
Slide 1: Reduce IT Admin Risks and Costs with Privileged Access Management (PAM)
Control the access of your most critical users without breaking your budget.

Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech’s products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns. © 1997-2014 Info-Tech Research Group Inc.

Slide 2: Table of Contents
1. Title
2. Introduction
3. Project Rationale
4. Execute the Project/DIY Guide
 - Assess PAM Requirements
 - Identify and Evaluate PAM Options
 - Communicate with Admins and Stakeholders
 - Select a PAM Solution
 - Implement PAM Solution
5. Summary/Conclusion
6. Next Steps
7. Workshop Deck

Slide 3: Our Understanding of the Problem

This Research Is Designed For:
Security/operations managers dealing with the following problems:
◦ Internal: There are no change management practices for when people leave the organization or change roles; a breach occurs due to mismanagement of privileged accounts; system or machine-to-machine account passwords are rarely changed.
◦ External: Must meet regulatory compliance requirements; need to be better prepared to protect admin accounts as they are a target in today’s threat landscape, putting security/operations managers’ jobs at risk.

This Research Will Help You:
◦ Identify your business need for PAM
◦ Establish which PAM solutions are best for your organization’s needs
◦ Secure support from both admins and stakeholders for a PAM implementation
◦ Effectively implement PAM with minimal impact to workflow

This Research Will Assist:
Operations managers dealing with the following problems:
◦ Grief over mismanagement of accounts; employees misusing levels of access.
◦ Higher number of calls to the help desk for password resets, resulting in increased costs; privileged accounts take more time due to their sensitive nature (if the organization does have the technology in place to automate the process).

This Research Will Help You:
◦ Determine cost savings as a result of PAM implementation.
◦ Effectively communicate to admins to ensure a successful implementation.

Slide 4: Executive Summary

Situation
Your internal employees have always been a vulnerability against your organization’s overall security, but your privileged accounts are even more of a target because of their heightened level of access to sensitive data. It presents job security risk to both security and operational-related positions if an incident due to account mismanagement is tracked to either position.

Complication
PAM is an investment. Excuses such as “it seems like too much work and a waste of money to put in place” tend to outweigh the many benefits of having that technology. Privileged users may not appreciate the increased visibility into their actions, and may take it as a slight that increased monitoring will be put in place.

Resolution
Understand how PAM can save your organization money by streamlining authentication and reducing the number of help desk tickets related to password resets. Choose a solution that is minimally intrusive to users and works with them. Acknowledge that this process may take time. Get the support of admins by letting them know it will make their lives easier through automated processes, and let stakeholders know the organization’s overall security will improve and the business will save money in the process. Keep the implementation smooth by not overcomplicating it.

Info-Tech Insight
1. Users are the organization’s weakest link. Admin users are at an even higher risk due to their elevated access.
2. Technology is not enough. If these accounts are being managed by individuals and not a formal system, they are no more secure than regular internal users. PAM is only one part of the strategy; people and process are necessary too.
3. The time for ad hoc anything is over. Formal processes and solutions need to be in place. Not doing anything can be low cost, but you are masking a great complication, i.e. high risk.

Slide 5: How to deliver this blueprint/workshop
It’s ideal if all participants can be involved for the duration of the workshop, but it is understandable that individuals may need to pop in and out. The project is most effective if there can be at least some consistent parties participating, both in terms of a workshop and the blueprint (DIY).
◦ Exercise icon: when you see this image, this is an exercise. Gather as many applicable parties as possible to be involved.
◦ Tool/template icon: when you see this image, it indicates a downloadable Info-Tech tool or template that will help you in the completion of your blueprint/workshop.
◦ Guided Implementation arrow: when either image is accompanied by this arrow, it gives you a chance to call Info-Tech and set up a Guided Implementation. You can schedule a call with an analyst and work through that particular exercise with them.

Slide 6: Case Study: Leading virtualization platform provider struggles to manage privileged accounts securely
U.S. virtualization platform provider needs to improve operations and better secure its admin passwords.

Company Background: With over 300,000 customers, the virtualization platform vendor stands tall as the global leader in virtualization and cloud infrastructure solutions, helping customers reduce capital and operating expenses, improve agility, ensure business continuity, and strengthen security. The success of such a huge portfolio of virtualized solutions relied on a finely honed and integrated Research and Development effort.

Architecture: The R&D division’s IT environment is vast and includes hundreds of physical devices, virtual machines, [and] virtualized applications. Physical devices and VMs are accessed and controlled by administrative accounts that grant unlimited access privileges. VMs and other virtual applications are organized as sets of gear stacks, which are virtual centers in a cluster. Many such virtual centers are in a centralized management stack. Each stack gear has a unique 160-digit password.

Implication: Naturally, such lengthy passwords are nearly impossible for the members of the R&D team to remember.

Challenges: The manual approach to storing, accessing, and managing these administrative passwords was cumbersome, time consuming, [labor intensive], and also highly insecure.

Opportunities: Find a solution that marries user convenience with increased security, and improves operational security. See how the organization found its ideal solution on the next case study slide.

*The above is reprinted with permission from ManageEngine.

Slide 7: Angry privileged insiders can be an organization’s worst nightmare if it hasn’t been managing privileged accounts properly
Vulnerabilities surrounding privileged access can be exploited accidentally, or worse, maliciously.

Fannie Mae
October 2008 – Fannie Mae was attacked by one of its own UNIX engineers. After the company notified him that he would be let go by the end of the day, it neglected to properly deprovision his account, and he was allowed to work the day. In that time, he developed scripts with the plan of causing substantial damage to the company if they were executed. The scripts would have disabled monitoring and then all access to the company’s 4,000 servers, eventually wiping their data. This attack was caught before any damage was done, but if proper monitoring and PAM had been put in place, it wouldn’t have begun in the first place.

