CA PAM Introduction and Key Configuration

© 2016 CA. All rights reserved. CA confidential & proprietary information. For CA, CA Partner and CA Customer use only. No unauthorized use, copying or distribution. All names of individuals or of companies referenced herein are fictitious names used for instructional purposes only. Any similarity to any real persons or businesses is purely coincidental. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. These Materials are for your informational purposes only, and do not form any type of warranty. The use of any software or product referenced in the Materials is governed by the end user's applicable license agreement. CA is the manufacturer of these Materials. Provided with "Restricted Rights." Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-19(c)(1)-(2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.
© 2016 CA. ALL RIGHTS RESERVED.
CA Privileged Access Management
Partner Momentum Training
Vikas Kumar
Principal Consultant, Cybersecurity Presales
Ghanshyam Jamnadas
Senior Instructor, CA Education
July 2017
Agenda – Day 1
Self Introduction and General Housekeeping
What is PAM?
PAM Requirement Identification
How CA can Help?
CA PAM – Architecture & Feature Overview
Key Differentiators ‐ Why CA PAM?
CA PAM Version History – Till Date
Demo – Look N Feel
Training Lab Setup Architecture and Lab Introduction
Configuration Foundation 200 – Lab Hands On
Self Introduction – Knowing each other is Important
• Name
• Organization – the partner organization you are representing
• Job Profile – your current role (PreSales / Services / Operations, etc.)
• Prior Experience in PAM – your understanding of PAM (Novice / Intermediate / Advanced) and prior experience with any other PAM solution (solution name)
• Expectation – your expectation from this training (Basic Level / PreSales Level / Demo Level / POC Level / Deep Dive)
Housekeeping
• Restrooms
• Cell phone policy (silent mode)
• Emergency exit
• Breaks
  • First Tea Break ~ 11.00 AM – 11.15 AM
  • Lunch ~ 1.00 PM – 2.00 PM
  • Second Tea Break ~ 3.15 PM – 3.30 PM
  • End of Session ~ expected by 5.30 PM
What is Privileged Access Management?
• Who are privileged users?
• How are they different from business users?
• Why do we need a focused solution for managing privileged user access?
• How is it different from Identity and Access Management?
• What controls and audit capabilities can a Privileged Access Management solution offer?
• What consequences may occur if such a solution is not in place?
• Who mainly benefits from this solution?
**(Identify your target audience for discussing this solution)
Privileged Access Management – Qualifying Questions
• Do you control access to shared privileged accounts today?
• Can you limit what a user can do once they're logged into a privileged account? Do you segregate duties?
• Can you track all actions of your administrators, both when they ARE and when they are NOT using shared accounts?
• Can you establish accountability for all administrative actions performed using shared accounts?
• Do you have a way of controlling administrative actions on the virtualization host?
What can you do to address the threat?
Prevent breaches by protecting administrative credentials, controlling privileged user access, and monitoring and recording privileged user activity across the hybrid enterprise.

Break the Attack Kill Chain with Privileged Access Management (PAM)

Prevent Unauthorized Access
• Strong authentication
• Login restriction
• Automated behavior analytics and threat detection

Limit Privilege Escalation
• Command & socket filtering
• Zero trust – deny all, permit by exception
• Proactive policy enforcement

Monitor, record & audit activity
• Session recording & monitoring
• Activity logging & auditing
• SIEM integration
Addressing security and compliance risks with Privileged Access Management
• STOP TARGETED ATTACKS
• MITIGATE INSIDER THREATS
• ACHIEVE & SUSTAIN COMPLIANCE
• IMPROVE EFFICIENCIES
• SECURE THE HYBRID ENTERPRISE
How CA Technologies can help
Delivering comprehensive Privileged Access Management solutions

CA Privileged Access Manager (NETWORK-BASED SECURITY)
• Strong authentication, including MFA
• Credential management
• Policy-based, least privilege access control
• Command filtering
• Session recording, auditing, attribution
• Application password management
• Comprehensive, hybrid enterprise protection
• Self-contained, hardened appliance

CA Privileged Access Manager Server Control (HOST-BASED SECURITY)
• In-depth protection for critical servers
• Highly granular access controls
• Segregated duties of super-users
• Controlled access to system resources such as files, folders, processes and registries
• Unix Authentication Bridge
• Secured Task Delegation (sudo)
• Enforce Trusted Computing Base

CA IDENTITY GOVERNANCE
• Access requests
• Certification
• Risk analytics

CA Threat Analytics for PAM
CA Privileged Access Manager
Privileged Account Management for the Hybrid Enterprise

HYBRID ENTERPRISE
• Traditional Data Center – Mainframe, Windows, Linux, Unix, Networking; Enterprise Admin Tools
• Software Defined Data Center – SDDC Console and APIs
• Public Cloud (IaaS) – Cloud Console and APIs
• SaaS Applications – SaaS Consoles and APIs

