Wednesday, October 29, 2014

Security Corner: Centrify and SANS Critical Security Controls - A Near Perfect Fit (1/5)


One of our prospects looking at the Centrify privileged elevation tool for Windows, just highlighted to me that Server Suite is very well-aligned with the SANS Critical Security Controls Section 12: "Controlled use of Administrative Privileges" so I decided to take a deeper look.  We will cover 2 each post until we have the 14 topics explored.

Controlled use of Administrative Privileges

CSC 12-1Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.

Why should you do this?
Because the more somebody uses a privileged account the highest risk of malware being executed with elevation, more exposure to attacks like pass-the-hash attack, etc. 

What is the typical approach?
On Unix:  sudo, password vaults or RBAC
On Windows:  dash-a accounts, password vaults or RBAC

What is the real challenge for organizations?
Well, sudo is simple, proven but a pain, PVs just give out the keys to the kingdom in a controlled way - great for appliances BTW, and RBAC is hard to implement given that it typically requires multiple solutions.

Centrify to the Rescue:  Centrify Server Suite offers a serverless, cross-platform Unix, Linux and Windows based solution that provides access governance with RBAC leveraging AD.

End Result: The ability to limit access, control privileges (no giving out the keys to the kingdom) and reusing processes, cross platform, using existing technology and infrastructure.  This was explored in the 10-minutes PCI 7 challenge:.

CSC 12-2Use automated tools to inventory all administrative accounts and validate that each person with administrative privileges on desktops, laptops, and servers is authorized by a senior executive.

Why should you do this?
This is all about keeping track and being able to attest who approved the type of access that users have.  It's also an administrative preventative control.  This is not limited to domain accounts but local accounts as well

What is the typical approach?
The solution to this is basically workflow.  Unfortunately, simple workflow engines are hard to come by, or they are tied to a monster solution.  Scripts are popular as well.

What is the real challenge for organizations?
This should be relatively simple, but vendors don't make this easy.  Surprisingly PV vendors do a good job due to the appliance/proxy based nature of their solutions. Go to the vault, request access, approver gets notified, approves/denies, then the access is granted/denied.  Great for break/fix.

How Centrify helps?  Although Centrify does not provide workflow capabilities today (wink);  it makes it very easy for any IdM or workflow engine to perform the functions upstream.  Since the process boils down to AD groups and any decent workflow engine can do this, then the solution looks like this:

Utilities:  Automatic provisioning and role assignment is often achieved with ZPA.  This post and video cover a basic design:

In the next post we'll continue with the list.

No comments:

Post a Comment