterprise PIV Level 4 credential for privileged access
  • Centralized policy management and compliance reporting for privileged users
  • “New Enterprise” support for legacy IT, data center, private and public cloud
• Move Forward
  • Rapid deployment
  • OMB mandated compliance, DoD policy, and FISMA required security controls
  • Supports emerging Continuous Monitoring requirements
10. Department of Homeland Security
Problem: Consolidate and grant secure access to geographically dispersed data centers
• centralize access control across agencies with distinct missions
• ensure contained and auditable access
• meet federal compliance requirements (FDCC/FISMA)
Results: Control over privileged users and critical infrastructure and assets
• tight control over who gets access to what, when and for how long
• contain users from the 21 component agencies to authorized systems only
• audit quality logging for compliance
“With Xceedium GateKeeper we have an all-in-one solution for these higher risk users which gives us the peace of mind that we are meeting our objectives to safeguard our network and the sensitive information it contains.”
Security Expert at DHS
11. Use Case - DHS
Privileged user groups: IT Admins, Elevated Risk users, Applications
• Single point for management and cloud entry
• PIV-to-Shared identity resolution (OMB-11-11)
• Security Controls (NIST 800-53)
• Continuous Monitoring
• LDAP/AD component support
• Virtual private cloud management network
12. Xceedium Unveils Xsuite Cloud for Amazon Web Services
AWS Security Solution Provider Delivers Comprehensive Privileged Identity and Access Management Solution for the New Enterprise
13. Privileged Identity & Access Management for the New Enterprise
[Diagram: Traditional Data Center; Private Cloud (Virtual Management Console); Public Cloud (AWS Management Console)]
• Single Scalable Platform
• Comprehensive Zero Trust Controls
• Unified Policy Management
14. Two Form Factors
[Diagram: Physical Appliance and Amazon Machine Image (AMI), each covering Traditional Data Center, Private Cloud (Virtual Management Console) and Public Cloud (AWS Management Console)]
15. Security Across AWS Regions & AWS Management Console
[Diagram: AWS Regions (GovCloud, AWS Classic Cloud) with Admin Accounts; AWS Management Console with Master AWS Admin Account]
16. Tight Integration, Public Sector Ready
Integration:
• Via AWS SDKs/AWS APIs
• Integration with AWS Management Console (via API)
• AWS Identity and Access Management (via API)
• Support for AWS VPC
• AMI based solution option
• AWS S3-based storage option for Xsuite log-files and session recordings
Public Sector Ready:
• FIPS compliant
• PIV/CAC smart card authentication across enterprise systems, AWS Management Console and EC2 Instances
• AWS GovCloud Support
18. Contact Us
2214 Rock Hill Road, Suite 100
Herndon, VA 20170
Phone: 866-636-5803
Email: info@xceedium.com
Twitter: @Xceedium
Facebook: www.facebook.com/xceedium
Editor's Notes
Ken Ammon, Chief Strategy Officer for Xceedium. [BLACKHAT joke]
Security software company providing a Privileged Access Control solution. Later in the presentation I’ll provide additional color on Privileged Identity and Access and zero trust. Our product is named Xsuite, and we are now offering Xsuite Cloud. We support both commercial and government customers. We have headquarters in Herndon, VA and development in New Jersey and Ottawa, Canada. We maintain FIPS 140-2, Common Criteria EAL4+, and status on the DISA UC-APL.
Our customers include some of the most notable commercial brands in the world and important US and international government agencies.
Start off with an explanation of Privileged Identity and Access Management's application within the federal market. Privileged users are classified into three groups: IT administrators; users with elevated-risk access, such as foreign nationals; and applications which operate with elevated privilege and require embedded credentials. Controls, policy and risk management guidance are addressed in documents such as DoD policy, the 2011 FISMA report, where use of shared accounts is listed as the critical area in most need of improvement, and NIST 800-53, which requires a broad set of controls to manage the risk of privileged users and
In order to gain access, these privileged users require credentials such as passwords, tokens and certificates. Proper management of these credentials is essential, and pressure continues to mount to fully deploy HSPD-12 compliant credentials. NIST defines four levels of credential and provides guidelines for applying them based upon risk. The recent revised draft of FIPS 201-2 provides details for compliant PIV credentials. These credentials are necessary for contractors and government employees.
Given the elevated risk posed by privileged users and the credentials which enable them, we have excellent alignment with ICAM guidance and framework to enable Level 4 PIV access for privileged users while eliminating flawed password management implementations. In addition, we support the securing of credentials at rest within privileged applications.
IT executive priorities demand the adoption of new computing models. IT reform aligns with austerity, and Federal Data Center consolidation, virtualization and the Cloud First strategy have become the poster child for reducing spend. Implementation requires not sacrificing on security or introducing additional cost and complexity: flexibility, simplicity, cost and scale.
Xceedium provides Xsuite and Xsuite Cloud to meet the New Enterprise challenge.
We eliminate anonymous shared accounts; expensive, redundant and non-compliant token-based systems; and complicated and ineffective homegrown solutions such as jump-box solutions. We enable Level 4 PIV credentials for privileged access through our centrally managed and highly scalable system, all the while enabling ease of management in the new enterprise. Move forward by empowering our customers to move forward with rapid deployment of private and public cloud solutions while meeting key mandates, policies and NIST controls.
We have been fortunate to develop our core product alongside the evolution of customers such as the Department of Homeland Security. Within DHS, our privileged user Level 4 PIV integration was largely driven by FDCCI requirements, which led to the development of an enterprise-wide private cloud. Our system provides a single point of policy management within the private cloud and component systems. Our DVR-like monitoring and audit enable rapid response to violations of policy and reporting for continuous monitoring compliance.
Xceedium's experience working with DHS was instrumental in preparing us to extend our offering into the public cloud, and we have been fortunate enough to work with Amazon Web Services cloud solution architects along the way. Xceedium now extends flexibility to our customers with choices of on-prem or off-prem credential management and privileged access with Level 4 PIV card access. Xceedium in combination with FedRAMP controls enables a zero-trust model where all privileged access is monitored and recorded.
We worked with the AWS team for over 9 months and took advantage of the great APIs to enable our solution.
New enterprise and zero trust. Xsuite Cloud provides a single, unified policy management capability across protected nodes regardless of where these nodes live. Zero Trust Controls include:
• Vault Passwords – The first step is to change and vault critical passwords (so they don’t show up in spreadsheets) and so privileged users no longer have direct and uncontrolled access to devices through the network or by walking up to the system. This also keeps passwords and credentials off end devices and away from malware and APTs that are looking to steal them.
• Positively ID and Authenticate User – The user logs onto the system, forcing a positive user identification. The system supports integration with directories, single sign-on and two-factor ID/authentication systems.
• Control Access (White List) – The user is presented a list of ONLY the servers and network devices they are explicitly authorized to access and the methods they can use to access the devices. They don’t see others.
• Monitor/Record – All activities are logged, and the policy can be set to record the session.
• Filter Commands – The commands the user is enabled to perform can be constrained as required via a white list (allowed) or blacklist (disallowed).
• Prevent Leapfrogging – “Contain the user”: prevent the user from jumping from an authorized device to unauthorized devices, for example using “RDP hopping” or SSH.
• Attributed Identity When Using Shared Accounts – Even though the user may be logged into a shared account, for example as “root”, Xsuite knows exactly which user is logged in and using the account and what they are doing (no anonymous activity permitted).
• Log Everything – All of this activity is logged in tamper-proof log files. Session recordings can be reviewed through DVR or TiVo-style replay capability, with skip-ahead to tags indicating where a policy violation occurred.
• Alert on Policy Violations – Ensure the Security Operations Center and other key people are alerted to policy violations or attempted policy violations, e.g. via email, SIEM/log file integration or SNMP trap.
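To make the control list above concrete, here is an added Python model of a privileged-access gateway that ties several of those controls together: positive authentication, a per-user white list of hosts and access methods, attributed identity for a shared account, command white/black lists, leapfrog prevention, alerting, and a tamper-evident log. This is illustrative code written for this page, not Xceedium's or Xsuite's implementation. The class names, the sample user "alice", the hosts, the command patterns and the hash-chained log format are all constructed assumptions; a hash chain is one common way to make an audit log tamper-evident, and nothing here describes how Xsuite actually stores its logs.

```python
"""Toy privileged-access gateway modelling the zero-trust controls listed above.
Constructed example, not Xceedium/Xsuite code: names, hosts and commands are made up."""
import hashlib
import json
import re
from dataclasses import dataclass, field


@dataclass
class Policy:
    targets: dict      # host -> list of allowed access methods (the white list)
    account: str       # shared account the user lands in on the target, e.g. "root"
    allow_cmds: list   # command regexes explicitly allowed (white list); empty = no restriction
    deny_cmds: list    # command regexes explicitly disallowed (blacklist)


@dataclass
class Session:
    user: str          # positively identified real user (attributed identity)
    host: str
    method: str
    account: str


@dataclass
class Gateway:
    policies: dict
    log: list = field(default_factory=list)     # hash-chained records
    alerts: list = field(default_factory=list)  # (user, reason) pairs a SOC would receive
    _prev: str = "0" * 64                       # chain anchor for the first record

    # Assumed command shapes for onward hops: "ssh user@host", "rdp host", "telnet host".
    LEAPFROG = re.compile(r"^\s*(ssh|rdp|telnet)\s+(?:\S+@)?(\S+)")

    def _record(self, **event):
        """Log everything: each record embeds the hash of the previous record."""
        event["seq"] = len(self.log)
        event["prev"] = self._prev
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256(body.encode()).hexdigest()
        self.log.append({"body": body, "hash": digest})
        self._prev = digest

    def verify_log(self):
        """Recompute the chain; an edited, reordered or deleted record breaks it."""
        prev = "0" * 64
        for rec in self.log:
            if json.loads(rec["body"])["prev"] != prev:
                return False
            if hashlib.sha256(rec["body"].encode()).hexdigest() != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

    def _alert(self, user, reason):
        self.alerts.append((user, reason))
        self._record(kind="alert", user=user, reason=reason)

    def targets_for(self, user):
        """Control Access: the user is shown only hosts and methods they are authorized for."""
        return dict(self.policies[user].targets) if user in self.policies else {}

    def open_session(self, user, mfa_ok, host, method):
        """Positive ID (here: a second-factor flag) plus white-list check.
        The shared account on the target is attributed to the real user in the log."""
        if user not in self.policies or not mfa_ok:
            self._alert(user, "authentication failed")
            return None
        pol = self.policies[user]
        if method not in pol.targets.get(host, ()):
            self._alert(user, f"unauthorized access attempt to {host} via {method}")
            return None
        self._record(kind="session_open", user=user, host=host, method=method, account=pol.account)
        return Session(user, host, method, pol.account)

    def run(self, session, command):
        """Filter Commands and Prevent Leapfrogging; returns (allowed, reason)."""
        pol = self.policies[session.user]
        hop = self.LEAPFROG.match(command)
        if hop and hop.group(2) not in pol.targets:
            verdict = (False, f"leapfrog to unauthorized host {hop.group(2)}")
        elif any(re.search(p, command) for p in pol.deny_cmds):
            verdict = (False, "command on blacklist")
        elif pol.allow_cmds and not any(re.search(p, command) for p in pol.allow_cmds):
            verdict = (False, "command not on white list")
        else:
            verdict = (True, "ok")
        # Attributed identity: the record names the real user, not only the shared account.
        self._record(kind="command", user=session.user, account=session.account,
                     host=session.host, command=command, allowed=verdict[0], reason=verdict[1])
        if not verdict[0]:
            self._alert(session.user, f"{verdict[1]} on {session.host}: {command}")
        return verdict


def demo():
    """Constructed walk-through: one admin, two white-listed hosts, a blacklisted command,
    a leapfrog attempt, a denied session, and a tampered log record."""
    gw = Gateway(policies={"alice": Policy(
        targets={"db01": ["ssh"], "web01": ["ssh", "rdp"]},
        account="root",
        allow_cmds=[r"^systemctl (status|restart) ", r"^tail ", r"^ssh "],
        deny_cmds=[r"^rm -rf /", r"\bshutdown\b"],
    )})
    visible = gw.targets_for("alice")
    s = gw.open_session("alice", mfa_ok=True, host="db01", method="ssh")
    results = [
        gw.run(s, "systemctl status postgresql")[0],   # allowed by white list
        gw.run(s, "shutdown -h now")[0],               # denied: blacklist
        gw.run(s, "ssh root@hr-payroll")[0],           # denied: leapfrog to unauthorized host
        gw.run(s, "ssh root@web01")[0],                # allowed: web01 is on the white list
    ]
    denied = gw.open_session("alice", mfa_ok=True, host="hr-payroll", method="ssh")
    intact = gw.verify_log()
    gw.log[1]["body"] = gw.log[1]["body"].replace("postgresql", "httpd")  # simulate tampering
    return visible, results, denied, intact, gw.verify_log(), len(gw.alerts)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the white-listed command and the hop to an authorized host succeeding, the blacklisted and leapfrog commands being refused with an alert each, the session to an unlisted host being refused with a third alert, and the log verifying before the edit and failing afterwards. Every command record carries both the real user and the shared account, which is what makes a shared "root" login attributable.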
Xsuite Cloud is a superset of Xceedium’s Xsuite product and will be delivered in two form factors: 1) a physical appliance, with all hardware/software installed and supported; 2) an Amazon Machine Image (AMI), the entire software stack (operating system, Xsuite Cloud platform) on an AMI that can be run on an Amazon EC2 instance. Existing Xsuite customers can upgrade their current Xsuite appliance to Xsuite Cloud.
Xsuite Cloud protects nodes in all key AWS Regions: AWS Public Cloud, AWS GovCloud and AWS Virtual Private Cloud. Xsuite also provides security and separation of duties for the AWS Management Console. The AWS Management Console is the “superuser” account for AWS that enables customers to make changes that can have a financial or operational impact across the full complement of AWS services (e.g., EC2, S3 storage, VPC, etc.):
• Adding/deleting EC2 instances
• Performing actions on running EC2 instances
• Adding S3 storage capacity
• Configuring Elastic Beanstalk to auto deploy/load balance resources
• Etc.
Xceedium has worked over 9 months with the AWS team. Our experience working with AWS APIs was exceptional, and all of the necessary functionality was intuitive and well documented. All of which enabled us to release a public sector ready GovCloud solution. The following movie provides an overview of our product and the features available to support public sector adoption of the Amazon Web Services public cloud.