Identity and Access Management community: Discover and share best practices to control IAM for your real world.
Last week we ran a web seminar with Randy Franklin Smith on understanding Pass-the-Hash (PtH) attacks and how to prevent them, and we recently released a white paper on the subject as well. So whether you are the type who likes to curl up at night with a cup of tea and a good read, or would rather grab a Mountain Dew and stay up late watching YouTube videos, we have the right media format for you to start learning more about PtH and the solutions from Dell that can help you mitigate the risk of an attack.
Watch the webinar
Read the white paper
Back when I didn’t have much of a life, I would rush home from junior high school so that I could get the TV on in time to watch Family Feud (the classic Richard Dawson version not the watered down Steve Harvey or Louie Anderson versions). I always loved it when the top answer would flip over, the bell would ding, and something like 80% of respondents all gave the same answer, and the contestants would struggle to find out what the other 20% said and inevitably get their three strikes and be out.
Well, here at the home of Dell One Identity, we’ve got our own version of Family Feud going. Only I’m not going to kiss each female, I don’t have wide lapels or a gaudy fat tie, and three strikes doesn’t get you a home version of our game and a year’s supply of Rice a Roni.
Recently we concluded a pretty thorough survey of companies with more than 1,000 employees, asking all about their current approach, future plans, and challenges with identity and access management (IAM). The companies surveyed represented a good cross-section in terms of geography, industry, size, and approach to IAM. I’ll be blogging about the results over the next several weeks.
We asked the question:
“Do any of the following describe your organization’s opinion of IAM?” and offered several typical responses to choose from (and unlike the real Family Feud, respondents could select more than one answer).
So what did the survey say?
38% said IAM is expensive – I hear that all the time.
28% said IAM is hard – that one too.
13% felt that they have a mature approach to IAM with very little room for improvement (I’d like to meet these people, either they define IAM very narrowly or they are lying to themselves).
But perhaps the most telling answers were a tie for the most popular response:
51% agreed with the statement “IAM is complex” while 51% also agreed with the statement “we feel good about our approach to IAM but with a little work we can make it better”. So what gives? Is IAM complex or do you think IAM is OK, but like everything else has some room for improvement? To me this says that the majority of people agree that IAM is complex – after all, it’s an attempt to get your arms around the complexity of diverse systems and user populations. But the same percentage also feels good about their approach to IAM. I interpret this to mean that most people feel that IAM is necessary, it is complex, and that’s just the way it is…you better just accept the fact and do the best you can. That’s kind of sad … at least to the extent that something like IAM can elicit an emotion.
If you look at “traditional” approaches to IAM (the ones referred to by the 19% of respondents that agreed with the statement “You can only get IAM from a handful of platform vendors”), then yes IAM is complex and yes that’s just the way it is (by the way it’s also expensive and hard through these legacy solutions). But the new approach to IAM – the approach that we like to refer to as IAM for the real world – busts this myth pretty thoroughly.
With IAM for the real world, identity governance, access management, and privileged management can all be addressed with simple, modular and integrated solutions that deliver rapid time to value and actually reduce the time and money required to achieve demanding IAM objectives. IAM for the real world places visibility and control in the hands of the right people (those who know why things need to happen a certain way, not those who simply know how to perform administrative tasks on a particular system).
The Dell One Identity family of solutions has real-world answers to the concerns expressed in our survey.
Stay tuned for more results from the survey. But in the meantime, if you want to understand the right way to do IAM and decide where it’s right for you, I invite you to read the ebook series Identity and Access Management for the Real World.
If I told you today I would cover all your expenses and you could choose between a Novell CNE or a Microsoft MCSE certification, which would you choose? I’m guessing a snap decision through today’s lens would be easy. Back when I had this choice, the answer wasn't so obvious. In fact, I ponied up for my CNE.
Before I start defending that call, let’s just say it’s all moot now. The CNE helped open a door but I never really put the training into practice. One day I was muttering about IPX/SPX and the next day I was on the command-line learning Sun Solaris. The why is a story for another day but Solaris and I bonded over the better part of the next decade.
In those times it wasn't uncommon to use telnet, especially for dev systems. Not just telnet: we had dev systems still running the r* protocols. Of course, at one point in history it used to be optional to wear a seat belt. Nowadays we buckle up when we drive, and we don’t use telnet. That brings us to Secure Shell (SSH). Let’s put our seat belt on and look at a recently published NIST draft titled “Security of Automated Access Management using Secure Shell (SSH)”. The 41 pages cover topics including SSH basics, vulnerabilities, recommended practices and guidance on planning and implementation.
Let’s focus on user authentication. The NIST draft gives a nice overview of the various authentication options SSH supports. Of these, the Kerberos option is the one we've seen grow in popularity over the last decade, and Dell provides a solution that allows Unix systems to integrate with Active Directory.
Integrating Unix with Active Directory opens several new avenues, like using Group Policy to manage Unix (and Mac) machine and user settings and eliminating the need to provision local users for Unix/Mac access. In the context of SSH, joining Unix to Active Directory enables a scenario where an administrator can authenticate to their Windows desktop, open a popular SSH client like PuTTY, and get direct single sign-on access to a remote Unix system. No more typing a username and password for access, as the SSH client and server take advantage of the underlying Kerberos infrastructure.
The NIST draft rightly points out the potential for unwanted implicit trust relationships when using Kerberos. However, most current AD bridging technologies provide a solution in the form of granular host-based access control, which lets an administrator dictate precisely which AD user is permitted to authenticate to which system. SSH is not directly enforcing the solution, but the concern over unfettered implicit trusts is mitigated through the host-based access control mechanism.
Another common question that comes up when using SSH with Active Directory integration: If I choose to use SSH key pairs for authenticating an Active Directory user, what happens if I need to disable the AD user’s access?
In this scenario, SSH is configured for public key authentication. However, instead of the user being defined locally in /etc/passwd, the account actually lives in Active Directory, which is possible because the AD integration solutions typically provide both PAM and NSS modules. When properly configured, disabling the Active Directory user account denies that user's authentication even though they were authenticating via key pair. This happens by design when PAM properly supports the session check: regardless of how the user authenticates, the PAM session check will catch that the AD account is disabled and therefore deny access despite a valid key pair.
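The two gates described above (host-based access control for the AD user, and denial of a disabled AD account even when the key pair is valid) can be modelled as separate decisions. The following is an added illustration written for this post, not Dell's or any AD bridging product's code: public-key authentication is one function, and a second function stands in for the PAM account stage that sshd runs after authentication whenever UsePAM is enabled, consulting the directory for the account's status and the host's access rule. The users, key fingerprints, hosts and access rules are constructed sample data; ACCOUNTDISABLE and NORMAL_ACCOUNT are the real userAccountControl bits from Active Directory.

```python
"""Model of an SSH login on an AD-joined Unix host: key check, then PAM account check."""
from dataclasses import dataclass, field
from typing import Tuple

# Real bits of Active Directory's userAccountControl attribute.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200


@dataclass
class ADUser:
    sam: str
    user_account_control: int
    groups: set = field(default_factory=set)
    ssh_keys: set = field(default_factory=set)  # authorized key fingerprints (constructed)

    @property
    def disabled(self) -> bool:
        return bool(self.user_account_control & ACCOUNTDISABLE)


# Constructed "directory" standing in for the NSS/LDAP lookup against AD.
DIRECTORY = {
    "alice": ADUser("alice", NORMAL_ACCOUNT, {"unix-admins"}, {"SHA256:key-alice"}),
    "bob":   ADUser("bob",   NORMAL_ACCOUNT | ACCOUNTDISABLE, {"unix-admins"}, {"SHA256:key-bob"}),
    "carol": ADUser("carol", NORMAL_ACCOUNT, {"finance"}, {"SHA256:key-carol"}),
}

# Constructed host-based access rules: which AD groups may log on to which host.
HOST_ACCESS = {
    "db01": {"unix-admins"},
    "web01": {"unix-admins", "finance"},
}


def pubkey_auth(user: str, presented_key: str) -> bool:
    """Authentication gate: does the presented key belong to this user?"""
    entry = DIRECTORY.get(user)
    return entry is not None and presented_key in entry.ssh_keys


def pam_account(user: str, host: str) -> Tuple[bool, str]:
    """PAM account stage: runs regardless of how the user authenticated.

    Checks the AD account is not disabled, then the host-based access rule.
    """
    entry = DIRECTORY.get(user)
    if entry is None:
        return False, "unknown user"
    if entry.disabled:
        return False, "account disabled in AD"
    if not (entry.groups & HOST_ACCESS.get(host, set())):
        return False, "no host access rule grants %s access to %s" % (user, host)
    return True, "ok"


def ssh_login(user: str, presented_key: str, host: str) -> Tuple[bool, str]:
    """Full decision: key must match, and the account stage must pass."""
    if not pubkey_auth(user, presented_key):
        return False, "public key rejected"
    return pam_account(user, host)


if __name__ == "__main__":
    for who, key, host in [("alice", "SHA256:key-alice", "db01"),
                           ("bob", "SHA256:key-bob", "db01"),
                           ("carol", "SHA256:key-carol", "db01")]:
        print(who, host, ssh_login(who, key, host))
```

The point of the split is visible in bob's case: his key is perfectly valid and pubkey_auth returns True, yet the login is denied because the account stage sees the disabled bit. Without the PAM account stage (UsePAM off, or a PAM stack that never consults the directory), only the key check would run and the disabled AD account would still get in.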
The NIST draft is worth an overview if it’s been a while since you reviewed your SSH implementation. And if you have a good tip for automating SSH access where passphrases are enabled on public/private keys, please share.
There's a lot of talk about "pass-the-hash" (PtH) attacks going on. Just type "pass the hash attack" into Google and start exploring - you'll get your fill quickly. Let's start with a quick synopsis of PtH from Wikipedia's definition which you can find here:
Any system using LM or NTLM authentication in combination with any protocol (SMB, FTP, RPC, HTTP etc.) is at risk from this attack. The exploit is very difficult to defend against, because there are countless exploits in Windows and applications running on Windows that can be used by an attacker to elevate their privileges and then carry out the hash harvesting that facilitates the attack. Furthermore, it may only require one machine in a Windows domain to not be configured correctly or be missing a security patch for an attacker to find a way in. A wide range of penetration testing tools are furthermore available to automate the process of discovering a weakness on a machine.
There is no single defense against the technique, so standard defense in depth practices apply - for example use of firewalls, intrusion prevention systems, 802.1x authentication, IPsec, antivirus software, full disk encryption, reducing the number of people with elevated privileges, pro-active security patching etc. Preventing Windows from storing cached credentials may limit attackers to obtaining hashes from memory, which usually means that the target account must be logged into the machine when the attack is executed. Allowing domain administrators to log into systems that may be compromised or untrusted will create a scenario where the administrators' hashes become the targets of attackers; limiting domain administrator logons to trusted domain controllers can therefore limit the opportunities for an attacker. The principle of least privilege suggests that a least user access (LUA) approach should be taken, in that users should not use accounts with more privileges than necessary to complete the task at hand. Configuring systems not to use LM or NTLM can also strengthen security, but newer exploits are able to forward Kerberos tickets in a similar way. Limiting the scope of debug privileges on system may frustrate some attacks that inject code or steal hashes from the memory of sensitive processes.
As the Wikipedia definition states, there is no single defense against this technique. Furthermore, if you are familiar with defense in depth practices, you know there are a number of things that you, Mr./Ms. IAM Guru, may not have control over, like firewalls, intrusion prevention systems, etc. If we assume you have some control over identity and access management, what can you do to help prevent PtH attacks?
One thing I would like to emphasize is that it is not possible to protect yourself 100% from this or any other type of attack, so don't get wrapped around the axle too much about this. If you really need 100% protection, the best thing to do is disconnect from the Internet and don't allow employees to take their laptops home or on the road - right, fat chance. There are, however, a number of basic things that you can do to better protect yourself, and there are software solutions that can help as well. Microsoft has published a number of documents about pass the hash that are worth reading, including: Pass-the-Hash and Other Credential Theft and New Strategies and Features to Help Organizations Better Protect Against Pass-the-Hash Attacks. A few of the most basic things you can do to protect yourself include:
We developed our Privilege Safe solution to help our customers protect sensitive administrative credentials including for Windows. Privileged Password Manager automates, controls and secures the entire process of granting administrators the credentials necessary to perform their duties. Privileged Password Manager is deployed on a secure, hardened appliance that can only be accessed via a secure, role-based Web interface that provides protection from host admin attacks, as well as OS, database or other system-level modifications. The appliance also has an internal firewall that protects against external network-based attacks and provides additional auditing capabilities. One of the additional features we have just added to this product is the ability to disable privileged accounts when they are not in use by an authorized individual. Not only do we randomize the password as it is checked-in but we also disable the account to further prevent unauthorized access while the privileged credentials are not in use.
Like most things related to security, you have to trade off some convenience for better peace of mind. There's lots of great information on Microsoft's web site about protecting yourself from pass-the-hash attacks that you should familiarize yourself with. In addition, Dell's Privileged Password Manager can add an extra layer of protection to your environment.
Interested in learning more about pass-the-hash and the steps to mitigate it? Join Randy Franklin Smith for a one hour webcast where he will decrypt some of the "hash" in the pass-the-hash topic. Register today.
Summer is coming to a close. Children are going back to school, the leaves will be changing sooner than later, and college football is just around the corner. As another great summer comes to a close I want to share what I learned during my summer vacation and how that can help you protect your iDRAC and other out-of-band management systems.
Every year we take our ATV’s to a section of wilderness and explore the different trails in that region. This year we decided to explore the trails in Southern Utah. During one of our trips the coolant hose on my ATV came loose and started leaking without my knowledge. I went the whole day with antifreeze slowly leaking out of my machine. That night my father spotted the leak. We fixed the hose, topped off the coolant, and rode the rest of the week without incident. Lucky for me I had someone to help spot the problem and resolve it before I ended up getting stuck in the mountains of Utah with a broken down machine.
Just as my father helped identify the leak on my ATV, let me help you identify the security leak that can come from unmanaged privileged accounts on your iDRAC. Most modern Dell servers ship with an iDRAC, and other server vendors ship similar remote management adapters. This feature allows servers to be monitored for critical hardware problems, enables remote power control, and provides a virtual console so you can work on your servers without being anywhere near them.
Each iDRAC or remote management adapter comes from the factory pre-configured with a username and password. Most can be found by a basic web search, and others can be found conveniently attached to the server. If attackers gain access to this management interface, your entire data center can be powered down in minutes, causing a massive denial of service, or worse, the attacker can pull data off the system by enabling verbose logs and monitoring what your administrators are doing on the console. If you experience any of these attacks, you will wish you were stuck in the middle of the wilderness rather than facing your management or the SOX, PCI, HIPAA, or NERC auditors that would be visiting your company.
With Dell One Privileged Password Manager you can fix the security leak from Privileged Accounts that your remote management adapters are experiencing. You can start rotating passwords so the root iDRAC user will never know who “calvin” is anymore. Administrator, admin, userid, and others from remote management adapters will be secured and you can rest knowing that your servers are protected from another potential security threat. Along with this protection you will have the ability to audit users that request the root account on iDrac and you will be able to produce reports to show you are satisfying the requirements of any regulatory body.
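The two behaviours these posts attribute to Privileged Password Manager (earlier: randomize the password on check-in and disable the account while it is not checked out; here: rotate the factory iDRAC credential and audit who requested it) can be sketched as a small check-out/check-in state machine. The code below is an added illustration written for this page, not Dell's product code. The account, its factory password "calvin", the requesters and the authorization list are constructed sample data, and rotate_on_target is a hypothetical hook standing in for whatever API the managed device actually exposes.

```python
"""Check-out / check-in model for a privileged-account vault (illustration only)."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ManagedAccount:
    target: str          # device or host the account lives on
    username: str
    password: str
    enabled: bool = True
    checked_out_by: Optional[str] = None


def rotate_on_target(acct: ManagedAccount) -> None:
    """Hypothetical hook: push the new password and enabled state to the device. No-op here."""
    return None


@dataclass
class Vault:
    accounts: Dict[str, ManagedAccount]
    authorized: Dict[str, set]          # target -> requesters allowed to check it out
    audit: List[dict] = field(default_factory=list)

    def _log(self, event: str, target: str, who: str) -> None:
        self.audit.append({"ts": time.time(), "event": event, "target": target, "who": who})

    def _rotate_and_disable(self, acct: ManagedAccount) -> None:
        acct.password = secrets.token_urlsafe(24)  # fresh random password every time
        acct.enabled = False                       # the old password is useless even if it leaked
        rotate_on_target(acct)

    def onboard(self, acct: ManagedAccount) -> None:
        """Take control of an account: replace the factory password and park it disabled."""
        self.accounts[acct.target] = acct
        self._rotate_and_disable(acct)
        self._log("onboard", acct.target, "vault")

    def checkout(self, target: str, requester: str) -> Optional[str]:
        """Enable the account and hand out its password, only to an authorized requester."""
        acct = self.accounts[target]
        if requester not in self.authorized.get(target, set()):
            self._log("checkout-denied", target, requester)
            return None
        if acct.checked_out_by is not None:
            self._log("checkout-busy", target, requester)
            return None
        acct.enabled = True
        acct.checked_out_by = requester
        self._log("checkout", target, requester)
        return acct.password

    def checkin(self, target: str, requester: str) -> bool:
        """Return the account: rotate the password and disable it again."""
        acct = self.accounts[target]
        if acct.checked_out_by != requester:
            self._log("checkin-rejected", target, requester)
            return False
        acct.checked_out_by = None
        self._rotate_and_disable(acct)
        self._log("checkin", target, requester)
        return True

    def events(self, target: str) -> List[str]:
        """Audit trail for one target, in order: who asked for what."""
        return ["%s:%s" % (e["who"], e["event"]) for e in self.audit if e["target"] == target]


def demo() -> dict:
    """Walk one iDRAC root account through onboarding, a denied and a granted check-out."""
    vault = Vault(accounts={}, authorized={"idrac-r730-01": {"ops-alice"}})
    root = ManagedAccount("idrac-r730-01", "root", "calvin")  # constructed factory default
    vault.onboard(root)
    factory_gone = root.password != "calvin" and not root.enabled
    denied = vault.checkout("idrac-r730-01", "intern-bob")     # not on the authorized list
    pw_first = vault.checkout("idrac-r730-01", "ops-alice")
    enabled_in_use = root.enabled
    vault.checkin("idrac-r730-01", "ops-alice")
    pw_second = vault.checkout("idrac-r730-01", "ops-alice")
    vault.checkin("idrac-r730-01", "ops-alice")
    return {
        "factory_gone": factory_gone,
        "denied": denied,
        "enabled_in_use": enabled_in_use,
        "rotated_between_uses": pw_first != pw_second,
        "parked_disabled": not root.enabled,
        "trail": vault.events("idrac-r730-01"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two design choices carry the security value: the password is generated with the secrets module rather than a fixed or predictable scheme, and the account is never left enabled between sessions, so a credential captured during one session (or the well-known factory default) does not survive the next check-in. The audit list is what the reporting requirement in the post boils down to: every request, granted or denied, records who asked for which target.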
So as another summer season winds down, let Dell Software help you by protecting your iDRAC and other privileged accounts from leaking out of your organization.
Unless you have been living in a cave or under a rock (and you haven’t because you are reading this), you’ve probably heard of the ALS Ice Bucket Challenge. This week, I’d like to compare and contrast IAM to the Ice Bucket Challenge (IBC) with the following five observations.
1) They are both TLAs. What’s a TLA you ask? It’s a three-letter acronym. Bazinga.
2) In one activity, you spend a great deal of time in preparation and planning. You work out the processes involved from the beginning to the end including training and proofs of concept. Following that is the actual event where all the stars line up and everything goes according to plan…only it doesn’t. And then the best thing you can hope for is an avalanche of frigidity from dozens of now “would be” friends. In the other, someone dumps ice water over your head.
3) In the IBC, the most difficult part of the process lasts for perhaps 10 – 15 seconds. During this time, you find it hard to breathe and your body seizes up making it hard to think or move. In the world of IAM, the most difficult part can last 10 – 15 months. Or in some cases, it never ends. During this time, you find it hard to breathe and your body seizes up making it hard to think or move.
4) Both can be overly-elaborate, complex and difficult to execute if not done correctly. Take for instance Bill Gates’ IBC, comedy intended no doubt.
5) On the other hand, it need not be that way. Both can also be done simply, elegantly and with dramatic results. Take for instance our customer, Williams Energy, and their implementation of IAM using Dell’s solutions.
Seriously though. The Ice Bucket Challenge has been fantastic. It’s raised literally millions of dollars in incremental donations for the Amyotrophic lateral sclerosis (ALS) Association, a worthwhile cause to be sure. If you’ve not been challenged, consider yourself challenged. If you have done it (and donated) congratulations and thank you. And note that all members of the IAM product marketing team have already successfully completed the Ice Bucket Challenge.
Did you know that ten months ago, Dell Software released a new web authentication, single sign-on (SSO) and identity federation solution? It’s true! The product is called Dell One Identity Cloud Access Manager, and the current release is version 7.1.
Cloud Access Manager is a solution that enables end users to authenticate one time, then subsequently get secure, instant access to all of your organization’s web based applications.
Cloud Access Manager is a versatile tool, providing SSO to modern and legacy web applications through an easy-to-use web interface. While the benefits to end users (SSO) and IT administrators (reduced helpdesk calls) might be obvious, security professionals also benefit from Cloud Access Manager’s extensive auditing and reporting capabilities, which record all end user and administrative actions.
Cloud Access Manager is advancing rapidly – recent releases include new features like:
In the coming months, I’ll be blogging about some of the ways Cloud Access Manager can help organizations like yours improve end user and IT efficiency while strengthening security. If there are any specific topics you’d like to hear about, post them here and I'll check periodically to see the feedback.
In the meantime, feel free to try it yourself! A 30-day unlimited-use trial version of Cloud Access Manager can be downloaded here. For a quick setup, I suggest trying the “Proof of Concept” install option, which puts all the components on a single Windows Server instance.
Thanks for reading!
Last week, some of the Identity and Access Management (IAM) team from Dell Software converged on the city of San Diego for Gartner’s annual Catalyst conference.
It was a long week filled with lots of good information, conversations and fun. Here are some of the highlights of the week.
If you didn't get a chance to attend the event, be sure to check us out at Dell World November 4th – 7th or the Gartner Identity and Access Management summit December 2nd – 4th.
Missed the Dell Security webcast series? Not to worry. We recorded the sessions for you. We all have to protect our environments and ensure internal and external compliance requirements are met. But, how well-equipped are you to transform your security role to one of not just protection and assurance, but of business enablement? Move the conversation in your organization away from fear, uncertainty, and doubt to one of business enablement.
Check out this informative series now! Learn more about Dell’s security solutions and how they can help your organization.