
How to secure and govern access and privileged identities in AWS?


Using a cloud-first, governance-driven approach to reduce and mitigate the risks of managing privileged access and identities in an AWS environment, this session walks through a real-world example of how a Fortune 500 company performs:

1) Management of privileged access to AWS workloads
2) Real-time monitoring and enforcement of baseline security policies on their AWS infrastructure
3) Periodic 'access visibility' of federated identities to AWS objects, with continuous compliance controls
4) A periodic certification process for critical resources hosted in their AWS ecosystem, to ensure only authorized individuals have access to it
5) AWS role lifecycle management and governance

Felipe Garcia

March 28, 2019


Transcript

  1. intelligent identity. smarter security. How to secure and govern access and privileged identities in AWS? Vibhuti Sinha, Chief Cloud Officer
  2. Fortune 5 Customer's AWS Landscape and Challenges
     • 150+ AWS accounts
     • Federating identities via on-premises AD
     • Custom AWS resource groupings using tags
     • Who's having access to what?
     • What are the different types of privileged identities on cloud?
     • Access escalations/creep in J/M/L (joiner/mover/leaver) movements
     • Terminated users having access to AWS objects
     • Privileged usage monitoring difficult due to high volume and velocity
  3. IaaS Access Security and Governance – Security Themes
     • Securing IaaS Privileged Access Management (mgmt. console, APIs, CLIs, end workloads, serverless)
     • Identity Lifecycle Management (AWS role governance, role design, mining, provisioning in federation and non-fed environments)
     • Visibility. Compliance. Prevention (visibility on access, usage and infra)
  4. Visibility Themes – Visibility on IaaS
     • Access (Who is having access to what?)
     • Usage (What is happening with access?)
     • Infrastructure (security misconfigurations viz. unencrypted DBs, open ports etc.)
  5. Challenge 1: Determining a point-in-time consolidated access view across AWS accounts
     Diagram: local AWS IAM users and groups → policies → permissions → AWS services and resources; roles reached via Assume Role, including cross-account.
     Design strategies/patterns:
     • Scanning IAM policies, resource policies
     • Mapping permissions to identities
     • Opportunities to consolidate policies
  6. Access Visibility for Local IAM Users
     Diagram: Saviynt ingests IAM groups, roles and policies from the AWS account together with HR data, producing access details and access visibility.
  7. Challenge 2: Access Visibility for Federated Identities
     Diagram: enterprise identity provider → federated group → federated role in the AWS account → policy → permissions → AWS services and resources. The organization's access visibility ends at the identity provider; access granted through federation is missed.
  8. Access Visibility for Federated Identities
     Diagram: Saviynt ingests the federation AWS roles from AWS accounts 1, 2 and 3 together with the identity providers, producing access details and access visibility.
  9. Challenge 3 – Point-in-time compliance readiness
     Controls: IT general controls, SOX, FedRAMP, HIPAA / HITECH, PCI, ITAR, NERC / CIP & more, CIS.
     IaaS & DevOps resources: S3, VPN, policies, ALB, Elasticsearch, Redshift, DynamoDB, Kinesis, EBS, S3 objects, EC2, RDS, ELB, CloudFormation, AWS IAM, VPC, Terraform.
     Diagram: violations → risk → remediate.
  10. Challenge 4 – Achieving compliance is hard, staying compliant is harder
     Continuously monitors policy violations and suspicious activity:
     • User creates an unencrypted database, or an S3 bucket with open internet access
     • Security plug-in (webhooks) intercepts the event and alerts the IaaS admin
     • Performs initial analysis for the type of security violation
     • Executes preventive actions viz. terminating instances, databases etc.
     • Sends event details to SIEM and support platforms
  11. Staying compliant requires deep integration with AWS Services
     Diagram: AWS API events reach a real-time framework through Amazon CloudWatch Events/Config and Amazon SQS; outputs are SNS notifications, Lambda-based actions, support tickets and real-time alerting. Conditions covered: leaky S3 buckets, unencrypted databases, user MFA disabled, insecure workloads (ports opened etc.).
     • Step 1: User creates a leaky S3 bucket / disables MFA / opens a port to the internet
     • Step 2: Saviynt real-time security intercepts the event
     • Step 3: Saviynt performs analysis of the event against the enterprise security baseline policy
     • Step 4: Saviynt takes preventive action: terminate database / execute Lambda / send alerts
  12. IaaS Access Security and Governance – Security Themes (section divider; same content as slide 3)
  13. Traditional PAM challenges are 10x in Cloud
     • Scalability, over-reliance on gateway-based access model
     • Longer time to bootstrap / rollout
     • Multiple products, complex pricing
     • Additional integration with IGA & SIEM / security analytics to realize full value
     • Rudimentary audit, no preventive risk-awareness
  14. Challenge 5 – Privileged Access Management for IaaS
     Multiple conduits to consume IaaS services: management console, instances/workloads, command line, serverless, cloud databases, APIs, DevOps tools.
  15. Design Strategies/Patterns
     Diagram contrasts separate IGA, thick SSH client and jumpbox with seamless SSO, SoD / risk-aware, better auditability and cloud native.
     • Temporal access elevation + privileged ID assignment
     • Workload discovery and auto-registration
     • SSH key distribution and credential vaulting
     • Privileged session manager with inline command management
     • Integrated service account lifecycle management
     • Intelligent audit with support for keylogging and cloud native logs
  16. IaaS Access Security and Governance – Security Themes (section divider; same content as slide 3)
  17. Challenge 6: Disconnected HR systems, lack of centralized IGA
     Diagram: joiner / mover / leaver events in the enterprise → users → privileges → AWS services and resources in the AWS account.
     Lack of integration with enterprise HR systems can lead to: privilege creep, stale accounts/residual access, orphan accounts, inability to do access attestations.
  18. Automate access lifecycle management of users, groups/roles, federated access – no residual access
     Driven by HR joiner / mover / leaver events:
     • Intelligent self-service / delegated access request
     • Preventive policy evaluation including license violation
     • Risk-based access certification (event-based, periodic)
     • Birthright provisioning
     • Role / group transport & management
     • Link federated access
     • Segregation of duty management
     Maintain appropriate access. Risk evaluation: outlier | SOD | business policy | license.
    users, groups/roles, federated access – no residual access HR Joiner Mover Leaver 4 Intelligent Self-Service / Delegated Access Request 4 Preventive policy evaluation including license violation 4 Risk-based Access Certification (event-based, periodic) 4 Birthright Provisioning 4 Role / Group Transport & Management 4 Link Federated Access 4 Segregation of Duty Management Maintain Appropriate Access RISK EVALUATION Outlier | SOD | Business Policy | License