SlideShare uma empresa Scribd logo

Securing DevOps through Privileged Access Management

BeyondTrust
BeyondTrust

In this presentation from the webinar of Security MVP and Microsoft Security Trusted Advisor, Paula Januszkiewicz,get an overview of how privileged access management can help balance DevOps’ need for agility and speed with IT security’s need for visibility, access management, and compliance. Key use cases covered include: • Network Segmentation: Grouping assets, including application and resource servers, into logical units that do not trust one another • Enforcing Appropriate Use of Credentials: IT organizations can leverage these controls to limit lateral movement in the case of a compromise and to provide a secure audit trail • Elimination of Hard-Coded Passwords: Removing hardcoded passwords in DevOps tool configurations, build scripts, code files, test builds, production builds, etc. You can watch the full, on-demand webinar here: https://www.beyondtrust.com/resources/webinar/securing-devops-privileged-access-management/

Software
1 de 39
Baixar para ler offline
Securing DevOps through Privileged Access Management @paulacqure @CQUREAcademy CONSULTING Paula Januszkiewicz CQURE: CEO, Penetration Tester; Security Expert CQURE Academy: Trainer MVP: Enterprise Security, MCT www.cqureacademy.com paula@cqure.us
What does CQURE Team do? Consulting services  High quality penetration tests with useful reports Applications Websites External services (edge) Internal services + configuration reviews  Incident response emergency services – immediate reaction!  Security architecture and design advisory  Forensics investigation  Security awareness For management and employees info@cqure.us Trainings  Security Awareness trainings for executives  CQURE Academy: over 40 advanced security trainings for IT Teams  Certificates and exams  Delivered all around the world only by a CQURE Team: training authors
Overly simple passwords and security questions Key learning points: ✓ Almost always there are passwords reused ✓ Almost always (ekhm… always) there is some variant of company name and some number (year, month etc.) ✓ It makes sense to check for obvious passwords and continuously deliver security awareness campaigns Typical password locations NTDS.dit, SAM Configuration files Registry Memory dumps, Hiberfil.sys Databases (DPAPI ?)
No network segmentation Key learning points: ✓ ✓ ✓ ✓ ✓ x x x No-brainer or unseen network security threat?
Lack of SMB Signing (or alternative) Key learning points: ✓ Set SPNs for services to avoid NTLM: SetSPN –L <your service account for AGPM/SQL/Exch/Custom> SetSPN –A Servicename/FQDN of hostname/FQDN of domain domainserviceaccount ✓ Reconsider using Kerberos authentication all over https://technet.microsoft.com/en-us/library/jj865668.aspx ✓ Require SPN target name validation Microsoft network server: Server SPN target name validation level ✓ Reconsider turning on SMB Signing ✓ Reconsider port filtering ✓ Reconsider code execution prevention but do not forget that this attack leverages administrative accounts
Allowing unusual code execution Key learning points: Common file formats containing malware are: ✓ .exe (Executables, GUI, CUI, and all variants like SCR, CPL etc) ✓ .dll (Dynamic Link Libraries) ✓ .vbs (Script files like JS, JSE, VBS, VBE, PS1, PS2, CHM, BAT, COM, CMD etc) ✓ .docm, .xlsm etc. (Office Macro files) ✓ .other (LNK, PDF, PIF, etc.) If SafeDllSearchMode is enabled, the search order is as follows: 1. The directory from which the application loaded 2. The system directory 3. The 16-bit system directory 4. The Windows directory 5. The current directory 6. The directories that are listed in the PATH environment variable
No whitelisting on board Key learning points: ✓ ✓ ✓ ✓ x ✓ ✓
Old protocols or their default settings
Trusting solutions without knowing how to break them Key learning points: ✓ The best operators won't use a component until they know how it breaks. ✓ Almost each solution has some ‘backdoor weakness’ ✓ Some antivirus solutions can be stopped by SDDL modification for their services ✓ Configuration can be monitored by Desired State Configuration (DSC) ✓ DSC if not configured properly will not be able to spot internal service configuration changes Example: how to I get to the password management portal?
Misusing service accounts + privileged accounts Key learning points: ✓ gMSA can also be used for the attack ✓ Service accounts’ passwords are in the registry, available online and offline ✓ A privileged user is someone who has administrative access to critical systems ✓ Privileged users have sometimes more access than we think (see: SeBackupRead privilege or SeDebugPrivilege) ✓ Privileged users have possibility to read SYSTEM and SECURITY hives from the registry Warning! Enabling Credential Guard blocks: x Kerberos DES encryption support x Kerberos unconstrained delegation x Extracting the Kerberos TGT x NTLMv1
Falling for hipster tools Key learning points: ✓ Worldwide spending on information security is expected to reach $90 billion in 2017, an increase of 7.6 percent over 2016, and to top $113 billion by 2020, according to advisory firm Gartner ✓ With increasing budget the risk of possessing hipster tools increases too – do we know where these tools come from and what are their security practices? ✓ Lots of solutions where not created according to the good security practices (backup software running as Domain Admin etc.) ✓ Each app running in the user’s context has access to secrets of other apps – Data Protection API ✓ Case of CCleaner
BeyondTrust VirtualCloud & DevOps Martin Cannard – Product Manager
The Cyber Attack Chain – Where is the Risk? Vulnerable Assets & Users Unmanaged Credentials Excessive Privileges Limited Visibility of compromises used definable patterns established as early as 2014.188% of data breaches involve the use or abuse of privileged credentials on the endpoint.2 80% average days to detect a data breach.3206 1Verizon 2017 Data Breach Investigations Report 2Forrester Wave: Privileged Identity Management, Q3 2016 3Ponemon 2017 Cost of a Data Breach Study
The Cyber Attack Chain – Getting More Complex Virtual & Cloud IoT DevOps Connected Systems growth of hybrid cloud adoption in the last year, increasing from 19% to 57% of organizations surveyed.1 3X billion connected things will be in use worldwide in by 2020, according to Gartner. 2 20.4 of organizations implementing DevOps – it has reached “Escape Velocity.”350% 1Forbes 2017 State of Cloud Adoption & Security 2Gartner Press Release, Gartner Says 8.4 Billion Connected “Things” Will Be in Use in 2017, Up 31% From 2016, Feb 7, 2017 3Forrester Q1 2017 Global DevOps Benchmark Online Survey
Our Mission: Stop Privilege Abuse. Prevent Breaches. • Reduce attack surfaces by eliminating credential sharing, enforcing least privilege, and prioritizing and patching system vulnerabilities • Monitor and audit sessions for unauthorized access, changes to files and directories, and compliance • Analyze behavior to detect suspicious user, account and asset activity
Cloud Cloud Management Platforms (AWS, Azure) SaaS Applications (Facebook, LinkedIn, Custom) Hybrid Cloud Virtualized Environments (VMWare, MSFT) Virtualized Machines (UNIX, Linux, Windows) IoT Roaming workstations BYOD Cameras Sensors Printers DevOps DevOps Tools Dynamic Virtual Environments Containers Microservices On-Premise Shared Administrator & Machine Accounts Desktops and Servers (Windows, Mac, Unix, Linux) Security & Network Infrastructures & Industrial Control Systems Apps, Databases & Servers Hypervisors & Virtual Machine Privilege Management – The New Perimeter