A New Security Layer – Control and Audit All Privileged Access
• Vault Credentials for Users and Apps
• Centralized Authentication
• Federated Identity
• Privileged Single Sign-on
• Role-Based Access Control
• Monitor and Enforce Policy
• Record Sessions and Metadata
• Full Attribution

CA Privileged Access Manager: Unified Policy Management, Identity Integration, Enterprise-Class Core
Available as: AWS AMI, OVA Virtual Appliance, Hardware Appliance
CA Privileged Access Manager in action
HYBRID CLOUD ENVIRONMENT – Integrated Controls and Unified Policy Management
• Positively Authenticate Users
• Federate Identity and Attributes (SSO)
• Vault & Manage Credentials
• Restrict Access to Authorized Systems
• Attribute Identity for Shared Accounts
• Monitor and Enforce Policy
• Record Sessions and Metadata
Applies across Public Cloud, Private Cloud and the Traditional Data Center.
CA Privileged Access Manager Deployment Architecture
• As shown, CA Privileged Access Manager will support several thousand concurrent CLI and graphical sessions.
• 3 servers needed to deploy:
  • 2 CA Privileged Access Manager appliances
  • Existing NFS or CIFS mount for Session Recording
• NFS/CIFS mount for session recording data
• No other 3rd party software required
• Patches and updates provided by CA Technologies
• No 3rd party database
• Unified Access and Credential platform
Sample Use Case – ILOB Admin
[Diagram: Northern Data Center (Primary) and Southern Data Center (DR), each with RADIUS/RSA authentication and an NFS/SMB mount for session recording; admins from the Internet, Corporate and Individual Lines of Business reach the deployment through a load balancer over a nationwide MPLS network.]
Centralized Remote Access
AWS Cloud Integration
CA Privileged Access Manager (PAM) has multiple integration points with Amazon Web Services (AWS), including:
• Auto-discovery of AWS EC2 instances and the ability to store access keys and leverage EC2 key pairs for auto-login.
• The ability to leverage S3 buckets for the storage of session recordings.
• The ability to provide federated login to the AWS Console using policy.

This federated access to the AWS Console is powerful because you don't have to grant users direct access to AWS, i.e. you don't have to worry about setting up IAM accounts and controls inside AWS for each of your users, or for each of the applications that might be running in the AWS account or in multiple accounts. You can do all of this privileged access management centrally just by loading an access key and secret access key into PAM for each of the AWS accounts you want to manage. You can have as many different AWS accounts (or separate access key IDs and secret keys) loaded into the CA PAM credential safe as you need, and you can make this happen around the world with centralized access.
CA Privileged Access Manager Server Control
• Application jailing
• Lock down of ports/services
• File, directory and process protection
• Trusted program execution
• Privileged account protection
• Windows registry and services protection
• Inbound and outbound network controls
• Centrally manage security and access policies
• Entitlement reporting on access policies
Outcomes: prevent the breach; defend against privilege escalations and access to sensitive resources; prevent compromise of new systems and data exfiltration; oversight.
Threat Analytics for PAM
Advanced Behavior Analytics and Automated Mitigation

Advanced Capabilities
• Automated detection, mitigation and alerting for critical threats that complements existing PAM, SIEM and SOC workflows and provides continuous intelligent monitoring
• Advanced behavior analytics enable enterprises to detect attacks using the same approach banks use to defeat credit card fraud: using historic and real-time activity to assess context and analyze risk
• Integrated risk mitigations and controls, including triggering session recording and re-authentication, close the door on insiders and attackers

Compelling Benefits
• Reduced risk – automated analytics provide both threat detection and a context-rich view of user behavior
• Meaningful insight – simplifies risk mitigation, incident response and compliance via context-rich user interfaces that expose and make it easy to access information regarding users, events and system activities
• Quick time-to-value – immediately delivers a compelling user experience with human-understandable risk and insights
• Easy deployment – deploys as a single virtual machine; no special skills or significant effort required
What Sets CA Apart From Traditional PAM?
• Quick and easy wizard-based upgrade with almost zero downtime
• Protects the entire hybrid enterprise, including VMware (vCenter and NSX) and AWS, protecting resources and Management Consoles/APIs
• Fast deployment, easy to use, functionally complete on a single appliance
• Scalability – +10-20x number of concurrent recorded sessions
• Hardened Linux platform – more secure
• Lower TCO – self-contained, scalable appliance designed for the enterprise (built-in HA/DR). Unlimited session recording, no 3rd party software/hardware required, no hidden costs
• Deep integration with VMware & AWS – provides real differentiation
• FIPS 140-2 certified, holds Common Criteria EAL4+ certification, and is included on the U.S. DOD Unified Command Approved Products List (UC/APL) – FedGov ready
• Unlimited users, passwords, and unlimited recording sessions per device license – cost effective with no unexpected costs
• Integrated host-based, fine-grained access control for a defense-in-depth solution where further requirements demand it
CA PAM Version Journey – Till Date

Demo