SECURE, MANAGE & CONTROL PRIVILEGED ACCOUNTS & SESSIONS
Presenter: Terence Siau
Agenda
• Company Introduction
• Today’s Security Challenges
• Privileged Identity Management Suite Overview
• Privileged Session Management Suite Overview
• Sensitive Information Management Suite Overview
COMPANY INTRODUCTION
Cyber-Ark Overview
• Established in 1999, HQ Boston, US
• Offices Worldwide (including Singapore and Malaysia)
• 1200+ customers globally
• Customers in Vietnam: Banks, Oil & Gas, Government
Strategic Partnerships
Recognized Market Leadership
“The company has gradually expanded from its initial start as an enterprise vault for file and sensitive content sharing to assume a commanding position in privileged identity management (PIM)”
- Steve Copland, April 2010
“Cyber-Ark has one of the largest customer bases of the vendors included in this Market Scope and, because of its focus on enterprise customers … the largest market share by revenue by a wide margin.”
- Ant Allan/Perry Carpenter, June 2009
“Cyber-Ark is perceived as a leader in the rapidly expanding market for Privileged Access Management solutions.”
- Martin Kuppinger, 2010
“Cyber-ark is at the top of the PIM market, based on product maturity & the number of customer deployments”
- Mark Diodati, 2009
Best Identity Management Solution
Highly Commended: Information Security Product of the Year
What does it take to be a Market Leader?
Recognition from Authoritative Bodies
A Strong History of Acknowledged Excellence
Cyber-Ark’s Solution Suites
Privileged Identity Management Suite
• Enterprise Password Vault®
• Application Identity Manager™
• On-Demand Privileges Manager™
Privileged Session Management Suite
• PSM for Servers
• PSM for Databases
• PSM for Virtualization
Sensitive Information Management Suite
• Inter-Business Vault®
• Sensitive Document Vault™
DIGITAL VAULT
TODAY’S SECURITY CHALLENGES
Privileged Account Types
Administrative Accounts
• Owned by the system: Not owned by any person or “identity”
• Shared Predefined: UNIX root, Cisco enable, DBA accounts, Windows domain, etc.
Application Accounts
• Hard-coded, embedded: Resource (DB) IDs, Application / Generic IDs, Batch jobs, Testing Scripts
• Service Accounts: Windows Service Accounts, Scheduled Tasks
Personal Computer Accounts
• Windows Local administrator: Desktops, Laptops
• Shared: Help Desk, Operations, Emergency, Legacy applications, Developer accounts
Privileged Accounts Give System-Wide Access
Who has access to privileged accounts?
• Administrators
• Contractors; Cloud Service Providers
• DBAs
• Terminated Employees
• Applications
Why are these breaches happening?
• Shared account usage
• Excessive privilege
• “Hidden/Sleeping” accounts
• Non-existent/unenforced access controls
• Infrequent replacement of credentials
“48% of data breaches were caused by privileged misuse” *
Proactively manage privileged access to prevent such attacks
* Verizon, 2010 Data Breach Investigations Report
PRIVILEGED IDENTITY MANAGEMENT
Privileged Identity Management Suite v.7.1
PIM Portal/Web Access
Secure Digital Vault™
Central Policy Manager
Monitoring & SIEM Applications
Ticketing Systems
Identity Management
External Vendors
IT Personnel
Auditors
Developers & DBAs
Enterprise Directory and more
Enterprise Password Vault: Preventing Threats, Improving Productivity
Who is accessing critical information assets?
John, the IT admin, receives a ticket he needs to handle. There’s a problem on the Windows machines and he needs to install a patch to fix it, which requires administrator access.
John requests managerial approval to retrieve password
and transparently connects without seeing the password
John’s access is logged, personalized and reason is entered
The result? A preventative approach that:
• Secures privileged credentials
• Gives you full control over access
• Ticketing integration; approval workflow
• Personalizes usage
• Automatically replaces credentials on a periodic basis (policy driven)
• Protection from terminated employees & 3rd parties
• Generates better productivity & shorter time to resolution
Windows Server
Ticketing Application
Full Datacenter Coverage
Central Policy Manager
Enterprise IT Environment
Operating Systems: Windows, Unix/Linux, IBM iSeries, Z/OS, HPUX, Tru64, NonStop, ESX/i, OVMS, OS X, XenServers
Databases: Oracle, MSSQL, DB2, Informix, Sybase, MySQL, Any ODBC
Security Appliances: FW1, SPLAT, IPSO, PIX, IronPort, Netscreen, FortiGate, ProxySG, Panorama
Network Devices: Cisco, Juniper, Nortel, Alcatel, Quantum, F5, HP, 3Com, RuggedCom, Avaya, BlueCoat, Yamaha
Directories and Credential Storage: AD, SunOne, Novell, UNIX Kerberos, UNIX NIS
Remote Control and Monitoring: HMC, HPiLO, ALOM, Digi CM, DRAC, iRMC, AlterPath
Generic Interface: SSH/Telnet, ODBC, Windows Registry
Applications: SAP, WebSphere, WebLogic, Windows (Services, Scheduled Tasks, IIS App Pools, IIS Anonymous, COM+, Cluster Service), Oracle Application ERP, System Center Configuration Manager
Web Applications
EPV: Better Visibility & Control for Managers
When was the account accessed and why?
Where do all my privileged accounts exist?
• Auto-discovery automatically detects unmanaged devices and service accounts for operational efficiency and full compliancy
• Automatically manage hundreds of thousands of local admin accounts
Application Identity Management: Tighter Security; Better Compliance
Secure, manage and eliminate hard-coded privileged accounts from applications
Billing App
Websphere
CRM App
HR App
Online Booking System
• Secure & reset application credentials with no downtime or restart
• Ensure business continuity & high performance with a secure local cache
• Strong application authentication
• Unique solution for Java Application Servers with no code changes
• Avoid hard coding connection strings – no code changes & overhead
    UserName = "app"
    Password = "y7qeF$1"
    Host = "10.10.3.56"
    ConnectDatabase(Host, UserName, Password)

    UserName = GetUserName()
    Password = GetPassword()
    Host = GetHost()
    ConnectDatabase(Host, UserName, Password)
Weblogic
Legacy
IIS / .NET
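The hard-coded versus retrieved-at-runtime contrast above, as an added Python example (not code from the presentation or from Cyber-Ark): FakeVault, CredentialProvider, connect_database and every credential value are constructed stand-ins, not a vendor API. It shows a rotated password being picked up without a restart and the local cache covering a vault outage.

```python
import time

class FakeVault:
    """Constructed in-memory stand-in for the central vault (not a vendor API)."""
    def __init__(self):
        self.secrets, self.online = {}, True
    def fetch(self, app_id):
        if not self.online:
            raise ConnectionError("vault unreachable")
        return dict(self.secrets[app_id])

class CredentialProvider:
    """Hypothetical local provider: fetch at call time, cache for ttl seconds."""
    def __init__(self, vault, ttl=30.0, clock=time.monotonic):
        self._vault, self._ttl, self._clock = vault, ttl, clock
        self._cache = {}                      # app_id -> (fetched_at, credential)
    def get(self, app_id):
        now, cached = self._clock(), self._cache.get(app_id)
        if cached and now - cached[0] < self._ttl:
            return cached[1]                  # fresh hit, no vault round trip
        try:
            cred = self._vault.fetch(app_id)
        except ConnectionError:
            if cached:
                return cached[1]              # vault down: serve last known value
            raise                             # nothing cached: fail closed
        self._cache[app_id] = (now, cred)
        return cred

def connect_database(provider, app_id):
    """Stands in for ConnectDatabase(Host, UserName, Password) on the slide."""
    c = provider.get(app_id)                  # resolved per connection, not at build time
    return f"{c['username']}@{c['host']}", c["password"]

def demo():
    now, vault = [0.0], FakeVault()
    cred = {"username": "app", "host": "db.example.internal"}   # constructed values
    provider = CredentialProvider(vault, ttl=30.0, clock=lambda: now[0])
    vault.secrets["billing"] = {**cred, "password": "constructed-pw-1"}
    first = connect_database(provider, "billing")[1]
    vault.secrets["billing"] = {**cred, "password": "constructed-pw-2"}  # rotation
    now[0] = 31.0                             # cache expired: new password picked up
    second = connect_database(provider, "billing")[1]
    vault.online, now[0] = False, 100.0       # outage after the cache expired
    third = connect_database(provider, "billing")[1]
    return first, second, third
```

Because of the cache, an application can present the old password for up to ttl seconds after a rotation, so the rotation policy needs an overlap window at least that long or the caller must refetch on an authentication failure.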
On-Demand Privileges Manager: Tightening Unix Security
Control superuser access (root, oracle, app1…)
Granular Access Control and Hardening
Monitor & audit with reports and text recording
When Who What Where What
Unix / Linux Servers
OPM for Windows
Reduce TCO of desktop management & IT overhead
• Least privilege leads to fewer tickets/calls to IT, less “unintentional damage”
• Gartner: “20% lower TCO with full least-privileged implementation”
Reduce the risk of infecting desktops with malware
• 90% of Windows vulnerabilities are mitigated when running without admin rights.
• Eliminating admin rights reduces the attack surface of malware.
BUT IS ACCESS CONTROL ENOUGH?
PRIVILEGED SESSION MANAGEMENT SUITE
Expanding from Managing Accounts to Managing Sessions
Portal/Web Access
Secure Digital Vault™
Central Policy Manager
Privileged Identity Management: Secure, manage and track privileged accounts
Privileged Session Management: Isolate, control, and monitor privileged sessions
Monitoring & SIEM Applications
Ticketing Systems
Identity Management
External Vendors
IT Personnel
Auditors
Developers & DBAs
Enterprise Directory and more
Continuous Monitoring & Protection Across the Datacenter
Privileged Session Management Suite
PSM for Servers
PSM for Databases
PSM for Virtualization
Isolate
Control
Monitor
Cyber-Ark PSM Platform Support
Platform | Video Mode | Text Command
Microsoft: Windows XP, Windows Vista, Windows 7, Windows 2003 Server, Windows 2008 Server | ✓ | -
IBM: AS400 | ✓ | -
IBM: AIX | ✓ | ✓
Sun Solaris | ✓ | ✓
HP: HPUX, Tru64, Open VMS | ✓ | ✓
SSH-compatible sessions | ✓ | ✓
SQL Plus / PLSQL Developer | ✓ | ✓
SQL Server Management Studio | ✓ | -
Sybase ASE | ✓ | -
Sybase Interactive SQL Client | ✓ | -
SecureCRT | ✓ | -
Virtualization: Hypervisors inc ESX, ESXi, vSphere | ✓ | -
Remote Vendor Access – with PSM
Corporate Network
Auditors, PIM Admins
Routers and Switches
Windows Servers
UNIX Servers
PIM
Vault
Firewall
3rd party vendor
Internet
HTTPS
PVWA
PSM
DMZ
Firewall
Real-Time Monitoring with Session Interaction
Easily Search Privileged Sessions for Forensic Analysis
Search for SQL commands that include the word 'Salary'
Click to Play ‘Point in Time’
* Supports SSH and SQL commands
Accessing & Monitoring Websites & Cloud Applications
• Manage sensitive credentials to websites and web-based/SaaS applications using PIM
• Connect transparently to the web-based application without needing to know the password
• Monitor and record privileged sessions in web applications in real-time or for forensic analysis
Value of Privileged Session Management
Isolate
• Prevent cyber attacks by isolating desktops from sensitive target machines
Control
• Create accountability and control over privileged session access with policies, workflows and privileged single sign on
Monitor
• Deliver continuous monitoring and compliance with session recording with zero footprint on target machines
Sensitive Information Management Suite
Sample use cases
Accelerate Business, Securely
Variety of Interfaces
Enterprise Ready
Business Autonomy
THANK YOU!