Cloud Hybrid Cloud IoT DevOps On-Premise Privilege Management – The New Perimeter Reduce Insider Threats • Discover, manage & monitor all privileged accounts & keys • Enforce least privilege across all Windows, Mac, Unix, Linux and network endpoints • Gain control and visibility over privileged activities Stop External Hacking • Discover network, web, mobile, cloud and virtual infrastructure • Remediate vulnerabilities through prescriptive reporting • Protect endpoints against client-side attacks Reveal Hidden Threats • Aggregate users & asset data to baseline and track behavior • Correlate diverse asset, user & threat activity to reveal critical risks • Dynamically adjust access policies based on user and asset risk
Into the Cloud Connector Framework: Industry unique connector technology to enumerate instances in the cloud and virtually instantiated for management. • Amazon AWS • Microsoft Azure • Vmware • Hyper-V • IBM SmartCloud • Go Grid • Rackspace • Google Cloud
In the Cloud • Cloud Ready Agents: UnixLinuxWindowsMac Agents • Cloud Ready Communications: Agents to Console • Cloud Ready API: Public Password Safe API • Dynamic Licensing: High watermark based licensing • MSP & Multi-tenant Platform: Managed Service Provider Ready
From the Cloud • Market Place Apps: Amazon AWS AMI, Microsoft Azure, & Google and Oracle (Later this year) • Cloud Offerings (SaaS) • BeyondSaaS – Vulnerability Assessment, Web Application Scanning, Privilege Cloud Management • PowerBroker Cloud Privilege Manager (Coming soon)
DevOps & PAM: Challenges 1. Inventory of DevOps Assets & Activity 2. Asset vulnerabilities across dev, test, production 3. Hard Coded Passwords in scripts & orchestration 4. Shared Accounts with limited accountability 5. Excessive Privileges on test and production systems 6. Attackers targeting developer workstations 7. Lack of boundary controls between dev, test & production 8. Scale and dynamic nature of the environment
DevOps & PAM: Challenges Privilege Risk DevOps Adoption Physical Application Admins Privileged End Users Developers Machine Password & Keys Shared Administrator Accounts Desktops (Windows, Mac) Servers (Unix, Linux, Windows) Industrial Control Systems Security Infrastructure Network Infrastructure SaaS Applications & Administrators Applications & Application Servers Databases & Database Servers Machine Credentials (AtoA) System & App Session Management Virtualized Hypervisor & CMP Administrators Hypervisor & CMP Access Policies Hypervisor & CMP Session Mgmt. Application Admins Privileged End Users Developers Machine Password & Keys Shared Administrator Accounts Desktops (Windows, Mac) Servers (Unix, Linux, Windows) Industrial Control Systems Security Infrastructure Network Infrastructure SaaS Applications & Administrators Applications & Application Servers Databases & Database Servers Machine Credentials (AtoA) System & App Session Management Containers & Microservices Container & MS Session Admins Container & MS Policy Mgmt. Container & MS Session Mgmt. Hypervisor & CMP Administrators Hypervisor & CMP Access Policies Hypervisor & CMP Session Mgmt. Application Admins Privileged End Users Developers Machine Password & Keys Shared Administrator Accounts Desktops (Windows, Mac) Servers (Unix, Linux, Windows) Industrial Control Systems Security Infrastructure Network Infrastructure SaaS Applications & Administrators Applications & Application Servers Databases & Database Servers Machine Credentials (AtoA) System & App Session Management (CMP) Cloud Management Platform (MS) Microservice
DevOps & PAM: Best Practices DISCOVER & INVENTORY GAIN ACCOUNTABILITY OVER SHARED ACCOUTS ELIMINATE HARD- CODED PASSWORDS RESTRICT PRIVILEGES SCAN FOR VULNERABILITIES ENSURE CONFIG- URATION COMPLIANCE ENFORCE APPROPRIATE CREDENTIAL USAGE SEGMENT NETWORKS
DevOps & PAM: Best Practices GAIN ACCOUNTABILITY OVER SHARED ACCOUTS ELIMINATE HARD- CODED PASSWORDS RESTRICT PRIVILEGES SCAN FOR VULNERABILITIES ENSURE CONFIG- URATION COMPLIANCE ENFORCE APPROPRIATE CREDENTIAL USAGE SEGMENT NETWORKS DISCOVER & INVENTORY Continuous discovery of assets across physical, virtual and cloud environments.
DevOps & PAM: Best Practices DISCOVER & INVENTORY GAIN ACCOUNTABILITY OVER SHARED ACCOUTS ELIMINATE HARD- CODED PASSWORDS RESTRICT PRIVILEGES ENSURE CONFIG- URATION COMPLIANCE ENFORCE APPROPRIATE CREDENTIAL USAGE SEGMENT NETWORKS SCAN FOR VULNERABILITIES Continuous vulnerability assessment and remediation guidance of the infrastructure and code/builds across physical, virtual and cloud environments.
DevOps & PAM: Best Practices DISCOVER & INVENTORY GAIN ACCOUNTABILITY OVER SHARED ACCOUTS ELIMINATE HARD- CODED PASSWORDS RESTRICT PRIVILEGES SCAN FOR VULNERABILITIES ENFORCE APPROPRIATE CREDENTIAL USAGE SEGMENT NETWORKS ENSURE CONFIGURATION COMPLIANCE Continuous configuration and hardening baseline scanning across servers and code/builds across physical, virtual and cloud deployed assets. Ensure configurations are consistent and properly hardened across the entire devops lifecycle.
DevOps & PAM: Best Practices DISCOVER & INVENTORY ELIMINATE HARD- CODED PASSWORDS RESTRICT PRIVILEGES SCAN FOR VULNERABILITIES ENSURE CONFIG- URATION COMPLIANCE ENFORCE APPROPRIATE CREDENTIAL USAGE SEGMENT NETWORKS GAIN ACCOUNTABILITY OVER SHARED ACCOUTS Control and audit access to shared accounts and ensure that all audited activity is associated with a unique identity. Include developer access to source control, devops tools, test servers, production builds Ensure that all passwords are properly managed and rotated across the devops environment.
DevOps & PAM: Best Practices DISCOVER & INVENTORY GAIN ACCOUNTABILITY OVER SHARED ACCOUTS RESTRICT PRIVILEGES SCAN FOR VULNERABILITIES ENSURE CONFIG- URATION COMPLIANCE ENFORCE APPROPRIATE CREDENTIAL USAGE SEGMENT NETWORKS ELIMINATE HARD-CODED PASSWORDS Control scripts, files, code, embedded application credentials and hard-coded passwords. Remove hardcoded passwords in devops tool configurations, build scripts, code files, test builds, production builds, and more.
DevOps & PAM: Best Practices DISCOVER & INVENTORY GAIN ACCOUNTABILITY OVER SHARED ACCOUTS ELIMINATE HARD- CODED PASSWORDS RESTRICT PRIVILEGES SCAN FOR VULNERABILITIES ENSURE CONFIG- URATION COMPLIANCE SEGMENT NETWORKS ENFORCE APPROPRIATE CREDENTIAL USAGE Eliminate administrator privileges on end- user machines Securely store privileged credentials Require a simple workflow process for check-out, and monitor privileged sessions.
DevOps & PAM: Best Practices DISCOVER & INVENTORY GAIN ACCOUNTABILITY OVER SHARED ACCOUTS ELIMINATE HARD- CODED PASSWORDS RESTRICT PRIVILEGES SCAN FOR VULNERABILITIES ENSURE CONFIG- URATION COMPLIANCE ENFORCE APPROPRIATE CREDENTIAL USAGE SEGMENT NETWORKS Group assets into logical units Reduce “line of sight” access Utilize a secured jump server with MFA, adaptive access and session monitoring Segment access based on context of the user, role, app and data being requested.
DevOps & PAM: Best Practices DISCOVER & INVENTORY GAIN ACCOUNTABILITY OVER SHARED ACCOUTS ELIMINATE HARD- CODED PASSWORDS SCAN FOR VULNERABILITIES ENSURE CONFIG- URATION COMPLIANCE ENFORCE APPROPRIATE CREDENTIAL USAGE SEGMENT NETWORKS RESTRICT PRIVILEGES Target environments Development workstations Containers
BeyondTrust Secures DevOps DISCOVER & INVENTORY GAIN ACCOUNTABILITY OVER SHARED ACCOUTS ELIMINATE HARD- CODED PASSWORDS RESTRICT PRIVILEGES SCAN FOR VULNERABILITIES ENSURE CONFIG- URATION COMPLIANCE ENFORCE APPROPRIATE CREDENTIAL USAGE SEGMENT NETWORKS POWERBROKER Single Platform that Unites DevOps Security Retina Vulnerability Management PowerBroker Password Safe PowerBroker Desktop & Server Privilege Management Retina Vulnerability Management Retina Vulnerability Management PowerBroker Password Safe PowerBroker Password Safe PowerBroker Password Safe POWERBROKER Single Platform that Unites DevOps Security
Why BeyondTrust? The PAM Industry Leader Leader: Forrester PIM Wave, 2016 Leader: Gartner Market Guide for PAM, 2017
DEMO
Poll + Q&A Thank you for attending!

