
MIM/PAM Case Study
Dean Guenther, IAM Manager, Washington State University, May 2016
Copyright 2016, Washington State University

Presentation transcript:

2 Spokesman Review, August 22, 2015
WSU administrators announced this week they are trying to thwart a sophisticated hacking attempt that was detected more than a month ago … with help from federal investigators and private cyber security firm[s].

4 Spokesman Review
The university said it has found no evidence the hackers have accessed sensitive or research data.
… the university will employ new software and eliminate compromised communication channels …

5 The Problem
We needed a better mechanism to prevent system administrators from falling victim to privilege escalation.

6 The PAM Model
Many recent well-publicised hacking attacks have targeted system administrators, with hackers gaining access to administrative credentials, with which they have created further accounts with extensive permissions. – James Cowling

10 The PAM Model
Privileged Access Management (PAM) helps mitigate unauthorized privilege escalation attacks.
PAM utilizes MIM's request and approval workflow.
Uses AD's SID History.
The end result is an end user requesting and using elevation of privilege.

15 SID History
SID History is an attribute on an Active Directory (AD) user account object.
It helps in migration scenarios: new infrastructure accounts need to access the old infrastructure.
The SID history attribute is included in authorization tickets.
PAM drops people in/out of groups using SID history.
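The two slides above describe the mechanism PAM leans on: a group in the private forest carries the SID of a production group in its sIDHistory, so membership in the private group puts the production SID into the user's authorization ticket. Because the same attribute can also carry a SID nobody intended, a defender wants to see every object that has one. The PowerShell below is an added example, not code from the WSU presentation or from Microsoft; it assumes the RSAT ActiveDirectory module is installed and that the caller can read the domain being audited, and the server name and the watched SID are constructed placeholders.

```powershell
# Added example, not code from the WSU presentation. Assumes the RSAT ActiveDirectory
# module is installed and the caller can read the domain being audited. The server
# name and the watched SID are constructed placeholders.
Import-Module ActiveDirectory

# Normalise whatever the directory hands back for a sIDHistory value (SecurityIdentifier
# or raw bytes) into a SecurityIdentifier object.
function ConvertTo-Sid {
    param($Value)
    if ($Value -is [byte[]]) {
        return New-Object System.Security.Principal.SecurityIdentifier($Value, 0)
    }
    return [System.Security.Principal.SecurityIdentifier]$Value
}

# Resolve a SID to DOMAIN\name where the trust allows it; otherwise keep the SID string.
function Resolve-SidName {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try   { return $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { return $Sid.Value }
}

# One row per (object, historical SID). In a PAM bastion forest the expected rows are
# the shadow groups carrying a production group's SID; anything else needs review.
function Get-SidHistoryReport {
    param(
        [string]$Server = 'priv.example.edu',   # assumed bastion-forest domain controller
        [string[]]$WatchSids = @()              # SIDs of groups you consider privileged
    )
    $objects = Get-ADObject -Server $Server -LDAPFilter '(sIDHistory=*)' `
                            -Properties sIDHistory, whenChanged
    foreach ($obj in $objects) {
        foreach ($raw in $obj.sIDHistory) {
            $sid = ConvertTo-Sid $raw
            [pscustomobject]@{
                Object      = $obj.DistinguishedName
                Class       = $obj.ObjectClass
                HistorySid  = $sid.Value
                ResolvesTo  = Resolve-SidName -Sid $sid
                Privileged  = $WatchSids -contains $sid.Value
                LastChanged = $obj.whenChanged
            }
        }
    }
}

# Usage: show only objects whose history grants a watched production SID.
Get-SidHistoryReport -Server 'priv.example.edu' -WatchSids @('S-1-5-21-111-222-333-512') |
    Where-Object { $_.Privileged } |
    Format-Table -AutoSize
```

Run it against the private forest on a schedule and diff the output: a new row that is not one of your PAM shadow groups is the finding. Historical SIDs only cross a trust on which SID filtering is relaxed, so pair this report with `Get-ADTrust -Filter * | Select-Object Name, SIDFilteringQuarantined, SIDFilteringForestAware` to know which trusts actually let them through.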

16 (diagram slide, credit: Microsoft)

19 Support from the President
… the university will employ new software …
WSU would use the new MIM/PAM.
1,500 to 2,000 servers. 300 system administrators.

39 Modified PAM Model
We did not follow the suggested Microsoft model for MIM/PAM. It did not scale well for us.
Using a trusted, private forest.
RBAC model for roles and permissions.
We used MIM Synch.
Typical MIM systems.

46 Timeline
MIM/PAM development began September 2015.
About 3 people over 2 months, not including department work.
First production use in December.
It takes about 1-2 months per department/college to onboard.
About 60% done.


62 MIM PAM Issues
PAM role expiration does not remove current session access.
Patching of the SQL hosts starts dropping connections.
Bug in custom group synch.
ADMT runs as a domain admin.
Role activated, but access not granted.

65 MIM PAM Issues
AD-integrated tools do not always work in a different forest.
Can't use the Domain Admins or Enterprise Admins groups.
Issues installing some applications.
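The first issue above follows from how Windows builds a logon token: the group SIDs in a token are fixed when the session is created, so PAM removing a membership later changes what the directory says, not what an existing token holds. The check below is an added example, not code from the WSU presentation, and compares the two views for one privileged SID so a stale elevation can be surfaced to the user or to monitoring. It assumes the RSAT ActiveDirectory module, that it runs under the bastion-forest account being checked, and that the domain controller name and SID are constructed placeholders; the directory view is direct membership only, which is enough because PAM shadow groups are direct memberships.

```powershell
# Added example, not code from the WSU presentation. Assumes the RSAT ActiveDirectory
# module is installed and the script runs under the bastion-forest account whose
# elevation is being checked. Server name and SID values are constructed placeholders.
Import-Module ActiveDirectory

# Group SIDs baked into the caller's logon token. These were fixed when the session
# was created, which is why an expired PAM role does not revoke access already held.
function Get-TokenGroupSids {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    return @($identity.Groups | ForEach-Object { $_.Value })
}

# SIDs the directory grants the caller right now: the SID of each group they are a
# direct member of, plus any SID those groups carry in sIDHistory (that is how a PAM
# shadow group in the private forest conveys a production-forest group SID).
function Get-DirectoryGrantedSids {
    param([string]$Server)
    $sids = @()
    $groups = Get-ADPrincipalGroupMembership -Server $Server -Identity $env:USERNAME |
              Get-ADGroup -Server $Server -Properties sIDHistory
    foreach ($g in $groups) {
        $sids += $g.SID.Value
        foreach ($h in $g.sIDHistory) { $sids += "$h" }
    }
    return $sids
}

# Compare the two views for one privileged SID. "Stale" means the token still carries
# the SID but the directory no longer grants it: the PAM role has expired, yet this
# session keeps the access until the user signs out and signs in again.
function Test-StaleElevation {
    param(
        [Parameter(Mandatory)][string]$PrivilegedSid,   # e.g. SID of a production admin group
        [string]$Server = 'priv.example.edu'            # assumed bastion-forest domain controller
    )
    $inToken    = (Get-TokenGroupSids) -contains $PrivilegedSid
    $grantedNow = (Get-DirectoryGrantedSids -Server $Server) -contains $PrivilegedSid
    [pscustomobject]@{
        PrivilegedSid = $PrivilegedSid
        InToken       = $inToken
        GrantedNow    = $grantedNow
        Stale         = ($inToken -and -not $grantedNow)
    }
}

# Usage: run from a logon script or a scheduled task on the admin workstation.
$result = Test-StaleElevation -PrivilegedSid 'S-1-5-21-111-222-333-512'
if ($result.Stale) {
    Write-Warning "Token still holds $($result.PrivilegedSid) but the role has expired; sign out to drop it."
}
$result
```

Purging Kerberos tickets is not enough to clear a stale elevation, because the token groups live in the logon session rather than in the ticket cache; only a new logon rebuilds them. Feeding the `Stale` result into the data center monitoring mentioned later in the deck gives operations a way to see elevations that have outlived their role.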

71 To Do list
Finish RBAC for all campuses/colleges/departments.
Examine other use cases for RBAC, e.g. network services, VPNs, firewalls.
Help Desk training.
Automated workflow for role and permission creation.
Automated user creation.
Implement multifactor authentication.

78 To Do list
Automate role candidate creation for users.
Separate MIM Portal from PAM Portal.
Separate MIM Synch from MIM Service.
Rethink the whole process again after the AD DS 2016 migration.
Support additional PAM features available in AD DS 2016.
Move some support to IAM.
Complete the documentation.

80 To Do list
MIM/portal approval workflow for "one time" elevated permission.
Better monitoring for Data Center Operations.

83 Final Thoughts
The whole process is only as good as the strength, adoption, and enforcement of your RBAC model.
Get support from the highest leadership level possible.
It takes a lot of effort.

84 Cast of Characters
Tom Ambrosi, CISO, tambrosi@wsu.edu
Matt Kunkel, DCISO, PM, mattku@wsu.edu
Dan Hamilton, CDS, hamiltond@wsu.edu
Nathan Mertz, OCG, Nathan.Mertz@oxfordcomputergroup.com
Dean Guenther, IAM, guenther@wsu.edu

