Risk Management of Privileged Users June, 2014

Risk management of privileged users 2

DESCRIPTION

Exciting presentation on how to handle privileged users in Active Directory with regard to security and compliance, using a simple tool

Page 1: Risk management of privileged users 2

Risk Management of Privileged Users

June, 2014

Page 2: Risk management of privileged users 2

Understanding the Challenge

Page 3: Risk management of privileged users 2

The situation for privileged users

Often these accounts are Non Personal

Created during Projects for Specific Task

Clear and Static set of Entitlements

When Created an End Date is not Foreseen

Page 4: Risk management of privileged users 2

That creates Challenges

Often Privileged Accounts do not get Cleaned Up

Nobody knows How Many there are

Nobody knows Which Entitlements they have

Nobody knows which ones are No Longer In Use

Page 5: Risk management of privileged users 2

Which steps do you need to follow to get back in control?

Page 6: Risk management of privileged users 2

Step 1: Discover

In the Discovery Phase, all NPAs / Privileged Accounts are detected within the infrastructure. For most of those we can assess right away whether they are still actively being used or not.

Page 7: Risk management of privileged users 2

Step 2: Monitor

For those accounts for which it cannot be established directly if/how they are being used, a monitoring process is started.

Page 8: Risk management of privileged users 2

Step 3: Clean Up!

All NPAs / Privileged Accounts that are no longer being used will be decommissioned during the third phase: the Clean Up.

Page 9: Risk management of privileged users 2

Step 4: Manage

All accounts are put into a Managed Lifecycle. Responsibility is placed under a role, owned by a ‘normal’ identity, and an expiration date is added.
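The four steps above, sketched as a triage over an exported account inventory. This is an added example, not part of the original slides or of any NetIQ product; the 90-day staleness threshold, the `owner` field and the account names are assumptions, while `lastLogonTimestamp` and `accountExpires` are the standard Active Directory attributes.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NO_END_DATE = (0, 0x7FFFFFFFFFFFFFFF)  # accountExpires values meaning "never expires"
SYNC_LAG = timedelta(days=14)     # lastLogonTimestamp can trail the real logon by ~14 days
STALE_AFTER = timedelta(days=90)  # assumed policy threshold, not from the slides

def to_filetime(dt):
    """datetime -> AD FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def from_filetime(ft):
    """AD FILETIME -> timezone-aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def triage(acct, now):
    """Return (phase, lifecycle_gaps) for one discovered privileged account."""
    gaps = []
    if not acct.get("owner"):
        gaps.append("no owning identity")
    if acct.get("accountExpires", 0) in NO_END_DATE:
        gaps.append("no expiration date")
    last = acct.get("lastLogonTimestamp")
    if not last:                        # no logon recorded: usage unknown
        return "monitor", gaps
    idle = now - from_filetime(last)
    if idle <= STALE_AFTER:             # provably used recently
        return "manage", gaps
    if idle - SYNC_LAG > STALE_AFTER:   # stale even allowing for replication lag
        return "clean-up", gaps
    return "monitor", gaps              # inside the uncertainty window

def sample_inventory(now):
    """Constructed inventory; account names and owner are hypothetical."""
    ago = lambda d: to_filetime(now - timedelta(days=d))
    return [
        {"name": "svc-backup", "lastLogonTimestamp": ago(10), "accountExpires": 0},
        {"name": "svc-migration", "lastLogonTimestamp": ago(400),
         "accountExpires": 0, "owner": "jdoe"},
        {"name": "svc-report", "lastLogonTimestamp": ago(95),
         "accountExpires": NO_END_DATE[1]},
        {"name": "svc-unused", "lastLogonTimestamp": 0, "accountExpires": 0},
    ]

def run_sample(now=datetime(2014, 6, 1, tzinfo=timezone.utc)):
    return {a["name"]: triage(a, now) for a in sample_inventory(now)}

if __name__ == "__main__":
    for name, (phase, gaps) in run_sample().items():
        print(f"{name:14} {phase:9} {', '.join(gaps) or 'ok'}")
```

Accounts that land in "monitor" are the ones where the directory attributes alone cannot show whether the account is in use, which is the case Step 2 addresses.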

Page 10: Risk management of privileged users 2

Focus on the basics

Enforce access controls

Monitor user activity

Minimize rights

Page 11: Risk management of privileged users 2

How to make your Active Directory safe and compliant

Page 12: Risk management of privileged users 2

© 2012 NetIQ Corporation. All rights reserved.

The Current State of Active Directory

Where are we at? Where are we going?

• Critical: Active Directory’s role in the enterprise is evolving to meet business demands

• Native: Microsoft native tools lack fine-tuned administration features

• Automation: Automating processes could decrease workload and simplify compliance

• Security: Demand for better controls over user permissions and changes, richer reporting and auditing capabilities

Page 13: Risk management of privileged users 2

What NetIQ Provides: NetIQ Directory and Resource Administrator

• Features

‒ Secure delegated administration

‒ Centralized auditing & reporting of account management tasks

‒ Automation of repetitive tasks

‒ Enforcement of account policies

• Benefits

‒ Reduces administration costs

‒ Increases administration efficiency

‒ Assures enterprise security

‒ Helps achieve compliance

Page 14: Risk management of privileged users 2

Secure, Delegated Administration: NetIQ Directory and Resource Administrator

• What is it?

‒ Dramatically simplifies the delegation of administrative entitlements across Active Directory

• Benefits

‒ Reduces the number of native privileged accounts

‒ Delegate administrative tasks out across the organization

‒ Using ActiveView technology, administrators only see what they are allowed to manage

Puts greater control over administrative capabilities, assuring the security of Active Directory

Page 15: Risk management of privileged users 2

Centralized Auditing of Administration: NetIQ Directory and Resource Administrator

• What is it?

‒ Captures all account management activities

‒ Identifies who did what, when, and where

• Benefits

‒ Enforcement of activity auditing

‒ Capturing & centralizing activities in a multi-master environment

‒ AD security audit log conciseness & interpretation

‒ Complete audit trail

Helps achieve regulatory compliance and security best practices

Page 16: Risk management of privileged users 2

Reporting Center Console

‒ The Reporting Center Console allows you to view, configure, and create reports based on data collected by DRA servers.

Page 17: Risk management of privileged users 2

Enforcement of Account Policies: NetIQ Directory and Resource Administrator

• What is it?

‒ Ensure policy is enforced across administrative-related activities

• Benefits

‒ Content control through data validation policies

‒ Data correctness and compliance

‒ Assures content consistency as well as contextual control

‒ What and when changes are made

‒ Ability to review and rollback deleted objects

Assures data integrity, accuracy, and improved control over changes

Page 18: Risk management of privileged users 2

Automation of Repetitive Tasks: NetIQ Directory and Resource Administrator

• What is it?

‒ Facilitates the automation of repetitive activities to reduce the level of required human interaction

• Benefits

‒ Assures that all steps are carried out correctly, in order, and completely

‒ Ability to integrate and launch 3rd-party applications and scripts from within the console

‒ Examples: Mailbox creation, disk quota reporting and more

Increases administrator efficiency

Page 19: Risk management of privileged users 2

Privileged User Management

Microsoft AD

Page 20: Risk management of privileged users 2

Administration layer

Privileged User Management

Microsoft AD

Page 21: Risk management of privileged users 2

Administration layer

Privileged User Management

Privileged Users

Microsoft AD

Delegated Admin

Page 22: Risk management of privileged users 2

Granular Delegated Administration

Administration layer

Privileged Users

Microsoft AD

Delegated Admin

Page 23: Risk management of privileged users 2

Administration layer

Recycle Bin for Easy Restoration

Privileged Users

Microsoft AD

Delegated Admin

Page 24: Risk management of privileged users 2

Administration layer

Full Audit Trail & Enhanced Reporting

Privileged Users

Microsoft AD

Delegated Admin

Page 25: Risk management of privileged users 2

Administration layer

AD user provisioning through DRA

Privileged Users

Microsoft AD

Delegated Admin

Identity Manager

Page 26: Risk management of privileged users 2

© 2014 NetIQ Corporation and its affiliates. All Rights Reserved.

Thank you.

Page 27: Risk management of privileged users 2

+1 713.548.1700 (Worldwide)

888.323.6768 (Toll-free)

[email protected]

Worldwide Headquarters

1233 West Loop South Suite 810 Houston, TX 77027 USA

www.netiq.com/communities

Page 28: Risk management of privileged users 2

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.

Copyright © 2014 NetIQ Corporation. All rights reserved.

ActiveAudit, ActiveView, Aegis, AppManager, Change Administrator, Change Guardian, Compliance Suite, the cube logo design, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator, File Security Administrator, Group Policy Administrator, Group Policy Guardian, Group Policy Suite, IntelliPolicy, Knowledge Scripts, NetConnect, NetIQ, the NetIQ logo, PSAudit, PSDetect, PSPasswordManager, PSSecure, Secure Configuration Manager, Security Administration Suite, Security Manager, Server Consolidator, VigilEnt, and Vivinet are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the United States and other countries.