Recomendados

Identity and Access Management Introduction
Identity and Access Management IntroductionIdentity and Access Management Introduction
Identity and Access Management Introduction
Aidy Tificate
 
SSO Strategy Implementation Considerations
SSO Strategy Implementation ConsiderationsSSO Strategy Implementation Considerations
SSO Strategy Implementation Considerations
John Bauer
 
Identity and access management
Identity and access managementIdentity and access management
Identity and access management
Piyush Jain
 
Identity and Access Management
Identity and Access ManagementIdentity and Access Management
Identity and Access Management
Prashanth BS
 
Azure Security Center- Zero to Hero
Azure Security Center- Zero to HeroAzure Security Center- Zero to Hero
Azure Security Center- Zero to Hero
Kasun Rajapakse
 
Single Sign On - The Basics
Single Sign On - The BasicsSingle Sign On - The Basics
Single Sign On - The Basics
Ishan A B Ambanwela
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki
 
Building Your Roadmap Sucessful Identity And Access Management
Building Your Roadmap Sucessful Identity And Access ManagementBuilding Your Roadmap Sucessful Identity And Access Management
Building Your Roadmap Sucessful Identity And Access Management
Government Technology Exhibition and Conference
 

Recomendados

Identity and Access Management Introduction
Identity and Access Management IntroductionIdentity and Access Management Introduction
Identity and Access Management Introduction
Aidy Tificate
 
SSO Strategy Implementation Considerations
SSO Strategy Implementation ConsiderationsSSO Strategy Implementation Considerations
SSO Strategy Implementation Considerations
John Bauer
 
Identity and access management
Identity and access managementIdentity and access management
Identity and access management
Piyush Jain
 
Identity and Access Management
Identity and Access ManagementIdentity and Access Management
Identity and Access Management
Prashanth BS
 
Azure Security Center- Zero to Hero
Azure Security Center- Zero to HeroAzure Security Center- Zero to Hero
Azure Security Center- Zero to Hero
Kasun Rajapakse
 
Single Sign On - The Basics
Single Sign On - The BasicsSingle Sign On - The Basics
Single Sign On - The Basics
Ishan A B Ambanwela
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki
 
Building Your Roadmap Sucessful Identity And Access Management
Building Your Roadmap Sucessful Identity And Access ManagementBuilding Your Roadmap Sucessful Identity And Access Management
Building Your Roadmap Sucessful Identity And Access Management
Government Technology Exhibition and Conference
 
Identity & access management
Identity & access managementIdentity & access management
Identity & access management
Vandana Verma
 
Azure Identity and access management
Azure Identity and access managementAzure Identity and access management
Azure Identity and access management
Dinusha Kumarasiri
 
SOAR and SIEM.pptx
SOAR and SIEM.pptxSOAR and SIEM.pptx
SOAR and SIEM.pptx
Ajit Wadhawan
 
External collaboration with Azure B2B
External collaboration with Azure B2B External collaboration with Azure B2B
External collaboration with Azure B2B
Sjoukje Zaal
 
5. Identity and Access Management
5. Identity and Access Management5. Identity and Access Management
5. Identity and Access Management
Sam Bowne
 
Token, token... From SAML to OIDC
Token, token... From SAML to OIDCToken, token... From SAML to OIDC
Token, token... From SAML to OIDC
Shiu-Fun Poon
 
Identity and Access Management 101
Identity and Access Management 101Identity and Access Management 101
Identity and Access Management 101
Jerod Brennen
 
Role based access control - RBAC
Role based access control - RBACRole based access control - RBAC
Role based access control - RBAC
Ajit Dadresa
 
SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM Architecture
Nishanth Kumar Pathi
 
SSO introduction
SSO introductionSSO introduction
SSO introduction
Aidy Tificate
 
Identity Governance: Not Just For Compliance
Identity Governance: Not Just For ComplianceIdentity Governance: Not Just For Compliance
Identity Governance: Not Just For Compliance
IBM Security
 
Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler
Role Discovery and RBAC Design: A Case Study with IBM Role and Policy ModelerRole Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler
Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler
Prolifics
 
Hacking identity: A Pen Tester's Guide to IAM
Hacking identity: A Pen Tester's Guide to IAMHacking identity: A Pen Tester's Guide to IAM
Hacking identity: A Pen Tester's Guide to IAM
Jerod Brennen
 
Domain 5 - Identity and Access Management
Domain 5 - Identity and Access Management Domain 5 - Identity and Access Management
Domain 5 - Identity and Access Management
Maganathin Veeraragaloo
 
Adopting HashiCorp Vault
Adopting HashiCorp VaultAdopting HashiCorp Vault
Adopting HashiCorp Vault
Nicolas Corrarello
 
How to deploy Exchange Online Protection
How to deploy Exchange Online ProtectionHow to deploy Exchange Online Protection
How to deploy Exchange Online Protection
Peter Schmidt
 
Cybersecurity Insiders Webinar - Zero Trust: Best Practices for Securing the...
Cybersecurity Insiders Webinar - Zero Trust: Best Practices for Securing the...Cybersecurity Insiders Webinar - Zero Trust: Best Practices for Securing the...
Cybersecurity Insiders Webinar - Zero Trust: Best Practices for Securing the...
Ivanti
 
Single Sign-On Best Practices
Single Sign-On Best PracticesSingle Sign-On Best Practices
Single Sign-On Best Practices
Salesforce Developers
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0
Mika Koivisto
 
Identity & Access Management by K. K. Mookhey
Identity & Access Management by K. K. MookheyIdentity & Access Management by K. K. Mookhey
Identity & Access Management by K. K. Mookhey
Network Intelligence India
 
Avoiding the 10 Deadliest and Most Common Sins for Securing Windows
Avoiding the 10 Deadliest and Most Common Sins for Securing WindowsAvoiding the 10 Deadliest and Most Common Sins for Securing Windows
Avoiding the 10 Deadliest and Most Common Sins for Securing Windows
BeyondTrust
 
Build Security into the Software with Sparrow
Build Security into the Software with SparrowBuild Security into the Software with Sparrow
Build Security into the Software with Sparrow
Jason Sohn
 

Mais conteúdo relacionado

Mais procurados

Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler
Role Discovery and RBAC Design: A Case Study with IBM Role and Policy ModelerRole Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler
Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler
Prolifics
 
Cybersecurity Insiders Webinar - Zero Trust: Best Practices for Securing the...
Cybersecurity Insiders Webinar - Zero Trust: Best Practices for Securing the...Cybersecurity Insiders Webinar - Zero Trust: Best Practices for Securing the...
Cybersecurity Insiders Webinar - Zero Trust: Best Practices for Securing the...
Ivanti
 

Mais procurados (20)

Identity & access management
Identity & access managementIdentity & access management
Identity & access management
 
Azure Identity and access management
Azure Identity and access managementAzure Identity and access management
Azure Identity and access management
 
SOAR and SIEM.pptx
SOAR and SIEM.pptxSOAR and SIEM.pptx
SOAR and SIEM.pptx
 
External collaboration with Azure B2B
External collaboration with Azure B2B External collaboration with Azure B2B
External collaboration with Azure B2B
 
5. Identity and Access Management
5. Identity and Access Management5. Identity and Access Management
5. Identity and Access Management
 
Token, token... From SAML to OIDC
Token, token... From SAML to OIDCToken, token... From SAML to OIDC
Token, token... From SAML to OIDC
 
Identity and Access Management 101
Identity and Access Management 101Identity and Access Management 101
Identity and Access Management 101
 
Role based access control - RBAC
Role based access control - RBACRole based access control - RBAC
Role based access control - RBAC
 
SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM Architecture
 
SSO introduction
SSO introductionSSO introduction
SSO introduction
 
Identity Governance: Not Just For Compliance
Identity Governance: Not Just For ComplianceIdentity Governance: Not Just For Compliance
Identity Governance: Not Just For Compliance
 
Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler
Role Discovery and RBAC Design: A Case Study with IBM Role and Policy ModelerRole Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler
Role Discovery and RBAC Design: A Case Study with IBM Role and Policy Modeler
 
Hacking identity: A Pen Tester's Guide to IAM
Hacking identity: A Pen Tester's Guide to IAMHacking identity: A Pen Tester's Guide to IAM
Hacking identity: A Pen Tester's Guide to IAM
 
Domain 5 - Identity and Access Management
Domain 5 - Identity and Access Management Domain 5 - Identity and Access Management
Domain 5 - Identity and Access Management
 
Adopting HashiCorp Vault
Adopting HashiCorp VaultAdopting HashiCorp Vault
Adopting HashiCorp Vault
 
How to deploy Exchange Online Protection
How to deploy Exchange Online ProtectionHow to deploy Exchange Online Protection
How to deploy Exchange Online Protection
 
Cybersecurity Insiders Webinar - Zero Trust: Best Practices for Securing the...
Cybersecurity Insiders Webinar - Zero Trust: Best Practices for Securing the...Cybersecurity Insiders Webinar - Zero Trust: Best Practices for Securing the...
Cybersecurity Insiders Webinar - Zero Trust: Best Practices for Securing the...
 
Single Sign-On Best Practices
Single Sign-On Best PracticesSingle Sign-On Best Practices
Single Sign-On Best Practices
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0
 
Identity & Access Management by K. K. Mookhey
Identity & Access Management by K. K. MookheyIdentity & Access Management by K. K. Mookhey
Identity & Access Management by K. K. Mookhey
 

Semelhante a Securing DevOps through Privileged Access Management

Avoiding the 10 Deadliest and Most Common Sins for Securing Windows
Avoiding the 10 Deadliest and Most Common Sins for Securing WindowsAvoiding the 10 Deadliest and Most Common Sins for Securing Windows
Avoiding the 10 Deadliest and Most Common Sins for Securing Windows
BeyondTrust
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
BeyondTrust
 
Building your macOS Baseline Requirements MacadUK 2018
Building your macOS Baseline Requirements MacadUK 2018Building your macOS Baseline Requirements MacadUK 2018
Building your macOS Baseline Requirements MacadUK 2018
Henry Stamerjohann
 
