CA Privileged Access Management Partner Momentum Training
Vikas Kumar, Principal Consultant, Cybersecurity Presales
Ghanshyam Jamnadas, Senior Instructor, CA Education
July 2017
© 2016 CA. All rights reserved. All names of individuals or of companies referenced herein are fictitious names used for instructional purposes only.

Agenda – Day 1
• Self Introduction and General Housekeeping
• What is PAM?
• PAM Requirement Identification
• How CA can Help?
• CA PAM – Architecture & Feature Overview
• Key Differentiators – Why CA PAM?
• CA PAM Version History – Till Date
• Demo – Look N Feel
• Training Lab Setup Architecture and Lab Introduction
• Configuration Foundation 200 – Lab Hands On
Self Introduction – Knowing each other is Important
• Name
• Organization – the partner organization you are representing
• Job Profile – your current role (Presales / Services / Operations, etc.)
• Prior Experience in PAM – your understanding of PAM (Novice / Intermediate / Advanced) and prior experience with any other PAM solution (solution name)
• Expectation – your expectation from this training (Basic Level / Presales Level / Demo Level / POC Level / Deep Dive)

Housekeeping
• Exercise
• Restrooms
• Cell phone policy (silent mode)
• Emergency exit
• Breaks
  – First tea break ~ 11:00 AM – 11:15 AM
  – Lunch ~ 1:00 PM – 2:00 PM
  – Second tea break ~ 3:15 PM – 3:30 PM
• End of session ~ expected by 5:30 PM

What is Privileged Access Management?
• Who are privileged users? How are they different from business users?
• Why do we need a focused solution for managing privileged user access?
• How is it different from Identity and Access Management?
• What controls and audit can a Privileged Access Management solution offer?
• What consequences may occur if this solution is not in place?
• Who is mainly going to benefit from this solution? (Identify your target audience for discussing this solution.)

Privileged Access Management – Qualifying Questions
• Do you control access to shared privileged accounts today?
• Can you limit what a user can do once they're logged into a privileged account?
• Do you segregate duties?
• Can you track all actions of your administrators, both when they ARE and when they are NOT using shared accounts?
• Can you get accountability for all administrative actions performed using a shared account?
• Do you have a way of controlling administrative actions on the virtualization host?

What can you do to address the threat?
Prevent breaches by protecting administrative credentials, controlling privileged user access, and monitoring and recording privileged user activity across the hybrid enterprise.

Break the Attack Kill Chain with Privileged Access Management (PAM)
Prevent unauthorized access
• Strong authentication
• Login restriction
• Automated behavior analytics and threat detection
Limit privilege escalation
• Command & socket filtering
• Zero trust – deny all, permit by exception
• Proactive policy enforcement
Monitor, record & audit activity
• Session recording & monitoring
• Activity logging & auditing
• SIEM integration

Addressing Security and Compliance Risks with Privileged Access Management
• Stop targeted attacks
• Mitigate insider threats
• Achieve & sustain compliance
• Improve efficiencies
• Secure the hybrid enterprise

How CA Technologies Can Help – Delivering comprehensive Privileged Access Management solutions
CA Identity Governance: access requests, certification, risk analytics
CA Privileged Access Manager (network-based security)
• Strong authentication, including MFA
• Credential management
• Policy-based, least privilege access control
• Command filtering
• Session recording, auditing, attribution
• Application password management
• Comprehensive, hybrid enterprise protection
• Self-contained, hardened appliance
CA Privileged Access Manager Server Control (host-based security)
• In-depth protection for critical servers
• Highly granular access controls
• Segregated duties of super-users
• Controlled access to system resources such as files, folders, processes and registries
• Unix Authentication Bridge
• Secured task delegation (sudo)
• Enforce Trusted Computing Base
CA Threat Analytics for PAM
CA Privileged Access Manager – Privileged Account Management for the Hybrid Enterprise
Hybrid enterprise:
• Traditional Data Center – Mainframe, Windows, Linux, Unix, Networking; Enterprise Admin Tools
• Software Defined Data Center – SDDC Console and APIs
• Public Cloud (IaaS) – Cloud Console and APIs
• SaaS Applications – SaaS Consoles and APIs
A new security layer – control and audit all privileged access:
• Vault credentials for users and apps
• Centralized authentication
• Federated identity
• Privileged single sign-on
• Role-based access control
• Monitor and enforce policy
• Record sessions and metadata
• Full attribution
• Unified policy management
CA Privileged Access Manager: identity integration; enterprise-class core; delivered as an AWS AMI, an OVA virtual appliance or a hardware appliance.

