Privileged Access Management (PAM): Zero Trust Privilege

Text | Centrify; translation | Qin Longji, DataSimp © 20190126 Sat

Contents

B. Privileged Access Management (PAM): Zero Trust Privilege (13,000 characters)

1. Zero Trust Privilege

2. The Six Tenets of Zero Trust Privilege

3. Conclusion

References (1,160 characters)

1. Zero Trust Privilege

What is Zero Trust Privilege?

Zero Trust Privilege redefines legacy Privileged Access Management (PAM) for the modern enterprise IT threatscape. Organizations must discard the old model of “trust but verify”, which relied on well-defined boundaries. Zero Trust mandates a “never trust, always verify, enforce least privilege” approach to privileged access, from inside or outside the network.

Zero Trust Privilege requires granting least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment. By implementing least privilege access, organizations minimize the attack surface, improve audit and compliance visibility, and reduce risk, complexity and costs for the modern, hybrid enterprise. [6]

FIGURE: The Zero Trust Privilege Approach

Legacy PAM Is Not Enough for the Expanded Threatscape

Legacy PAM has been around for decades and was designed back in the day when ALL your privileged access was constrained to systems and resources INSIDE your network. The environment was systems admins with a shared “root” account that they would check out of a password vault, typically to access a server, a database or a network device. Legacy PAM served its purpose.

However, today’s environment is different: privileged access not only covers infrastructure, databases and network devices, but extends to cloud environments. It also includes big data projects, it must be automated for DevOps, and it now needs to cover hundreds of containers or microservices that represent what used to be a single server.

On top of this, we now all live in a world of Advanced Persistent Threats (APTs) that create a growing and changing risk to organizations’ financial assets, intellectual property and reputations. Expanding access and obtaining credentials is an essential part of most APTs, with privileged access being the crown jewels. Forrester (see Forrester Wave: Privileged Identity Management, Q3 2016) stated that “80% of security breaches involve privileged credentials.”

FIGURE: The Shift from Legacy Privileged Access Management to Cloud-Ready Zero Trust Privilege

Cloud-ready Zero Trust Privilege is designed to handle requesters that are not only human but also machines, services and APIs. There will still be shared accounts, but for increased assurance, best practice now recommends individual identities, not shared accounts, so that least privilege can be applied. All controls must be dynamic and risk-aware, which requires modern machine learning and user behavior analytics. PAM must now integrate and interoperate with a much broader ecosystem, including IaaS providers like AWS and Azure, DevOps CI/CD pipeline tools such as HashiCorp and Ansible, and container solutions such as Docker, Kubernetes and CoreOS.

2. The Six Tenets of Zero Trust Privilege

A Zero Trust Privilege approach helps enterprises grant least privilege access based on verifying who is requesting access, the context of the request and the risk of the access environment. By implementing least privilege access, Zero Trust Privilege minimizes the attack surface, improves audit and compliance visibility, and reduces risk, complexity and costs for the modern, hybrid enterprise. Zero Trust Privilege is built on six tenets, which are covered in detail below:

2.1 Verify Who

Today, identities include not just people but workloads, services and machines. Properly verifying WHO means leveraging enterprise directory identities, eliminating local accounts and decreasing the overall number of accounts and passwords, reducing the attack surface. Many large organizations have standardized on Microsoft’s Active Directory, but with Zero Trust Privilege you don’t have to standardize on any particular directory. In fact, you can keep different populations of identities in different directories. The important part is to establish identity for users via HR-vetted enterprise directory identities, meaning these identities are automatically disabled when the person’s employment is terminated. The last thing you want is a database administrator (DBA) who leaves but still retains their privileged access rights.

A best practice for privileged access is to establish unique accounts for each administrator to use for admin purposes. Microsoft suggests that these be “Alternate Admin Accounts” (commonly referred to as “dash a” due to the typical “-A” appended to the user’s account) that are associated with the admin user but are separate from the admin’s end user identity, which is typically a publicly-known account with an email address. This way, if the public email account gets compromised, it does not expose their Alternate Admin Account.

To verify who, we must also apply Multi-Factor Authentication (MFA) everywhere: during login, upon password checkout, at privilege elevation, any time there is a new request. With privileged access we must know with certainty who is on the other end before granting access. MFA is a must-have; passwords are not good enough. Let’s face it, 10% of you probably have the word “admin” as your password, and that’s not going to cut it. The good news is MFA is way easier than before, when you used to have to wait for 120 seconds for a new 6-digit code to come up and type it in. Now users just get a push notification to their phone and/or just touch their FIDO key.

When implementing MFA, it is critical to enforce National Institute of Standards and Technology (NIST) Assurance Level 2 at a minimum for admin functions. This means a dual challenge: something you know, and something you have. A good example is a password combined with a push notification to your phone, or an OTP generated by your phone. For most critical assets it is recommended to increase even further to NIST Assurance Level 3, where possible. This includes two-factor authentication with a password in addition to a hardware-based cryptographic token, such as a smart card or FIDO key. Google claims they have not had a single successful phishing attack since they implemented FIDO keys for all users.

2.2 Contextualize Request

First, we need to start with why it is important to have a “request and approve” access process. It makes sense that a database administrator (DBA) should not have default rights to access all databases, only the ones they need to work on that day. That way, if that DBA’s credentials are compromised, we have limited the attack surface. For each request, it is important to know WHY somebody, or something, is performing privileged activity. To do this, we must understand the context behind the request for access, and review and approve the request based on the context provided.

The concept of least privilege is to provide only the level of privilege needed to perform a certain task, and only for the amount of time necessary to perform that task. To execute least privilege, the granter of access must understand the context to be able to make the appropriate access decision.

Recording the request context typically includes associating the request with a certain trouble ticket and providing a reason, as well as what is being requested and for how long. Once the request is contextualized, it must be routed for approval, and this workflow can be as simple or complex as you would like to make it. For larger companies to best achieve this step, it is likely going to involve integrating the PAM solution with an enterprise-grade ITSM (IT Service Management) solution like ServiceNow or an IGA (Identity Governance and Administration) platform like SailPoint Technologies.

2.3 Secure Admin Environment

When accessing privileged resources, it is critical that we neither enable malware access to servers nor introduce infections during our connection to servers. To achieve this, we need to make sure access is only achieved through a clean source. Zero Trust Privilege means preventing direct access from user workstations that also have access to the Internet and email, which are too easily infected with malware. Access should only be granted through approved Privileged Admin Consoles, which can be achieved in many ways, including web-based access to sensitive systems via an administrative jump box, such as the Centrify Zero Trust Privilege Services with its Connectors.

Modern cloud jump boxes with distributed connectors are a great way to achieve a secure admin environment for distributed organizations. In the past you only had to secure access from inside your network. But the beauty of a properly designed Zero Trust Privilege Admin Environment is that it not only allows remote staff to access resources 24x7, but it is also well suited for outsourced IT or outsourced development users, because it alleviates the need for a Virtual Private Network (VPN) and handles all the transport security between the secure client and distributed connectors.

Distributed jump hosts or “connectors” serve the dual purpose of load balancing in the same network and supporting multiple, different private networks. These connectors go where the resources are located, such as a DMZ, IaaS, or Virtual Private Network, with private, mutually authenticated connections. These secure connections allow web-based SSH or RDP that works from any location. For outsourced, third-party users it includes federated inbound authentication, meaning authentication can depend on a partner’s directory of authorized employees, providing much higher identity assurance.

2.4 Grant Least Privilege

Least privilege as a concept is more common than you realize. Think of physical access control at your office: different levels of users have different access rights, and to get access to certain areas you must request and be approved. This is all very well recognized in the physical security space, and the same logic applies to logical security. It applies when granting granular role-based access to privileged resources.

Another objective of granting least privilege is to limit lateral movement across the network. This is the primary way attackers get access to sensitive data: they start in one location and move laterally until they find what they are looking for. If we zone off what they have access to, then we can stop lateral movement. Just like nobody should have a single key/badge that accesses everything, you really don’t want to use the root account on a server, as it gives too much access and has no attribution to the actual user, who we’ll call “Bob.” Instead Bob should log in directly to the target system with his alternate admin entitlements, which give him access to restart only a particular set of servers. If he needs to change the configuration or access a different target system, then he must request access for a specified period of time through something like ServiceNow and may be asked for Multi-Factor Authentication (MFA). Once complete, Bob’s entitlements will reduce back to just what is needed.
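The request-and-approve workflow of 2.2 and Bob’s time-bounded elevation in 2.4, as an added example that is not part of the original paper or of Centrify’s product: the standing-entitlement table, the per-scope duration caps, the account names and the ticket id are all constructed.

```python
"""Request-and-approve, time-bounded least-privilege elevation (added example).

Not Centrify's code: accounts, scopes, caps and tickets are constructed here.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

NOW = datetime(2019, 1, 26, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo

# Standing entitlements of each alternate admin ("dash a") account. Bob's
# standing right is only restarting one named set of servers (constructed).
STANDING = {"bob-a": {("restart", "web-tier")}}

# Elevation beyond standing rights is bounded per scope; a request above the
# cap is refused outright rather than silently trimmed.
MAX_HOURS = {"db-prod": 2.0, "web-tier": 8.0}

@dataclass
class Request:
    account: str
    action: str
    scope: str
    ticket: str = ""          # trouble ticket the request is tied to
    reason: str = ""          # why the privilege is needed
    duration_hours: float = 0.0
    mfa_verified: bool = False

@dataclass
class Grant:
    account: str
    action: str
    scope: str
    expires: Optional[datetime]   # None = standing right with no expiry

def evaluate(req: Request, now: datetime) -> Tuple[str, Optional[Grant]]:
    """Decide a request. Standing rights pass without workflow; anything
    beyond them must carry ticket, reason and duration, and be MFA-verified."""
    if (req.action, req.scope) in STANDING.get(req.account, set()):
        return "allow", Grant(req.account, req.action, req.scope, None)
    if not req.ticket or not req.reason:
        return "deny: elevation must reference a ticket and a reason", None
    if req.scope not in MAX_HOURS:
        return "deny: unknown scope", None
    if not 0 < req.duration_hours <= MAX_HOURS[req.scope]:
        return "deny: duration must be positive and within the scope cap", None
    if not req.mfa_verified:
        return "deny: MFA required for elevation", None
    expires = now + timedelta(hours=req.duration_hours)
    return "allow", Grant(req.account, req.action, req.scope, expires)

def is_active(grant: Grant, now: datetime) -> bool:
    """Elevated grants lapse by themselves; the account falls back to standing."""
    return grant.expires is None or now < grant.expires

def later(hours: float) -> datetime:
    """Clock helper: NOW shifted by the given number of hours."""
    return NOW + timedelta(hours=hours)
```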

2.5 Audit Everything

For privileged sessions, it is of course best practice to audit everything. With a documented record of all actions performed, audit logs can be used not only in forensic analysis to find exactly the issue, but also to attribute actions taken to a specific user. Because these sessions are so critical, it is also best practice to keep a video recording of the session that can be reviewed or used as evidence for your most critical assets or in highly regulated industries. There are multiple regulations, including PCI-DSS for payment card data, that specifically require this level of auditing.

Monitoring and session recording can be achieved through either a gateway-based and/or a host-based technique. Host-based ensures that sessions cannot be bypassed, and also provides process launch and file system change auditing, which is a highly desired technique for your most critical resources.

If you have a security department, a good practice is to integrate this audit data with your existing Security Information and Event Management (SIEM) system or Cloud Access Security Broker (CASB) service for automated mining, where risky activities can be identified and alerts raised.

2.6 Adaptive Control

Zero Trust Privilege controls need to be adaptive to the risk context. Gartner promotes CARTA (Continuous, Adaptive, Risk and Trust Assessment), and it is absolutely required for privileged access too. Zero Trust Privilege means knowing that even if the right credentials have been entered by a user, but the request comes in from a potentially risky location, then a stronger verification is needed to permit access. Modern machine learning algorithms are now used to carefully analyze a privileged user’s behavior, identify “anomalous” or “non-normal” (and therefore risky) activities, and alert or notify security.

Adaptive control means not only notifying of risky activity in real time, but also being able to actively respond to incidents by cutting off sessions, adding additional monitoring or flagging for forensic follow-up.

Machine learning allows companies to pore through millions of events and scan for that needle in the haystack on an ongoing and continuous basis, which would never be achievable by manual forensics. Even more valuable is performing machine-learning-based analytics inline and in real time, and thus being able to enforce truly adaptive preventive controls and not just after-the-fact detective controls.
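The audit mining of 2.5 and the risk-adaptive response of 2.6, as an added example that is not from the original paper: the audit records, the per-user baseline and the point weights are constructed, and a plain rule set stands in for the machine-learning analytics the text describes.

```python
"""Audit-event mining with adaptive response (added example, not Centrify's code).

Log lines, the per-user baseline and the point weights are all constructed.
"""
import json

# Constructed audit records, one JSON object per line, as a PAM gateway might emit.
AUDIT_LOG = """\
{"ts":"2019-01-26T09:02:11Z","user":"bob-a","target":"web-03","action":"service restart","src_country":"US","mfa":true,"ticket":"CHG-1001","session":"s1"}
{"ts":"2019-01-26T09:05:40Z","user":"root","target":"db-01","action":"shell","src_country":"US","mfa":false,"ticket":"","session":"s2"}
{"ts":"2019-01-26T09:12:05Z","user":"bob-a","target":"web-02","action":"config write","src_country":"RO","mfa":true,"ticket":"CHG-1001","session":"s3"}
{"ts":"2019-01-26T10:15:00Z","user":"alice-a","target":"web-01","action":"config write","src_country":"US","mfa":true,"ticket":"","session":"s4"}
"""

# Per-user behavioural baseline (constructed), standing in for what a UBA engine
# would learn from history: usual source countries, working hours and targets.
BASELINE = {
    "bob-a":   {"countries": {"US"}, "hours": range(8, 19), "targets": {"web-01", "web-02", "web-03"}},
    "alice-a": {"countries": {"US"}, "hours": range(8, 19), "targets": {"web-01"}},
}
ACTIONS_NEEDING_TICKET = {"config write", "shell"}

# Adaptive response ladder: alert, then step-up MFA plus monitoring, then cut the session.
THRESHOLDS = [(60, "terminate session and flag for forensics"),
              (40, "require step-up MFA and add monitoring"),
              (20, "alert")]

def score(event):
    """Risk points and reasons from attribution, request context and baseline."""
    pts, why = 0, []
    if event["user"] == "root":
        pts += 50; why.append("shared root account, no user attribution")
    if not event["mfa"]:
        pts += 30; why.append("no MFA on privileged session")
    if event["action"] in ACTIONS_NEEDING_TICKET and not event["ticket"]:
        pts += 20; why.append("privileged change without ticket")
    base = BASELINE.get(event["user"])
    if base:
        if event["src_country"] not in base["countries"]:
            pts += 40; why.append("source country outside baseline")
        if int(event["ts"][11:13]) not in base["hours"]:
            pts += 15; why.append("outside normal working hours")
        if event["target"] not in base["targets"]:
            pts += 15; why.append("target outside usual set")
    return pts, why

def respond(pts):
    """Pick the strongest response whose threshold the risk score reaches."""
    return next((act for lim, act in THRESHOLDS if pts >= lim), "allow")

def analyze(log_text=AUDIT_LOG):
    """Map session id -> (points, response, reasons), ready to forward to a SIEM."""
    out = {}
    for line in log_text.splitlines():
        if line.strip():
            ev = json.loads(line)
            pts, why = score(ev)
            out[ev["session"]] = (pts, respond(pts), why)
    return out
```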

3. Conclusion

To deliver Zero Trust, today’s Privileged Access Management (PAM) solutions cannot rely on simply vaulting away shared accounts. They must cover, in detail, both Privileged Account and Session Management as well as Privilege Elevation and Delegation Management. But clearly that is not enough. To sufficiently verify who (or what) a requester is, today’s cloud-ready Privileged Access Management (PAM) must include Privileged Identity and Access Management, Multi-Factor Authentication as well as Privilege Threat Analytics.

Legacy Privileged Access Management (PAM) did a great job of serving yesterday’s threatscape, but in a modern enterprise IT world, to protect yourself, your company, your customers, and your investors, a Zero Trust Privilege approach should be applied.

©2019 Centrify Corporation. All Rights Reserved.

—END—

Disclaimer: the material comes from publicly available periodicals and media; this article is for academic news dissemination only, and the cited references allow the sources to be traced. This public account holds no position and does not indicate endorsement of the views expressed or of their content.


The Chinese Academy of Sciences’ ZeroTrust AI anti-corruption system shut down for being too efficient (16k characters)

(Send “零信任AI反腐系统” to the public account to download the PDF)

Qin Longji 2010-2019 © 科学Sciences

Sciences220中科院ZeroTrust零信任AI反腐系统效率太高被关闭SP20190208FriQinDragon.docx

Introduction: The Chinese Academy of Sciences’ ZeroTrust AI anti-corruption system was shut down for being too efficient. Author: Qin Longji. Sources: South China Morning Post / 知识简化 / DataSimp community (NC non-commercial license) / Qin Longji’s WeChat group chats and public account; references are cited with their sources. Download: for the 21k-character, 10-figure, 10-page PDF of this article, after tipping send the keyword “零信任AI反腐系统” or “零信任特权ZTP” in the public account’s input bar to receive the link; see the article category menu of “科学Sciences”. Copyright: popular-science articles are for study and research only; © copyright of public material belongs to the original authors; do not use for commercial or illegal purposes. The DataSimp community retains the corresponding rights; for unclear or missing citations, translator’s notes or sources, or copyright questions, leave a message on the public account or e-mail QinDragon2010@qq.com. Reposting: please state and retain the author, source and time, for example “From: © 科学Sciences, author: Qin Longji, time: 20190504Sat © Qin Longji 2010-2019 compiled and translated”.


Originally published on the WeChat public account 科学Sciences (SciencesPub)

Original publication date: 2019-05-04