Azure Security Overview
Azure Security OverviewAzure Security Overview
Azure Security Overview
David J Rosenthal
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
David Lindner
 
Compliance in the Cloud Using Security by Design
Compliance in the Cloud Using Security by DesignCompliance in the Cloud Using Security by Design
Compliance in the Cloud Using Security by Design
Amazon Web Services
 
Cortana Analytics Workshop: Cortana Analytics -- Security, Privacy & Compliance
Cortana Analytics Workshop: Cortana Analytics -- Security, Privacy & ComplianceCortana Analytics Workshop: Cortana Analytics -- Security, Privacy & Compliance
Cortana Analytics Workshop: Cortana Analytics -- Security, Privacy & Compliance
MSAdvAnalytics
 
(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the Cloud(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the Cloud
Amazon Web Services
 

Semelhante a Securing DevOps through Privileged Access Management (20)

Avoiding the 10 Deadliest and Most Common Sins for Securing Windows
Avoiding the 10 Deadliest and Most Common Sins for Securing WindowsAvoiding the 10 Deadliest and Most Common Sins for Securing Windows
Avoiding the 10 Deadliest and Most Common Sins for Securing Windows
 
Build Security into the Software with Sparrow
Build Security into the Software with SparrowBuild Security into the Software with Sparrow
Build Security into the Software with Sparrow
 
Fundamentals of Microsoft 365 Security , Identity and Compliance
Fundamentals of Microsoft 365 Security , Identity and ComplianceFundamentals of Microsoft 365 Security , Identity and Compliance
Fundamentals of Microsoft 365 Security , Identity and Compliance
 
Top 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth takingTop 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth taking
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
 
CSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model OverviewCSS17: Houston - Azure Shared Security Model Overview
CSS17: Houston - Azure Shared Security Model Overview
 
System Security on Cloud
System Security on CloudSystem Security on Cloud
System Security on Cloud
 
Building your macOS Baseline Requirements MacadUK 2018
Building your macOS Baseline Requirements MacadUK 2018Building your macOS Baseline Requirements MacadUK 2018
Building your macOS Baseline Requirements MacadUK 2018
 
Azure Security Overview
Azure Security OverviewAzure Security Overview
Azure Security Overview
 
GDPR Part 3: Practical Quest
GDPR Part 3: Practical QuestGDPR Part 3: Practical Quest
GDPR Part 3: Practical Quest
 
Azure Security Center
Azure Security CenterAzure Security Center
Azure Security Center
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
Data Privacy By Design with AWS
Data Privacy By Design with AWSData Privacy By Design with AWS
Data Privacy By Design with AWS
 
Protecting microservices using secure design patterns 1.0
Protecting microservices using secure design patterns 1.0Protecting microservices using secure design patterns 1.0
Protecting microservices using secure design patterns 1.0
 
IANS information security forum 2019 summary
IANS information security forum 2019 summaryIANS information security forum 2019 summary
IANS information security forum 2019 summary
 
Cloud Security for Startups - From A to E(xit)
Cloud Security for Startups - From A to E(xit)Cloud Security for Startups - From A to E(xit)
Cloud Security for Startups - From A to E(xit)
 
Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017
Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017
Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017
 
Compliance in the Cloud Using Security by Design
Compliance in the Cloud Using Security by DesignCompliance in the Cloud Using Security by Design
Compliance in the Cloud Using Security by Design
 
Cortana Analytics Workshop: Cortana Analytics -- Security, Privacy & Compliance
Cortana Analytics Workshop: Cortana Analytics -- Security, Privacy & ComplianceCortana Analytics Workshop: Cortana Analytics -- Security, Privacy & Compliance
Cortana Analytics Workshop: Cortana Analytics -- Security, Privacy & Compliance
 
(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the Cloud(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the Cloud
 

Mais de BeyondTrust

Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...
Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...
Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...
BeyondTrust
 
5 Steps to Privilege Readiness (infographic)
5 Steps to Privilege Readiness (infographic)5 Steps to Privilege Readiness (infographic)
5 Steps to Privilege Readiness (infographic)
BeyondTrust
 
Unix / Linux Privilege Management: What a Financial Services CISO Cares About
Unix / Linux Privilege Management: What a Financial Services CISO Cares AboutUnix / Linux Privilege Management: What a Financial Services CISO Cares About
Unix / Linux Privilege Management: What a Financial Services CISO Cares About
BeyondTrust
 
Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)
Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)
Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)
BeyondTrust
 
Hacker techniques for bypassing existing antivirus solutions & how to build a...
Hacker techniques for bypassing existing antivirus solutions & how to build a...Hacker techniques for bypassing existing antivirus solutions & how to build a...
Hacker techniques for bypassing existing antivirus solutions & how to build a...
BeyondTrust
 
How Federal Agencies Can Build a Layered Defense for Privileged Accounts
How Federal Agencies Can Build a Layered Defense for Privileged AccountsHow Federal Agencies Can Build a Layered Defense for Privileged Accounts
How Federal Agencies Can Build a Layered Defense for Privileged Accounts
BeyondTrust
 
Using Advanced Threat Analytics to Prevent Privilege Escalation Attacks
Using Advanced Threat Analytics to Prevent Privilege Escalation AttacksUsing Advanced Threat Analytics to Prevent Privilege Escalation Attacks
Using Advanced Threat Analytics to Prevent Privilege Escalation Attacks
BeyondTrust
 
Prevent Data Leakage Using Windows Information Protection (WIP)
Prevent Data Leakage Using Windows Information Protection (WIP)Prevent Data Leakage Using Windows Information Protection (WIP)
Prevent Data Leakage Using Windows Information Protection (WIP)
BeyondTrust
 

Mais de BeyondTrust (20)

The 5 Crazy Mistakes IoT Administrators Make with System Credentials
The 5 Crazy Mistakes IoT Administrators Make with System CredentialsThe 5 Crazy Mistakes IoT Administrators Make with System Credentials
The 5 Crazy Mistakes IoT Administrators Make with System Credentials
 
10 Steps to Better Windows Privileged Access Management
10 Steps to Better Windows Privileged Access Management10 Steps to Better Windows Privileged Access Management
10 Steps to Better Windows Privileged Access Management
 
Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...
Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...
Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...
 
