Case Study: Privileged Access in a World on Time

  1. Case Study: Privileged Access in a World on Time (SCT17S, Security)
     Trey Ray, IT Manager, FedEx
     Laxmi Potana, Cyber Security Advisor, FedEx
     Michael Scudiero, Sr. Cyber Security Analyst, FedEx
  2. Terms of This Presentation: For Informational Purposes Only
     COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED #CAWORLD #NOBARRIERS
     © 2017 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The content provided in this CA World 2017 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
  3. Abstract
     Today there are more privileged users than ever before. Providing access is not optional; it is a business necessity. But how do you avoid excessive access? Providing the right access at the right time with CA Privileged Access Manager is the formula for reducing your risk and securing a world of data. At FedEx, empowering the right people at the right time is not only good business, it's also good security.
     Trey Ray, FedEx, IT Manager
     Laxmi Potana, FedEx, Cyber Security Advisor
     Michael Scudiero, FedEx, Sr. Cyber Security Analyst
  4. HOW TO BUILD A GLOBAL SHIPPING NETWORK TO TAKE ON THE FUTURE
  5. VIDEO: "FEDEX" (TRT 1:31)
  6. Privileged Access in a World on Time (Trey Ray, Laxmi Potana, and Michael Scudiero)
  7. Privileged Access in a World of Cyber Risk
  8. PCI DSS 3.2 Created The Urgency
  9. Privileged Access is Preventive & Detective
     PREVENT: 2 Factor Authentication; Automated Password Rotation & Vaulting; Command Filtering; Leapfrog Prevention
     DETECT: DVR & Command Line Session Recording Available; Logging of All PAM User Activity; SIEM Integration & Alerting
     REPORT: Built-in Reports on All Integrated Accounts and Passwords; Metrics Displayed in Admin Dashboard
  10. Managing the Keys to Running the World on Time
     Active Directory domain admin; Windows Server Admin; Unix root; Database admin (DBA) and developer break-fix; App service accounts; Web Portals; VMware Hypervisor admin; TACACS; Corporate social media accounts; Any shared privileged account in the environment.
     If privileged accounts are the "Keys to the Kingdom," then PAM is the lockbox for the keys.
  11. USE CASES TO CONTROL PRIVILEGED ACCESS
     Unix Root Admin; Active Directory Domain Admin; Windows Local Admin Accounts; Developer Access To Privileged Data
  12. Use Case: Active Directory Domain Admin (Before PAM Integration)
     Domain Admin launches an RDP session from their own PC/Laptop or from another Windows server in the domain using a personal admin account. This practice is subject to the "Pass the Hash" vulnerability, whereby the domain administrator's credentials can be harvested by an attacker and used to gain privileged access to the domain.
  13. Use Case: Active Directory Domain Admin (After PAM Integration)
     Domain Admin logs into the CA PAM client with 2FA and checks out a Domain Admin credential. An RDP session to a Domain Controller is launched using CA PAM transparent login with PAM-managed credentials. The Domain Admin credentials are never exposed to the administrator endpoint, which eliminates the "Pass the Hash" vulnerability. The session is optionally recorded for audit purposes.
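Once every Domain Admin RDP session is brokered by PAM, a direct RDP logon to a Domain Controller by a domain-admin account from anywhere other than the PAM appliance is a bypass worth alerting on (the "SIEM Integration & Alerting" item on slide 9). The following is an added detection example, not FedEx or CA PAM code; the account names, host names, appliance addresses and the flattened event sample are constructed assumptions.

```python
"""Flag domain-admin RDP logons to DCs that did not come through the PAM proxy.
Added example with constructed values; nothing here is from the presentation."""
import csv
import io
from dataclasses import dataclass

# Assumed environment values (placeholders, not from the deck).
PAM_PROXY_IPS = {"10.0.5.10", "10.0.5.11"}      # CA PAM appliances
DOMAIN_ADMINS = {"da-tray", "da-lpotana"}        # checked-out DA accounts
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
RDP_LOGON_TYPE = "10"                            # Windows RemoteInteractive

@dataclass(frozen=True)
class Finding:
    account: str
    host: str
    source_ip: str
    reason: str

def audit_logons(event_csv: str) -> list:
    """One Finding per successful (4624) domain-admin RDP logon to a DC whose
    source is not a PAM appliance, i.e. a session outside transparent login."""
    findings = []
    for row in csv.DictReader(io.StringIO(event_csv)):
        if row["event_id"] != "4624" or row["logon_type"] != RDP_LOGON_TYPE:
            continue                       # only successful RDP logons matter
        account = row["account"].lower()
        if account not in DOMAIN_ADMINS or row["host"] not in DOMAIN_CONTROLLERS:
            continue
        if row["source_ip"] in PAM_PROXY_IPS:
            continue                       # expected path: PAM launched the RDP
        findings.append(Finding(account, row["host"], row["source_ip"],
                                "domain-admin RDP to DC did not originate from PAM"))
    return findings

# Constructed sample of Windows Security events, flattened to CSV.
SAMPLE_EVENTS = """\
event_id,logon_type,account,host,source_ip
4624,10,da-tray,DC01,10.0.5.10
4624,10,da-lpotana,DC02,10.20.1.55
4624,2,svc-backup,DC01,-
4624,10,da-tray,APP07,10.20.1.55
4625,10,da-lpotana,DC01,10.20.1.56
"""

if __name__ == "__main__":
    for f in audit_logons(SAMPLE_EVENTS):
        print(f"ALERT {f.account}@{f.host} from {f.source_ip}: {f.reason}")
```

Only the second sample row fires: the first came from a PAM appliance, the third is a console logon, the fourth targets a member server, and the fifth is a failed logon.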
  14. Use Case: Unix Root (Before PAM Integration)
     No consistent method for managing Unix root passwords by the SysAdmin teams. The Unix root passwords had to be rotated manually on a regularly scheduled interval. No attribution for Unix root account usage.
  15. Use Case: Unix Root (After PAM Integration)
     Unix SysAdmin logs into the CA PAM client with 2FA to check out the root password for a server when required. An SSH session to the Unix server is launched using CA PAM transparent login with PAM-managed credentials. The root password is never displayed to the SysAdmin. Command filtering prevents accidents (rm -rf *.*). The session is optionally recorded for audit purposes.
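Slide 15 relies on command filtering in the brokered SSH session to stop accidents such as rm -rf *.*. The following is an added illustration of that kind of filter, not CA PAM's own filter syntax or code; the deny rules are an assumed policy. It inspects every simple command in a chain, so a destructive command hidden behind a semicolon, pipe or sudo is still caught.

```python
"""Command filter for a PAM-brokered SSH session: decide whether a line typed
by the SysAdmin may be forwarded. Added example; DENY_RULES is an assumed policy."""
import re
import shlex

CHAIN = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")   # splits a line into simple commands
WRAPPERS = ("sudo", "nohup", "time")             # prefixes stripped before matching

def _recursive_force(args):
    """True when rm is given both a recursive and a force flag (-rf, -r -f, --force)."""
    flags = "".join(a[1:] for a in args if a.startswith("-") and not a.startswith("--"))
    recursive = "r" in flags or "R" in flags or "--recursive" in args
    force = "f" in flags or "--force" in args
    return recursive and force

def _wide_target(args):
    """True when any target is the root, a bare wildcard, or a whole directory glob."""
    targets = [a for a in args if not a.startswith("-")]
    return any(t in ("/", "*", "*.*") or t.endswith("/*") for t in targets)

# (command-name pattern, predicate over its arguments) -> deny when both hold
DENY_RULES = [
    (re.compile(r"^rm$"),  lambda a: _recursive_force(a) and _wide_target(a)),
    (re.compile(r"^mkfs"), lambda a: True),
    (re.compile(r"^dd$"),  lambda a: any(x.startswith("of=/dev/") for x in a)),
]

def filter_command(line: str):
    """Return (allowed, reason) for one typed line."""
    for simple in CHAIN.split(line):
        try:
            argv = shlex.split(simple)
        except ValueError:
            return False, "unparseable command"      # fail closed on bad quoting
        while argv and argv[0] in WRAPPERS:
            argv = argv[1:]
        if not argv:
            continue
        cmd, args = argv[0].rsplit("/", 1)[-1], argv[1:]   # /bin/rm -> rm
        for name_re, check in DENY_RULES:
            if name_re.match(cmd) and check(args):
                return False, f"blocked by policy: {simple.strip()}"
    return True, "ok"
```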
  16. Use Case: Developer DB Break-Fix (Before PAM Integration)
     Developer escalates his database privileges temporarily (24 hours) using an IDM pre-approved break/fix workflow. Since the developer uses his own personal user account for the escalated database access, the window of opportunity for an attacker to gain access using compromised credentials is lengthy.
  17. Use Case: Developer DB Break-Fix (After PAM Integration)
     Developer logs into the CA PAM client with 2FA and checks out a privileged database account. A secure SQL session to the database is launched using CA PAM transparent login with PAM-managed credentials. The database password is never displayed to the developer. The session is optionally recorded for audit purposes.
  18. Use Case: Microsoft LAPS Console (Before PAM Integration)
     Administrator launches the LAPS console from their local machine. LAPS privileges are granted directly to the human admins via an AD group. An adversary utilizing a compromised human admin account would be able to view local Windows admin credentials for many devices in LAPS.
  19. Use Case: Microsoft LAPS Console (After PAM Integration)
     Administrator logs into the CA PAM client with 2FA and checks out a LAPS-enabled credential. CA PAM launches the LAPS console via an RDP published application. The LAPS-enabled credential is rotated at the end of the session and once a day. The LAPS session is optionally recorded for audit purposes.
  20. WHAT WE LEARNED WILL HELP US SCALE
     PLANNING | AWARENESS | PHASED APPROACH | EMPOWER ADMINISTRATORS | DESIGN FOR HIGH AVAILABILITY
  21. Questions?
  22. Stay connected at communities.ca.com. Thank you.
  23. Security: For more information on Security, please visit: http://cainc.to/CAW17-Security