Insurance Co.
A Canadian insurance company achieved better compliance with PCI-DSS and PIPEDA requirements and enhanced the productivity of its system admins.
Before implementing a PAM solution: 12 system administrators had privileged accounts on 400 Unix/Linux servers, including virtual servers. No one knew exactly how many privileged accounts existed, who had access to what resources, and more importantly, what administrators had done to the systems. A large portion of security incidents happened due to malicious or unintentional changes by privileged accounts.
After implementation of a PAM solution: The company achieved better compliance and increased security through access control and separation of duties for privileged access, backed by comprehensive audit capabilities that include policy, rights, and activities performed down to the keystroke level on many critical systems.

In the recent May 2014 Ponemon Institute study, “Privileged User Abuse & The Insider Threat”:
◦ 56% of organizations think general business information is vulnerable to attacks.
◦ 49% say customer information is vulnerable because of the lack of controls over privileged users.

Slide 8: Privileged Access Management (PAM) is not only necessary to achieving increased security, it also saves you money
Are your admin accounts really that protected? Absolutely not. You need to be doing more.

PAM means more user security
◦ Verizon’s 2013 Data Breach Investigation Report: 76% of network intrusions exploited weak or stolen credentials.
◦ 47% of respondents in Ponemon’s May 2014 study believe that malicious insider attacks are the result of attackers using privileged users’ information.
◦ In a 2014 study conducted by CyberSheath on APTs and privileged accounts involving 170,000 employees from around the world, each interview confirmed that privileged accounts being taken advantage of were a primary factor in 100% of advanced attacks.
◦ “Privileged account protection strategies got lost in ‘boil the ocean’ identity management discussions.” (4)
◦ 49% of respondents (out of 693) do not have policies to assign privileged access (Ponemon, Privileged User Abuse & The Insider Threat).

PAM means fewer wasted funds
A large bank with 12,000 employees and around 800 computer servers achieved an ROI of about 25% by implementing a PAM solution. The total cost savings was $69,564.77, which came from two factors:
◦ Security Incident Reduction ($62,009.22)
◦ Help Desk Ticket Reduction ($7,555.56)
The investment in PAM was $55,750.00, which also came from two aspects:
◦ Technology ($31,600.00)
◦ Maintenance ($24,150.00)

Slide 9: The value of PAM can be found beyond just increasing security
◦ Increased security against risks
◦ Increased operational efficiency
◦ Fewer password-related help desk tickets
◦ Minimized number of potential breaches through user credentials
This blueprint applies to you whether your needs are regarding your overall operations or your security posture.

Impact: Value of implementing PAM
◦ Short term: Being under more scrutiny may change the culture of admins, but by helping them understand the value not only to the overall security of the organization, but to their workflow (e.g. increased efficiency, fewer accounts to manage), it will be easier for them to come around and accept the new processes.
◦ Long term: Efficiency will be more apparent with fewer help desk tickets, which subsequently means less end-user time wasted waiting for password resets, etc. This also results in cost savings. You’ll likewise experience increased security overall in the long term thanks to increased visibility and better account management.

Impact: Value of Info-Tech’s PAM blueprint
◦ Comprehensive project plan
◦ Selection process to simplify choosing the best PAM option for your organization
◦ Strategy around effective communication with stakeholders and end users
◦ Timeline to successfully roll out the project

Slide 10: Your requirements for PAM may differ, but the general drive is more security
PAM implementations can apply to organizations of every size. PAM is particularly applicable for the following industries:
◦ Finance
◦ Insurance
◦ Health care
◦ Public administration
◦ Education services
◦ Professional services
◦ Scientific and technical services

Info-Tech Insight 1: Admin users (no matter what your organization size) are the weakest link. Small businesses are also candidates for PAM, regardless of their size and potential lack of compliance requirements. They often do not have robust security resources, and therefore have more vulnerable access points. Small businesses also partner with larger organizations in some capacity, and offer an easy channel for attackers.

If your organization has any compliance requirements, PAM can be mandatory for the following standards:
◦ Sarbanes-Oxley Section
◦ PCI-DSS
◦ HIPAA
◦ NIST SP 800-53
◦ NERC CIP-005-01
Visit Centrify’s white paper, Privileged User Activity Auditing: The Missing Link for Enterprise Compliance and Security (2011), for specific sections.

Slide 11: Privileged Access Management

Protect your admins: Your internal employees have always been a vulnerability against your organization’s overall security, but your privileged accounts are even more of a target because of their heightened level of access to sensitive data.

Protect your systems: PAM is an investment. Excuses such as “it seems like too much work and a waste of money to put in place” tend to outweigh the many benefits of having that technology.

Protect the castle: Understand how PAM can save your organization money by streamlining authentication and reducing the number of help desk tickets related to password resets. Get the support of admins by letting them know it will make their lives easier through automated processes. Also, let stakeholders know the organization’s overall security will improve and the business will save money in the process.

Slide 12: Info-Tech Research Group Helps IT Professionals To:
◦ Quickly get up to speed with new technologies
◦ Make the right technology purchasing decisions – fast
◦ Deliver critical IT projects, on time and within budget
◦ Manage business expectations
◦ Justify IT spending and prove the value of IT
◦ Train IT staff and effectively manage an IT department
Sign up for a free trial membership to get practical solutions for your IT challenges: www.infotech.com
“Info-Tech helps me to be proactive instead of reactive – a cardinal rule in a stable and leading edge IT environment.” - ARCS Commercial Mortgage Co., LP
Toll Free: 1-888-670-8889