5 Steps to Privilege Readiness (infographic)
5 Steps to Privilege Readiness (infographic)5 Steps to Privilege Readiness (infographic)
5 Steps to Privilege Readiness (infographic)
 
Unearth Active Directory Threats Before They Bury Your Enterprise
Unearth Active Directory Threats Before They Bury Your EnterpriseUnearth Active Directory Threats Before They Bury Your Enterprise
Unearth Active Directory Threats Before They Bury Your Enterprise
 
8-step Guide to Administering Windows without Domain Admin Privileges
8-step Guide to Administering Windows without Domain Admin Privileges8-step Guide to Administering Windows without Domain Admin Privileges
8-step Guide to Administering Windows without Domain Admin Privileges
 
Crush Common Cybersecurity Threats with Privilege Access Management
Crush Common Cybersecurity Threats with Privilege Access ManagementCrush Common Cybersecurity Threats with Privilege Access Management
Crush Common Cybersecurity Threats with Privilege Access Management
 
Active Directory Auditing Tools: Building Blocks or just a Handful of Dust?
Active Directory Auditing Tools: Building Blocks or just a Handful of Dust?Active Directory Auditing Tools: Building Blocks or just a Handful of Dust?
Active Directory Auditing Tools: Building Blocks or just a Handful of Dust?
 
Unix / Linux Privilege Management: What a Financial Services CISO Cares About
Unix / Linux Privilege Management: What a Financial Services CISO Cares AboutUnix / Linux Privilege Management: What a Financial Services CISO Cares About
Unix / Linux Privilege Management: What a Financial Services CISO Cares About
 
Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)
Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)
Why Federal Systems are Immune from Ransomware...& other Grim Fairy Tales)
 
Mitigating Risk in Aging Federal IT Systems
Mitigating Risk in Aging Federal IT SystemsMitigating Risk in Aging Federal IT Systems
Mitigating Risk in Aging Federal IT Systems
 
The Hacker Playbook: How to Think like a Cybercriminal to Reduce Risk
The Hacker Playbook: How to Think like a Cybercriminal to Reduce RiskThe Hacker Playbook: How to Think like a Cybercriminal to Reduce Risk
The Hacker Playbook: How to Think like a Cybercriminal to Reduce Risk
 
Hacker techniques for bypassing existing antivirus solutions & how to build a...
Hacker techniques for bypassing existing antivirus solutions & how to build a...Hacker techniques for bypassing existing antivirus solutions & how to build a...
Hacker techniques for bypassing existing antivirus solutions & how to build a...
 
How Federal Agencies Can Build a Layered Defense for Privileged Accounts
How Federal Agencies Can Build a Layered Defense for Privileged AccountsHow Federal Agencies Can Build a Layered Defense for Privileged Accounts
How Federal Agencies Can Build a Layered Defense for Privileged Accounts
 
Using Advanced Threat Analytics to Prevent Privilege Escalation Attacks
Using Advanced Threat Analytics to Prevent Privilege Escalation AttacksUsing Advanced Threat Analytics to Prevent Privilege Escalation Attacks
Using Advanced Threat Analytics to Prevent Privilege Escalation Attacks
 
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
 
Prevent Data Leakage Using Windows Information Protection (WIP)
Prevent Data Leakage Using Windows Information Protection (WIP)Prevent Data Leakage Using Windows Information Protection (WIP)
Prevent Data Leakage Using Windows Information Protection (WIP)
 
Enemy from Within: Managing and Controlling Access
Enemy from Within: Managing and Controlling AccessEnemy from Within: Managing and Controlling Access
Enemy from Within: Managing and Controlling Access
 
Defense in Depth: Implementing a Layered Privileged Password Security Strategy
Defense in Depth: Implementing a Layered Privileged Password Security Strategy Defense in Depth: Implementing a Layered Privileged Password Security Strategy
Defense in Depth: Implementing a Layered Privileged Password Security Strategy
 
External Attacks Against Privileged Accounts - How Federal Agencies Can Build...
External Attacks Against Privileged Accounts - How Federal Agencies Can Build...External Attacks Against Privileged Accounts - How Federal Agencies Can Build...
External Attacks Against Privileged Accounts - How Federal Agencies Can Build...
 

Último

Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
harshavardhanraghave
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
panagenda
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Alberto González Trastoy
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
Health
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
Delhi Call girls
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
anilsa9823
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
MyIntelliSource, Inc.
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
mohitmore19
 

Último (20)

Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 

Securing DevOps through Privileged Access Management

  • 1. Securing DevOps through Privileged Access Management @paulacqure @CQUREAcademy CONSULTING Paula Januszkiewicz CQURE: CEO, Penetration Tester; Security Expert CQURE Academy: Trainer MVP: Enterprise Security, MCT www.cqureacademy.com paula@cqure.us
  • 2.
  • 3.
  • 4. What does CQURE Team do? Consulting services  High quality penetration tests with useful reports Applications Websites External services (edge) Internal services + configuration reviews  Incident response emergency services – immediate reaction!  Security architecture and design advisory  Forensics investigation  Security awareness For management and employees info@cqure.us Trainings  Security Awareness trainings for executives  CQURE Academy: over 40 advanced security trainings for IT Teams  Certificates and exams  Delivered all around the world only by a CQURE Team: training authors
  • 5. Overly simple passwords and security questions Key learning points: ✓ Almost always there are passwords reused ✓ Almost always (ekhm… always) there is some variant of company name and some number (year, month etc.) ✓ It makes sense to check for obvious passwords and continuously deliver security awareness campaigns Typical password locations NTDS.dit, SAM Configuration files Registry Memory dumps, Hiberfil.sys Databases (DPAPI ?)
  • 6. No network segmentation Key learning points: ✓ ✓ ✓ ✓ ✓ x x x No-brainer or unseen network security threat?
  • 7. Lack of SMB Signing (or alternative) Key learning points: ✓ Set SPNs for services to avoid NTLM: SetSPN –L <your service account for AGPM/SQL/Exch/Custom> SetSPN –A Servicename/FQDN of hostname/FQDN of domain domainserviceaccount ✓ Reconsider using Kerberos authentication all over https://technet.microsoft.com/en-us/library/jj865668.aspx ✓ Require SPN target name validation Microsoft network server: Server SPN target name validation level ✓ Reconsider turning on SMB Signing ✓ Reconsider port filtering ✓ Reconsider code execution prevention but do not forget that this attack leverages administrative accounts
  • 8. Allowing unusual code execution Key learning points: Common file formats containing malware are: ✓ .exe (Executables, GUI, CUI, and all variants like SCR, CPL etc) ✓ .dll (Dynamic Link Libraries) ✓ .vbs (Script files like JS, JSE, VBS, VBE, PS1, PS2, CHM, BAT, COM, CMD etc) ✓ .docm, .xlsm etc. (Office Macro files) ✓ .other (LNK, PDF, PIF, etc.) If SafeDllSearchMode is enabled, the search order is as follows: 1. The directory from which the application loaded 2. The system directory 3. The 16-bit system directory 4. The Windows directory 5. The current directory 6. The directories that are listed in the PATH environment variable
  • 9. No whitelisting on board Key learning points: ✓ ✓ ✓ ✓ x ✓ ✓
  • 10. Old protocols or their default settings
  • 11. Trusting solutions without knowing how to break them Key learning points: ✓ The best operators won't use a component until they know how it breaks. ✓ Almost each solution has some ‘backdoor weakness’ ✓ Some antivirus solutions can be stopped by SDDL modification for their services ✓ Configuration can be monitored by Desired State Configuration (DSC) ✓ DSC if not configured properly will not be able to spot internal service configuration changes Example: how to I get to the password management portal?
  • 12. Misusing service accounts + privileged accounts Key learning points: ✓ gMSA can also be used for the attack ✓ Service accounts’ passwords are in the registry, available online and offline ✓ A privileged user is someone who has administrative access to critical systems ✓ Privileged users have sometimes more access than we think (see: SeBackupRead privilege or SeDebugPrivilege) ✓ Privileged users have possibility to read SYSTEM and SECURITY hives from the registry Warning! Enabling Credential Guard blocks: x Kerberos DES encryption support x Kerberos unconstrained delegation x Extracting the Kerberos TGT x NTLMv1
  • 13. Falling for hipster tools Key learning points: ✓ Worldwide spending on information security is expected to reach $90 billion in 2017, an increase of 7.6 percent over 2016, and to top $113 billion by 2020, according to advisory firm Gartner ✓ With increasing budget the risk of possessing hipster tools increases too – do we know where these tools come from and what are their security practices? ✓ Lots of solutions where not created according to the good security practices (backup software running as Domain Admin etc.) ✓ Each app running in the user’s context has access to secrets of other apps – Data Protection API ✓ Case of CCleaner
  • 14.
  • 15.
  • 16. BeyondTrust VirtualCloud & DevOps Martin Cannard – Product Manager
  • 17. The Cyber Attack Chain – Where is the Risk? Vulnerable Assets & Users Unmanaged Credentials Excessive Privileges Limited Visibility of compromises used definable patterns established as early as 2014.188% of data breaches involve the use or abuse of privileged credentials on the endpoint.2 80% average days to detect a data breach.3206 1Verizon 2017 Data Breach Investigations Report 2Forrester Wave: Privileged Identity Management, Q3 2016 3Ponemon 2017 Cost of a Data Breach Study
  • 18. The Cyber Attack Chain – Getting More Complex Virtual & Cloud IoT DevOps Connected Systems growth of hybrid cloud adoption in the last year, increasing from 19% to 57% of organizations surveyed.1 3X billion connected things will be in use worldwide in by 2020, according to Gartner. 2 20.4 of organizations implementing DevOps – it has reached “Escape Velocity.”350% 1Forbes 2017 State of Cloud Adoption & Security 2Gartner Press Release, Gartner Says 8.4 Billion Connected “Things” Will Be in Use in 2017, Up 31% From 2016, Feb 7, 2017 3Forrester Q1 2017 Global DevOps Benchmark Online Survey
  • 19. Our Mission: Stop Privilege Abuse. Prevent Breaches. • Reduce attack surfaces by eliminating credential sharing, enforcing least privilege, and prioritizing and patching system vulnerabilities • Monitor and audit sessions for unauthorized access, changes to files and directories, and compliance • Analyze behavior to detect suspicious user, account and asset activity
  • 20. Cloud Cloud Management Platforms (AWS, Azure) SaaS Applications (Facebook, LinkedIn, Custom) Hybrid Cloud Virtualized Environments (VMWare, MSFT) Virtualized Machines (UNIX, Linux, Windows) IoT Roaming workstations BYOD Cameras Sensors Printers DevOps DevOps Tools Dynamic Virtual Environments Containers Microservices On-Premise Shared Administrator & Machine Accounts Desktops and Servers (Windows, Mac, Unix, Linux) Security & Network Infrastructures & Industrial Control Systems Apps, Databases & Servers Hypervisors & Virtual Machine Privilege Management – The New Perimeter
  • 21. Cloud Hybrid Cloud IoT DevOps On-Premise Privilege Management – The New Perimeter Reduce Insider Threats • Discover, manage & monitor all privileged accounts & keys • Enforce least privilege across all Windows, Mac, Unix, Linux and network endpoints • Gain control and visibility over privileged activities Stop External Hacking • Discover network, web, mobile, cloud and virtual infrastructure • Remediate vulnerabilities through prescriptive reporting • Protect endpoints against client-side attacks Reveal Hidden Threats • Aggregate users & asset data to baseline and track behavior • Correlate diverse asset, user & threat activity to reveal critical risks • Dynamically adjust access policies based on user and asset risk
