Download presentation: How to Engineer an Effective Access Review Program

829fbf7593cb3721d62fe3448f79116d.ppt

  • Number of slides: 28

How to Engineer an Effective Access Review Program
Ramadoss, Staff Information Security Engineer, Ramadoss@qwest.com
September 25, 2008

Agenda
- Definitions
- Challenges
- Common Mistakes Made by Organizations
- Access Review – Applications, Systems and Databases
- Summary
- Q & A

Definitions
- Identification, Authentication, Authorization and Accounting (AAA)
- Access Control, ACLs (Access Control Lists)
- Role Based Access Control & Rule Based Access Control
- Least Privilege (Need to Know) & Segregation of Duties (SoD)
- Access Review

Definitions (contd…)
- PCI (Payment Card Industry)
- SOX (Sarbanes-Oxley) Act of 2002
- SOX Section 404: Assessment of internal control

Applications/Databases and Servers – Access Overview

Challenges
Small Organizations:
- Many users may have full access to the system
- Users may perform multiple functions - Development, Test and Production
- Group/Shared Ids - individual accountability issues
Large Organizations:
- Large number of users and systems
- Mainframe and Legacy Systems
- User Provisioning managed by multiple groups
- Lack of custom tools for access review
- Contractors, Partners and IT Outsourcing
- Validation of non-personal ids, shared ids and ownership

Common Mistakes Made by Organizations
- “Compliance Says So” - confusion between compliance and security
- Not taking a risk based approach
- Not defining the scope of review
- Tool centric rather than process centric
- Unable to sustain repetitive access reviews

Access Review – High Level Overview
- Policies and standards: scope of review, frequency, all types of ids (employee / contractor, group ids, system ids…), authorization levels, systems, provisioning and de-provisioning processes
- Discovery – Extract ids from sample systems, analyze ids, reverse engineer and identify access and authorization rules based on the current access
- Business SMEs, Production / System Admins and DBAs support crucial
- Validate ids against access and authorization rules; Obtain management approvals; Identify

Access Review – High Level Overview
- Set-up scripts to extract ids and authorization levels
- Repeat access review process at least every 90 days
- Review provisioning process - include management approvals and access/authorization rules
- De-Provisioning must address terminations, users leaving business and moving to other job functions

Access Review – High Level Flow

Access Review – Applications
Overview
- J2EE, .NET, Mainframe, Legacy, COTS and ERP
- Business Unit users – large population
- Large number of applications
Challenges
- Lack of process, documentation and access / authorization rules
- No consistent user id or naming standards – difficulty in mapping individual users
- Provisioning managed by multiple groups

Access Review – Applications
Challenges
- Applications may not use central/core authentication systems
- Group/Shared Ids, System Ids – Ownership and Accountability
- Transfer of users within the company
- No third party tool to address access review for complex application environment
Approach
- Rule based access and periodic access review
- Conduct reverse engineering – Map ids to users, Job Titles, Business Units, Department
- Work with business unit contacts to extract access / authorization rules
- Identify owners for non-personal ids and obtain access and

Access Review – Applications
Approach (contd…)
- Ids with no access/authorization rules – Management approval is required
Important Things
- Access/Authorization rules must be used as part of provisioning
- Applications with local authentication – Daily process review must be in place to disable/remove employees and users leaving the business
- 90 day access review – Validation of user ids against access and authorization rules
- Management approval for remaining ids; Conduct ongoing clean-up
- Auto Process to suspend Ids with no activity for more than X number of days
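The daily de-provisioning check and the "no activity for more than X days" suspension described above, as an added example that is not part of the presentation. It reconciles a constructed id extract against a constructed HR roster (names reuse the slides' sample ids; dates, statuses, the 90-day threshold and the review date are assumptions).

```python
from datetime import date

# Constructed id extract from a locally authenticated application: id, owner, last activity.
EXTRACT = [
    {"id": "Personal ID 1", "owner": "John", "last_activity": date(2008, 9, 20)},
    {"id": "Personal ID 5", "owner": "Ron", "last_activity": date(2008, 5, 1)},
    {"id": "Personal ID 7", "owner": "Terry", "last_activity": date(2008, 9, 1)},
    {"id": "Personal ID 9", "owner": "Wendy", "last_activity": date(2008, 9, 22)},
    {"id": "System Id 1", "owner": None, "last_activity": date(2008, 9, 24)},
]

# Constructed HR roster: status is "active", "terminated" or "transferred".
HR = {
    "John": {"status": "active"},
    "Ron": {"status": "active"},
    "Terry": {"status": "terminated"},
    "Wendy": {"status": "transferred"},
}

def deprovision_actions(extract, hr, as_of, max_idle_days):
    """Return (id, action) pairs the daily process should raise:
    - owner terminated or transferred -> disable (de-provisioning on leaving/moving)
    - owner not found in HR -> escalate; ownership must be established first
    - personal id idle longer than max_idle_days -> suspend (the 'X days' auto process)
    - non-personal id -> no automatic suspension; route to owner validation instead"""
    actions = []
    for rec in extract:
        owner = rec["owner"]
        if owner is None:
            actions.append((rec["id"], "non-personal id: validate owner, no auto-suspend"))
            continue
        person = hr.get(owner)
        if person is None:
            actions.append((rec["id"], "owner not in HR roster: escalate"))
        elif person["status"] != "active":
            actions.append((rec["id"], f"owner {person['status']}: disable"))
        elif (as_of - rec["last_activity"]).days > max_idle_days:
            actions.append((rec["id"], f"idle > {max_idle_days} days: suspend"))
    return actions

def run_example():
    # Review date taken from the title slide; 90 days matches the review cycle on the slides.
    return deprovision_actions(EXTRACT, HR, date(2008, 9, 25), 90)

if __name__ == "__main__":
    for uid, action in run_example():
        print(f"{uid}: {action}")
```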

Access Review – Applications

Id                Privileges                           Name   Job Title             Department
Personal ID 1     READ / UPDATE                        John   Sales Consultant      Business Unit A
Personal ID 3     READ / UPDATE                        Linda  Sales Consultant      Business Unit A
Personal ID 4     READ / UPDATE                        Joe    Sales Consultant      Business Unit A
Personal ID 6     READ                                 Ruby   Sales Consultant      Business Unit A
Personal ID 2     READ                                 Mary   Repair Consultant     Business Unit B
Personal ID 7     READ                                 Terry  Repair Consultant     Business Unit B
Personal ID 8     READ / UPDATE                        Mike   Repair Consultant     Business Unit B
Personal ID 9     READ                                 Wendy  Repair Consultant     Business Unit B
Personal ID 5     READ / UPDATE / DELETE               Ron    Development Engineer  Department IT
System Id 1       READ / UPDATE / DELETE
System Id 2       READ / UPDATE / DELETE
Group Id 1        READ / UPDATE
Group Id 2        READ / UPDATE
Administrator Id  READ / UPDATE / DELETE / Add Users                                Business Unit A

Access Review – Applications
Sample Access and Authorization Rules:
1. Sales Consultant from Business Unit A shall have READ / UPDATE access to “Sales” application
2. Repair Consultant from Business Unit B shall have READ access to “Sales” application
3. Administrator Id must be approved by XXX (Segregation of Duties)
Further Research Required:
1. Owner must be identified for System Id 1, System Id 2, Group Id 1 and Group Id 2; Access and authorization levels must be validated; Rules can be created based on the validation
2. Personal Id 5 must be challenged – Why does an IT user require update access?
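The validation step (ids checked against access/authorization rules, remaining ids routed to management approval or owner identification), as an added example that is not from the presentation. It runs rules 1 and 2 over the sample id table from the preceding slide; the table and rule encoding are constructed from the slides, and the same checker applies unchanged to the Windows Server table later in the deck once rules exist for it.

```python
# Constructed from the sample id extract and rules 1-2 on the slides above.
# Fields: id, privileges, name, job title, department (None for non-personal ids).
IDS = [
    ("Personal ID 1", {"READ", "UPDATE"}, "John", "Sales Consultant", "Business Unit A"),
    ("Personal ID 3", {"READ", "UPDATE"}, "Linda", "Sales Consultant", "Business Unit A"),
    ("Personal ID 4", {"READ", "UPDATE"}, "Joe", "Sales Consultant", "Business Unit A"),
    ("Personal ID 6", {"READ"}, "Ruby", "Sales Consultant", "Business Unit A"),
    ("Personal ID 2", {"READ"}, "Mary", "Repair Consultant", "Business Unit B"),
    ("Personal ID 7", {"READ"}, "Terry", "Repair Consultant", "Business Unit B"),
    ("Personal ID 8", {"READ", "UPDATE"}, "Mike", "Repair Consultant", "Business Unit B"),
    ("Personal ID 9", {"READ"}, "Wendy", "Repair Consultant", "Business Unit B"),
    ("Personal ID 5", {"READ", "UPDATE", "DELETE"}, "Ron", "Development Engineer", "Department IT"),
    ("System Id 1", {"READ", "UPDATE", "DELETE"}, None, None, None),
    ("System Id 2", {"READ", "UPDATE", "DELETE"}, None, None, None),
    ("Group Id 1", {"READ", "UPDATE"}, None, None, None),
    ("Group Id 2", {"READ", "UPDATE"}, None, None, None),
    ("Administrator Id", {"READ", "UPDATE", "DELETE", "ADD USERS"}, None, None, None),
]

# Rules 1 and 2: (job title, business unit) -> maximum privileges on the "Sales" application.
RULES = {
    ("Sales Consultant", "Business Unit A"): {"READ", "UPDATE"},
    ("Repair Consultant", "Business Unit B"): {"READ"},
}

def review(ids, rules):
    """Sort every id into the buckets the review process acts on:
    compliant - covered by a rule and within its privileges
    excess    - covered by a rule but holding more than it allows (clean-up)
    no_rule   - personal id with no matching rule (management approval required)
    no_owner  - system/group/admin id (owner must be identified and validated)"""
    out = {"compliant": [], "excess": [], "no_rule": [], "no_owner": []}
    for uid, privs, name, title, dept in ids:
        if name is None:
            out["no_owner"].append(uid)
            continue
        allowed = rules.get((title, dept))
        if allowed is None:
            out["no_rule"].append(uid)
        elif privs <= allowed:
            out["compliant"].append(uid)
        else:
            out["excess"].append((uid, sorted(privs - allowed)))
    return out

if __name__ == "__main__":
    for bucket, items in review(IDS, RULES).items():
        print(f"{bucket}: {items}")
```

Besides the Personal Id 5 challenge the slide already raises, the check also surfaces Personal ID 8 (Mike), whose UPDATE privilege exceeds what rule 2 grants a Repair Consultant.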

Access Review – Operating System
Overview
- Many users may have privileged access
- Some ids have standard access and authorization levels
- Windows / UNIX and Mainframe
Challenges
- Provisioning managed by multiple groups
- Difficult to derive access and authorization rules
- Difficult to re-validate access permissions
- UNIX systems – may not use central authentication

Access Review – Operating System
Approach
- Sys Admins, Production Support Users and DBAs play a crucial role
- Extract ids and privileges. Access Review must cover all ids at the server
- Identify system accounts, global groups and privileges for each platform (Windows / UNIX)
- Access/Authorization Rules for system Ids and Ids/groups supporting multiple servers and Ids for application/database access - Administrators, Back-up Operators, Help Desk or Support teams
- Remaining ids require management approval

Access Review – Windows Server

Id             Privilege        Group                        Name           Job Title                                         Department
Personal ID 1  Administrator    Domain\Administrator         John           System Administrator                              Department IT
Personal ID 3  Administrator    Domain\Administrator         Linda          System Administrator                              Department IT
Personal ID 4  Administrator    Domain\Administrator         Joe            System Administrator                              Department IT
Personal ID 6  Administrator    Domain\Domain Administrator  Ruby           System Engineer - Production Application Support  Department IT
Personal ID 2  Administrator    Domain\Domain Administrator  Mary           System Engineer - Production Application Support  Department IT
Personal ID 7  Administrator    Domain\Administrator         Terry          Development Engineer
Personal ID 8  Backup Operator  Domain\Back-up Operator      Mike           Analyst                                           Department IT
Personal ID 9  Administrator    Domain\Administrator         Wendy          Project Manager                                   Business Unit 1
Personal ID 5  Power User       Domain\Global_Group_1        Ron            Business Analyst                                  Business Unit 2
System Id 1    Power User                                    Application X
System Id 2    Power User                                    Application Y

Windows Built-in Users and Built-in Groups
Built-in Users and Groups: Account Operators, Administrators, Anonymous, Authenticated Users, Guest, Backup Operators, Local System, Domain Admins, Domain Computers, Domain Controllers, Domain Users, Enterprise Admins, Everyone, Group Policy Creators Owners, Guests, Network, Power Users, Print Operators, RAS and IAS Servers, Remote Desktop Users, Server Operators

Access Review – Mid-Range Databases
Overview
- Oracle, SQL Server, Informix, Sybase
- Potential data exposure areas
- Critical data - Company financial data, Customer financial data
Challenges
- Databases may not follow consistent user id or naming standards – difficulty in mapping individual users
- Provisioning may be managed by multiple groups
- User ids may be used for database processes
- Developers / Business user access to databases

Access Review – Mid-Range Databases
Challenges (contd…)
- Oracle databases may not be using central authentication
- Application Ids with DBA privileges
Approach
- Identify users with DBA and Non-DBA privileges for each database
- Provisioning - strict management approvals for DBA access
- SoD – Restrict Developers and Testers access
- Identify owners for Non-Personal Ids – access and password restrictions

Access Review – Mid-Range Databases
Approach
- Risk based approach – identify critical tables that contain sensitive data
- Identify users with DBA and Non-DBA privileges for each database
- Provisioning process - strict management approvals for DBA access
- SoD – Restrict Developers and Testers access to production

Access Review – Mid-Range Databases
Approach (contd…)
- Explore AAA central authentication
- Authorization - Tables that contain sensitive data
- Logging and Auditing - monitor privileged user access
- Access and Authorization rules for users with DBA Job Titles and System Ids
- Quarterly review of all user ids
  • Ids with access and authorization rules
  • Remaining ids require management approval

Access Review – Mainframe Databases
Overview
- DB2, IMS and Legacy Databases
- RACF Authentication
Challenges
- Access can be granted independently to databases, tables, views and datasets
- Some databases may have 1000s of tables
- Development/Test users - access to production environment
- Difficult to encrypt data in mainframe databases

Stakeholders - Engagement
- Engage Business unit contacts, Application contacts, System Administrators, Application Administrators, DBAs
  • Access and Authorization Rules
  • Provisioning and De-provisioning
  • Management approvals
- Engage Security Compliance, Internal Audit and External Auditor to review for compliance

Summary – Access Review
- Access Review Standards and Processes
- Access Review should include validation of access/authorization rules and management approvals
- Provisioning processes - access/authorization rules and management approvals
- De-Provisioning process - terminations and users leaving the business. Automated processes to de-activate invalid user ids
- Central authentication - AAA (Authentication, Authorization and Accounting)

Summary – Access Review (contd…)
- Contractors, Service Providers and Partners access review - contractual requirements and oversight
- Group/Shared Ids - ownership and access restrictions (password expiration at periodic intervals and when users leave the business or transfer within the company)
- Development/Business users - restricted access to production databases and operating systems and least privileged access
- Logging and Auditing - monitor privileged user access
- Remote Network Access, Network Element Access

Q&A