The document provides an overview of the challenging environment of secure access for mobile workers and privileged insiders. It discusses how traditional security solutions have limitations in balancing user needs for mobility with enterprise IT needs to meet security and compliance requirements. The Uni Systems secure access solution is presented as providing layered protection through fine-grained access control, application protection, command filtering, detailed auditing and other capabilities. The implementation approach involves assessing needs, designing customized infrastructure, and deploying in phases. Success stories from telecom and financial clients highlight how the solution provided controlled, auditable access for remote users while meeting security objectives.
Secure and Contained Access for Everybody, at Anytime
1. Secure and Contained Access for Everybody, at Anytime
Anastasios Moustakis, Senior Solution Architect
Uni Systems Copyright 2013
2. Agenda
• The Challenging Environment of Secure Access
• Security Trends, User & IT Requirements
• Uni Systems Secure Access Solution Overview
• Implementation Approach
• Success Stories
3. 1.3 Billion Mobile workers by 2015 (Mobile Worker Population – IDC, Jan 2012)
4. The top 3 groups driving support for non-standard devices are in management: C-Suite 42%; VPs & Directors 43%; Managers 27%
Consumerization of IT Study. April 2011, IDC
5. “How many different computing devices do you use on a daily basis?” (Family PC | Work PC | Personal Laptop | Tablet | Smartphone)
[Chart: devices used per day, categories 1, 2, 3, 4, 5+; values shown 42%, 34%, 16%, 6%, 2%]
“How many days a week on average do you work outside the office?”
[Chart: 0 days 21%; 1-2 days 52%; 3-4 days 15%; 5 days 12%]
Global BYOD Index - Survey of Corporate Employees February 2011, Citrix Systems
12. Who are “Privileged Insiders”?
• Well Controlled: Highly Trusted Business Users
• Not So Much?: Highly Trusted IT Users: Systems, Database, Network Administrators
• Mobile/Any device
13. The Changing Security Landscape
• Redefining the Perimeter
• New Trust Model Needed
• Spear-phishing Attacks Targeting Privileged Users
• Increasingly Stringent Compliance and Audit Requirements
“The biggest issue facing information security professionals is that our traditional trust model is broken.” Forrester Research
14. Frequency & Cost of Insider Breaches
30% of large enterprise customers experienced a malicious insider breach
[Chart: Average days to resolve]
Source: Second Annual Cost of Cyber Crime Study Benchmark Study of U.S. Companies (Ponemon Institute, 2011)
15. Challenges for Secure Access
• Increasing Compliance, Audit Requirements and Security Mandates
• Changing Trust Model
• 3rd Party and Employees - No differentiation
• Remote or Internal and Mobility - Disappearing perimeter – “Remote” an obsolete term
• User and Asset / System Policy - Policy does not intersect
• Movement to Centralized Computing
• Operational Efficiency and Reduced Cost
• Virtualized Servers/Desktops, Cloud - Landscape Change
16. Traditional Solutions have Limitations
• Firewalls – NW focus, not user/app level access control
• VPNs + Jump Box – Hard to audit, difficult to manage
• Routers – Complicated ACLs, NW Layer Only
• Active Directory – End-user focused
• NAC – No inside access control, containment
• Virtual Desktop – Risks are amplified
• SIEM/Log Mgmt – Reactive, lacks data for privileged “insider”
17. Uni Systems answer: “Zero Trust” via Layered Protection
• Vault
• Positively ID The User
• White List/Least Privilege Access
• Command Filtering (Whitelist/Blacklist)
• Session Monitoring/Recording
• Leapfrog Prevention
• Attributed Use of Shared Privileged Account
• Complete Activity Logging (Tamper-proof Log)
• Policy Violation Logging with DVR-Like Playback and Skip
Vault contents (example): Server A: ID: abc123, PW: xyz$21; Server B: ID: cde234, PW: eie10$
18. Solution Scope
• Provision of a System that will offer:
• Configurable,
• Secure,
• Recordable, and
• Fully Controllable
• Secure Local & Remote or Mobile Access for:
• Privileged Users, (internal or 3rd party)
• Employees and
• Business Partners
19. Solution Essential Capabilities (1/2)
• Enforce fine-grained Access Control on different types of users
• Configurable multi-level authentication with time-based access rights
• Protect applications and expose only the presentation layer
• Contain privileged users to authorized resources and prevent leapfrogging
20. Solution Essential Capabilities (2/2)
• Protect data and prevent leakage
• Generate a detailed Audit Trail for proof of compliance and investigations
• Record access sessions – video & CLI recording
• Protect privileged user and application passwords
• Eliminate the use of shared passwords for administrative accounts
21. Solution Architecture
User Zone – Internal/External/Mobile User Device: Any Device (Desktop, Thin client, Laptop, Mobile Device, Smartphone); ICA Client; USB Boot Desktop; USB Secure Browser; Sandboxed Apps; Certificate; Token; Endpoint Management (MDM, USB Boot, Isolated Browser)
Secure Access Component Zone – SSO, Password and Shared Account Password Management Vault; Gateway / Access Control (SSL, Proxy (ICA)); Application / Desktop / Web Portal / Web Interface; User, Session-based access control & DLP; Video-like and CLI Sessions Logging and Recording; Token Infrastructure (Hard, SMS); User Repository (A.D.); Report & Workflow db; Workflow & Report Engine
Trusted and Protected Zone – Internal Protected Systems (Server, Storage, Network, Security Devices); Leapfrog prevention
[Diagram: the components are numbered 1–11 on the slide; the numbering is not recoverable from the extracted text]
22. Vendors
[Diagram: the slide 21 solution architecture, annotated by vendor; vendor names are not recoverable from the extracted text]
23. Implementation Approach (1/2)
• Systems Integration Project
• Modular Architecture
• Based on:
• Type of users – 3rd party privileged users, Business partners, Internal Administrators
• Type and Number of internal protected systems
• Type and Number of Services required (Applications, Desktops, Resources)
• Type and Number of Endpoint Device usage
• Integration points with existing systems (Workflow, Helpdesk, etc)
24. Implementation Approach (2/2)
• Specific Methodology:
• Analysis Phase:
• Infrastructure Assessment and Readiness Evaluation
• Proof of Concept
• User Requirements – Application, Services, Resources, Policies
• Design Phase: Infrastructure Design, Policies
• Build & Test Phase
• Roll-out Phase
25. Secure Access Solution with Uni Systems
The proven expertise and practical guidance needed for success
Assess: Devices; Apps - Services; Mobility - BYOD; Security
Design: Documented solution design; Hardware and infrastructure; Operations and support; Test and QA
Deploy: Training; Independent analysis/verification; Pilot
26. Success Stories : TOP Telecom Provider
Problem:
• Consolidate & grant secure access to 3rd Party Administrators
• Different method of access
• Points of Vulnerability
• Absence of uniform management
Answer:
• Centralize access control across critical users with distinct missions
• Ensure contained and auditable access
• Meet federal compliance requirements
• Workflow driven operation
Results:
• Control over privileged users and critical infrastructure and assets
• Tight control over who gets access to what, when and for how long
• Contain users to authorized systems only
• Audit quality logging for compliance
“With the Uni Systems Secure Remote Access Solution we have an all-in-one solution for these higher risk users which gives us the peace of mind that we are meeting our objectives to safeguard our network and the sensitive information it contains.” Security Expert at Telecom Provider
27. Success Stories : Top Financial Institute
Problem: Provide secure access to hundreds of remote developers, administrators and auditors
– no containment of users to authorized resources
– IT resource intensive, cumbersome and ineffective access controls
– no audit trail or ability to match controls to specific users
Results: A unified, easy to manage solution
– hundreds of business critical 3rd parties now granted secure, controlled access
– increased operational efficiency with a single solution
– provided an audit trail for internal security requirements and external compliance mandates
“What is so special about you --- ‘containment, containment, containment.’”
VP Security officer, Top Financial Institution
28. Uni Systems empowering Secure Access of the future
With the mobility and agility users need today
Intro: They are part of what could be referred to as the mobile workforce revolution, and that revolution is occurring as we speak. Key Points: IDC has noted expectations that we’ll see 1.3 billion mobile workers by 2015, accounting for close to 40% of the entire global workforce (37.2% of the workforce). (Are there data points more specific to executive adoption/use: numbers, growth rates?) Transition: So why execs? Because they are the ones driving this revolution.
Intro: Research proves that executives are the force of change. Key Points: Execs and managers are the ones driving organizations to adopt non-standard devices, because they are seeing the value in their own lives now. Illustration/Anecdotes/Proof: We’ve seen this at Citrix. Our own CEO Mark Templeton has pushed for this type of mobility because he is on the go all the time and he needs to stay productive. Transition: While supporting all mobile workers is important for the business, our view is that you need to make the requirements of your highest impact employees an immediate priority. Here’s why.
Intro: Here are some data points that demonstrate how quickly things are moving. Key Points: First, the sheer number of devices that employees use is exploding. Nearly two-thirds of workers use 3 or more separate devices every day, and the number keeps growing. And the device types employees are demanding are changing rapidly as well, from the old expectation of work PCs, to the demand for access from home computers, to today’s reality of more workers wanting to work more effectively using their mobile devices and tablets. Then there is the shift of work time away from the office. Increasingly, the borders of “work time” and “work place” are disappearing. Employees want and need the ability to do their work at the times and places of their choosing. Today, almost 80% of the workforce must work outside of the office at least 1 day or more per week. Illustration/Anecdotes/Proof: (Prompt a discussion of examples of different user groups that can be more productive and efficient when they have the devices they need and they can work from wherever… sales teams, executives, doctors, attorneys, etc.) Transition: But we at Citrix recognize that adapting to these fundamental shifts is truly challenging for a CIO and an IT department.
First and foremost, let’s take a look at the current state of mobile from the end user’s perspective. I don’t care if you’re in engineering, IT, sales, or finance, I think most people can relate to this picture. Don’t get me wrong, we’ve come a long way from being dependent on a desktop or laptop for every task, but at times it feels like you need a decision tree or decoder ring to know exactly which device you’ll need to have in order to accomplish a specific task. The truth is that only the thrill seekers are going to take the chance of bringing just their tablet along for a business trip. Most of us are still going to haul the laptop along just in case.
And so users are still on the quest for the freedom to access all their apps and data from any of their devices. They want to feel confident that they can experience work and life their way.
Now, things change a bit if you’re in IT. For as much as they’d like to deliver on this promise, mobile presents some big challenges. Multiple mobile operating systems, multiple platforms along with a whole new universe of applications to understand and contend with. And that’s just part of it…
IT is still beholden to the same security and compliance requirements that they had before all of these new devices and apps were introduced. The reality is that mobile just makes things harder. For starters, it’s just easier to lose these devices or get them stolen. In fact, 70 million smartphones were lost or stolen in 2011 alone and only 7% of those devices were recovered*. And if just one of those devices leads to a data breach, you’re looking at an average of $7.2 million in recovery costs**. From a compliance perspective, IT now has to consider device ownership and privacy laws in different countries, not to mention the regulatory requirements that get introduced in certain vertical markets.
* February 10, 2012, Tabtimes.com, Doug Drinkwater
** Morgan Stanley Market Trends
Now if just one of these perspectives were pertinent we wouldn’t really be having this discussion, would we? No. We must balance the needs of security and compliance while giving users the freedom they need to experience work and life in harmony.
All users are not created equal. Some of your users are granted significantly more trust.
There are basically two classes of “Privileged Users”: Privileged Business Users and Privileged IT Users. Historically, businesses have implemented a set of policy, process and application level controls to mitigate the risk posed by trusted business users. For example, there are policies for background checks, and a requirement for two signatures on financial transactions over a certain threshold amount, etc. Unfortunately, in many cases the Privileged IT users have not received the attention they deserve, especially since they often have unfettered and even anonymous access to network devices holding your critical data assets.
Redefining the Perimeter: The old school M&M security model (hard on the outside and soft in the center) is dead. The classic security perimeter concept is dying as “anywhere network access” and mobile device access become the new norm. Enterprises are implementing a defense in depth strategy.
New Trust Model Needed: Defense in depth is fine, but new business realities require enterprises to revise their trust models. WikiLeaks made it abundantly clear that organizations must pay attention to the trust and associated access granted to “privileged insiders”. In addition to employees, there are many new “privileged insiders”. New business models have introduced “trusted” third parties, while changes in IT support models have introduced contractors, consultants, vendors, outsourcers and managed service providers to the list of “privileged insiders”.
Spear-phishing Attacks Targeting Privileged Users: Hackers are specifically targeting employees with privileged account access; spear-phishing attacks are often aimed at uncovering administrative passwords that allow attackers to gain a significant foothold in the network, avoid detection and cover their tracks.
Increasingly Stringent Compliance and Audit Requirements: As a result of WikiLeaks and other notable insider breaches, regulators and auditors are paying attention and requiring:
• Proactive controls for privileged accounts and passwords
• That privileged user activities are connected to individuals (not shared admin account passwords)
• Continuous monitoring for users who access critical infrastructure and/or sensitive/regulated data
The ability to easily prove compliance with these requirements is of paramount importance to resource strapped IT security organizations.
Insider threat remains a clear and present danger, while the ramifications of an insider breach are expensive. In a 2011 study of large enterprises by the Ponemon Institute, 30% of the organizations experienced an attack from a “Malicious Insider”. While the “Malicious Insider” breaches were not the most common attack these organizations experienced, they were the most costly and time consuming breaches to resolve (bottom chart), taking on average over 45 days to remedy. This only accounts for the very direct cost of investigating/cleaning up after a breach. It does not include direct financial loss or fines associated with the breach. It also does not factor in other soft costs such as the cost of a tarnished brand and loss of reputation.
There are alternative Do It Yourself methods organizations have used to address the privileged user threat. The chart lists technologies that some of our customers have tried to leverage alone or in conjunction with one another. None of these provides the full set of essential capabilities required to mitigate this threat. These are all partial solutions. Even when knit together they are not a comprehensive solution, and it becomes a very expensive method of controlling privileged user access and providing the proof to auditors that you are protecting key data from the “privileged insiders” threat. We have multiple examples of this, but one large financial services customer, as noted in the quote, made a real attempt to cobble together multiple technologies to address this risk, but it was expensive, unmanageable and did not cover everything they needed.
This simplified use case example details the essential controls Unisystems Secure Remote Access Delivery Services provides to mitigate the threat privileged insiders pose. In this scenario an IT employee requires access to a server to perform some maintenance. Explain each control:
• Vault Passwords – The first step is to change and vault critical passwords (so they don’t show up in spreadsheets) and so privileged users no longer have direct and uncontrolled access to devices.
• Positively ID User – The employee logs onto Unisystems Secure Remote Access, forcing a positive user identification. Our solution supports integration with directories, single-sign-on and two factor ID systems.
• White List/Least Privileged Access – The employee is presented a list of ONLY the servers and network devices they are explicitly authorized to access.
• Command Filtering – The commands the employee is enabled to perform can be constrained as required.
• Session Monitoring/Recording – All activities are logged and the policy can be set to record the full session.
• Leapfrog Prevention – Prevent the user from jumping from the authorized device to unauthorized devices.
• Attributed Use of Shared Privileged Account – Even though the user may be logged in as “root”, our solution knows which user was logged in.
• Complete Activity Logging – All of this activity is logged in a tamper proof log database. Session recordings can be viewed like a DVR, with skip-ahead to policy violations.
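The controls walked through in this scenario, as an added example that is not Uni Systems' code: a toy access-gateway policy check in Python, using constructed users, hosts, a blacklist and a vault entry, which shows white-list access, command filtering, leapfrog prevention, attributed use of a shared account, and a hash-chained (tamper-evident) activity log.

```python
import hashlib
import json
import shlex
from dataclasses import dataclass, field

# Constructed policy (assumption): which hosts each identified user may reach,
# which shared account is used there, and which commands are blacklisted.
POLICY = {
    "alice": {
        "db-prod-01": {"account": "root", "deny": {"rm", "shutdown", "reboot"}},
    },
}
# Constructed vault entry: the gateway injects this; the user never sees it.
VAULT = {("db-prod-01", "root"): "VAULT-PASSWORD-PLACEHOLDER"}
# Commands that open a session on another host; checked for leapfrog prevention.
HOP_CMDS = {"ssh", "telnet", "scp", "sftp", "rsh"}


@dataclass
class Gateway:
    log: list = field(default_factory=list)
    prev_hash: str = "0" * 64  # hash chain: each entry commits to the previous one

    def _record(self, **entry):
        """Append an attributed, hash-chained log entry; return its decision."""
        entry["prev"] = self.prev_hash
        digest = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        entry["hash"] = digest
        self.prev_hash = digest
        self.log.append(entry)
        return entry["decision"]

    def evaluate(self, user, target, command):
        """Decide whether `user` may run `command` on `target` and log the outcome."""
        rules = POLICY.get(user, {}).get(target)
        base = dict(user=user, target=target, cmd=command)
        # Positive ID + white list: unknown user, or host not on the user's list.
        if rules is None:
            return self._record(decision="deny:not-authorized", **base)
        argv = shlex.split(command)
        if not argv:
            return self._record(decision="deny:empty", **base)
        # Command filtering: blacklist applied to the command name.
        if argv[0] in rules["deny"]:
            return self._record(decision="deny:command-filtered", **base)
        # Leapfrog prevention: a hop command may only name a host the user is
        # authorized for (toy parsing: host taken from the last argument).
        if argv[0] in HOP_CMDS:
            hop = argv[-1].split("@")[-1].split(":")[0]
            if hop not in POLICY.get(user, {}):
                return self._record(decision="deny:leapfrog", **base)
        # Attributed use of the shared account: the log names the real user
        # next to the shared account, whose password stays in the vault.
        if (target, rules["account"]) not in VAULT:
            return self._record(decision="deny:no-vaulted-credential", **base)
        return self._record(decision="allow", account=rules["account"], **base)


def verify_log(gw):
    """Recompute the hash chain; False if any entry was altered or removed."""
    prev = "0" * 64
    for entry in gw.log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return False
        prev = entry["hash"]
    return True
```

A real gateway enforces the hop check at the proxy (connection) layer as well, since command-line parsing alone is easy to sidestep; the chain here only shows why attributed, tamper-evident logging is what auditors ask for.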
These are the essential capabilities a solution needs to effectively protect your organization from the threat privileged insiders pose.
Intro: Citrix has the proven expertise and best practices to help you work through these considerations. Key Points: We can help you assess, design and deploy an exec mobility solution that will meet the requirements of your most challenging users, helping you think through:
Assess: We’ll help you do an assessment of the devices, apps, mobility and security requirements of your mobile execs. With this, we can help define a technology roadmap.
Design: Citrix can also help put together a well-documented design that allows you to install, configure and build a solution that leverages your organization’s infrastructure. To do this, you need to be thinking about what hardware and infrastructure is required and what you can leverage, and what the operations and support design is (SLAs, staff required, support agreements required, etc.). And we can design for Test & QA, making sure that Scalability, Performance, Security, Functionality, Usability and Interoperability are covered.
Deploy: And lastly, we can help you build, test and roll out a solution in an effective manner to ensure that back-end systems and processes are there. This includes User Training / Education / How To guidance, independent analysis & verification of the design implementation, a pilot, and a phased rollout.
Transition: We also built the content to help you go through your executive mobility journey…
Intro: The way Citrix looks at executive mobility is this… Key Points: Mobility helps high-value professionals to put their skills and creativity to work more effectively, in more ways, to achieve the best results for the business. Citrix executive mobility solutions empower executives of the future with the mobility they need today with:
• Wherever, whenever productivity
• The best device in any scenario
• Face-to-face contact across the globe and
• Healthier work-life balance
Wrap-Up the Presentation: Establish clear next steps and the objective of the next meeting. Who is in the room and who is not in the room? Who can serve as a sponsor or be the influencers? Who is it that is most interested? Would they be interested in an assessment (come in to understand their requirements in more detail: devices, users, apps, etc.)? Technical presentation: other people not there who need to delve into the details of any of the products? POC? Meeting with a higher-level group, maybe do a demo of the technology. Bring this brochure back to them and see if we can get into another meeting to show them the technology in action.