  • 22. Into the Cloud Connector Framework: Industry unique connector technology to enumerate instances in the cloud and virtually instantiated for management. • Amazon AWS • Microsoft Azure • Vmware • Hyper-V • IBM SmartCloud • Go Grid • Rackspace • Google Cloud
  • 23. In the Cloud • Cloud Ready Agents: UnixLinuxWindowsMac Agents • Cloud Ready Communications: Agents to Console • Cloud Ready API: Public Password Safe API • Dynamic Licensing: High watermark based licensing • MSP & Multi-tenant Platform: Managed Service Provider Ready
  • 24. From the Cloud • Market Place Apps: Amazon AWS AMI, Microsoft Azure, & Google and Oracle (Later this year) • Cloud Offerings (SaaS) • BeyondSaaS – Vulnerability Assessment, Web Application Scanning, Privilege Cloud Management • PowerBroker Cloud Privilege Manager (Coming soon)
  • 25. DevOps & PAM: Challenges 1. Inventory of DevOps Assets & Activity 2. Asset vulnerabilities across dev, test, production 3. Hard Coded Passwords in scripts & orchestration 4. Shared Accounts with limited accountability 5. Excessive Privileges on test and production systems 6. Attackers targeting developer workstations 7. Lack of boundary controls between dev, test & production 8. Scale and dynamic nature of the environment
  • 26. DevOps & PAM: Challenges Privilege Risk DevOps Adoption Physical Application Admins Privileged End Users Developers Machine Password & Keys Shared Administrator Accounts Desktops (Windows, Mac) Servers (Unix, Linux, Windows) Industrial Control Systems Security Infrastructure Network Infrastructure SaaS Applications & Administrators Applications & Application Servers Databases & Database Servers Machine Credentials (AtoA) System & App Session Management Virtualized Hypervisor & CMP Administrators Hypervisor & CMP Access Policies Hypervisor & CMP Session Mgmt. Application Admins Privileged End Users Developers Machine Password & Keys Shared Administrator Accounts Desktops (Windows, Mac) Servers (Unix, Linux, Windows) Industrial Control Systems Security Infrastructure Network Infrastructure SaaS Applications & Administrators Applications & Application Servers Databases & Database Servers Machine Credentials (AtoA) System & App Session Management Containers & Microservices Container & MS Session Admins Container & MS Policy Mgmt. Container & MS Session Mgmt. Hypervisor & CMP Administrators Hypervisor & CMP Access Policies Hypervisor & CMP Session Mgmt. Application Admins Privileged End Users Developers Machine Password & Keys Shared Administrator Accounts Desktops (Windows, Mac) Servers (Unix, Linux, Windows) Industrial Control Systems Security Infrastructure Network Infrastructure SaaS Applications & Administrators Applications & Application Servers Databases & Database Servers Machine Credentials (AtoA) System & App Session Management (CMP) Cloud Management Platform (MS) Microservice
  • 27. DevOps & PAM: Best Practices DISCOVER & INVENTORY GAIN ACCOUNTABILITY OVER SHARED ACCOUTS ELIMINATE HARD- CODED PASSWORDS RESTRICT PRIVILEGES SCAN FOR VULNERABILITIES ENSURE CONFIG- URATION COMPLIANCE ENFORCE APPROPRIATE CREDENTIAL USAGE SEGMENT NETWORKS
  • 28. DevOps & PAM: Best Practices GAIN ACCOUNTABILITY OVER SHARED ACCOUTS ELIMINATE HARD- CODED PASSWORDS RESTRICT PRIVILEGES SCAN FOR VULNERABILITIES ENSURE CONFIG- URATION COMPLIANCE ENFORCE APPROPRIATE CREDENTIAL USAGE SEGMENT NETWORKS DISCOVER & INVENTORY Continuous discovery of assets across physical, virtual and cloud environments.
  • 29. DevOps & PAM: Best Practices DISCOVER & INVENTORY GAIN ACCOUNTABILITY OVER SHARED ACCOUTS ELIMINATE HARD- CODED PASSWORDS RESTRICT PRIVILEGES ENSURE CONFIG- URATION COMPLIANCE ENFORCE APPROPRIATE CREDENTIAL USAGE SEGMENT NETWORKS SCAN FOR VULNERABILITIES Continuous vulnerability assessment and remediation guidance of the infrastructure and code/builds across physical, virtual and cloud environments.
  • 30. DevOps & PAM: Best Practices DISCOVER & INVENTORY GAIN ACCOUNTABILITY OVER SHARED ACCOUTS ELIMINATE HARD- CODED PASSWORDS RESTRICT PRIVILEGES SCAN FOR VULNERABILITIES ENFORCE APPROPRIATE CREDENTIAL USAGE SEGMENT NETWORKS ENSURE CONFIGURATION COMPLIANCE Continuous configuration and hardening baseline scanning across servers and code/builds across physical, virtual and cloud deployed assets. Ensure configurations are consistent and properly hardened across the entire devops lifecycle.
  • 31. DevOps & PAM: Best Practices DISCOVER & INVENTORY ELIMINATE HARD- CODED PASSWORDS RESTRICT PRIVILEGES SCAN FOR VULNERABILITIES ENSURE CONFIG- URATION COMPLIANCE ENFORCE APPROPRIATE CREDENTIAL USAGE SEGMENT NETWORKS GAIN ACCOUNTABILITY OVER SHARED ACCOUTS Control and audit access to shared accounts and ensure that all audited activity is associated with a unique identity. Include developer access to source control, devops tools, test servers, production builds Ensure that all passwords are properly managed and rotated across the devops environment.
  • 32. DevOps & PAM: Best Practices DISCOVER & INVENTORY GAIN ACCOUNTABILITY OVER SHARED ACCOUTS RESTRICT PRIVILEGES SCAN FOR VULNERABILITIES ENSURE CONFIG- URATION COMPLIANCE ENFORCE APPROPRIATE CREDENTIAL USAGE SEGMENT NETWORKS ELIMINATE HARD-CODED PASSWORDS Control scripts, files, code, embedded application credentials and hard-coded passwords. Remove hardcoded passwords in devops tool configurations, build scripts, code files, test builds, production builds, and more.
  • 33. DevOps & PAM: Best Practices DISCOVER & INVENTORY GAIN ACCOUNTABILITY OVER SHARED ACCOUTS ELIMINATE HARD- CODED PASSWORDS RESTRICT PRIVILEGES SCAN FOR VULNERABILITIES ENSURE CONFIG- URATION COMPLIANCE SEGMENT NETWORKS ENFORCE APPROPRIATE CREDENTIAL USAGE Eliminate administrator privileges on end- user machines Securely store privileged credentials Require a simple workflow process for check-out, and monitor privileged sessions.
  • 34. DevOps & PAM: Best Practices DISCOVER & INVENTORY GAIN ACCOUNTABILITY OVER SHARED ACCOUTS ELIMINATE HARD- CODED PASSWORDS RESTRICT PRIVILEGES SCAN FOR VULNERABILITIES ENSURE CONFIG- URATION COMPLIANCE ENFORCE APPROPRIATE CREDENTIAL USAGE SEGMENT NETWORKS Group assets into logical units Reduce “line of sight” access Utilize a secured jump server with MFA, adaptive access and session monitoring Segment access based on context of the user, role, app and data being requested.
  • 35. DevOps & PAM: Best Practices DISCOVER & INVENTORY GAIN ACCOUNTABILITY OVER SHARED ACCOUTS ELIMINATE HARD- CODED PASSWORDS SCAN FOR VULNERABILITIES ENSURE CONFIG- URATION COMPLIANCE ENFORCE APPROPRIATE CREDENTIAL USAGE SEGMENT NETWORKS RESTRICT PRIVILEGES Target environments Development workstations Containers
  • 36. BeyondTrust Secures DevOps DISCOVER & INVENTORY GAIN ACCOUNTABILITY OVER SHARED ACCOUTS ELIMINATE HARD- CODED PASSWORDS RESTRICT PRIVILEGES SCAN FOR VULNERABILITIES ENSURE CONFIG- URATION COMPLIANCE ENFORCE APPROPRIATE CREDENTIAL USAGE SEGMENT NETWORKS POWERBROKER Single Platform that Unites DevOps Security Retina Vulnerability Management PowerBroker Password Safe PowerBroker Desktop & Server Privilege Management Retina Vulnerability Management Retina Vulnerability Management PowerBroker Password Safe PowerBroker Password Safe PowerBroker Password Safe POWERBROKER Single Platform that Unites DevOps Security
  • 37. Why BeyondTrust? The PAM Industry Leader Leader: Forrester PIM Wave, 2016 Leader: Gartner Market Guide for PAM, 2017
  • 38. DEMO
  • 39. Poll + Q&A Thank you for attending!