„IT Infrastructure without Administrator Role Accounts is ... · Privileged Access Management...


Page 1: „IT Infrastructure without Administrator Role Accounts is ... · Privileged Access Management (PAM). Privileged access is used to run equipment, applications, and data of IT infrastructures,

CONFIDENTIAL Slide 1

„IT Infrastructure without Administrator Role Accounts, is it possible?

Alejandro Soret Madolell, Product Manager PEDM

[email protected]

Pawel Rybczyk, Business Developer CEE/CIS

[email protected]

Slide 2

The WALLIX offer

WALLIX Admin Center

SaaS management console for WALLIX solutions

• Cybersecurity by design
• Manage configurations
• Back up and restore
• License key management

DISCOVERY: Map and explore your network to unveil hidden privileged accounts

PEDM: Least Privilege protection to secure critical endpoints

SESSION MANAGER: Ensure real-time oversight of critical resources

PASSWORD MANAGER: Maintain the highest standards of password protection

ACCESS MANAGER: Grant & control secure access for external connections

WALL4iOT
• Bastion4iOT
• ISC (Alleantia)

AAPM MFA

WALLIX for Industry 4.0

Slide 3

PAM

Slide 4

Slide 5

Bastion Key Architecture (diagram)

Users: privileged users, third-party contractors, auditors, risk and compliance officers.

BASTION: Session Manager, Password Manager, Vault.

Protected side: targets, robots.

Slide 6

PEDM

Slide 7

Slide 8

Privilege Elevation and Delegation Management (PEDM)

WALLIX PEDM

Slide 9


4 good reasons to implement a PEDM solution

Security breaches are a plague

▪ 327 attacks every minute

▪ $400.000 billion cost from 2016 attacks

▪ More than 150 billion attacks on 2017

▪ Attacks on critical infrastructures have multiplied by 20 in 4 years

Privileged accounts are involved in most cyber attacks

About 92% of the malware affecting systems requires privilege elevation to infect and propagate to network systems.

By removing high-level privileges, most malware is removed as well.

Old security solutions are now obsolete

New attacks have shown that traditional defense systems are not effective, because they need to know the threats beforehand.

Their effectiveness rate is only about 60%.

Vulnerabilities derived from the use of privileged accounts

▪ 91% of the vulnerabilities of Microsoft Office

▪ 96% of the vulnerabilities of Microsoft Windows OS

▪ 100% of remote code injection vulnerabilities

▪ 100% of the vulnerabilities of Microsoft Internet Explorer

Slide 10

A good solution recommended by leading agencies…

Principle of Least Privilege - POLP

▪ Gartner Top 10 Security Projects for 2018. “Organizations should remove administrative rights from all users.”

▪ The US Computer Emergency Readiness Team (US-CERT) best practice guidelines recommend to “Use extra caution with system administrators and technical or privileged users.”

Its goal is to fight against malware.

… however, it could impact businesses’ productivity:

▪ IT team burden, ticket overflow

▪ Reduced employee efficiency and increased frustration

(Figure: balance between Productivity and Security)

Sources: https://www.gartner.com/smarterwithgartner/gartner-top-10-security-projects-for-2018/

WALLIX, a Limited Liability Company with share capital of €50,000, having its registered office at 250 bis, rue du Faubourg Saint Honoré, 75008 – PARIS - FRANCE, registered at the Registry of Trade and Companies of Paris under number B 450 401 153 – FR67 450 401 153

WALLIX BASTION

PRODUCT OVERVIEW

V7 – SEPTEMBER 2019


Wallix Bastion - Product Overview V7 – SEPTEMBER 2019 2 / 20

Table of Contents

I INTRODUCTION (p. 3)
I.1 OBJECT (p. 3)
I.2 SCOPE AND EXPIRY (p. 3)
I.3 RELATED DOCUMENTS (p. 3)
I.4 REVISION HISTORY (p. 4)
I.5 ABBREVIATIONS (p. 4)

II BASTION POSITIONING AND VALUE PROPOSAL (p. 5)
II.1 WHY PROTECT PRIVILEGED ACCESS? (p. 5)
II.2 REGULATIONS (p. 6)
II.3 WHICH BUSINESS SECTORS REQUIRE A PAM SOLUTION? (p. 6)
II.4 POSITIONING (p. 7)
II.5 ABOUT WALLIX (p. 8)
II.6 AWARDS (p. 8)
II.7 CERTIFICATIONS (p. 9)

III BASTION IN A NUTSHELL (p. 10)
III.1 OVERVIEW (p. 10)
III.2 SECURING INFORMATION SYSTEMS (p. 12)
III.3 CONFIGURED FOR COMPLIANCE (p. 12)
III.4 TECHNICAL BENEFITS OF THE BASTION (p. 12)

IV BASTION MODULES (p. 14)
IV.1 SESSION MANAGER (p. 14)
IV.2 PASSWORD MANAGER (p. 15)
IV.3 ACCESS MANAGER (p. 15)
IV.4 BESTSAFE PEDM (p. 16)
IV.5 WALLIX ADMIN CENTER (p. 17)
IV.6 DEPLOYMENT OPTIONS (p. 17)
IV.7 INTEROPERABILITY (p. 18)

V CASE STUDIES (p. 19)


I INTRODUCTION

I.1 OBJECT

WALLIX is a cybersecurity software publisher and Europe’s leading player in Privileged Access Management (PAM).

Privileged access is used to run the equipment, applications, and data of IT infrastructures, including access to the keys of equipment, applications, and enterprise information system data. As a result, privileged accounts are the primary targets of most cyber-attacks, which lead to the theft of sensitive and strategic data, fraud, and the sabotage of corporate information systems.

Used by more than 700 customers and recipient of multiple awards, the WALLIX Bastion enables its customers to manage, control, supervise and track privileged access, which is critical in responding to threats to their IT infrastructure. It guarantees accountability for both connections and actions.

This document describes the Bastion, covering the V7 release. It is not designed to present all Bastion functions and features. For details of how to use a specific functionality, please contact [email protected]

I.2 SCOPE AND EXPIRY

This document is released on a quarterly basis, and readers should obtain the latest version prior to use. This document version has no expiration date; however, updated versions may be released.

I.3 RELATED DOCUMENTS

TYPE: TITLE

Whitepaper: Privileged Access Management for Healthcare

Whitepaper: HITECH-HIPP: PAM to reach Healthcare Security Compliance

Case Study: Saint-Quentin hospital chooses WALLIX Bastion

Whitepaper: PCI and PA DSS compliance Assurance with the WALLIX Bastion

Whitepaper: SWIFT Security Controls: the role of Privileged Access Management

Whitepaper: Privileged Access Management for Financial Services

Whitepaper: Securing Industry 4.0

Infographic: Industry Regulations Compliance

Whitepaper: Privileged Access Management for Energy and Infrastructure Companies

Whitepaper: Digitally Transforming Governments: Protecting privileged access in the public sector

Case Study: Gulf Air chooses WALLIX Bastion

Whitepaper: Understanding the Need for Privileged Access Management in the Retail industry

Whitepaper: The Benefits of PAM for Telecommunications Companies and Cloud Service Providers

Case Study: Claranet chooses WALLIX Bastion

Overview: WALLIX BestSafe Product Overview


I.4 REVISION HISTORY

VERSION: OBJECT OF THE REVISION

2019 MAY: Creation

2019 JUNE: Updates: interoperability section, Bastion technical benefits section

2019 SEPTEMBER: Updates: addition of BestSafe PEDM, various small modifications

I.5 ABBREVIATIONS

ANSSI Agence Nationale de la Sécurité des Systèmes d’Information (France)

AWS Amazon Web Services

CLOUD Act Clarifying Lawful Overseas Use of Data Act

CSPN Certification de Sécurité de Premier Niveau (issued by ANSSI)

DSP Digital Service Providers

ERPM Enterprise Random Password Manager

ESO Essential Services Operators

FSTEK Federal Service for Technical and Export Control (Russia)

GCP Google Cloud Platform

IAM Identity and Access Management

ICS Industrial Control Systems

IGA Identity Governance and Administration

IoT Internet of Things

IS Information Systems

MFA Multi-Factor Authentication

OCR Optical Character Recognition

PAM Privileged Access Management

PEDM Privileged Elevation and Delegation Management

PoLP Principle of Least Privilege

RDP Remote Desktop Protocol

SCADA Supervisory Control And Data Acquisition

SIEM Security Information and Event Management

SSH Secure Shell

SSO Single Sign On

TCO Total Cost of Ownership

VO Vital Operator


II BASTION POSITIONING AND VALUE PROPOSAL

II.1 WHY PROTECT PRIVILEGED ACCESS?

Privileged access permissions are the necessary entry points for users [1] to manage the components that make up an IT infrastructure, such as servers, routers, firewalls, applications and databases, all of which have privileged access that grants users the highest access rights. Used by administrators in performing their tasks, privileged access permissions let them do anything, including shutting down the system or extracting sensitive information from databases or devices.

Privileged accounts are the primary targets of cyberattacks. Attackers start by trying to take control of a privileged account and use it to get into the information system, increase their permissions and open further doors to more functionalities and devices. Their goal is to access sensitive information and/or take control of devices, applications, databases, and ultimately the entire information system under attack.

Data theft has very often been traced to weak security on privileged accounts: the Snowden case in June 2013, the theft of the financial information of 143 million Equifax clients in the United States [2], and the hacking of 57 million Uber accounts in November 2017.

A Forrester [3] study reports that some 80% of cyberattacks succeed by, at some point, compromising a privileged account. Privileged accounts are the nerve centers of IT security, and the protection, control and tracking of privileged access are key factors in any cybersecurity strategy.

The need for a PAM solution is driven by numerous technological factors, the most important being:

▪ The increasing digitalization of corporate functions, which magnifies the business impact of cyberattacks. The dematerialization of processes makes companies critically dependent on the proper operation of their IT infrastructure. In manufacturing, with the automation of production chains that use computerized and connected equipment, a cyberattack can shut down a company’s core business. Indeed, production machines are also equipped with privileged access and may become targets for cyberattack. For example, in a 2017 study of cybercrime, Accenture estimates that the average cost of cybercrime [4] around the world had climbed to US$11.7 million per company in 2017, 23% up on 2016 (survey of seven European countries, including France).

▪ The development of cloud-based IT infrastructures and the interconnection of networks accessed by increasing numbers of mobile devices and other equipment. The networks of businesses and other organizations no longer have physical limits; increasing volumes of data are being stored in the cloud and data exchange is proliferating. Cisco predicts that cloud data centers will account for 94% of global data processing capacity by 2021, versus 6% for traditional data centers [5]. As a result, the attack surface of IT infrastructures is growing.

▪ The trend to IT outsourcing, connected with the fact that companies lack the expertise or budgets to roll out, manage and operate IT solutions themselves, or make a strategic choice to entrust their IT to specialized third-party firms. Such companies outsource the management of all or part of their requirements to external providers (such as service operators) whose privileged access must be managed, controlled and supervised.

▪ The advent of the Internet of Things (IoT), which increases by several orders of magnitude the number of devices connected to the infrastructures. According to a Gartner study, there were 8.4 billion connected things in 2017, 3.1 billion of them in corporations. These new connected devices are, however, still very vulnerable to attack. The need to manage them will create further requirements for privileged access, which will therefore have to be protected by PAM solutions.

PAM solutions can address these problems, but businesses and organizations are still too weakly equipped.

[1] Users with privileged access can interact with systems to obtain sensitive information, which presents the risk of theft, compromise or accident, or even the destruction of the information system. In that respect, the accounts of system and network administrators, database managers, and cloud administrators are privileged permissions that present the highest risk level.

[2] Equifax just became the first company to have its outlook downgraded by Moody’s for a cyber-attack: https://www.cnbc.com/2019/05/22/moodys-downgrades-equifax-outlook-to-negative-cites-cybersecurity.html

[3] Source: Forrester, The Forrester Wave: Privileged Identity Management, Q3 2016

[4] Source: Accenture, The Cost of Cybercrime in 2017, 2017

[5] Source: Cisco, Cisco Global Cloud Index Forecast 2016-2021, 2017


II.2 REGULATIONS

The proliferation of large-scale attacks and the resulting risks are driving governments and regulators to frame new legislation in Europe, America, Asia Pacific, the Middle East and Africa, mainly to protect personal and confidential data. Regulations are thus the logical result of increased cybersecurity risks.

However, European and US regulations are drawing lines in opposite directions:

▪ In Europe, the GDPR and NIS regulations impose strict rules on companies in the processing of data to ensure its privacy.

▪ In the United States, the CLOUD Act (Clarifying Lawful Overseas Use of Data Act) requires US-based technology companies to provide requested data to US federal agencies regardless of whether the data are stored on US or non-US soil, without informing the owner of the data, their country of residence, or the country where the data are stored.

In addition, several regulations require players in certain sectors and/or countries to put in place PAM solutions:

Europe:
▪ NIS Directive
▪ GDPR
▪ France: LPM, HDS, PGSSI
▪ Germany: IT Security Act, Federal Data Protection Act
▪ UK: Computer Misuse Act
▪ DSP2
▪ eIDAS

USA:
▪ CLOUD Act
▪ Computer Fraud & Abuse Act
▪ Electronic Com. Privacy Act
▪ NIST SP
▪ NERC/CIP
▪ US NRC
▪ HIPAA
▪ S-OX
▪ 23 NYCRR 500
▪ PCI-DSS
▪ Gramm-Leach-Bliley Act
▪ State-specific regulations

Asia:
▪ China: National Security Law, CINISPMR
▪ Japan: UCAL, APPI
▪ South Korea: APICI, ICNA, PIPA
▪ India: IT Act, Privacy Rules
▪ Singapore: CMCA, PDPA
▪ Australia: Telcos Act, Privacy Act

The global cybersecurity market is directly benefiting from the momentum of such regulations. For example, to comply with the GDPR, companies are required to protect the personal data of persons who interact with their IT infrastructure (employees, customers, etc.). Liability for any leak of personal data may be imputed to the company that is the victim of the attack. To avoid such a situation, companies must invest in data protection solutions and access management solutions such as WALLIX Bastion.

II.3 WHICH BUSINESS SECTORS REQUIRE A PAM SOLUTION?

All business sectors require a PAM solution. A selection of them is presented below.

Healthcare

Healthcare institutions operate against a backdrop of constant change, and their ability to modify their practices and procedures at the drop of a hat determines their success. Now that paper is passé, healthcare information systems must adapt to the digital and mobile era. Patient protection extends beyond ensuring their health – it also includes securing their medical records, which hold valuable information and must be protected from theft, data leaks, and service disruptions.

The protection of private data is driving continuous improvement in healthcare information systems. In today’s environment, trust chains need to be created to smooth the process of seeking healthcare. With organizations flocking to the cloud, data security risks take on a whole new dimension. The challenges involved in securing healthcare data have a direct effect on the chain of hosting service providers or IT services (e.g. magnetic resonance imaging systems, scanners, or radiographic solutions).


Industry

All the advantages of digitization have not been without some drawbacks. In the industrial sector specifically, productivity and availability issues have multiplied. As industrial control systems (ICS) increasingly rely on information systems to perform production, scheduling, and remote access operations, interconnecting ICS systems has taken a toll on security.

Risks that were once only encountered on information systems have now crossed over and begun to contaminate industrial systems. Included among these risks are the various vulnerabilities associated with access to supervisory control and data acquisition (SCADA) systems as well as the actions performed on them. In particular, privileged user access exposes these systems to sizable vulnerabilities with the potential to strike a direct blow to the availability and operation of industrial systems.

Bank & Insurance

Ensuring the security of banking data, especially the potential implications when it falls into the wrong hands, is a permanent and pressing concern for the financial sector. Highly coveted personal data and the potential payout it represents to cybercriminals make the financial sector a prime target. Given the sheer number of service providers involved in each step of a banking transaction, the processes required to guarantee the security of banking data are further complicated. This complication clouds the accountability of banking systems and magnifies the scale of the threat.

Along with the new security challenges that the digital transition brings about — think applications, online payment, mobile access, and cloud-hosted services that need to be secured — banks and insurance firms must always demonstrate due diligence. They need to implement innovative and specialized tools that can guarantee the confidentiality, integrity, and traceability of their clients’ personal data.

Cloud & Telcos

Cloud computing has irreversibly revolutionized how and how much data can be stored by virtualizing data hosting within private, public, and hybrid cloud environments. However, digital service providers (DSPs) and their clients cannot fully harness the benefits of this transformation unless they adapt their security measures to these new environments. It may seem easy, but virtualizing data is hard work. DSPs must protect and manage the migration of their systems to the cloud while also ensuring a seamless process for their clients’ data and mission-critical applications regardless of business sector (finance, human resources, healthcare, etc.).

To ensure that they are providing a service that adds real value to their end users, DSPs must ensure this transition is smooth. They must ensure their compliance with all the regulations governing various sectors, offer reliable third-party application maintenance, and guarantee the encryption of crucial data as well as the traceability of actions performed on their systems.

II.4 POSITIONING

The technological sector of cybersecurity encompasses numerous categories and sub-categories of products and solutions. PAM and the Bastion belong to the Protect category and the Access Control sub-category.


II.5 ABOUT WALLIX

Founded in 2003, WALLIX is the French leader in IT security software solutions for managing network security and critical IT infrastructures. WALLIX is a European company located in France, the United Kingdom and the United States. More than 700 companies and organizations around the world now place their trust in WALLIX for their IT security solutions.

WALLIX works with the IT departments of customers ranging from mid-sized companies to large groups and public organizations to provide innovative solutions that meet the challenges of tracing all operations and managing identities and access rights. Our solutions are engineered to fit seamlessly into the customer’s IT system and ensure compliance with the latest IT security standards.

With a strategy based on innovation, agility and the capability to respond to emerging market needs, WALLIX offers a suite of open-ended solutions tailored to meet the specific needs of its customers. Because companies rightly expect an efficient and swift response, WALLIX favors solutions that do not involve installing specific agents on hardware and which are easily integrated into the client's information system.

WALLIX's products allow users to adapt to and comply with ISO 27001, PCI, SOX, PSN, etc. on information and data security and guarantee the integrity of their IT system, while tracing all operations on their system.

WALLIX distributes its solutions through a network of partners, who are fully trained and certified and have comprehensive knowledge of our solutions.

WALLIX has developed the Bastion, a solution that is easily integrated into customers' IT systems and which provides them with “who did what, when, where and how” information on user actions, in real time or in logs.

WALLIX has developed DataPeps, an end-to-end encryption technology that makes it possible to secure client data in any application: stored data are encrypted without access to the decryption keys, so even successful cyber-attacks will not be able to access client data.

In 2019 WALLIX acquired Simarks and Trustelem to extend its portfolio to the PEDM and IDaaS markets.

More information is available at www.wallix.com/en

II.6 AWARDS

The Bastion solution has received multiple awards, including:

▪ being named 2016 Best Buy by America’s leading cybersecurity magazine SC Media [1], which annually evaluates the products in the sector;

▪ the 2016 prize for the best “identity and access management” solution at the prestigious Computing Security Awards event. The Computing Security Awards are organized by a panel of industry experts, with winners in each category determined by Computing Security magazine reader votes. At that ceremony, the panel said it was “impressed by the easy-to-deploy architecture of the WALLIX Bastion solution, and by its latest major release in early 2016 (....).”

The rich functionality of the Bastion solution led the independent analyst organization KuppingerCole to rank the Company as a “technology leader”, i.e., a leading supplier of PAM solutions on two grounds: product and innovation.

[1] “For its unique approach to the entire privileged account management problem, we make Wallix our Best Buy”: https://www.scmagazine.com/wallix-adminbastion-suite/review/7083/


II.7 CERTIFICATIONS

As part of this quality-based approach, WALLIX has been audited since 2013 by the French Network and Information Security Agency (ANSSI) and obtained its First Level Security Certification (CSPN).

The Bastion has also been certified in Russia since March 2015 (FSTEK product certification).


III BASTION IN A NUTSHELL

III.1 OVERVIEW

The Bastion solution enables IT departments to protect privileged access by managing how privileged accounts operate. Instead of connecting directly to the machine to be configured, a depositary

administrator of a privileged account must go through Bastion which takes charge of performing the necessary verifications of that administrator’s rights. It then authorizes – or not – the administrator’s

connection to the machine and records the session.

The Bastion solution thus sits between the resources to be protected and the persons who have access to these resources, like a proxy security gatekeeper. In this way, it secures access to organizations’ critical

machines (central servers, routers, firewalls, etc.) and plays this role for all enterprise resources such as business applications, industrial machinery control chains, and databases that contain sensitive

information (personal data, manufacturing secrets, etc.).

The Bastion solution also ensures the traceability of administrators’ sessions by offering the ability to

review privileged sessions for audit purposes, troubleshooting, or identifying responsibilities for malicious events, for example. The product has a real-time alert system to flag users breaching corporate security

policy.

The Bastion solution consists of the following four main functional modules:

▪ Session Manager, a module for controlling privileged access without knowing resources’ passwords, and for viewing and recording privileged sessions, thanks to the Wallix patented ephemeral session probe mechanism;
▪ Password Manager, a module for implementing a password rotation policy governing administrators’ access to IT resources (which strengthens system security with respect to password modification and manipulation, and prevents the risk of password leaks);
▪ Access Manager, a web administration console for supervising and auditing all actions by administrators recorded by the Session Manager. This console also makes it possible to aggregate the data recorded by multiple instances of Bastion in the case of “large” infrastructures;
▪ BestSafe PEDM, an agent-based solution allowing the IT department to control administrator operations and to block the launch of specific processes that are not necessary to achieve their tasks;
▪ Wallix Admin Center, a centralized administration portal for Bastions.

Session Manager and Password Manager rely on a highly secure password vault based on AES 256 (256-bit Advanced Encryption Standard) technology.

The Bastion solution protects privileged account access to cloud-based infrastructures hosted by the major public cloud service providers (AWS, GCP and Azure) with a version of the product available specifically for these environments (in the form of a dedicated Virtual Machine).

Also, the combination of multiple instances of Bastion in cloud mode and in on-premises mode enables protection of access to hybrid infrastructures, with an overall view of the information coming from the various instances of the product deployed in the infrastructure, and permits the administrator to manage these instances in a simple and consolidated way.


The Bastion offers an easy-to-use and easy-to-learn user experience, thanks to its intuitive graphical user interface.


III.2 SECURING INFORMATION SYSTEMS

The Bastion solution reduces the risk of technical error and counters malicious acts on IT infrastructures. With Bastion:

▪ it is no longer possible to access critical infrastructure servers without undergoing strict access control; this control applies to internal and external users;
▪ the supervisor can see in real time what privileged account users are doing and can filter sessions to prevent errors and attacks;
▪ the supervisor can replay admin sessions as video or, for command lines, in text format; in the event of a server incident, it becomes easier and quicker to identify the origin of the malfunction;
▪ it is easy for the supervisor to produce proof of an action and pursue malicious perpetrators, as all connections to the web interfaces of equipment or applications are logged. An integrated search engine can be used to quickly find the events corresponding to an incident;
▪ it is not necessary for administrators to know the passwords of the systems to which they have access rights; thus, equipment password management is not impacted by administrator staff changes.

The Bastion solution secures the information system by protecting confidential information against data leaks and against various threats such as industrial espionage:

▪ external or internal administrators have access only to the authorized systems and not to the files and data that they contain;
▪ every access to critical servers containing sensitive data is time-stamped and the actions are recorded, so they can serve as proof and be used for post-mortem analyses;
▪ a system of alerts informs the supervisors of any unauthorized event or any attempt to access confidential and/or sensitive data (such as a prohibited download).

III.3 CONFIGURED FOR COMPLIANCE

The traceability function of the Bastion software suite enables user sessions to be viewed in real time and their activity to be recorded for audit or compliance purposes, particularly in view of the NIS Directive.

The privileged access control function of the Bastion software suite filters these activities to avoid abuses or human error and to prevent data leaks, allowing businesses and organizations to meet their requirements under the GDPR.

The Bastion software suite is certified by ANSSI. This makes it the PAM solution of choice for Vital Operators (VOs) in France and places it in an ideal position to address the requirements of Essential Services Operators (ESOs) in Europe, who are required to use certified solutions to comply with the NIS Directive. The Bastion therefore enables ESOs and VOs to meet the new compliance requirements imposed by the GDPR and the NIS Directive.

In addition, the Bastion enables companies and organizations:

▪ to comply with applicable legislative, regulatory or professional frameworks (ISO 27001 recommendations, Basel rules, Sarbanes-Oxley Act, Arjel gaming rules, audit rules for computer-based accounting, regulations governing the hosting of health data, etc.);
▪ to monitor on a daily basis the actions of external service providers via a tracking tool and to react more quickly in the event of an incident;
▪ to be more credible when applying for professional certification to, for example, host health data.
▪ With WALLIX’s PAM solutions, content becomes inaccessible to users who access servers, applications and databases for management or administrative tasks.

III.4 TECHNICAL BENEFITS OF THE BASTION

A typical PAM solution includes two main modules: a Session Management module and a Password Management module. Session Manager is the most technologically complex component, as fine-tuning it requires excellent technical knowledge and an in-depth understanding of the protocols for connecting to resources, such as RDP and SSH. WALLIX is one of only two market players to have specialized, since 2008, in Session Management, most other players having opted to focus on Password Management first.

WALLIX’s expertise enables it to market advanced functionalities such as:


▪ proxy-based and agent-free architecture: the Bastion solution requires no agents¹ to be rolled out onto user workstations or onto the servers to be protected. Thanks to its architecture, it is non-intrusive and transparent for administrators and users (it integrates seamlessly into existing tools and does not require changes to any of them), rolls out into information systems easily and fast, and costs less to implement and maintain than solutions that require an agent to be installed onto every resource to be protected;
▪ automatic rollout of ephemeral session probes: a functionality based on a WALLIX patent issued in 2017. It allows efficient traceability of the actions performed on targets without the pain of managing updates, rollout and compatibility of agents, as in an agent-based PAM architecture. Lastly, the WALLIX probe being ephemeral, it disappears when the session is closed and is therefore never in an always-on intrusive mode;
▪ among its various functionalities, the Bastion ephemeral session probe:
  - does not rely on OCR for logging the opened/active windows;
  - offers the possibility to block outbound TCP connections from the RDP target system, to block any attempt to penetrate further into the infrastructure from the target system;
  - allows the opening of some processes to be denied during an RDP session;
▪ flexibility of management rules: for example, the WALLIX Bastion solution can be configured to prohibit privileged login obtained through an intermediate resource;
▪ transparent mode, which permits Bastion to be rolled out and used without affecting users’ existing access configurations (IP addresses of target resources, for example) and thus makes Bastion virtually transparent for them;
▪ protocol transcoding, which permits Bastion to adjust to any method for accessing targeted machines and resources while requiring a single method (SSH, for example) for administrators to access Bastion;
▪ protocol control, which allows some protocol features to be enabled or disabled;
▪ simplicity: shared account, simple named account or strengthened named account; Bastion supports these 3 modes with a low running cost.

¹ An agent is a software component that forms part of a PAM software solution and has to be installed on every piece of equipment that the solution secures. Agent-free solutions do away with the often burdensome and expensive need for IT departments to roll out and maintain agents.


IV BASTION MODULES

IV.1 SESSION MANAGER

Session Manager handles access to privileged accounts by permitting the enterprise to define security access levels. Users connect to their individual single account, which gives them access to all the data they need, thereby mitigating the risk of error and malicious actions while maximizing their productivity.

Session Manager records sessions graphically, capturing keystrokes as well as the applications used, thanks to the Wallix patented ephemeral session probe mechanism. It monitors and tracks the activities of users who have logged in and shows which administrator accounts logged in, when, for how long, and to which resources (machine, application, data).

Session Manager permits user sessions to be viewed in real time to analyze their content. The system generates alerts on incidents or human error. A search engine can be used to find proof of an incident or for audit purposes.

Session Manager also provides the capability to prove that the rules governing privileged account access comply with applicable industry standards and regulations. This is extremely useful for corporations as well as for users regularly accessing sensitive data (IT departments, IS security officers, security executives, risk executives, etc.), who can thereby prove their actions to their employer, company, or customers.

Session Manager offers the following main functionalities:

▪ manage and control (govern) privileged accounts: by directly accessing resources via native clients (putty, winscp, openssh, etc.) using connection rules;
▪ approval workflow governance: refuse, authorize, or even conditionally authorize based on duration or timeframe, through high-end access-authorization workflows;
▪ view sessions in real time: watch Remote Desktop Protocol (RDP) sessions, Secure Shell (SSH) sessions, and application sessions; operate “4-eyes supervision” (two remote users for the same session: one working, the other supervising) with the ability to terminate any suspicious or inappropriate session;
▪ alerts: post alerts, and shut down remote sessions based on numerous criteria including whitelisting/blacklisting, optical character recognition (OCR), widget events, and analysis of keyboard patterns;
▪ reporting and audit: identify perpetrators of actions, track logins, generate statistical reports of activity and audit logs, replay user sessions and generate session scripts and metadata; reports can be created around filters such as user names, device types, date, etc. and generated in CSV format for inclusion in other tools such as dashboards;
▪ behavioral analysis and business intelligence: use the session manager to quickly detect suspicious behavior in order to identify and prevent malicious activities; integrate this information into a variety of SIEM systems for automatic decision making and/or alert reporting.
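As an added illustration (not code from WALLIX or from this document), the following Python sketch models the brokering logic this section describes: connection rules evaluated per user, target and protocol, a permitted time window, an approval step, blacklist patterns that either raise an alert or terminate the session, and an audit log that can be searched. The rule format, the decision strings and the sample users, targets, secrets and patterns are all assumptions made for the example.

```python
"""Session brokering and command filtering modelled on the Session Manager
features above (connection rules, approval workflow, time windows, blacklist
alerts, session termination, audit search). Added illustration, not WALLIX
code: rule formats, decision strings and sample data are constructed here."""
from dataclasses import dataclass, field
from datetime import datetime
import re


@dataclass(frozen=True)
class Authorization:
    """One connection rule: who may reach which target account, how and when."""
    user: str
    target: str                   # "<account>@<device>", as the admin sees it
    protocols: frozenset          # e.g. frozenset({"SSH"})
    hours: tuple = (0, 24)        # permitted local-time window [start, end)
    needs_approval: bool = False  # an approver must grant (user, target) first


@dataclass
class Session:
    user: str
    target: str
    protocol: str
    opened_at: datetime
    terminated: bool = False
    transcript: list = field(default_factory=list)


@dataclass
class Broker:
    rules: list
    vault: dict                                  # target -> secret, never shown to users
    blacklist: dict                              # regex -> "alert" | "terminate"
    approvals: set = field(default_factory=set)  # (user, target) granted by approvers
    audit: list = field(default_factory=list)    # time-stamped events for search/replay

    def _log(self, **event):
        self.audit.append(event)

    def authorize(self, user, target, protocol, at):
        """Evaluate the connection rules; returns a decision string."""
        rule = next((r for r in self.rules if r.user == user and r.target == target), None)
        if rule is None:
            decision = "deny:no-rule"
        elif protocol not in rule.protocols:
            decision = "deny:protocol"
        elif not rule.hours[0] <= at.hour < rule.hours[1]:
            decision = "deny:outside-window"
        elif rule.needs_approval and (user, target) not in self.approvals:
            decision = "pending-approval"
        else:
            decision = "allow"
        self._log(kind="connect", user=user, target=target, protocol=protocol,
                  at=at.isoformat(), decision=decision)
        return decision

    def open_session(self, user, target, protocol, at):
        """Open a brokered session, or return None when the rules refuse it."""
        if self.authorize(user, target, protocol, at) != "allow":
            return None
        # The broker logs in to the target with the vaulted secret; the admin
        # authenticated only to the broker and never learns this value.
        _secret = self.vault[target]
        return Session(user, target, protocol, at)

    def inspect(self, session, command, at):
        """Filter one command typed in a live session; returns the action taken."""
        if session.terminated:
            return "rejected:session-terminated"
        session.transcript.append(command)
        action = "allowed"
        for pattern, rule_action in self.blacklist.items():
            if re.search(pattern, command):
                action = rule_action
                session.terminated = action == "terminate"
                break
        self._log(kind="command", user=session.user, target=session.target,
                  command=command, at=at.isoformat(), action=action)
        return action

    def search(self, **criteria):
        """Audit search: events whose fields equal every given criterion."""
        return [e for e in self.audit if all(e.get(k) == v for k, v in criteria.items())]


def sample_time(hour, minute=0):
    """Constructed timestamp on a fixed day, used by the sample scenario."""
    return datetime(2019, 9, 10, hour, minute)


def build_sample_broker():
    """Constructed sample rules, vault entries and blacklist (not real data)."""
    return Broker(
        rules=[Authorization("alice", "root@db01", frozenset({"SSH"}), hours=(8, 18)),
               Authorization("bob", "Administrator@win01", frozenset({"RDP"}),
                             needs_approval=True)],
        vault={"root@db01": "example-secret-1", "Administrator@win01": "example-secret-2"},
        blacklist={r"^\s*rm\s+-rf\s+/\s*$": "terminate", r"\bshutdown\b": "alert"},
    )
```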


IV.2 PASSWORD MANAGER

Password Manager secures passwords and SSH keys in an ANSSI-certified vault (AES 256 encryption algorithm) and manages administrator password rotation within the infrastructure. It also implements application password management, permitting applications that must connect to critical resources to do so securely and without keeping unencrypted versions of the passwords of these target resources in their source code (unfortunately all too often the case in application development environments). Thanks to this new functionality, WALLIX addresses the enterprise application developer (DevOps and DevSecOps) market.

Password Manager offers the following main functionalities:

▪ vault: secure passwords and SSH keys in a certified vault and utilize our open architecture to integrate with other vaults;
▪ governance and security: schedule the rotation and cancellation of passwords and SSH keys, ensure password complexity with customer-defined rules;
▪ advanced secret workflow: set up a configurable, granular security policy per check-in/check-out workflow;
▪ interoperability: an Application Programming Interface (API) permits developers to build and make available a library of password management plugins that support industry-standard platforms (Microsoft, Linux/Unix) but also a variety of more specialized systems (Juniper SRX, Palo Alto PA-500, Fortinet FortiGate, etc.);
▪ Application-to-Application Password Management: ensure secure application connections to critical resources by controlling passwords and SSH authentication keys to the target resources while preserving automation power. Hardcoded passwords and identification configuration files are totally dispensed with.

IV.3 ACCESS MANAGER

Access Manager is a web platform for environments running multiple instances of Bastion, each controlling a part of the infrastructure. This module permits the use of privileged accounts and the control, from a single point, of an entire multi-instance Bastion infrastructure for privileged user, approver and auditor profiles.


Access Manager offers the following main functionalities:

▪ administration and organization: communicate with multiple Bastion targets via an encrypted https channel. The portal is customizable (design, file classification, etc.) and permits file transfers between the workstation and the target Windows resource;
▪ authentication: in addition to standard “directory” authentications, Access Manager supports Security Assertion Markup Language (SAML) 2.0, so it can integrate easily into all infrastructures that have identity federation mechanisms;
▪ multi-tenant architecture & scalability: breach-proof instances of multi-tenant architecture. In cases where a resource is accessible by more than one instance of Bastion, Access Manager allows you to define clusters of active Bastions;
▪ audit and compliance: to supplement Bastion, Access Manager has its own audit functionalities providing an unalterable audit trail of all the sessions it has authorized. The audit log has a multi-criteria search engine that facilitates searches in scripts and session metadata. Sessions can be replayed in full.

IV.4 BESTSAFE PEDM

BestSafe PEDM offers a very effective solution for privilege management that allows organizations to drastically reduce the risk of security breaches on Windows systems without impacting productivity. It uses a unique, patented privilege management technology allowing companies to implement the Principle of Least Privilege in addition to the existing Bastion functionalities.

It increases system security by reducing administrators’ rights to the bare minimum needed to carry out their tasks.

In addition, enriched metadata can be gathered thanks to the BestSafe PEDM agent controlled by the session probe, thus enhancing the traceability functionality of the Bastion.

BestSafe PEDM offers the following main functionalities on Windows-based devices:

▪ Reduce the administrator’s rights to the strict minimum: if a certain process, application or administrative task needs special privileges, BestSafe will grant them only to the corresponding process (whitelist), in a completely transparent manner for the user, who continues to work with minimum permissions. However, if there is any reason to keep certain accounts as administrators, BestSafe can reduce the privileges (gray list) of applications with Internet access (email clients, browsers, etc.) that are potentially dangerous and could compromise the system, denying them access to their resources (registry, system folders, etc.) but without blocking their execution.
▪ Effective anti-ransomware solution: BestSafe can detect in real time when a given process intends to perform an encryption operation, before it is carried out. When detecting an operation of this kind, BestSafe can suspend the process and perform the actions established in the corresponding rule.
▪ Real-time monitoring of applications: with the ability to control encryption operations also comes the ability to control any other operating system function. The possibilities include, but are not limited to, monitoring access to disk, to the registry, to the network, and actions like creating new processes or local user accounts. The possibilities are endless.
▪ Control access to resources by application: BestSafe enables blocking of all outgoing connections of a certain application regardless of the user’s credentials.
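As an added illustration (not BestSafe code), this Python model shows the decisions the list above describes: a whitelisted process receives an elevated token while the user’s account stays unprivileged, a gray-listed Internet-facing application run by a local administrator receives a restricted token that is denied access to protected registry keys and system folders but keeps running, and outbound connections are blocked per application regardless of the user. Image paths, user names and the simplified resource model are assumptions for the example; a real agent enforces such rules inside the operating system.

```python
"""Least-privilege decisions of the kind the BestSafe PEDM section describes:
per-process elevation from a whitelist, a gray list that restricts
Internet-facing applications even when run by a local administrator, and
per-application blocking of outbound connections regardless of the user.
Added illustration, not WALLIX code: rule shapes, image paths and users are
constructed for this example; a real agent enforces this in the kernel."""
from dataclasses import dataclass
from enum import Enum


class Token(Enum):
    STANDARD = "standard"      # least privilege: the default for every process
    ELEVATED = "elevated"      # whitelisted process, or an admin's ordinary process
    RESTRICTED = "restricted"  # gray list: keeps running, cut off from system resources


@dataclass(frozen=True)
class Policy:
    whitelist: frozenset        # images granted ELEVATED whatever the user's rights
    graylist: frozenset         # images forced to RESTRICTED when run by local admins
    protected_prefixes: tuple   # registry keys / folders guarded from non-elevated tokens
    network_blocked: frozenset  # images whose outbound connections are always denied


@dataclass
class Process:
    pid: int
    image: str
    user: str
    token: Token


def _norm(path):
    """Windows paths and registry keys are case-insensitive; compare lowercased."""
    return path.lower()


class Pedm:
    def __init__(self, policy, local_admins):
        self.policy = policy
        self.local_admins = set(local_admins)
        self.events = []          # audit trail: launches and access decisions
        self._next_pid = 1000

    def launch(self, user, image):
        """Choose the token a new process runs with; the user's account is unchanged."""
        img = _norm(image)
        if img in self.policy.whitelist:
            token = Token.ELEVATED      # privileges go to this process only
        elif user in self.local_admins and img in self.policy.graylist:
            token = Token.RESTRICTED    # account stays admin, risky app loses power
        elif user in self.local_admins:
            token = Token.ELEVATED
        else:
            token = Token.STANDARD
        proc = Process(self._next_pid, img, user, token)
        self._next_pid += 1
        self.events.append(("launch", proc.pid, img, user, token.value))
        return proc

    def check(self, proc, kind, target, op):
        """Decide one access. kind: file | registry | network; op: read | write | connect."""
        t = _norm(target)
        protected = t.startswith(self.policy.protected_prefixes)
        if kind == "network":
            # Blocked by application identity, not by who is logged in.
            allowed = proc.image not in self.policy.network_blocked
        elif proc.token is Token.ELEVATED:
            allowed = True
        elif proc.token is Token.STANDARD:
            allowed = op == "read" or not protected   # may read system areas, not change them
        else:  # RESTRICTED: no access at all to protected areas, reads included
            allowed = not protected
        self.events.append(("access", proc.pid, kind, t, op, "allow" if allowed else "deny"))
        return allowed


def build_sample_pedm():
    """Constructed sample policy and accounts (not real data)."""
    policy = Policy(
        whitelist=frozenset({_norm(r"C:\Program Files\Vendor\updater.exe")}),
        graylist=frozenset({_norm(r"C:\Program Files\Mozilla Firefox\firefox.exe"),
                            _norm(r"C:\Program Files\Microsoft Office\outlook.exe")}),
        protected_prefixes=("hklm\\", "c:\\windows\\", "c:\\program files\\"),
        network_blocked=frozenset({_norm(r"C:\Tools\legacy-agent.exe")}),
    )
    return Pedm(policy, local_admins={"bob"})
```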

IV.5 WALLIX ADMIN CENTER

Bastion Admin Center is a centralized administration portal for Bastions.

It dramatically helps Bastion administrators in their day-to-day activities by offering the ability, through a simple web browser client, to create and manage target accounts on clusters of Bastions, along with their authorizations, in a simple and efficient manner.

Bastion Admin Center offers the following main functionalities:

▪ Save & Store Bastion configuration: import existing CSV configuration files (hostname, username, port, account, etc.) and manage deltas; save the existing configuration securely: everything is done on a zero-knowledge basis (RSA encryption is performed locally before any configuration file is sent to the server, so the data is secured);
▪ Push & Manage Bastion configuration: deploy or replicate any existing configuration to different Bastions.

The Bastion Admin Center is a service operated by WALLIX.

IV.6 DEPLOYMENT OPTIONS

The Bastion can be deployed in several modes according to the customer’s environment and preferences: on the major public cloud platforms, in virtualization mode or on-premises, to best fit the need. For customers not willing to manage the Bastion infrastructure, our managed services offer a variety of hosting possibilities.

The Bastion can be deployed in master/slave configuration offering high availability of the solution.


IV.7 INTEROPERABILITY

The Bastion’s REST API web service allows administrators to control the main functions of the Bastion, such as the provisioning of user accounts, target accounts or authorizations, in a seamless manner.

The goal is to allow information synchronization between a central repository containing this information (e.g. an IAM or CMDB type solution) and a WALLIX infrastructure, leading to a drastic reduction of the total cost of ownership of the Bastion solution.

In addition, WALLIX is developing technological partnerships and alliances with key actors of the cybersecurity sector to ensure the Bastion’s interoperability in a best-of-breed environment.


V CASE STUDIES

The Bastion solution has been adopted by large accounts and mid-size companies.

The Company believes it has an excellent image among large and mid-size companies. Of WALLIX’s portfolio of customers, 15 are represented in the CAC 40, and 11 in the SBF 120.

PSA Group’s internal security policy requires that actions with strong privileges be tracked in order to detect potential threats. The main risks identified are identity theft or permissions theft. Additionally, in its banking activities, PSA Group is subject to the standards of the Basel II Agreement and is audited annually. Initially installed in 2011 as an experiment, WALLIX Bastion is now fully deployed in an industrial environment and perfectly integrated with PSA’s existing business solutions such as Identity Access Management for rights and equipment management (Configuration Management Database / CMDB).

PSA Group’s security expert has recognized the versatility of the tool and its ability to maintain service quality in all circumstances: in normal operating mode as well as in disaster recovery mode. On the strength of this success, in early 2017 PSA migrated to the latest, more powerful version of the solution, which features faster response time, and set up a project to roll it out on several thousand Windows servers.

“We continue to deploy Bastion as we have demonstrated that the solution is reliable, that the integration is seamless, and that it meets all our tracking and automation requirements.”

Thierry Hec – PSA Group Security Expert

Claranet’s Security and Compliance Division, led by its Chief IS Security Officer, ensures that security standards and best practices are followed in the operation of and changes to the information system and platforms hosted for its customers, to ensure the integrity, availability and protection of data.

Claranet initially used WALLIX services as part of its e-Health offering in order to obtain health data hosting certification (Hébergeur de Données de Santé / HDS) from the French shared health information systems agency (Agence des Systèmes d’Information Partagés de Santé / ASIP), which requires a system for tracking access to platforms via a single interface that centralizes all access. The installation of this system in 2012 enabled it to set up and run a large-scale project for a major municipal hospital (Centre Hospitalier Intercommunal de Créteil), the first-ever outsourcing of all the information of a hospital by a healthcare data hosting provider. All access traffic to the platform by the hospital’s administrators is now tracked.

“Bastion has become the standard in the e-health market. It’s a sign of trust that reassures customers.”

Emmanuel Novice – Director, e-Health Services, Claranet

For some years, the growing threat of cybercrime associated with the digitalization of work methods (e.g. the advent of tablets and mobile phones) and the use of external service providers led CASDEN’s Information Systems (IS) Security team to rethink its IS strategy and governance. Its first action was to put in place a privileged access management solution.

CASDEN (Banque Populaire group) naturally turned to WALLIX Bastion. For CASDEN’s relatively small operations team and an infrastructure running several types of operating systems, Bastion’s ease of installation, efficient deployment methodology and fast support response proved to be an ideal cost control and time control solution. Technical integration proceeded in 2012 with no problems. Hundreds of Linux servers are now administered by Bastion and dozens of users are involved.

“It’s about raising awareness among users, administrators and service providers rather than repressing them. Without trust, you can’t do business.”

Benoit Fuzeau – Head of IS Security, CASDEN – Banque Populaire


SIAAP is the wastewater treatment consortium for the Paris region (Syndicat Interdépartemental d’Assainissement des eaux de l’Agglomération Parisienne). It is not classified as a Vital Operator (VO) but strives to follow the rules issued by ANSSI. As some of its sites are classified Seveso “High Threshold”, infrastructure security, and in particular the control of access to water treatment equipment, is a major challenge for SIAAP.

The management of VPN access for external service providers and the introduction of rules for machinery and equipment were becoming a heavy workload for IT teams. Access to SCADA supervision had to be secured for certain agents, particularly when on standby. As they would log in via RDP on a workstation situated between the IT firewalls and industrial firewalls, there had to be better visibility. SIAAP ultimately wanted to implement a solution that was fast to deploy and easy to administer. WALLIX Bastion was rolled out at SIAAP in 2016 to meet these requirements.

“Thanks to its functionalities for access control and tracking of administrative operations, Bastion has enabled us to substantially strengthen the security of our infrastructures and equipment.”

Stéphane Corblin – Head of Network and Security Architecture at SIAAP

Gulf Air owns 11 manufacturing plants at shop floor level and faced some complex, default workflows, errors and malfunctions which often required remote maintenance and the help of external support engineers for various machines. In addition, Gulf Air needed to comply with multiple regulations such as PCI-DSS and ISO 27001.

Having deployed the Bastion in redundant mode on their premises, all remote maintenance experts now access critical machines via WALLIX Access Manager. Gulf Air can now claim a 99.99% uptime guarantee across 11 manufacturing sites, for 180 remote connections and 650 critical shop floor machines, as well as a drastic reduction of internal workloads.

“WALLIX helped in providing real time resource management, reporting and monitoring capabilities for IT administrators, improving the overall efficiency of Gulf Air’s IT function. Also, Privileged Access Management is instrumental for Gulf Air in complying with the required international and industry standards. We’re currently certified against the ISO 27001 standard and maintain compliance with PCI-DSS.”

Dr Jassim Haji, IT Director, Gulf Air

The Saint Quentin hospital is a complex organization hosting several extremely sensitive and high-tech pieces of equipment such as magnetic resonance imaging systems, scanners, or radiographic solutions. This equipment requires regular checks to ensure its availability and accuracy. Thus, multiple external providers connect remotely to specific apps, IT and biomedical solutions on a weekly basis. The challenge is therefore to guarantee access to remote administrators performing maintenance operations at any time without jeopardizing the security policy of the hospital.

The Bastion and its monitoring and recording function have been deployed in this hospital complex with precise access rights assigned to privileged users. The hospital complex is now meeting its regulatory requirements.

"It is extremely reassuring for us and proof of our trust as we have more than a hundred external service providers logging on to our network.”

Jean-Baptiste Gard, CISO


WALLIX, a Limited Liability Company with share capital of €50,000, having its registered office at 250 bis, rue du Faubourg Saint Honoré, 75008 – PARIS - FRANCE, registered at the Registry of Trade and Companies of Paris under number B 450 401 153 – FR67 450 401 153

WALLIX BESTSAFE

PRODUCT OVERVIEW

V1 – SEPTEMBER 2019


Wallix BestSafe - Product Overview V1 - AUGUST 2019 2 / 17

Table of Contents

I INTRODUCTION ..... 3
I.1 OBJECT ..... 3
I.2 SCOPE AND EXPIRY ..... 3
I.3 RELATED DOCUMENTS ..... 3
I.4 REVISION HISTORY ..... 3
I.5 ABBREVIATIONS ..... 3
II BESTSAFE POSITIONING AND VALUE PROPOSITION ..... 4
II.1 WHAT IS POLP? ..... 4
II.2 BENEFITS OF USING THE PRINCIPLE OF LEAST PRIVILEGE ..... 4
II.3 THE DRAWBACKS FROM POLP ..... 5
II.4 REGULATIONS ..... 5
II.5 WHAT IS PEDM? ..... 6
II.6 WHICH BUSINESS SECTORS REQUIRE A PEDM SOLUTION? ..... 6
II.7 POSITIONING ..... 7
II.8 ABOUT WALLIX ..... 8
II.9 AWARDS ..... 8
III BESTSAFE IN A NUTSHELL ..... 8
III.1 OVERVIEW ..... 10
III.2 KEY FEATURES ..... 11
III.3 BENEFITS ..... 12
III.4 BUSINESS BENEFITS ..... (page reference missing in the source)
III.5 TECHNICAL CONSIDERATIONS ..... 13
III.6 TECHNICAL BENEFITS ..... 16
IV KEY USAGE SCENARIOS ..... 17


Wallix BestSafe - Product Overview V1 - AUGUST 2019 3 / 17

I INTRODUCTION

I.1 OBJECT

WALLIX is a cybersecurity software publisher and Europe's leading player focused on protecting the most vulnerable element: human behavior.

Although there is a wide variety of solutions for perimeter security, the reality is that malware is still reaching the end user and the impact on the company's assets is growing every day. Our Privileged Elevation and Delegation Management technology, combined with our Bastion, allows us to offer a suite of solutions that helps protect users and companies from any type of malware, existing or future, by implementing the Principle of Least Privilege (PoLP) on Microsoft Windows environments.

This document describes BestSafe, covering the V3 release. It is not designed to present all of BestSafe's functions and features. For details of how to use a specific functionality, please contact [email protected]

I.2 SCOPE AND EXPIRY

This document is released on a quarterly basis, and readers should obtain the latest version prior to use. This document version has no expiration date. However, updated versions may be released.

I.3 RELATED DOCUMENTS

TYPE            TITLE
Presentation    BestSafe in a Nutshell
Documentation   BestSafe Admin Guide

I.4 REVISION HISTORY

VERSION         OBJECT OF THE REVISION
2019 AUGUST     Creation

I.5 ABBREVIATIONS

ANSSI Agence Nationale de la Sécurité des Systèmes d’Information (France)

CLOUD Act Clarifying Lawful Overseas Use of Data Act

DSP Digital Service Providers

E2EE End-to-End Encryption

ESO Essential Services Operators

GCP Google Cloud Platform

IAM Identity and Access Management

IdaaS Identity as a Service

IGA Identity Governance and Administration

IoT Internet of Things

IS Information Systems

MMC Microsoft Management Console

PAM Privileged Access Management


PEDM Privileged Elevation and Delegation Management

PoLP Principle of Least Privilege

SIEM Security Information and Event Management

SSH Secure Shell

SSO Single Sign On

TCO Total Cost of Ownership

VO Vital Operator

II BESTSAFE POSITIONING AND VALUE PROPOSITION

II.1 WHAT IS POLP?

The Principle Of Least Privilege (POLP), an important concept in computer security, is the practice of limiting access rights for users to the bare minimum permissions they need to perform their work. Under POLP, users are granted permission to read, write or execute only the files or resources they need to do their jobs: in other words, the least necessary privileges.

For example, an HR staffer may need read and write access to the enterprise payroll database, but that same employee would have no need to access the enterprise client database; at the same time, an employee in the sales department would need access to the client database, but would be denied access to the payroll database.

Ensuring that employees are assigned the correct privileges prevents giving employees access to systems they don't need while also preventing malicious workers from accessing systems or data outside of their job functions. In addition, if an employee's credentials are compromised, the thief can only gain that employee's privileges.

However, the principle of least privilege isn't just about taking away privileges from users who don't need them. It is also about monitoring and managing access for those who do need access, such as software developers.

Security teams should use privileged access management tools to audit their development environments to prevent privilege creep, the gradual accumulation of access rights beyond what developers need to do their jobs. Teams should also monitor when and how developers use their accounts so security information and event management tools can immediately identify irregular activity.
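The payroll/client-database example and the privilege-creep audit described above, as an added worked example that is not WALLIX or BestSafe code: the role baselines, resource names, users and grants are constructed for illustration, and in a real audit the baselines would come from the access-governance system and the grants from the directory or application ACLs.

```python
"""Least-privilege check and privilege-creep audit.

Added example, not WALLIX/BestSafe code. Roles, resources and users below
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Right = Tuple[str, str]  # (resource, permission)

# Constructed role baselines: the rights a role needs to do its job.
ROLE_BASELINE: Dict[str, Set[Right]] = {
    "hr": {("payroll_db", "read"), ("payroll_db", "write")},
    "sales": {("client_db", "read"), ("client_db", "write")},
    "developer": {
        ("source_repo", "read"), ("source_repo", "write"),
        ("build_server", "read"), ("build_server", "write"),
    },
}


@dataclass
class User:
    name: str
    role: str
    granted: Set[Right]  # what the user actually holds today


def is_allowed(user: User, resource: str, permission: str) -> bool:
    """A right is effective only if it is both granted and inside the role
    baseline, so a stale or excessive grant never widens access."""
    right = (resource, permission)
    return right in user.granted and right in ROLE_BASELINE.get(user.role, set())


def excess_rights(user: User) -> List[Right]:
    """Rights held beyond the baseline: the 'privilege creep' to revoke."""
    return sorted(user.granted - ROLE_BASELINE.get(user.role, set()))


def audit(users: List[User]) -> Dict[str, List[Right]]:
    """Map each over-privileged user to the rights that should be removed."""
    return {u.name: excess_rights(u) for u in users if excess_rights(u)}


# Constructed sample population.
SAMPLE_USERS = [
    User("hr.staffer", "hr", {("payroll_db", "read"), ("payroll_db", "write")}),
    # Sales rep who picked up payroll read access during a migration project.
    User("sales.rep", "sales",
         {("client_db", "read"), ("client_db", "write"), ("payroll_db", "read")}),
    # Developer who was given production database write access "temporarily".
    User("dev.one", "developer",
         {("source_repo", "read"), ("source_repo", "write"),
          ("build_server", "read"), ("build_server", "write"),
          ("prod_db", "write")}),
]

if __name__ == "__main__":
    for name, rights in audit(SAMPLE_USERS).items():
        print(f"{name}: revoke {rights}")
```

The check deliberately requires both the grant and the baseline: if a SIEM or PAM review runs `audit` periodically, the findings are the revocation list, and until they are actioned `is_allowed` still refuses the creep.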

II.2 BENEFITS OF USING THE PRINCIPLE OF LEAST PRIVILEGE

In 2016, Forrester Research estimated that 80% of security breaches involve privileged credentials. Threat actors can obtain privileged credentials and then use the access granted by those credentials to move laterally through an enterprise environment, access critical applications and systems, and maintain persistent access to the environment. However, enforcing least privilege reduces an organization's security risk and minimizes the potential disruption to the business from a security incident or data breach.

Employing POLP provides numerous benefits to organizations, starting with reducing an organization's attack surface. Restricting privileges for people, applications and processes also reduces the pathways and entrances into enterprise networks.

The principle of least privilege is also important for reducing malware infection and propagation. Applying POLP means decreasing the risk that hackers will be able to steal passwords or install malicious code that could be delivered via the web or email attachments. POLP can also help reduce the proliferation of malware because when malware infects a system strengthened by the principle of least privilege, it is often possible to contain the infection to the system where it first entered.

POLP also can help with data classification, which enables companies to know what data they have, where it resides and who has access to it, in the event of unauthorized access.

Finally, applying the principle of least privilege can help restrict hacker access. Because users will only have access to what they need, anyone who compromises user accounts will only have access to limited resources.


In summary:

▪ Stronger security: Edward Snowden was able to leak millions of NSA files because he had admin privileges, though his highest-level task was creating database backups. Since the Snowden leaks, the NSA has employed the principle of least privilege to revoke higher-level powers from 90% of its employees.
▪ Minimized attack surface: Hackers gained access to 70 million customer accounts at Target [1] through credentials that were stolen from a third-party contractor who had permission to upload executables. By failing to follow the principle of least privilege, Target had created a very broad attack surface.
▪ Limited malware propagation: Malware that infects a system bolstered by the principle of least privilege is often contained to the small section where it entered first.
▪ Higher stability: Beyond security, the principle of least privilege also bolsters system stability by limiting the effects of changes to the zone in which they're made.
▪ Improved audit readiness: The scope of an audit can be reduced dramatically when the system being audited is built on the principle of least privilege. What's more, many common regulations call for POLP implementation as a compliance requirement.

II.3 THE DRAWBACKS FROM POLP

When organizations have tried to implement PoLP in the past, the general practice was to go overboard to ensure that privilege abuse wasn't possible. Unfortunately, this led to many organizations turning everything off, including local administrator accounts, even making many of their important employees simple standard users. Standard users in most environments can't even perform basic functions, such as connecting to WiFi or installing a printer (or even changing the clock time!).

This extreme least privilege position started to impact productivity and the general functioning of the business. Help desk calls would increase and the IT team would become overwhelmed with problems that could have been easily avoided if a more rational approach to PoLP had been taken.

Many organizations addressed this problem by making all their users local administrators, creating the exact reverse problem of an abundance of over-privileged users. In many ways, striking that balance is still a major issue for many businesses. It's an important one to get right, as hackers often look for these local administrator accounts to gain access to the system.

II.4 REGULATIONS

The proliferation of large-scale attacks and the resulting risks are driving governments and regulators to frame new legislation in Europe, America, Asia Pacific, the Middle East and Africa, mainly to protect personal and confidential data. Thus, regulations are the logical result of increased cybersecurity risks.

However, European and US regulations are drawing lines in opposite directions:

▪ In Europe, the GDPR and NIS regulations impose strict rules on companies in the treatment of data to ensure its privacy.
▪ In the United States of America, the CLOUD Act (Clarifying Lawful Overseas Use of Data Act) requires U.S.-based technology companies to provide requested data to US federal agencies regardless of whether the data are stored in the US or on non-US soil, without the owner of the data being informed, nor its country of residence, nor the country where the data are stored.

In addition, several regulations require players in certain sectors and/or countries to put in place PAM solutions:

Europe:
▪ NIS Directive
▪ GDPR
▪ France: LPM, HDS, PGSSI
▪ Germany: IT Security Act, Federal Data Protection Act
▪ UK: Computer Misuse Act

USA:
▪ CLOUD Act
▪ Computer Fraud & Abuse Act
▪ Electronic Com. Privacy Act
▪ NIST SP
▪ NERC/CIP
▪ US NRC
▪ HIPAA
▪ S-OX
▪ 23 NYCRR 500
▪ PCI-DSS
▪ Gramm-Leach Bliley Act
▪ State specific regulations

Asia:
▪ China: National Security Law, CINISPMR
▪ Japan: UCAL, APPI
▪ South Korea: APICI, ICNA, PIPA
▪ India: IT Act, Privacy Rules
▪ Singapore: CMCA, PDPA
▪ Australia: Telcos Act, Privacy Act

[1] https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

The global cybersecurity market is directly benefiting from the momentum of such regulations. For example, to comply with the GDPR, companies are required to protect the personal data of persons who interact with their IT infrastructure (employees, customers, etc.). Liability for any leak of personal data may be imputed to the company that is the victim of the attack. To avoid such a situation, companies must invest in data protection solutions such as WALLIX PEDM, complementing existing cybersecurity systems like end-to-end data protection, Privileged Access Management and Identity and Access Management.

II.5 WHAT IS PEDM?

PEDM, Privilege Elevation and Delegation Management, is the solution which implements PoLP, the Principle of Least Privilege. A PEDM tool controls the escalation of privileged accounts. Such a tool makes it possible to elevate and delegate privileged tasks to non-admin users that require temporary access to target systems. After the privileged tasks are completed, access rights are revoked.

II.6 WHICH BUSINESS SECTORS NEED A PEDM SOLUTION?

All business sectors need PEDM solutions. A selection of them is given below.

Healthcare

Healthcare institutions operate against a backdrop of constant change, and their ability to modify their practices and procedures at the drop of a hat determines their success. Now that paper is passé, healthcare information systems must adapt to the digital and mobile era. Patient protection extends beyond ensuring their health: it also includes securing their medical records, which hold valuable information and must be protected from theft, data leaks, and service disruptions.

The protection of private data and of the end points hosting these data is driving continuous improvement in healthcare information systems. In today's environment, trust chains need to be created to smooth the process of seeking healthcare. With organizations flocking to the cloud, data security risks take on a whole new dimension. The challenges involved in securing healthcare data have a direct effect on the chain of hosting service providers or IT services (e.g. magnetic resonance imaging systems, scanners, or radiographic solutions).

Bank & Insurance

Ensuring the security of banking end points, and especially containing the potential implications when one falls into the wrong hands, is a permanent and pressing concern for the financial sector. Highly coveted personal data and the potential payout it represents to cybercriminals make the financial sector a prime target. Given the sheer number of service providers involved in each step of a banking transaction, the processes required to guarantee the security of banking end points are further complicated. This complication clouds the accountability of banking systems and magnifies the scale of the threat.

Along with the new security challenges that the digital transition brings about (think applications, online payment, mobile access, and cloud-hosted services that need to be secured), banks and insurance firms must always demonstrate due diligence. They need to implement innovative and specialized tools that can guarantee the confidentiality, integrity, and traceability of their clients' personal data and of their employees' end points.

Cloud & Telcos

Cloud computing has irreversibly revolutionized how and how much data can be stored by virtualizing data hosting within private, public, and hybrid cloud environments. However, digital service providers (DSPs) and their clients cannot fully harness the benefits of this transformation unless they adapt their security measures to these new environments. It may seem easy, but virtualizing data is hard work. DSPs must protect and manage the migration of their systems to the cloud while also ensuring a seamless process for their clients' data and mission-critical applications regardless of business sector (finance, human resources, healthcare, etc.).

To ensure that they are providing a service that adds real value to their end users, DSPs must ensure this transition is smooth. They must ensure their compliance with all the regulations governing various sectors, offer reliable third-party application maintenance, and guarantee the encryption of crucial data and end points as well as the traceability of actions performed on their systems.

WALLIX BestSafe can address these problems, but businesses and organizations are still too weakly equipped.

II.7 POSITIONING

The technological sector of cybersecurity encompasses numerous categories and sub-categories of product and solution. BestSafe feeds into the Protect category and Access Control sub-category.

The current WALLIX Bastion portfolio encompasses Session Manager, Password Manager, Access Manager, BestSafe and WALLIX Admin Center.

In addition, it must be noted that WALLIX BestSafe can also be deployed on desktops or laptops to protect regular employees' end points.


II.8 ABOUT WALLIX

Founded in 2003, WALLIX is the French leader in IT security software solutions for managing network security and critical IT infrastructures. WALLIX is a European company located in France, the United Kingdom and the United States. More than 700 companies and organizations around the world now place their trust in WALLIX for their IT security solutions.

WALLIX works with the IT departments of customers ranging from mid-sized companies to large groups and public organizations to provide innovative solutions that meet the challenges of tracing all operations and managing identities and access rights. Our solutions are engineered to fit seamlessly into the customer's IT system and ensure compliance with the latest IT security standards.

With a strategy based on innovation, agility and the capability to respond to emerging market needs, WALLIX offers a suite of open-ended solutions tailored to meet the specific needs of its customers.

WALLIX distributes its solutions through a network of partners, who are fully trained and certified and have comprehensive knowledge of our solutions.

WALLIX has developed DataPeps, an end-to-end encryption technology which makes it possible to secure clients' data in any application: stored data are encrypted without access to the decryption keys. Even successful cyber-attacks won't be able to access clients' data.

In 2019 WALLIX acquired Simarks and Trustelem to extend its portfolio to the PEDM and IDaaS markets.

More information is available on www.wallix.com/en

II.9 AWARDS

The BestSafe solution has received multiple awards, including:

First prize for the most innovative product in terms of cybersecurity (June 2017): the magazine "Red Seguridad" presented the prizes corresponding to the 11th edition of the ICT Security Trophies to companies, institutions and professionals that stood out for their work in this field. In this edition, BestSafe was awarded the first prize in the "Most Innovative Product, Service or System" category within the scope of cybersecurity.

First finalist in the 11th edition of the EntrepreneurXXI Awards in the Community of Madrid promoted by Caixabank (March 2018). The EntrepreneurXXI Awards are an initiative promoted by "la Caixa" which aims to identify, recognise and accompany young companies with greater growth potential. These Awards are co-granted with the Ministry of Economy, Industry and Competitiveness through Empresa Nacional de Innovación, S.A. (ENISA) in Spain and Banco BPI in Portugal and have the support of more than 130 leading entities involved in supporting the development of innovative companies.

III BESTSAFE IN A NUTSHELL

BestSafe eliminates the need to use accounts with elevated permissions thanks to privilege management and process control never seen before, achieving unparalleled security on all endpoints.

▪ Eliminate administrator rights for standard users and get a highly secure network.
▪ White list for corporate applications, gray list for dangerous applications, blacklist for malware.
▪ At last, an effective solution against ransomware.
▪ Avoid having the same local password on all computers.
▪ Deny an application access to local or remote folders.
▪ Centralized management, fully integrated with Active Directory.
▪ Visibility and analysis allow you to make sound decisions.

BestSafe can be deployed to address two contexts:

▪ Implementation of the least privilege principle on Windows-based infrastructure targets of the type usually addressed by the WALLIX Bastion: servers, databases, heavy clients, etc. In this context, BestSafe is the PEDM module of WALLIX Bastion.
▪ Implementation of the least privilege principle on Windows-based computers, laptops, and groups of computers or laptops. In this context, BestSafe addresses end points.

III.1 BESTSAFE AS THE PEDM MODULE OF WALLIX BASTION

III.2 BESTSAFE FOR END POINTS


III.3 OVERVIEW

BestSafe offers a very effective solution for privilege management that allows organizations to drastically reduce the risk of security breaches on Windows systems without impacting productivity.

At the same time, it guarantees that the company's compliance guidelines are met. The BestSafe administration tool is rule-based and does not require much dedication from the IT staff. With a single, simple rule you can, for example, prevent the execution of "ransomware" on any computer on your network with close to 100% reliability.

BestSafe is a tool focused on privilege management for any Microsoft Windows operating system version and edition running on any workstation, desktop, laptop or server, on any physical, portable or virtualized hardware.

The main goal of BestSafe is to allow administrators to assign a process the security context it has to be executed with, no matter which user credentials it was created with. However, BestSafe also offers complete support for traditional per-user privilege management.

We use a unique, patented privilege management technology that allows companies to implement the Principle of Least Privilege and offers a real possibility of having zero administrators without affecting productivity.

This approach allows users to work with their endpoints under their "standard user" account while performing administration tasks, like running applications that need elevated privileges (perhaps to change power settings, add hardware, etc.), only when needed and when IT has granted them permission to do so. BestSafe gives IT and Security departments full control over who performs these actions, when and how.

Very often companies try to implement PoLP (Principle of Least Privilege). PoLP is the practice of limiting the access a user has to the minimum level that's required for normal functioning. Applied to employees, PoLP translates to "give people the lowest level of rights they can have and still do their job".

When organizations try to implement PoLP, it collides with other initiatives that have higher priority and greater impact in financial and economic terms, making it almost impossible to apply PoLP at an organization-wide level.

Organizations have to make a decision based on financial terms, security risks, employee productivity and overall operational effectiveness as a result of applying PoLP. Most organizations make the hard decision to allow users to work with their desktops, laptops or workstations under an administrator account. That decision puts the company in a very risky situation, being unprotected against any form of malware and allowing users to make inappropriate use of their corporate desktops. Even when users exercise good judgement, malware is still there as a threat.

IT loses control over who deploys any corporate or non-corporate software on the company's workstations, when and how, and relies only on the antivirus to protect endpoints against any form of malware, advanced threat or targeted attack.

There may be times when an organization prioritizes IT security and doesn't want to assume any security risk. In those cases, organizations find themselves with traditional software deployment tools that don't make use of any privilege management technology, which prevents them from applying PoLP. That's because the traditional software deployment approach collides with the operating system's security settings, and applying PoLP would have a big impact on user productivity and IT operational effectiveness.

Traditional privilege management tools are focused on limiting the time an account may have administration rights and on managing when, where, and who can use that account. However, once the account is granted administrator rights and the employee uses it to log on to the machine, every process thereafter will also have administrator rights.

With BestSafe companies can go further: besides assigning privileges at the user level, BestSafe can assign privileges at the process level.

BestSafe can apply rules based on any combination of the following filters:

▪ Computer, group of computers
▪ User or group of users
▪ Computers located under any Organizational Unit
▪ Computers located under any container
▪ Computers belonging to any Subnet
▪ Computers belonging to any Site
▪ Every computer contained in an Active Directory domain
▪ Windows Desktop version (from Windows XP to Windows 10)
▪ Windows Server version (from Windows 2003 to Windows 2019)
▪ Windows edition (32 or 64 bit).
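How process-level privilege assignment driven by such filter combinations works in practice, as an added example that is not BestSafe code: the rule schema, the filter names (image, computers, users, groups, ou_suffix, subnet, os_family, bits), the actions (elevate, restrict, deny), the first-match ordering and the "standard token by default" policy are all assumptions chosen to mirror the filter list above, and the sample rules and launch contexts are constructed. The point it makes is the one from the overview: the decision is taken per process launch, so the same user can get an elevated token for one image and a restricted one for another without ever holding administrator rights.

```python
"""Process-level privilege rules evaluated against a launch context.

Added example, not BestSafe code. The rule schema, filter names and actions
are assumptions chosen to mirror the filter list above; the sample rules
and launch contexts are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class LaunchContext:
    """What the endpoint agent knows when a process is about to start."""
    computer: str
    user: str
    groups: Set[str]
    ou: str          # distinguished name of the OU holding the computer
    ip: str
    os_family: str   # "desktop" or "server"
    bits: int        # 32 or 64
    image: str       # executable file name


@dataclass
class Rule:
    name: str
    action: str                       # "elevate", "restrict" or "deny"
    image: Optional[str] = None
    computers: Optional[Set[str]] = None
    users: Optional[Set[str]] = None
    groups: Optional[Set[str]] = None
    ou_suffix: Optional[str] = None   # computers anywhere under this OU subtree
    subnet: Optional[str] = None      # CIDR, e.g. "10.0.5.0/24"
    os_family: Optional[str] = None
    bits: Optional[int] = None

    def matches(self, ctx: LaunchContext) -> bool:
        """Every filter that is set must match; unset filters match anything."""
        if self.image and self.image.lower() != ctx.image.lower():
            return False
        if self.computers and ctx.computer.upper() not in {c.upper() for c in self.computers}:
            return False
        if self.users and ctx.user.lower() not in {u.lower() for u in self.users}:
            return False
        if self.groups and not (self.groups & ctx.groups):
            return False
        if self.ou_suffix and not ctx.ou.lower().endswith(self.ou_suffix.lower()):
            return False
        if self.subnet and ipaddress.ip_address(ctx.ip) not in ipaddress.ip_network(self.subnet):
            return False
        if self.os_family and self.os_family != ctx.os_family:
            return False
        if self.bits and self.bits != ctx.bits:
            return False
        return True


def decide(rules: List[Rule], ctx: LaunchContext) -> Tuple[str, Optional[str]]:
    """First matching rule wins. With no match the process keeps the caller's
    standard-user token, which is the least-privilege default."""
    for rule in rules:
        if rule.matches(ctx):
            return rule.action, rule.name
    return "standard", None


# Constructed rule set. Order matters: deny rules first, then gray-list
# restrictions, then the narrow whitelist of elevations.
RULES = [
    Rule("deny-legacy-tool-on-32bit", "deny", image="legacytool.exe", bits=32),
    Rule("graylist-browser", "restrict", image="browser.exe",
         ou_suffix="DC=corp,DC=example"),
    Rule("elevate-printer-setup-for-helpdesk", "elevate", image="printui.exe",
         groups={"Helpdesk"}, os_family="desktop"),
    Rule("elevate-backup-agent-on-backup-vlan", "elevate", image="backupagent.exe",
         subnet="10.0.5.0/24", os_family="server"),
]


def sample_decisions() -> List[Tuple[str, str]]:
    """Run a few constructed launches through the rule set."""
    ws = dict(ou="OU=Workstations,DC=corp,DC=example", ip="10.0.1.20",
              os_family="desktop", bits=64)
    srv_ou = "OU=Servers,DC=corp,DC=example"
    launches = [
        LaunchContext("WS01", "alice", {"Helpdesk"}, image="printui.exe", **ws),
        LaunchContext("WS02", "bob", {"Sales"}, image="printui.exe", **ws),
        LaunchContext("WS02", "bob", {"Sales"}, image="browser.exe", **ws),
        LaunchContext("SRV01", "svc_backup", set(), srv_ou, "10.0.5.7", "server", 64, "backupagent.exe"),
        LaunchContext("SRV02", "svc_backup", set(), srv_ou, "10.0.9.7", "server", 64, "backupagent.exe"),
    ]
    return [(f"{ctx.image}@{ctx.computer}", decide(RULES, ctx)[0]) for ctx in launches]


if __name__ == "__main__":
    for launch, action in sample_decisions():
        print(f"{launch}: {action}")
```

Matching on the image name alone is the weak part of any such rule set; a production engine would identify the executable by publisher signature or hash, because a file name is trivially copied.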

Additionally, BestSafe provides the following other services:

▪ Local Administrator Password management
▪ Local group membership management
▪ Cryptographic operation control
▪ Restrict file modifications at NTFS level

III.4 KEY FEATURES

Real possibility of having zero administrators

Right after the deployment of BestSafe, organizations can begin to get rid of privileged accounts. If a certain process, application, or administrative task needs special privileges, BestSafe will grant them only to the corresponding process (whitelist), in a completely transparent manner for the end user, who will continue to work with minimum permissions. However, if there's any reason to keep certain accounts as administrator, BestSafe can reduce the privileges (gray list) of applications with Internet access (email clients, browsers, etc.) that are potentially dangerous and could compromise the system, denying them access to their resources (registry, system folders, etc.) but without blocking their execution.

The possibilities of BestSafe do not end there. The ability to control the security context offers a series of functionalities to protect applications that go far beyond the traditional concepts existing until now.

Effective anti-ransomware solution

BestSafe is able to detect in real time when a certain process intends to perform an encryption operation, before it is carried out. When it detects an operation of this kind, BestSafe suspends the process and performs the actions established in the corresponding rule, which can be generic or based on thresholds decided by the administrator (e.g., a high number of encryption operations in very little time can never be performed by a human being). The decision can also be delegated to a Smart SOC or to an artificial intelligence, which can kill the process or allow it to resume. In addition, BestSafe offers the possibility of storing every key used to encrypt, to be able to decrypt later.

The results obtained with this technology have an effectiveness close to 100%, much higher than the mechanisms of other technologies such as probes, baits, etc.
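The threshold rule described above, as an added example that is not BestSafe code: the document says each encryption operation is seen before it happens and that the rule may be threshold-based, so this block implements a per-process sliding-window counter over a constructed stream of such events and suspends the process the moment it exceeds the limit. The event shape, the window rule, the decision labels and the image-name allow-list are assumptions; the sample events (a user encrypting three documents by hand, a backup agent doing a bulk job, and an unknown process encrypting 40 files in two seconds) are constructed.

```python
"""Threshold-based detection of bulk encryption by a single process.

Added example, not BestSafe code. Event shape, sliding-window rule and
allow-list are assumptions; the event stream is constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple


@dataclass
class EncryptEvent:
    ts: float      # seconds since an arbitrary epoch
    pid: int
    image: str     # executable that requested the operation
    path: str      # file being encrypted


class EncryptionRateMonitor:
    """Suspend any process performing more than `max_ops` encryption
    operations inside any `window_s`-second window: a person encrypts a
    handful of files per minute, not hundreds per second."""

    def __init__(self, max_ops: int, window_s: float, allowlist: Set[str] = frozenset()):
        self.max_ops = max_ops
        self.window_s = window_s
        # Known bulk encryptors (backup or disk-encryption agents) are exempted
        # by image name here; a real deployment should key this on a signed
        # publisher or hash, since an image name is trivially copied.
        self.allowlist = {i.lower() for i in allowlist}
        self._history: Dict[int, Deque[float]] = defaultdict(deque)
        self.suspended: Set[int] = set()

    def observe(self, ev: EncryptEvent) -> str:
        """Decide on one event: 'allow', 'suspend' (threshold just crossed)
        or 'suspended' (process already held for a SOC decision)."""
        if ev.image.lower() in self.allowlist:
            return "allow"
        if ev.pid in self.suspended:
            return "suspended"
        window = self._history[ev.pid]
        window.append(ev.ts)
        while window and ev.ts - window[0] > self.window_s:
            window.popleft()            # drop operations that aged out of the window
        if len(window) > self.max_ops:
            self.suspended.add(ev.pid)  # hold the process; kill/resume is decided elsewhere
            return "suspend"
        return "allow"


def constructed_events() -> List[EncryptEvent]:
    """Three hand-driven encryptions, one allow-listed bulk job, one burst."""
    events = [EncryptEvent(t, 4100, "officeapp.exe", f"C:\\Users\\u\\doc{i}.docx")
              for i, t in enumerate((0.0, 41.0, 97.0))]
    events += [EncryptEvent(200.0 + i * 0.01, 4200, "backupagent.exe", f"D:\\backup\\f{i}")
               for i in range(40)]
    events += [EncryptEvent(300.0 + i * 0.05, 4300, "unknown.exe", f"C:\\Users\\u\\file{i}")
               for i in range(40)]
    return sorted(events, key=lambda e: e.ts)


def run_sample() -> Tuple[Dict[int, List[str]], Set[int]]:
    """Feed the constructed stream through the monitor; return the decision
    list per PID and the set of suspended PIDs."""
    monitor = EncryptionRateMonitor(max_ops=20, window_s=10.0, allowlist={"backupagent.exe"})
    decisions: Dict[int, List[str]] = defaultdict(list)
    for ev in constructed_events():
        decisions[ev.pid].append(monitor.observe(ev))
    return dict(decisions), monitor.suspended


if __name__ == "__main__":
    per_pid, held = run_sample()
    for pid, verdicts in per_pid.items():
        print(pid, verdicts.count("allow"), "allowed;", "suspended" if pid in held else "clean")
```

With a limit of 20 operations per 10 seconds the unknown process is suspended on its 21st operation, roughly one second into the burst, while the hand-paced application never accumulates more than three operations in any window.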

Real-time monitoring of applications

With the ability to control encryption operations also comes the ability to control any other operating system function. The possibilities include, but are not limited to, monitoring access to disk, to the registry, to the network, and actions like creating new processes or local user accounts. The possibilities are endless.

Administrators will no longer have the same password

In organizations with a high number of computers it is very common and advisable to enable different local administrator accounts to perform administrative or support tasks. Because of the large number of machines, the password for these accounts is, in many cases, the same on all of them, creating a huge security hole that is usually exploited by insiders.

BestSafe solves this problem in a very simple way and guarantees that the password of these accounts is unique per computer, account, and day, based on a seed that the administrator establishes. If the password is compromised, it will be valid only on that computer and only during that day, and any attempt to change the password will be registered. In addition, you can predict the password that a computer will have on future days, without the need to connect to the network.
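One standard way to obtain the property just described (a local administrator password that is unique per computer, account and day, yet predictable offline by whoever holds the seed), as an added example that is not BestSafe code: the document does not describe BestSafe's actual derivation, so this block uses HMAC-SHA256 as a keyed pseudo-random function over the tuple (computer, account, date). The seed, host names and account names are constructed. The same construction also makes the operational caveat visible: anyone holding the seed can compute every password for every day, so the seed must be protected at least as strictly as a domain administrator credential and the whole fleet re-seeded if it is ever exposed.

```python
"""Per-computer, per-account, per-day local administrator passwords derived
from one secret seed.

Added example, not BestSafe code: it uses HMAC-SHA256 as a keyed PRF to
obtain the property described in the text. Seed and names are constructed.
"""
import datetime
import hashlib
import hmac
from typing import Dict

# No ambiguous glyphs (0/O, 1/l/I) so a password can be read out over the phone.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!#%&*+-=?@"
# Largest multiple of len(ALPHABET) not above 256: bytes at or above it are
# rejected so every symbol is equally likely (no modulo bias).
_REJECT_ABOVE = 256 - (256 % len(ALPHABET))


def derive_password(seed: bytes, computer: str, account: str,
                    day: datetime.date, length: int = 20) -> str:
    """Deterministic password for (computer, account, day) under this seed."""
    # Canonicalise so "ws01"/"WS01" or "Admin"/"admin" derive the same value.
    label = f"{computer.upper()}|{account.lower()}|{day.isoformat()}".encode()
    chars = []
    counter = 0
    while len(chars) < length:
        # Counter-mode expansion of the PRF in case one digest is not enough
        # after rejection sampling.
        block = hmac.new(seed, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        for b in block:
            if len(chars) == length:
                break
            if b < _REJECT_ABOVE:
                chars.append(ALPHABET[b % len(ALPHABET)])
        counter += 1
    return "".join(chars)


def predict_passwords(seed: bytes, computer: str, account: str,
                      start: datetime.date, days: int) -> Dict[str, str]:
    """Passwords for the next `days` days, computed with no network access.
    This is the offline prediction the text describes, and also why the seed
    is the single secret that must never leak."""
    return {
        (start + datetime.timedelta(days=i)).isoformat():
        derive_password(seed, computer, account, start + datetime.timedelta(days=i))
        for i in range(days)
    }


# Constructed seed: in practice a long random value generated once by the
# administrator and kept in a secret store, never in a script.
DEMO_SEED = bytes.fromhex("6f8a3c1d2e4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a6978879605a4b3c2d1")
DEMO_DAY = datetime.date(2019, 8, 1)

if __name__ == "__main__":
    for host in ("WS01", "WS02"):
        print(host, derive_password(DEMO_SEED, host, "Administrator", DEMO_DAY))
    for d, pw in predict_passwords(DEMO_SEED, "WS01", "Administrator", DEMO_DAY, 3).items():
        print(d, pw)
```

Because the derivation is a PRF keyed by the seed, a password recovered from one machine reveals nothing about another machine's password or about the same machine's password tomorrow, which is exactly the containment the text claims for a compromised credential.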


Control access to resources by application

BestSafe allows blocking all outgoing connections of a certain application regardless of the user's credentials. In addition, BestSafe allows blocking access to protected local folders or generating specific firewall rules for each application, to block potentially dangerous applications from accessing shared documents.

Centralized management at no additional cost

The Enterprise Edition of BestSafe (refer to section III.6.1) is fully integrated into Microsoft Active Directory and takes advantage of all its features to offer a high level of centralized management, high availability and fault tolerance. In addition, the use of Active Directory means BestSafe does not require additional infrastructure (DB servers, web servers, etc.).

The administration tool is based on MMC (Microsoft Management Console), so the learning curve is extremely short. The configuration can be applied either directly to a specific computer or to a set of computers through the Active Directory elements that can contain them (such as organizational units, groups, containers, etc.), applying all the characteristics of inheritance and hierarchy that Active Directory has to offer.

Once the configuration is established, the computers at the endpoints, through a light agent, will download the corresponding configuration. This configuration is stored in a cache and is applied even without network connectivity. The update interval is defined by the BestSafe administrator.

III.5 BENEFITS

Most anti-malware solutions currently on the market, known mainly as antivirus, use signature-based heuristic analysis to identify possible malware. When a certain virus ends up in the hands of a

manufacturer, it is analyzed by professional researchers and/or by dynamic analysis systems. If it is

classified as malware, it generates a signature that is added to its database and that is later used by the corresponding antivirus software to constantly analyze the files of the system in search of matches. The

problem, apart from the great consumption of resources, is that there is a period of time until a malware

is identified as malicious in which the end user and its data are completely unprotected and exposed.

The fastest return on investment

The implementation of traditional privilege management solutions usually takes months to achieve the proper configuration. The implementation of BestSafe, however, is so extremely simple and its management environment so familiar that a full implementation can be done in a few hours thanks to its brilliant integration with Active Directory. But not only that: our high level of experience allows us to offer a series of permanently available templates, among which you can choose to adapt them to most organizations, making deployment even easier.

Security from day one

Security experts and the leading consultants in the sector agree that the first step to comply with security best practices is the removal of as many administrator privileges as possible, along with the supervision of corporate applications, preventing the execution of all the rest. With BestSafe, this goal is extremely easy to achieve since, in addition to security at the application level, and to facilitate a phased implementation, BestSafe also offers the possibility of maintaining privilege management at the user level.

Thanks to the minimal impact that the deployment of BestSafe has on the infrastructure of the organization, you can remove administrative permissions at the same time that a whitelist of applications is created, or you can plan a privilege reduction strategy on the fly and apply it stepwise, all with the flexibility that characterizes our products.

100% scalable solution at zero cost

The unparalleled integration with Active Directory, together with a client-server approach (instead of the more common server-client one), allows BestSafe to be as scalable as the organization itself. If a computer has access to the corporate network, it will also have access to the BestSafe configuration.

This approach allows BestSafe to use all of the built-in features and capabilities that replicate Active Directory objects to every Domain Controller in the domain, eliminating the need for additional database servers and availability mechanisms. And, if there is no Active Directory connection present on a specific endpoint, the last configuration fetched will be applied.

Simply powerful, transparent for end users


Wallix BestSafe - Product Overview V1 - AUGUST 2019 13 / 17

The effectiveness of BestSafe rests on making the operating system itself the guarantor of security against intrusions, through the prior reduction of privileges at the application level. BestSafe is not an antivirus that needs to inspect each and every file to determine, as far as possible, the risk associated with it. It only acts at the process level, and only when there is a corresponding rule established by the administrator. This means that the impact on computer performance is so small that it is completely unnoticeable in normal use.

In addition to being virtually imperceptible to the end user, BestSafe's features are as powerful and as flexible as the most demanding IT department can require. What both users and administrators will appreciate is a drastic increase in productivity, since their work tools will no longer be an impediment to their daily tasks. There will be no more slowdowns, no more unpleasant viruses, and no more support queries related to such incidents, which in turn results in greater productivity in the IT department.

Prevention of attacks, known or unknown

The new approach that we propose with BestSafe is to take advantage of the power of the security mechanisms of the operating system itself, so that it is the one that denies access to intrusions. The great advantage of this strategy is that, with a correct reduction of privileges, it does not matter whether the malware is already known or yet to be discovered, because none of it will be able to make modifications to the system, since it does not have the necessary privileges to carry out the infection.

With BestSafe, it is very easy to remove administrator privileges from most accounts, including those of IT personnel, and from there assign them only to the applications, tasks, or scripts that need them, so that each user can carry out their tasks without affecting productivity. Applying the Principle of Least Privilege provides a highly secure environment that mitigates deliberate or accidental threats, both from within and from outside the organization, since the first objective of the vast majority of existing malware is the escalation of privileges in order to infect the system and spread throughout the network.

An efficient work environment

BestSafe was born from the analysis of a problem common to the IT departments of most organizations. Most of this problem comes down to the choice between compromising security and gaining productivity, where finding the balance between the two is often too expensive and difficult to implement.

With BestSafe, however, the right tools are provided to reinforce both the productivity and the security of the end user, reducing the intervention of technical and/or support personnel.

Get regulatory compliance

Leading regulatory compliance consultancies and agencies, such as Forrester and Gartner, agree that eliminating excessive privileges and whitelisting applications is the best strategy for the security of corporate networks. BestSafe complies with the guidelines defined by these large companies through the management of minimum privileges at the application level and through the elimination of administrators on all endpoints, including the IT department. In addition, reports and trend analysis demonstrate compliance with GDPR and derived regulations.

III.6 TECHNICAL CONSIDERATIONS

III.6.1 DEPLOYMENT OPTIONS

BestSafe is a comprehensive security and privilege management solution available for all Windows platforms, desktop or Windows Server. It is supplied in three editions: the Enterprise edition for companies with Active Directory, the Elite edition for SMEs that do not have Active Directory, and the Home edition for the domestic environment.

▪ BestSafe Enterprise: The Enterprise Edition of BestSafe stands out for its complete integration with Active Directory, providing companies with centralized management without additional infrastructure costs and fully exploiting Active Directory's potential, such as its fault tolerance, high availability and replication mechanisms. In addition, it offers complete integration with any SIEM solution, which facilitates the collection of information for further analysis.

▪ BestSafe Elite: The Elite Edition of BestSafe contains all the productivity and security features offered by the Enterprise Edition but does not use Active Directory to store the configuration. Instead, this configuration can be established stand-alone or obtained remotely through web services and managed centrally.

III.6.2 BESTSAFE REQUIREMENTS

BestSafe stores all its data and configuration in Active Directory itself, specifically in a container intended to be used only by BestSafe. The installation of this container is the only step for which you will need a member of "Domain Admins". Incidentally, the BestSafe Administration tool will only have permissions to modify that container. All of this can be done from any desktop; there is no need to access or install any software on the Domain Controllers. Then, every BestSafe Client will read Active Directory to fetch the configuration that is relevant to it and interpret it on the endpoint.

This approach allows BestSafe to use all of the built-in features and capabilities that replicate Active Directory objects to every Domain Controller in the domain, eliminating the need for additional database servers and availability mechanisms. And, if there is no Active Directory connection present on a specific endpoint, the last configuration fetched will be applied.

BestSafe supports any Active Directory Domain Services from Microsoft Windows Server 2003 to Microsoft Windows Server 2019.

III.6.3 PRIVILEGE RULES

BestSafe's unique patented technology and most important feature is its ability to modify a process's security context at the time of its creation, no matter which user has run it. This allows you, the BestSafe administrator, to decide which processes need to be executed with a specific security context regardless of the credentials of the user who runs them.

To better understand this innovative approach, think of the traditional, less effective "Run as…" method available when right-clicking on an executable file, or the command-line tool "runas.exe". These traditional methods require you to identify a user, and will actually run the entire process under that user's context, different from that of the user who is really logged on. This means that every property of the identified user's context will be applied to that new process, including the security context. This may work in some cases, but other important properties will also differ for that specific process and cause problems, such as environment variables or mapped drives. And even if they don't, the management of privileged users is tedious, or dangerous at the very least.

BestSafe, on the other hand, allows you to modify only the security context of any process that is run on a machine, regardless of the user who runs it, while maintaining the rest of that user's context. Even if the process in question is run using the "Run as…" method identifying a privileged user, BestSafe will prevail over anything else and apply the corresponding settings. This new approach can be used, for example, to grant an unprivileged user access to a specific application, or to reduce an administrator's privileges when running a dangerous application (such as a web browser or an email client). Although these are simple examples, both can be used to apply POLP, thus considerably increasing security.

Mentioned above are BestSafe's most powerful features in a nutshell, but BestSafe also has many other ones that allow you to modify the process further. All of these modifications are defined on a per-process basis in what we call a "privilege rule".

As you already know, BestSafe uses Active Directory to store its data, including privilege rules. Every BestSafe Client reads Active Directory to fetch the configuration that is relevant to it and interprets it on the endpoint. Every client maintains a cache on the endpoint with its rules and settings in order to keep applying them even when the computer is disconnected from the network. The data is updated upon reconnecting the computer to the network and at every refresh interval specified in the option "Refresh Interval on clients (minutes)".

BestSafe also features full integration with Active Directory in order to make use of the object hierarchy when applying settings to target Computer objects. Rules can be applied to the domain objects User, Group, Computer, Organizational Unit, Domain, Subnet and Site. Active Directory inheritance allows you to apply rules to a container, such as an Organizational Unit, and have them applied to the Computer objects inside that container, although Active Directory inheritance can be broken at any level.

As mentioned earlier, BestSafe's most important feature consists of modifying a process's security context at the time of its creation, no matter the security of the user who has executed it. This allows the user to run a process with privileges different from his or her own while maintaining the rest of their user context in that same process. The security assigned to a user by Active Directory becomes almost irrelevant when a BestSafe privilege rule is applied. The results can be verified with tools such as "Process Explorer" or "Process Hacker".

In a nutshell, this innovative approach can be used, for example, to grant an unprivileged user access to a specific application, or to reduce an administrator's privileges when running a dangerous application (such as a web browser or an email client), all under the same credentials.
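As an added illustration of the verification just mentioned (this script is not part of the Wallix documentation), the following PowerShell can be run from inside a process to show its token next to the user context that a privilege rule is meant to leave untouched. It relies only on whoami and the .NET WindowsIdentity class; nothing BestSafe-specific is assumed.

```powershell
# Added example, not BestSafe code: summarise the security context of the
# current process next to the user context that a privilege rule is meant to
# leave untouched. Run it once from a normally started PowerShell console and
# once from a console started under a rule, then compare the two outputs.
function Get-ProcessSecuritySummary {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]$identity
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # whoami reads the process token: group SIDs (including the mandatory
    # integrity label) and the privileges it holds, with their state.
    $groups     = whoami /groups /fo csv | ConvertFrom-Csv
    $privileges = whoami /priv /fo csv | ConvertFrom-Csv
    $integrity  = ($groups | Where-Object { $_.Type -eq 'Label' }).'Group Name'
    $adminGroup = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }   # BUILTIN\Administrators
    $adminState = if ($adminGroup) { $adminGroup.Attributes } else { 'not present in token' }
    $enabled    = @($privileges | Where-Object { $_.State -eq 'Enabled' }).'Privilege Name'

    # Network drives mapped for the logged-on user; a plain runas would lose them.
    $mapped = Get-PSDrive -PSProvider FileSystem |
              Where-Object { $_.DisplayRoot -like '\\*' } |
              ForEach-Object { "$($_.Name):=$($_.DisplayRoot)" }

    [pscustomobject]@{
        ProcessId         = $PID
        # User context: expected to be identical with and without the rule.
        User              = $identity.Name
        UserProfile       = $env:USERPROFILE
        MappedDrives      = $mapped -join ' '
        # Token (security context): this is what a privilege rule changes.
        IsAdministrator   = $principal.IsInRole($adminRole)
        AdminGroupState   = $adminState          # e.g. "Group used for deny only"
        IntegrityLevel    = $integrity           # e.g. "Mandatory Label\Medium Mandatory Level"
        GroupCount        = @($groups).Count
        EnabledPrivileges = $enabled -join ' '
        TotalPrivileges   = @($privileges).Count
    }
}

Get-ProcessSecuritySummary | Format-List
```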

III.6.4 SECURITY RIGHTS

BestSafe also supports traditional privilege management at the user level, one of its most powerful additional features.

This feature allows you to manage the membership of any user or group (whether domain or local) in the groups that come built in with any Windows endpoint. Such a membership can also be given a time limit, and the Windows session can even be ended if the user is logged on when this time limit is reached. This means the administrator does not have to keep track of when or whether a membership needs to end, simplifying his or her work.

This user-level privilege management is done by implementing what we call "Security Rights". Such rules are defined using the same BestSafe Administration tool and are fetched and interpreted by the BestSafe Client, much like any other BestSafe rule. They are stored in the Active Directory domain, and they make use of the object hierarchy when applying a target computer's rules, as well as those of its parent objects. Every endpoint stores a cache locally with its corresponding Security Rights in order to keep applying them even when the computer is disconnected from the network. The Security Rights, as well as the configuration, are updated upon reconnecting the computer to the network and at every refresh interval specified in the global configuration.

There are some options and configurations that need some planning before they are enabled, because a careless implementation may lead to undesired results. User-level privilege management is definitely one of them, because there may already be local group memberships that were created manually or with some other PAM tool.

If this BestSafe feature is enabled and it finds that no Security Rights have been created, any membership previously created in the local built-in "Administrators" group will be considered unauthorized by BestSafe. Therefore, for security reasons, such unauthorized local group memberships will be deleted, and any users or groups will be automatically removed from it. The BestSafe Client has no group membership rules by default, which means that if it has just been deployed with this option enabled, every previous local group membership will be removed immediately.

Enabling this option before or after the BestSafe Client deployment can make a big difference depending on the state of your organization at that time. One option is to first create the Security Rights that match your organization in BestSafe and then enable this option. An alternative is to first enable the feature and then gradually deploy the BestSafe Client while attending to the people who used to need those memberships and may be having trouble now that they don't. This is entirely for you to plan and decide.
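An added example, not Wallix's own tooling, of the inventory step this planning implies: collect the current local "Administrators" membership on the endpoints before enabling the feature, so that Security Rights can be created for whatever must survive. It assumes PowerShell Remoting and the LocalAccounts module on the targets; the OU and file names in the usage comment are placeholders.

```powershell
# Added example, not BestSafe code: inventory the local "Administrators" group
# on a set of endpoints before enabling user-level privilege management, so that
# matching Security Rights can be created for the memberships that must survive.
# Assumes PowerShell Remoting is enabled and the LocalAccounts module (Windows 10
# / Windows Server 2016 and later) is present on the targets.
function Get-LocalAdminInventory {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        # Members expected on every machine that need no Security Right of their own.
        [string[]]$Baseline = @('Administrator', 'Domain Admins')
    )

    $members = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # Get-LocalGroupMember can fail on a group holding orphaned SIDs (deleted
        # accounts); such machines surface on the error stream and need a manual look.
        Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
            [pscustomobject]@{
                Computer    = $env:COMPUTERNAME
                Member      = $_.Name              # e.g. CONTOSO\helpdesk-l2 (constructed)
                ObjectClass = $_.ObjectClass       # User or Group
                Source      = $_.PrincipalSource   # Local, ActiveDirectory, MicrosoftAccount
            }
        }
    }

    # Anything outside the baseline is a membership BestSafe would remove when the
    # feature is enabled unless a Security Right re-creates it.
    $members |
        Where-Object { ($_.Member -replace '^.*\\', '') -notin $Baseline } |
        Select-Object Computer, Member, ObjectClass, Source
}

# Constructed usage: computers from one OU, results to a CSV for review.
# Get-LocalAdminInventory -ComputerName (Get-ADComputer -Filter * -SearchBase 'OU=Workstations,DC=example,DC=local').Name |
#     Export-Csv -Path .\local-admins-before-bestsafe.csv -NoTypeInformation
```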

III.6.5 INHERITANCE

BestSafe features full integration with Active Directory in order to make use of the object hierarchy when applying settings to target Computer objects. Properties can be applied to the domain objects User, Group, Computer, Organizational Unit, Domain, Subnet and Site. BestSafe also supports applying properties to configuration objects, such as Site and Subnet.

Active Directory inheritance allows you to apply properties to, for instance, an Organizational Unit and have them applied to the Computer objects inside it, although Active Directory inheritance can be broken at any level. BestSafe allows you to set properties on the following Active Directory object types:

▪ Computer – Properties set in a "Computer" object will apply to that specific computer only.

▪ Group – Properties set in a "Group" object will apply to all computers that are members of that specific group object. If it has other group objects as members, the properties will apply to them too.

▪ Organizational Unit – Properties set in an "Organizational Unit" object will apply to all computer and group objects contained in that specific organizational unit. If it also contains organizational units, the properties will apply to them as well.

▪ Container – Properties set in a "Container" object will apply to all computer and group objects contained in that specific container object.

▪ Domain – Properties set in a "Domain" object will apply to all computers contained in that specific domain object, as well as to its groups and organizational units.

▪ Subnet – Properties set in a "Subnet" object will apply to all computers whose IP address belongs to that specific subnet. The "All Subnets" object represents every subnet, and properties set in this object will apply to all computers whose IP address belongs to any defined subnet.

▪ Site – Properties set in a "Site" object will apply to all computers whose IP subnet belongs to that specific site. The "All Sites" object represents every site, and properties set in this object will apply to all computers whose IP subnet belongs to any defined site.
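As an added example (not BestSafe code), the following PowerShell lists, for one computer, every Active Directory object of the types above whose properties could reach it, resolving nested groups and the subnet and site from the computer's IPv4 address. It assumes the RSAT ActiveDirectory module and reports candidate sources only, since the precedence between them is not described here.

```powershell
# Added example, not BestSafe code: enumerate the Active Directory objects whose
# BestSafe properties could apply to one computer, following the object types
# listed above: Computer, Group (nested included), Organizational Unit, Container,
# Domain, Subnet/All Subnets and Site/All Sites. Requires the ActiveDirectory module.
function ConvertTo-IPv4Long([System.Net.IPAddress]$Ip) {
    $b = $Ip.GetAddressBytes()
    return [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}

function Test-IPv4InSubnet([System.Net.IPAddress]$Address, [string]$Cidr) {
    $netText, $prefix = $Cidr -split '/'
    $net = [System.Net.IPAddress]::Parse($netText)
    if ($Address.AddressFamily -ne 'InterNetwork' -or $net.AddressFamily -ne 'InterNetwork') {
        return $false   # IPv6 subnets are not handled in this example
    }
    # Network mask as a 32-bit value, e.g. /16 -> 0xFFFF0000, computed without bit shifts.
    $mask = [long]4294967295 - ([long][math]::Pow(2, 32 - [int]$prefix) - 1)
    return (((ConvertTo-IPv4Long $Address) -band $mask) -eq ((ConvertTo-IPv4Long $net) -band $mask))
}

function Get-BestSafeScopeForComputer {
    param([Parameter(Mandatory)][string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName
    $dn    = $computer.DistinguishedName
    $scope = New-Object System.Collections.Generic.List[object]
    $add   = { param($Type, $Object) $scope.Add([pscustomobject]@{ Type = $Type; Object = $Object }) }

    & $add 'Computer' $dn

    # Walk up the DN: ancestors are OUs or containers (CN=) until the domain (DC=) part.
    $rdns = $dn -split '(?<!\\),'
    for ($i = 1; $i -lt $rdns.Count -and $rdns[$i] -notmatch '^DC='; $i++) {
        $type = if ($rdns[$i] -match '^OU=') { 'Organizational Unit' } else { 'Container' }
        & $add $type ($rdns[$i..($rdns.Count - 1)] -join ',')
    }
    & $add 'Domain' (($rdns | Where-Object { $_ -match '^DC=' }) -join ',')

    # Group membership including nested groups (LDAP_MATCHING_RULE_IN_CHAIN);
    # the DN is escaped for use inside an LDAP filter.
    $escaped = $dn -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$escaped)" |
        ForEach-Object { & $add 'Group' $_.DistinguishedName }

    # Subnet and site: match the computer's IPv4 address against AD replication subnets.
    $hostName = if ($computer.DNSHostName) { $computer.DNSHostName } else { $ComputerName }
    $ip = [System.Net.Dns]::GetHostAddresses($hostName) |
          Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
    $matched = @(Get-ADReplicationSubnet -Filter * |
                 Where-Object { $ip -and (Test-IPv4InSubnet $ip $_.Name) })
    foreach ($subnet in $matched) {
        & $add 'Subnet' $subnet.Name
        if ($subnet.Site) { & $add 'Site' (Get-ADReplicationSite -Identity $subnet.Site).Name }
    }
    if ($matched.Count -gt 0)            { & $add 'All Subnets' '(any defined subnet)' }
    if ($matched | Where-Object Site)    { & $add 'All Sites'   '(any defined site)' }

    return $scope | Sort-Object Type, Object -Unique
}

# Constructed usage; the computer name is a placeholder.
# Get-BestSafeScopeForComputer -ComputerName 'WS-042' | Format-Table -AutoSize
```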

III.7 TECHNICAL BENEFITS

Privilege Management: Based on rules, BestSafe allows you to grant privileges to processes and applications as well as to users and computers. Besides supporting traditional privilege management at the user level, BestSafe has the capability to build the security context under which an application must be executed, no matter the permissions of the account that launches the application.

Permission Levels: Apply rules at the application level to:

▪ Prevent untrusted software from being executed.

▪ Assign restricted permissions.

▪ Assign administrator permissions.

▪ Assign local groups.

▪ Assign Windows privileges.

Password Management: Daily change of any local administrator password on every computer in the domain, different for each computer. The password management tool has the capability to obtain the password without connecting to the network.

Preventing Cybersecurity Attacks: Ability to deny access to both network and local folders that have been defined as protected. That way, no type of ransomware will have access to the files on the network or to protected folders. Ability to control cryptographic operations that are about to be performed and request authorization before executing them.

Don't let malware spread into your business: Around 95% of critical Microsoft Windows vulnerabilities would be mitigated by removing admin privileges.

Software Distribution joins Advanced Security: Build your own secure, true IT self-service Corporate Application Catalog. Boost productivity and reduce time, costs and risks.

Privilege Management at user and process level: Implementing the Principle of Least Privilege should not be a headache. Apply privilege management to both users and applications.

Make your IT personnel as happy as your VIPs: Give your VIPs what they require without affecting your IT personnel's mood, in an easy and secure way.

Flexibility and efficiency: Application deployment can be performed by the end user, or it can be unattended and automatic, using different categories:

▪ On Demand

▪ Mandatory

▪ Uninstallation and/or forbidden

▪ Periodic

▪ Update

▪ Repair

▪ Urgent Deployment

Analysis and Reporting:

▪ Logs: Integration with any SIEM system by sending logs to a TCP or UDP port.

▪ Permissions: monitoring of the assignment of users to groups and of process execution with elevated permissions.

▪ Statistics: report on the use of applications and processes for license control, unauthorized software, etc.

▪ Reporting: reporting on rule implementation.

IV KEY USAGE SCENARIOS

Below are some example usage scenarios for the BestSafe technology.