CA Privileged Access Manager in Action – Hybrid Cloud Environment
Integrated controls and unified policy management across public cloud, private cloud and the traditional data center:
• Positively authenticate users
• Federate identity and attributes (SSO)
• Vault & manage credentials
• Restrict access to authorized systems
• Attribute identity for shared accounts
• Monitor and enforce policy
• Record sessions and metadata

CA Privileged Access Manager Deployment Architecture
As shown, CA Privileged Access Manager will support several thousand concurrent CLI and graphical sessions.
• 3 servers needed to deploy:
  – 2 CA Privileged Access Manager appliances
  – Existing NFS or CIFS mount for session recording data
• No other 3rd-party software required
• Patches and updates provided by CA Technologies
• No 3rd-party database
• Unified access and credential platform

Sample Use Case – ILOB Admin
[Diagram: Northern Data Center (primary) and Southern Data Center (DR), each with an NFS/SMB mount for session recording and RADIUS/RSA authentication; admins connect via the Internet through a load balancer; Individual Lines of Business connect over the corporate nationwide MPLS network.]

Centralized Remote Access

AWS Cloud Integration
CA Privileged Access Manager (PAM) has multiple integration points with Amazon Web Services (AWS), including:
• Auto-discovery of AWS EC2 instances and the ability to store access keys and leverage EC2 key pairs for auto-login.
• The ability to leverage S3 buckets for the storage of session recordings.
• The ability to provide federated login to the AWS Console using policy.
This federated access to the AWS Console is powerful because you don't have to give users direct access to AWS, i.e. you don't have to set up IAM accounts and controls inside AWS for each of your users, or for each of the applications that might be running in the AWS account or accounts. You can do all of this privileged access management centrally just by loading an access key and secret access key into PAM for each AWS account you want to manage. You can have as many different AWS accounts (or separate access key IDs and secret keys) loaded into the CA PAM credential safe as you need, and you can provide this access around the world with centralized control.

CA Privileged Access Manager Server Control
Prevent the breach
• Application jailing
• Lock down of ports/services
• File, directory and process protection
• Trusted program execution
Defend against privilege escalations and access to sensitive resources
• Privileged account protection
• Windows registry and services protection
Prevent compromise of new systems and data exfiltration
• Inbound and outbound network controls
• Centrally manage security and access policies
Oversight
• Entitlement reporting on access policies
Threat Analytics for PAM – Advanced Behavior Analytics and Automated Mitigation
Advanced capabilities
• Automated detection, mitigation and alerting for critical threats that complements existing PAM, SIEM and SOC workflows and provides continuous intelligent monitoring
• Advanced behavior analytics enable the enterprise to detect attacks using the same approach banks use to defeat credit card fraud: using historic and real-time activity to assess context and analyze risk
• Integrated risk mitigations and controls, including triggering session recording and re-authentication, close the door on insiders and attackers
Compelling benefits
• Reduced risk – automated analytics provide both threat detection and a context-rich view of user behavior
• Meaningful insight – simplifies risk mitigation, incident response and compliance via context-rich user interfaces that expose and make it easy to access information regarding users, events and system activities
• Quick time-to-value – immediately delivers a compelling user experience with human-understandable risk and insights
• Easy deployment – deploys as a single virtual machine; no special skills or significant effort required

What Sets CA Apart From Traditional PAM?
• Quick and easy wizard-based upgrade with almost zero downtime
• Protects the entire hybrid enterprise, including VMware (vCenter and NSX) and AWS, protecting resources and management consoles/APIs
• Fast deployment, easy to use, functionally complete on a single appliance
• Scalability – 10–20x the number of concurrent recorded sessions
• Hardened Linux platform – more secure
• Lower TCO – self-contained, scalable appliance designed for the enterprise (built-in HA/DR). Unlimited session recording, no 3rd-party software/hardware required, no hidden costs
• Deep integration with VMware & AWS – provides real differentiation
• FIPS 140-2 certified, holds Common Criteria EAL4+ certification, and is included on the U.S. DoD Unified Command Approved Products List (UC/APL) – FedGov ready
• Unlimited users, passwords, and unlimited recording sessions per device license – cost effective with no unexpected costs
• Integrated host-based fine-grained access control available for an ultimate defense-in-depth solution where further required

CA PAM Version Journey – Till Date

Demo