Privileged Access Management (PAM)
Unsticking Your PAM Program
Lance Peterman
A little about me…
• In & around IAM for 22 years
• Currently IAM (insert hat here) at Merck & Co.
• Volunteer High School Speech & Debate Coach
• Opinions are my own
• Twitter: @lpeterman
Copyright © 2015 Cloud Identity Summit . All rights reserved. 3
Agenda
• What is PAM?
• Why is PAM necessary?
• In the News
  • Recent Data Loss / Breaches
• PAM as a Program/Service
• The Practice
• Collaboration is Key
• Use Cases
• Adoption Approach/Keys to Success
• Challenges & Final Thoughts
What is PAM?
What is Privileged Access Management?
Privileged access is defined as any feature or facility of a multi-user information system that enables the user to override system or application controls (e.g. Administrator, Root, or similar high-level privileges).
Privileged accounts or identities hold special or extra permissions within a system, application or database and can significantly affect the organization’s business. These accounts can grant broad access to underlying business information in databases, grant “super user” privileges, or can be used by authorized individuals when elevated privileges are required to fix urgent problems.
The use of privileged accounts should be managed and the password monitored when stored digitally. Privileged account activity should be logged and traceable to a unique user. This is the essence of Privileged Access Management (PAM).
Identity is not the New Perimeter (hint: the perimeter is gone)
Identity is still a top security control today that can determine what you are authorized to do, regardless of your location
[Figure: Old Model vs. New Reality]
Breaches, old and new…
South Carolina Department of Revenue
• Compromise of privileged accounts resulted in 3.4m individual taxpayers and businesses losing sensitive data [1]
• Root account compromised? Nope…
• Good taxpayers were compensated for this with…1 year of credit monitoring
Saudi Aramco
• 30,000 PCs had hard drives erased through compromise of a privileged account [2]
• Insider attack suspected, abusing privileged accounts
• Most common privileged account?
• Local admin on the user’s workstation
• Does your organization vary that password?
http://www.infosecurity-magazine.com/view/28973/insiders-exploiting-privileged-accounts-likely-behind-saudi-aramco-attack-/
EBay
• Spear Phishing targeted key IT resources
• Does your primary network account have privileged access?
• Two factor authentication…anyone?
Default Passwords?
http://www.theguardian.com/technology/2014/jun/10/canadian-teengers-hack-cash-machine-atm-montreal
What does that tell us?
• The threat landscape is changing…DAILY
• “The compromise of privileged access is a key stage in 100% of all advanced attacks.” – CyberSheath Report 4/13 [3]
• This is the critical attack vector for internal and external threats
• Verizon DBIR – “97% of all breaches are preventable through basic and intermediate controls.”
• 43% of respondents in a 2012 survey did not have a PAM practice or weren’t sure if they did
The Practice of Privileged Access Management (PAM)
• Designed to answer:
  • Who has access
  • When it was used
  • Where it was used from
  • What was done
• Technology is only one part of the equation – People & Process are essential
• Has to be part of your governance process, not just a one-off enrollment*
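The four questions above, and the earlier requirement that privileged activity be "traceable to a unique user", can be checked by reconciling vault checkouts against session logs. The following is an added example, not part of the original slides: the record formats, field names, accounts, hosts and addresses are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data (assumed CSV layouts, not a real product's export).
# Checkout: person,shared_account,host,start,end
CHECKOUTS = """\
alice,root,db01,2015-06-08T09:00,2015-06-08T10:00
bob,Administrator,app02,2015-06-08T13:00,2015-06-08T14:00
"""

# Session: shared_account,host,source_ip,time,command
SESSIONS = """\
root,db01,192.0.2.21,2015-06-08T09:12,systemctl restart postgresql
root,db01,198.51.100.77,2015-06-08T23:41,vi /etc/ssh/sshd_config
Administrator,app02,192.0.2.30,2015-06-08T13:20,net localgroup administrators
Administrator,web03,192.0.2.30,2015-06-08T13:25,net user
"""


@dataclass(frozen=True)
class Checkout:
    person: str
    account: str
    host: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Session:
    account: str
    host: str
    source: str
    when: datetime
    command: str


def parse_checkouts(text):
    """Parse checkout lines into Checkout records."""
    out = []
    for line in text.strip().splitlines():
        person, account, host, start, end = line.split(",")
        out.append(Checkout(person, account, host,
                            datetime.fromisoformat(start),
                            datetime.fromisoformat(end)))
    return out


def parse_sessions(text):
    """Parse session lines; the command is the last field and may hold commas."""
    out = []
    for line in text.strip().splitlines():
        account, host, source, when, command = line.split(",", 4)
        out.append(Session(account, host, source,
                           datetime.fromisoformat(when), command))
    return out


def attribute(sessions, checkouts):
    """Split sessions into (attributed, orphaned).

    A session is attributed only when exactly one person held a checkout for
    that account on that host at that time. Zero matches (out-of-band use) or
    several matches (overlapping checkouts) are both not traceable to a
    unique user, so both land in `orphaned`.
    """
    attributed, orphaned = [], []
    for s in sessions:
        owners = {c.person for c in checkouts
                  if c.account == s.account and c.host == s.host
                  and c.start <= s.when <= c.end}
        if len(owners) == 1:
            attributed.append((owners.pop(), s))
        else:
            orphaned.append(s)
    return attributed, orphaned


def four_w_report(attributed):
    """Render who / when / where from / what for each attributed session."""
    return [f"who={p} when={s.when.isoformat()} where={s.source}->{s.host} "
            f"what={s.command!r} as={s.account}" for p, s in attributed]


if __name__ == "__main__":
    ok, bad = attribute(parse_sessions(SESSIONS), parse_checkouts(CHECKOUTS))
    print("\n".join(four_w_report(ok)))
    for s in bad:
        print(f"UNATTRIBUTED {s.account}@{s.host} from {s.source} at {s.when}")
```

Sessions that land in the unattributed list are the ones to review: either the account is being used outside the managed process, or the checkout model allows two people to hold the same credential at once.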
PAM is a Collaborative Effort
Key takeaways…
• Make PAM part of your security DNA
• Ask questions about privileged access when reviewing applications & risk
• Educate business owners when possible
• Cleanup of current privileged access in all environments
• Define & run a new/modified process to manage access (Grant, revoke, manage exceptions. All aligned with policy)
• Integrate the new model with Enterprise IT Processes (ITIL, SDLC, DevOps, ITSM)
Sample of Some PAM Use Cases
Other PAM Use Cases
• Script/batch management
• Local workstation admin management
• Cloud infrastructure, SaaS accounts
• Virtualization platforms
• Look at ALL hardware platforms, including industrial systems
Adoption Approach
• Pre-Engagement - business area
  • Inventory of privileged accounts & their use
  • Documentation of access processes (if available)
  • List of candidate systems
  • Prioritization of critical systems based on key criteria
    • Regulatory constraints
    • Data Type (PII / IPSI)
  • Create/Revise access processes
Adoption Approach
• Engagement/Onboarding - PAM team and business area
  • Review inventory & target systems
  • Setup schedule for deployment
  • Test – Verify results
  • Update business processes
  • Deploy into production
Keys to Success
• Fault tolerance (MUST be redundant)
• Architect for performance & geography
• Adoption MUST have senior leadership support & driven by policy
• Process First Approach, then focus on tooling
• Consider integration with your CMDB*
• Be creative, one size does not fit all
• When selecting a vendor, consider cloud implications
• Eat your own dog food first
• Don’t think you’re too small for this…
Challenges & Final Thoughts
• Clash with teams on tools & process (classic security vs. convenience)
• Out of band accounts (auto-discovery key here)
• Priorities (this is where Sr. leadership is key)
• Make it a KPI (if not measured against it, not going to focus on it)
• Cloud messes all of this up…except where it doesn't
• APIs? When is it privileged access?
• Role of analytics…
Questions?
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AISemantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AI
artmondano
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
SOFTTECHHUB
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsTechnology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data Analytics
InData Labs
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
Build Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For DevsBuild Your Own Copilot & Agents For Devs
Build Your Own Copilot & Agents For Devs
Brian McKeiver
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 

Privileged Access Management - Unsticking Your PAM Program - CIS 2015

  • 1. Privileged Access Management (PAM): Unsticking Your PAM Program • Lance Peterman
  • 2. A little about me… • In & around IAM for 22 years • Currently IAM (insert hat here) at Merck & Co. • Volunteer High School Speech & Debate Coach • Opinions are my own • Twitter: @lpeterman
  • 3. Copyright © 2015 Cloud Identity Summit. All rights reserved.
  • 4. Agenda • What is PAM? • Why is PAM necessary? • In the News: Recent Data Loss / Breaches • PAM as a Program/Service • The Practice • Collaboration is Key • Use Cases • Adoption Approach/Keys to Success • Challenges & Final Thoughts
  • 6. What is Privileged Access Management? Privileged access is defined as any feature or facility of a multi-user information system that enables the user to override system or application controls (e.g. Administrator, Root, or similar high-level privileges). Privileged accounts or identities hold special or extra permissions within a system, application or database and can significantly affect the organization’s business. These accounts can grant broad access to underlying business information in databases, grant “super user” privileges, or can be used by authorized individuals when elevated privileges are required to fix urgent problems. The use of privileged accounts should be managed and the password monitored when stored digitally. Privileged account activity should be logged and traceable to a unique user. This is the essence of Privileged Access Management (PAM).
  • 7. Identity is not the New Perimeter (hint: the perimeter is gone) • Identity is still a top security control today that can determine what you are authorized to do, regardless of your location • Figure: Old Model vs. New Reality
  • 9. South Carolina Department of Revenue • Compromise of privileged accounts resulted in 3.4m individual taxpayers and businesses losing sensitive data 1 • Root account compromised? Nope… • Good taxpayers were compensated for this with…1 year of credit monitoring
  • 10. Saudi Aramco • 30,000 PCs had hard drives erased through compromise of a privileged account 2 • Insider attack suspected, abusing privileged accounts • Most common privileged account? • Local admin on the user’s workstation • Does your organization vary that password? http://www.infosecurity-magazine.com/view/28973/insiders-exploiting-privileged-accounts-likely-behind-saudi-aramco-attack-/
  • 11. eBay • Spear phishing targeted key IT resources • Does your primary network account have privileged access? • Two-factor authentication…anyone?
  • 13. What does that tell us? • The threat landscape is changing…DAILY • “The compromise of privileged access is a key stage in 100% of all advanced attacks.” – CyberSheath Report 4/13 3 • This is the critical attack vector for internal and external threats • Verizon DBIR – “97% of all breaches are preventable through basic and intermediate controls.” • 43% of respondents in a 2012 survey did not have a PAM practice or weren’t sure if they did
  • 14. The Practice of Privileged Access Management (PAM) • Designed to answer: • Who has access • When it was used • Where it was used from • What was done • Technology is only one part of the equation – People & Process are essential • Has to be part of your governance process, not just a one-off enrollment*
  • 15. PAM is a Collaborative Effort • Key takeaways… • Make PAM part of your security DNA • Ask questions about privileged access when reviewing applications & risk • Educate business owners when possible • Cleanup of current privileged access in all environments • Define & run a new/modified process to manage access (Grant, revoke, manage exceptions. All aligned with policy) • Integrate the new model with Enterprise IT Processes (ITIL, SDLC, DevOps, ITSM)
  • 16. Sample of Some PAM Use Cases
  • 17. Other PAM Use Cases • Script/batch management • Local workstation admin management • Cloud infrastructure, SaaS accounts • Virtualization platforms • Look at ALL hardware platforms, including industrial systems
  • 18. Adoption Approach • Pre-Engagement - business area • Inventory of privileged accounts & their use • Documentation of access processes (if available) • List of candidate systems • Prioritization of critical systems based on key criteria • Regulatory constraints • Data Type (PII / IPSI) • Create/Revise access processes
  • 19. Adoption Approach • Engagement/Onboarding - PAM team and business area • Review inventory & target systems • Setup schedule for deployment • Test – Verify results • Update business processes • Deploy into production
  • 20. Keys to Success • Fault tolerance (MUST be redundant) • Architect for performance & geography • Adoption MUST have senior leadership support & driven by policy • Process First Approach, then focus on tooling • Consider integration with your CMDB* • Be creative, one size does not fit all • When selecting a vendor, consider cloud implications • Eat your own dog food first • Don’t think you’re too small for this…
  • 21. Challenges & Final Thoughts • Clash with teams on tools & process (classic security vs. convenience) • Out of band accounts (auto-discovery key here) • Priorities (this is where Sr. leadership is key) • Make it a KPI (if not measured against it, not going to focus on it) • Cloud messes all of this up…except where it doesn't • APIs? When is it privileged access? • Role of analytics…
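
Added example, not part of the original slides: one way to test the requirement from slides 6 and 14 that privileged activity be traceable to a unique user, by matching shared-account sessions against vault checkout records and flagging accounts outside the PAM inventory (the out-of-band case on slide 21). All hosts, users, IPs and records below are constructed, and the record layouts are assumptions rather than any product's format.

```python
from datetime import datetime

# Constructed sample data for illustration; hosts, users and IPs are hypothetical.
INVENTORY = {("db01", "oracle"), ("web01", "root")}  # accounts enrolled in PAM

CHECKOUTS = [  # (user, host, account, start, end) from the password vault
    ("asmith", "db01", "oracle", "2015-06-08T09:00", "2015-06-08T10:00"),
    ("bjones", "web01", "root", "2015-06-08T13:00", "2015-06-08T13:30"),
]

SESSIONS = [  # (host, account, login time, source IP, activity summary)
    ("db01", "oracle", "2015-06-08T09:12", "10.0.4.17", "restart listener"),
    ("web01", "root", "2015-06-08T14:05", "10.0.9.3", "edit httpd.conf"),
    ("db01", "svc_backup", "2015-06-08T02:30", "10.0.7.50", "interactive shell"),
]


def ts(value):
    return datetime.fromisoformat(value)


def attribute(sessions, checkouts, inventory):
    """Answer who/when/where/what for each privileged session."""
    report = []
    for host, account, when, source, what in sessions:
        if (host, account) not in inventory:
            who, status = None, "out-of-band account"
        else:
            # A shared account is traceable only if exactly one person
            # had its password checked out when the session started.
            holders = {user for user, h, a, start, end in checkouts
                       if (h, a) == (host, account)
                       and ts(start) <= ts(when) <= ts(end)}
            if len(holders) == 1:
                who, status = holders.pop(), "attributed"
            else:
                who = None
                status = "ambiguous checkout" if holders else "no checkout"
        report.append({"who": who, "account": account, "when": when,
                       "where": f"{source} -> {host}", "what": what,
                       "status": status})
    return report


def findings(report):
    """Sessions that cannot be traced to a unique user."""
    return [row for row in report if row["status"] != "attributed"]


if __name__ == "__main__":
    for row in findings(attribute(SESSIONS, CHECKOUTS, INVENTORY)):
        print(row["status"], row["account"], row["where"], row["when"])
```

The unenrolled service account in the sample is the kind of gap an inventory built during pre-engagement is meant to close.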

Editor's Notes

  • #7: All three terms are interchangeable, but Privileged ACCESS Management addresses the full spectrum and lifecycle for privileged identities and the systems they access.
  • #8: Information security has had to make the transition from a fortress mentality to the new reality. Everyone wants access from everywhere on any device to nearly everything. Identity is the center of this new security universe.
  • #10: Something as innocuous as a backup service account allowed the hacker to exfiltrate the entire DoR taxpayer database.
  • #16: This isn’t simply an IT initiative; PAM has to become part of your company’s information security awareness strategy and be embedded in its respective SDLC/ITIL or analogous processes.