Deep Dive: CA Privileged Access Manager
CAinc
Nov 18, 2016
Slide Content
Slide 1
CA World ’16
CA PAM for Hybrid Enterprises
Deep Dive
Shawn W. Hank, Sr. Principal Consultant, Cybersecurity
CA Technologies, Inc.
SCX29E
SECURITY
Slide 2
2 © 2016 CA. ALL RIGHTS RESERVED.
@CAWORLD #CAWORLD
© 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2016 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
For Informational Purposes Only
Terms of this Presentation
Slide 3
Abstract
The earlier PAM for Hybrid Enterprises (SXC04E) session covered a broad set of CA PAM capabilities as they relate to managing and controlling access to critical infrastructure and privileged accounts across the hybrid enterprise.
This deep dive session expands on the earlier session and digs into the configuration and setup of some of these functions and features. Attendees will learn about topics such as interacting with the PAM REST API, AWS support for target server discovery and import, the AWS API Proxy, VMware ESX/ESXi and NSX functionality, PAM Server Control and Single Sign On integration, auto discovery of target servers and accounts, and Threat Analytics for PAM.
Shawn W. Hank, Sr. Principal Consultant, Cybersecurity
CA Technologies, Inc.
Slide 4
Agenda
1. PAM REST APIs – A PRIMER
2. PAM & AWS
3. THREAT ANALYTICS for PAM
4. PAM & VMWARE ESX/ESXI/NSX
5. PAM as an IDP/RP or SP
6. PAM & PAM SC INTEGRATION
Slide 5
CA PAM’s REST API
A Primer
§ Reduce configuration, maintenance, and administration by taking advantage of APIs to configure Privileged Access.
– Yes, you can point & click via the UI, but why would you want to do that?
Slide 6
CA PAM’s REST API
Modes of Operation
§ Gets, Posts, Puts, Deletes
– Get existing object data from PAM
– Add/Create new objects
– Modify/Update existing objects
– Delete objects that are no longer needed
Slide 7
CA PAM’s REST API
A Few Ideas
§ Import a list of users and groups from a recent acquisition
§ Update the target servers that were recently refreshed in the data center
§ Find all policies for a specific user
§ Determine what group(s) a particular device belongs to
Slide 8
CA PAM’s REST API – Example API Calls using Postman
Slide 9
CA PAM’s REST API – Example API Calls using PAW
Slide 10
CA PAM’s REST API – Example API Calls using a browser
Slide 11
CA Privileged Access Manager
& AWS
Slide 12
CA PAM and AWS
§ Federation via STS and SAML
§ SSO and Web Session Recording
§ Auto discovery & auto import of devices
§ S3 Recording
IaaS support for the market leading IaaS provider
Diagram: a CA PAM AMI (Account 5, Region 1, Zone A) reaching AWS target devices and the AWS Management Console in Account 1 (Region 1, Zone A), Account 2 (Region 1, Zone C), Account 3 (Region 3, Zone B) and Account 4 (Region 4, Zone D), alongside AD/LDAP, a RADIUS server, a PIV/CAC revocation server, an ADFS server and the AWS IAM Credential API.
Slide 13
AWS API Proxy
Roles Based Privileged Federated Access Control & Single Sign-On for Programmatic and Manual AWS API Access:
• Full Federated Credential Provisioning for access to the AWS Public, Government, and VPC Clouds
Separation of Duties for the AWS API Console Interface:
• Roles are enforced by a Central xAPI Policy Manager for all API Access
Full Audit Trail and Session Recording Across:
• All API access is recorded and logged by the xAPI Proxy Server
Diagram: US East 1 (zones 1a and 1b) with Public 1 and Public 2 subnets (disposable instances, future), Private 1 and Private 2 subnets each holding an AAP instance and a MySQL DB instance, Amazon S3, the Internet, apps, and Splunk; API calls and responses are audited.
Slide 14
CA Privileged Access Manager
& VMware ESX/ESXi/NSX
Slide 15
PAM & VMware ESX/ESXi
§ Auto-Discovery & provisioning Guest VMs & Groups via API
§ Roles Based Privileged Access Control & Single
§ Separation of Duties for vCenter Console
§ Full Audit Trail & Session Recording
§ Password & Access Key Management
§ Strong Authorization & Attributed Use
Diagram: privileged users reach guest VMs or groups on the ESX/ESXi hypervisor through CA PAM (as an OVA on the hypervisor or as a physical appliance), with the vCenter Console and the enterprise directory.
Slide 16
CA PAM – VMware Configuration
§ Config – 3rd Party
§ VMware vCenter (vSphere)
§ Support multiple vCenter instances
§ Local/RADIUS/TACACS/LDAP/AD integration for authentication to vSphere Web or vCenter Client
Slide 17
CA Privileged Access Manager for VMware NSX
Capability Summary
Credentials Management
§ Vaulting and full lifecycle management of passwords and SSH access keys
§ NSX-based resources, NSX Manager and API, other enterprise resources
Federated SSO
§ TACACS+, AD/LDAP, RADIUS, RSA, SMS Mobile Token, SAML, PIV/CAC
§ VMware vSphere®, NSX APIs, VMware® NSX Manager™, other physical/virtual resources across the enterprise
Access Policy Enforcement
§ Integrated with NSX Manager; Service Composer service insertion
§ Dynamic application of access control policies based on NSX security policies
§ Enforced via NSX micro-segmentation
Access Policy Enforcement
§ Complete logs and full session recording
§ All access to NSX resources including NSX Manager and API
Slide 18
CA PAM for VMware NSX – NSX Manager REST API Proxy
The last mile for full NSX Manager administration visibility
§ Users and scripts talk to the Proxy, not to NSX Manager, with different credentials, which may rotate on a policy or schedule
§ CA PAM vaults – and rotates – the NSX Manager credentials
§ Integrates with Application to Application (A2A)
Closing the “API Loop” to the NSX management plane
Diagram: consumer → NSX Manager API Proxy (NAP) → NSX Manager, with the A-side request/response between consumer and proxy and the Z-side request/response between proxy and NSX Manager; the proxy sends logs to CA Privileged Access Manager, and A2A requests and password changes pass between the proxy and CA PAM.
Slide 19
CA PAM for VMware NSX – Access Restrictor
DFW Rules added and removed on-demand
§ Rules added when connections are opened and removed when closed
§ Removes the human element and potential for error
§ Enables a highly-secure “deny all” environment where exceptions are forced through CA PAM and only CA PAM may access protected resources
Automatic, runtime, ephemeral Distributed Firewall Rules maintained by CA PAM
Diagram: client user → CA Privileged Access Manager → target VM, with CA PAM adding and removing DFW rules through NSX Manager.
Slide 20
CA PAM for VMware NSX – Dynamic Tagging and Grouping
CA PAM Policy in lockstep with NSX Security Tags and Groups
§ NSX Security Tags and Groups synced with CA PAM and tied to Policies
§ As VMs enter/leave NSX Security Groups, CA PAM Access is provisioned/removed
Synchronize CA PAM policies with changes in the NSX security posture
Diagram: VMware vCenter and the VM network feed NSX Manager, which syncs with CA Privileged Access Manager.
Slide 21
CA PAM for VMware NSX – Service Composer Integration
Deep integration with Service Composer
§ As VMs enter or leave NSX Security Groups, CA PAM will:
- Enable or disable session recording
- Terminate sessions
- Force CA PAM session re-authentication
Trigger events in CA PAM via NSX Service Composer workflows
Diagram: an admin applies a tag in VMware vCenter; NSX Manager applies the tag to the NSX partner ecosystem product (CA Privileged Access Manager), which acts on the user session: enable/disable session recording, terminate sessions, Xsuite re-authentication.
Slide 22
CA Privileged Access Manager
& Single Sign On
Slide 23
PAM & SSO with CA Single Sign-On
RP/SP to an Upstream IDP using an on-prem IDP
§ Integration with CA Single Sign-On by enabling CA SSO as the identity provider
§ Existing CA SSO policies dynamically evaluated to determine who gets access
§ Optional Just-in-Time provisioning features
Slide 24
Identity Suite – Provisioning Connector for CA PAM
Extensive connector:
– PAM Accounts (local and remote)
– Roles
– Groups
– Policies
– Devices & Device Groups
Slide 25
Access Request for PAM
Slide 26
PAM & SSO with CA Identity Service
RP/SP to an Upstream IDP using a SaaS-based IDP
Slide 27
Control & Manage Cloud Identity Sprawl
§ Rule-based provisioning, de-provisioning and entitlement assignment
§ Automated identity lifecycle management as people join, move or leave
§ Extensible and API driven identity lifecycle management
Enable rule-based provisioning and identity lifecycle automation
Slide 28
CA PAM as an RP/SP
With CA Identity Service as the Upstream IDP
Slide 29
Slide 30
SaaS-First & Hybrid Deployment Models
Leverage existing on-premises IAM investments
Diagram: CA Identity Service provides single sign-on, authentication (SaaS-first model), user provisioning & de-provisioning, and rogue and orphan account detection and remediation for SaaS apps; CA Single Sign-On provides single sign-on and authentication (hybrid model) for on-premises apps; an optional people source feeds both.
Slide 31
CA PAM as an IDP
Threat Analytics Integration, but will work for any Service Provider
Slide 32
Slide 33
CA PAM as an IDP – Configure SP
Apply all necessary SAML SSO Attributes as required by the target
Slide 34
CA Privileged Access Manager
& PAM Server Control
Slide 35
The CA Solution Portfolio
Identity Suite, Identity Service, PAM & PAM SC
CA IDENTITY SUITE
§ Access requests
§ Certification
§ Risk analytics
CA Privileged Access Manager – IDENTITY-BASED SECURITY
§ Strong authentication, including MFA
§ Credential management
§ Policy-based, least privilege access control
§ Command filtering
§ Session recording, auditing, attribution
§ Application password management
§ Comprehensive, hybrid enterprise protection
§ Self-contained, hardened appliance
CA Privileged Access Manager Server Control – HOST-BASED SECURITY
§ In-depth protection for critical servers
§ Highly-granular access controls
§ Segregated duties of super-users
§ Controlled access to system resources such as files, folders, processes and registries
§ Secured Task Delegation (sudo)
§ Enforce Trusted Computing Base
DEFENSE IN DEPTH
Slide 36
Threat Analytics for PAM: Super-Charging PAM!
Domain-specific analytics to defend against real world attacks
Detect
Compromised identity – identities compromised by attacks that include:
§ Phishing
§ Weak passwords
§ Malware
§ Compromised devices
§ Man-in-the-middle
High-risk insider activity & threat – authorized user actions that pose serious risks:
§ Contractors
§ Partners
§ Policy violators
§ Disgruntled and departing employees
Insight and incident response support – blind spots in how systems are used; need quick responses to incidents and SOC inquiries:
§ Identify users and risky activity associated with IP, devices, data assets
Mitigate
Automatically trigger mitigations
§ Automated session recording
§ Re-authentication
§ Alerting
§ Reporting and insight into system use and risk
Results
Breach prevention, operational insights, improved compliance
Slide 37
Overseas Contractor Use Case
Insider Threat Detection and Mitigation
Continuous monitoring and analysis of access enables:
§ Monitoring access for all users, including Bangalore-based contractors authorized to use shared database and server accounts
§ Identifying highly unusual session activities of an individual overseas developer that include:
- Unusual session activities and lengths compared with the individual and other enterprise users
- Access to a large number of sensitive systems, many for the first time
- Remote Desktop Protocol access to a high-risk PCI server
This behavior poses high risk and is not consistent with past actions of the user or the enterprise.
§ Threat Analytics for Privileged Access Manager automatically triggers session recording for review
§ Admin generates incident report for compliance officer/SOC
Result: Successful detection and mitigation of insider threat
Diagram: overseas contractors → Privileged Access Manager (PCI systems) → Threat Analytics for PAM: activity continuously monitored in background, high-risk session behavior is detected, session recording automatically initiated, incident report for compliance officer or SOC.
Slide 38
Incident Response Use Case
PAM Admin closes the door on attackers
The enterprise SOC is investigating a high priority incident and wants to know:
“What information can the PAM Admin provide to assist?”
Using the IP address provided by the SOC, the PAM admin can search BA for PAM and quickly:
- Identify all users associated with the IP address
- Inspect access and activities of the most suspicious user
- Provide the IR team with the identity of the suspicious user
- Navigate to the Insight page to get all dormant accounts and provide those to the IR team as well
Threat Analytics’ ability to correlate access activity, IP addresses, sessions, and risk provides immediate value to investigations.
§ To mitigate future attacks, the PAM admin adds the suspicious IP address as threat intelligence to BA for PAM. Future activity is then automatically detected and analyzed.
§ The PAM admin configures BA for PAM to send automated alerts to the SIEM when any activity related to a suspicious IP is detected
Result: BA for PAM provides immediate value to incident response efforts and closes the door on future attacks.
Diagram: the IR team asks the PAM admin “Can you help … attack from 193.105.219.210?!”; Threat Analytics for PAM, with activity continuously monitored, gives the IR team immediate insight regarding users, activity, risk, etc., sends automated alerts to SIEM/SOC, and uses the threat intelligence added to BA to proactively address future threats.
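The investigation steps above, as an added Python example that is not CA's code and does not use the BA for PAM product: it runs the same triage over a constructed PAM-style session log (CSV columns time, user, src_ip, target, protocol, event), answers the SOC's question for one IP, ranks the users seen from it, lists dormant accounts, and emits SIEM-style alert lines for a watchlisted IP. All users, hosts and addresses are made up (RFC 5737 test ranges); the 30-day dormancy threshold is an assumption.

```python
"""IR triage over constructed PAM session records: users per source IP,
dormant accounts, and watchlist alerts.  All data below is made up."""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample log; one row per session open/close event.
LOG = """\
2016-11-10T08:02:11Z,alice,198.51.100.7,db-prod-01,ssh,opened
2016-11-10T08:40:02Z,alice,198.51.100.7,db-prod-01,ssh,closed
2016-11-12T22:15:40Z,contractor7,203.0.113.44,pci-app-02,rdp,opened
2016-11-12T23:58:13Z,contractor7,203.0.113.44,pci-app-02,rdp,closed
2016-11-13T01:05:09Z,contractor7,203.0.113.44,db-prod-01,ssh,opened
2016-11-13T02:17:30Z,contractor7,203.0.113.44,db-prod-01,ssh,closed
2016-11-13T01:20:00Z,bob,203.0.113.44,web-01,ssh,opened
2016-09-01T10:00:00Z,svc_backup,10.0.0.9,db-prod-01,ssh,opened
"""
ACCOUNTS = ["alice", "bob", "contractor7", "svc_backup", "legacy_admin"]
FIELDS = ["time", "user", "src_ip", "target", "protocol", "event"]

def parse(log=LOG):
    """Parse the CSV log into dicts; 'time' becomes a datetime."""
    rows = list(csv.DictReader(StringIO(log), fieldnames=FIELDS))
    for r in rows:
        r["time"] = datetime.strptime(r["time"], "%Y-%m-%dT%H:%M:%SZ")
    return rows

def users_for_ip(events, ip):
    """Steps 1-2: users seen from the IP, most active (sessions, targets) first."""
    stats = defaultdict(lambda: {"sessions": 0, "targets": set()})
    for e in events:
        if e["src_ip"] == ip and e["event"] == "opened":
            stats[e["user"]]["sessions"] += 1
            stats[e["user"]]["targets"].add(e["target"])
    return sorted(stats.items(),
                  key=lambda kv: (-kv[1]["sessions"], -len(kv[1]["targets"]), kv[0]))

def dormant_accounts(events, accounts=ACCOUNTS, now=None, max_idle_days=30):
    """Step 4: accounts with no session opened in max_idle_days, or never seen."""
    now = now or datetime(2016, 11, 18)  # constructed 'today'
    last = {}
    for e in events:
        if e["event"] == "opened":
            last[e["user"]] = max(last.get(e["user"], e["time"]), e["time"])
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(a for a in accounts if a not in last or last[a] < cutoff)

def siem_alerts(events, watchlist):
    """Automated alerting: one line per event whose source IP is watchlisted."""
    return [f"ALERT pam_watchlist_ip ip={e['src_ip']} user={e['user']} "
            f"target={e['target']} event={e['event']} at={e['time'].isoformat()}"
            for e in events if e["src_ip"] in watchlist]

if __name__ == "__main__":
    ev = parse()
    print(users_for_ip(ev, "203.0.113.44"))
    print(dormant_accounts(ev))
    print("\n".join(siem_alerts(ev, {"203.0.113.44"})))
```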
Slide 39
Analytics and Intelligent Controls
Threat Analytics for PAM
Solution summary
§ Offers an add-on that supercharges existing Privileged Access Manager capabilities
§ Enables automated detection, mitigation and alerting for critical threats
§ Easy deployment: deploys as a single virtual machine; no special skills or significant effort required
§ Quick to provide value: immediately delivers a compelling user experience with human-understandable risk and insights
Advanced Analytics & Automated Mitigation
§ Automatically establishes normal operating profiles for users and the enterprise based on observed behavior
§ Uses historic and real-time activity to assess context and analyze risk
§ Provides meaningful insight regarding user and system activities
§ Triggers risk mitigations and controls, including triggering session recording
Slide 40
PAM for Hybrid Enterprises Deep Dive
Summary
As you can see, there is a lot more to PAM than meets the eye!
From functioning as its own Privileged User IDP, to proxying API calls in order to audit applications, to detecting and mitigating activities via Threat Analytics, CA PAM provides a host of capabilities that extend the standard Privileged User and Privileged Identity functions.
If you’d like to have further discussions, simply contact your CA Account team and we can set up a session to dig into any of these topics in greater depth.
Slide 41
Recommended Sessions
SESSION # | TITLE | DATE/TIME
SCX15E | Meet the PAM Team Q&A | 11/14/2016 at 11:00 am
SCT41T | PAM Maturity Model | 11/16/2016 at 1:45 pm
SCT05T | Threat Analytics for PAM | 11/17/2016 at 4:30 pm
Slide 42
Don’t Miss Our INTERACTIVE Security Demo Experience!
SNEAK PEEK!
Slide 43
We want to hear from you!
§ IT Central is a leading technology review site. CA has them help generate product reviews for our Security products.
§ ITCS staff will be at most sessions. If you would like to offer a product review, please ask them after the class, or go by their booth.
Note:
§ Only takes 5-7 mins
§ You have total control over the review
§ It can be anonymous, if required