TRANSCRIPT
Preventing Good People From Doing Bad Things
Best Practices for Cloud Security
Brian Anderson, Chief Marketing Officer
& Author of “Preventing Good People From Doing Bad Things”
2
Public, Private and Hybrid Cloud Computing Security
• For infrastructure, end points, data and applications
• Across physical, virtual, public, private and hybrid cloud environments
• Empower IT governance to strengthen security, improve productivity, drive compliance and reduce expense
Vision
Securing the Perimeter Within
Consistent policy-driven, role-based access control, fine grained privilege delegation, logging, monitoring and reporting
• Server & Desktop
• Physical & Virtualization
• Windows, Linux, Unix
• Network Device Security
• Data Security & Leak Prevention
• Governance, Risk & Compliance
3
The Problem is Broad and Deep
• The threat from attacks is a statistical certainty and businesses of every type and size are vulnerable.
• Organizations are experiencing multiple breaches: 59 percent had two or more breaches in the past 12 months.
• Only 11 percent of companies know the source of all network security breaches.
4
Privileges are Misused in Different Ways
• Insider attacks cost an average $2.7 Million per attack [1]
• Desktop configuration errors cost companies $120/yr/pc [2]
• Virtual sprawl and malware are ever-present realities
Source: [1] Computer Security Institute and FBI Survey.
Source: [2] IDC Report: The Relationship between IT Labor Costs and Best Practices for Identity and Access Management with Active
5
• 48% of all data breaches were caused by insiders (+26%) [1]
• 48% involved privilege misuse (+26%) [1]
• 98% of all data breaches came from servers [1]
Insider vs Outsider Threats
“Organizations continue to struggle with excessive user privilege as it remains the primary attack point for data breaches and unauthorized transactions.” ~ Mark Diodati, Burton/Gartner Group
External Threat
• Anti-Virus
• Firewalls
• E-mail Security
• Web Security
Internal Threat
• Data Security & Leak Prevention
• Privileged Identity Management
• Intrusion Detection & Prevention
Source: [1] “2010 Data Breach Investigations Report” by Verizon with US Secret Service
BeyondTrust
6
Social Engineering
Malware
Password Attacks
File Infections
Malicious Users
End Point Vulnerabilities in a SAAS World
7
Requirements:
• Anti-Virus
• Patch Management
• Privilege Elevation
• End Point DLP
Best Practice For Cloud Security
Employ a Full Suite of EndPoint Security Tools
8
Cloud Computing Reality – Public, Hybrid or Private
• Increasing scale – from thousands to tens of thousands of servers
• Increasing complexity makes configuration and change management challenging – Complex directory structures are a major pain point
• Reliability is critical to realizing operational improvement
Impact of Virtualization and Cloud Computing
9
Requirements:
• Account for All Privileged Users
• Manage Provisioning/De-Provisioning Privileged Credentials
• Implement a “Least Privilege” based Control System
• Monitor and Reconcile Privileged Activity
• Maintain a High Quality Audit Repository
• Automate Compliance Reporting
Best Practice For Cloud Security
Full Life-Cycle Control of Privileged Users
10
Impact of Virtualization and Cloud Computing
Customer Requirements For Enterprise Grade Cloud Security
• Scalable, enterprise grade fabric
• Seamless integrations with on-premise and cloud directories
• Allow admins to manage policies not infrastructure
• Dynamically react to changes in virtual environment
• Quantifiable performance metrics of how it's performing
11
How Least Privilege Works
[Diagram: Task Delegation / Privilege Escalation. Components shown: Privileged User, Submit Host (pbrun), Master Host (pbmasterd), Policy Files, Run Host (pblocald), Log Host (pblogd), Event Logs, I/O logs. Flow labels, numbered 1 to 4 in the figure: Request a Privileged Task, Accepted, Rejected, Privileged Task.]
12
Fully Cloud Based Least Privilege
[Diagram with On-Premise and Hosted zones. Components shown: Privileged User, Submit Host (pbrun), Master Host (pbmasterd), Policy Files, Run Host (pblocald), Log Host (pblogd), Event Logs, I/O logs. Flow labels, numbered 1 to 4 in the figure: Request a Privileged Task, Accepted, Rejected, Privileged Task.]
13
Cloud Hosted Least Privilege
[Diagram with On-Premise and Hosted zones. Components shown: Privileged User, Submit Host (pbrun), Master Host (pbmasterd), Policy Files, Run Host (pblocald), Log Host (pblogd), Event Logs, I/O logs. Flow labels, numbered 1 to 4 in the figure: Request a Privileged Task, Accepted, Rejected, Privileged Task.]