Tech Talk: Privileged Account Management Maturity Model
- 6. 6 © 2016 CA. ALL RIGHTS RESERVED.@CAWORLD #CAWORLD
PAM Focus Areas – Level 1: Privileged Users / Shared Accounts
§ Examples
– root, oradba, sapadmin, cisco enable, Windows local admin,
named admin accounts, SaaS/IaaS/PaaS admin accounts
§ Why
– If you control access to the accounts as well as their passwords,
you control which privileged actions can be taken and who can take them
§ Hint
– Public discussion of monitoring and auditing is a strong deterrent to
unwanted behavior
- 9.
PAM Focus Areas – Level 2/3: Service & Application Accounts
§ Examples
– COTS applications, application & middleware servers, DevOps
(CI and/or orchestration) systems, scheduled tasks, batch jobs, scripts
§ Why
– Our experience tells us there are 5 to 7 times as many application
accounts as there are human, interactive accounts, so the threat is larger
in this context.
§ Hint
– Start small and build over time, integrating with the SDLC
- 10.
PAM Focus Areas – Level 3/4: Identity Management Integration
§ Examples
– CA Identity Suite, CA Identity Service, Oracle IAM, SailPoint,
IBM Security Identity Manager
§ Why
– PAM solutions should not provision accounts themselves.
– Integration with IDM tools allows programmatic provisioning and
removal of accounts and credentials, as well as certification and
accreditation when needed.
- 11.
PAM Focus Areas – Level 3/4: Fine Grained Controls
§ Examples
– CA PAM SC, Symantec CSP, Dell UPM, PowerBroker, ViewFinity
§ Why
– PAM focus has been primarily on the server side of the equation.
– Most privileged account compromises have happened on client endpoint
systems (e.g., managed and unmanaged laptops)
– Moving the PAM function closer to the user environment (i.e., the
endpoint) is a logical progression.
- 12.
Privileged Access Management Maturity Model
Levels: Level 0; Level 1 – Ad Hoc / Manual; Level 2 – Baseline; Level 3 – Managed; Level 4 – Advanced

Privileged User/Shared Accounts
§ Level 0 – Not managing or rotating credentials
§ Level 1 – Manual controls for privileged accounts
§ Level 2 – Basic vault; structured controls; account inventory; SDLC integration
§ Level 3 – Credential vault w/ RBAC; central password policies; account discovery; MFA
§ Level 4 – Password-less (SAML/OAUTH/TGS); Cloud/SaaS/SDN & HSM integration

Service & Application Accounts
§ Level 0 – No knowledge of application accounts
§ Level 1 – Ad hoc application account management; hard-coded passwords
§ Level 2 – Manual application account management
§ Level 3 – Centralized A2A mgmt.; no hard-coded creds.; REST API integration
§ Level 4 – Governed A2A; DevOps integration

Monitoring & Threat Detection
§ Level 0 – No monitoring of account usage
§ Level 1 – Ad hoc audit & controls
§ Level 2 – Activity monitoring; decentralized logging
§ Level 3 – SIEM integration; account attribution; SNMP alerting
§ Level 4 – Session recording meta-data; service desk workflow & analytics integration

Identity Management Integration
§ Level 0 – Manual provisioning, no certification or accreditation
§ Level 1 – Manual process for privileged access
§ Level 2 – Automated privileged identity mgmt.
§ Level 3 – Integrated privileged access requests; basic governance
§ Level 4 – Fully delegated administration; governed privileged access w/ SoD

Fine-grained Controls/SoD
§ Level 0 – Non-existent
§ Level 1 – Open source tools and scripts
§ Level 2 – Decentralized tools (silos)
§ Level 3 – Command filtering; restricted shell; leap-frog prevention
§ Level 4 – Centrally managed kernel interceptor with credential vault integration