Defense in Depth: Implementing a Layered Privileged Password Security Strategy

Nick Cavalancia, Techvangelism

Upload: beyondtrust

Post on 08-Jan-2017

Page 1: Defense in Depth: Implementing a Layered Privileged Password Security Strategy

Defense in Depth: Implementing a Layered Privileged Password Security Strategy

Nick Cavalancia, Techvangelism

Page 2

You already believe in layers

• A visitor to your building

• Access to a file

• Remote Connectivity

Page 3

What are you doing today?

• Password vault?

• Spreadsheet?

• Accountability?

How are you protecting privileged passwords?

Page 4

Layering security over privileged passwords

******

Page 5

Do you need all those layers?

• In short, no.

• Privileged accounts aren’t all alike

• Layered strategy can’t be either

Page 6

Consider the password risk

• Resource access?

• External threat damage?

• Internal threat damage?

Page 7

Establishing defense in depth

• Layers are a part of IT security

• Think layered password protection

• Determine the layer/password mix

• Identify password risk
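The argument of pages 5 to 7 is that the layer mix should follow the risk of each privileged password rather than being uniform. The block below is an added worked example, not code from the slides or from BeyondTrust: it scores each account on the three risk questions from page 6 (resource access, external threat damage, internal threat damage), derives the set of layers that score warrants, and reports the gap against the layers already in place. The layer names, the weights, the thresholds and the sample inventory are assumptions made for the illustration.

```python
"""Layer/password mix derived from password risk (added illustration).

Not BeyondTrust code. Layer names, weights, thresholds and the sample
inventory are assumptions; the point is that the required mix differs
per account and that a gap report falls out of the scoring.
"""
from dataclasses import dataclass, field

# Layers ordered from the minimum every privileged password should get to
# the most expensive controls reserved for the riskiest accounts (assumed names).
LAYERS = [
    "vaulted",            # stored in a vault, not a spreadsheet
    "rotated",            # rotated automatically after use / on schedule
    "checkout_workflow",  # released only through a request/approval workflow
    "session_proxy",      # access proxied, password never revealed to the user
    "session_recording",  # full audit trail of the session
    "live_monitoring",    # real-time monitoring with lock/terminate
]


@dataclass
class PrivilegedAccount:
    name: str
    resource_access: int     # 1 = single host ... 5 = whole estate / domain
    external_damage: int     # 1 = nuisance ... 5 = business-ending breach
    internal_damage: int     # 1 = limited ... 5 = hard-to-detect insider abuse
    current_layers: set = field(default_factory=set)


def risk_score(acct: PrivilegedAccount) -> int:
    """Weighted sum of the three page-6 questions; reach is weighted double
    (assumed weights). Each axis must be in 1..5, giving a score of 4..20."""
    for v in (acct.resource_access, acct.external_damage, acct.internal_damage):
        if not 1 <= v <= 5:
            raise ValueError("risk axes must be in 1..5")
    return 2 * acct.resource_access + acct.external_damage + acct.internal_damage


def required_layers(score: int) -> set:
    """Map a score to how many layers from LAYERS are required (assumed thresholds)."""
    if score <= 6:
        depth = 2          # vault + rotation is enough for low-risk passwords
    elif score <= 10:
        depth = 3
    elif score <= 14:
        depth = 5
    else:
        depth = len(LAYERS)
    return set(LAYERS[:depth])


def layer_gaps(accounts):
    """Return {account name: missing layers, in LAYERS order}."""
    gaps = {}
    for acct in accounts:
        missing = required_layers(risk_score(acct)) - acct.current_layers
        gaps[acct.name] = sorted(missing, key=LAYERS.index)
    return gaps


# Constructed sample inventory: a lab box, a backup service account, a domain admin.
SAMPLE_ACCOUNTS = [
    PrivilegedAccount("lab-vm-root", 1, 1, 2, {"vaulted", "rotated"}),
    PrivilegedAccount("svc-backup", 3, 3, 3, {"vaulted"}),
    PrivilegedAccount("domain-admin", 5, 5, 5,
                      {"vaulted", "rotated", "checkout_workflow"}),
]

if __name__ == "__main__":
    for name, missing in layer_gaps(SAMPLE_ACCOUNTS).items():
        state = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{name} (score {risk_score(next(a for a in SAMPLE_ACCOUNTS if a.name == name))}): {state}")
```

Run as a script it prints one line per account. The lab account already carries the two layers its score calls for, the backup service account is missing four, and the domain admin is missing the proxying, recording and live-monitoring layers that its maximum score demands.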

Page 8

PowerBroker Password Safe

v6.0

Martin Cannard – Product Manager

Page 9

PAM – A collection of best practices

• AD Bridge: Use AD credentials to access Unix/Linux hosts

• Privilege Delegation: Once the user is logged on, manage what they can do

• Session Management: Managed list of resources the user is authorized to access. Gateway proxy capability. Audit of all session activity

• Password & SSH Key Management: Automate the management of functional account passwords and SSH keys

Page 10

Comprehensive Security Management

► Secure and automate the process for managing privileged account passwords and keys

► Control how people, services, applications and scripts access managed credentials

► Auto-logon users onto RDP, SSH sessions and apps, without revealing the password

► Record all user and administrator activity (with keystrokes) in a comprehensive audit trail

► Alert in real-time as passwords and keys are released and as session activity is started

► Monitor session activity in real-time, and immediately lock/terminate suspicious activity

Figure: Privileged Password Management (People, Services, A2A), Privileged Session Management, SSH Key Management

Page 11

Privileged Session Management

• User authenticates to Password Safe and requests a session to a protected resource

• Native desktop tool (MSTSC/PuTTY etc.) connects to Password Safe, which proxies the connection through to the requested resource

• RDP/SSH session is proxied through the Password Safe appliance to the protected resource

Figure labels: HTTPS, RDP / SSH, Password Safe proxy, Protected Resources

Page 12

Differentiator:

Adaptive Workflow Control

Page 13

Adaptive Workflow Control

• Day

• Date

• Time

• Who

• What

• Where
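Page 13 lists the inputs of adaptive workflow control (day, date, time, who, what, where) without showing how a request is routed on them. The block below is an added worked example, not Password Safe code and not an API of the product: it evaluates a credential checkout request against a rule and returns one of three routing decisions. Treating who/what/where as hard gates and day/date/time as soft conditions that divert to human approval is a design choice made for the example; the rule structure, decision names and sample policy are assumptions.

```python
"""Adaptive workflow control for a credential-release request (added illustration).

Not BeyondTrust code. Rule structure, decision names and the sample
policy/requests are assumptions. who/what/where are hard gates (wrong
user, account or network is denied); day/date/time are soft (out of
hours or on a change-freeze day the request goes to an approver).
"""
from dataclasses import dataclass
from datetime import datetime, date, time
import ipaddress


@dataclass
class CheckoutRequest:
    who: str          # requesting user
    what: str         # managed account requested
    where: str        # source IP of the requester
    when: datetime    # request timestamp (supplies day, date and time)


@dataclass
class Rule:
    accounts: set     # "what": managed accounts this rule covers
    users: set        # "who": users allowed under this rule
    networks: list    # "where": allowed source networks (ip_network objects)
    weekdays: set     # "day": 0 = Monday ... 6 = Sunday
    start: time       # "time": window start (inclusive)
    end: time         # "time": window end (exclusive)
    freeze_dates: set # "date": change-freeze days, never auto-approved
    inside_window: str = "auto-approve"
    outside_window: str = "require-approval"


def _in_network(ip: str, networks) -> bool:
    """Malformed or unknown source addresses never match (fail closed)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def route(req: CheckoutRequest, rules) -> str:
    """Return 'auto-approve', 'require-approval' or 'deny'."""
    for rule in rules:
        if req.what not in rule.accounts or req.who not in rule.users:
            continue                       # rule does not cover who/what
        if not _in_network(req.where, rule.networks):
            continue                       # wrong "where" for this rule
        in_day = req.when.weekday() in rule.weekdays
        in_time = rule.start <= req.when.time() < rule.end
        not_frozen = req.when.date() not in rule.freeze_dates
        if in_day and in_time and not_frozen:
            return rule.inside_window
        return rule.outside_window         # matched, but outside day/date/time
    return "deny"                          # no rule grants who/what/where


def route_iso(who: str, what: str, where: str, when_iso: str, rules=None) -> str:
    """Convenience wrapper taking the timestamp as an ISO-8601 string."""
    req = CheckoutRequest(who, what, where, datetime.fromisoformat(when_iso))
    return route(req, SAMPLE_RULES if rules is None else rules)


# Constructed sample policy: DBAs may check out the prod DB admin account from
# the admin subnet Mon-Fri 08:00-18:00, except on a change-freeze day.
SAMPLE_RULES = [
    Rule(
        accounts={"prod-db-admin"},
        users={"alice", "bob"},
        networks=[ipaddress.ip_network("10.10.0.0/24")],
        weekdays={0, 1, 2, 3, 4},
        start=time(8, 0),
        end=time(18, 0),
        freeze_dates={date(2017, 1, 2)},
    )
]

if __name__ == "__main__":
    for args in [("alice", "prod-db-admin", "10.10.0.15", "2017-01-09T10:30"),
                 ("alice", "prod-db-admin", "10.10.0.15", "2017-01-07T10:30"),
                 ("mallory", "prod-db-admin", "10.10.0.15", "2017-01-09T10:30")]:
        print(args, "->", route_iso(*args))
```

The three sample calls show the three outcomes: a weekday request inside the window from the admin subnet is released automatically, the same request on a Saturday is diverted to an approver, and an unknown user is denied regardless of time. Rules are evaluated in order, so a more specific rule placed first can override a broader one.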

Page 14

Differentiator:

Controlling Application Access

Page 15

Automatic Login to ESXi example

User selects vSphere application and credentials

Figure components: Browser, RDP Client, ESX, RDP (4489), RDP (3389), vSphere RemoteApp, Credential Checkout, Credential Management, UserStore, Session Recording / Logging, HTTPS

Page 16

Automatic Login to Unix/Linux Applications

Typical Use Cases

• Jump host in DMZ

• Menu-driven Apps

• Backup Scripts

• Role-based Apps

User selects SSH application and credentials

Figure components: Browser, RDP Client, SSH (22), SSH (22), SSH Application, Credential Checkout, Session Recording / Logging, HTTPS

Page 17

Differentiator:

Reporting & Analytics

Page 18

Actionable Reporting

Page 19

Advanced Threat Analytics

Page 20

What makes Password Safe different?

• Adaptive workflow control to evaluate and intelligently route based on the who, what, where, and when of the request

• Full network scanning capabilities with built-in auto-onboard capabilities

• Integrated data warehouse and analytics capability

• Smart Rules for building permission sets dynamically according to data pulled back from scans

• Session management / live monitoring at NO ADDITIONAL COST

• Clean, uncluttered, and intuitive HTML5 interface for end users

Page 21

Market Validation

• Leader: Forrester PIM Wave, Q3 2016

− Top-ranked Current Offering (product) among all 10 vendors reviewed

− “BeyondTrust excels with its privileged session management capabilities.”

− “BeyondTrust […] provides the machine learning and predictive behavior analytics capabilities.”

• Leadership

− Gartner: “BeyondTrust is a representative vendor for all five key PAM solution categories.”

− OVUM: “BeyondTrust […] provides an integrated, one-stop approach to PAM… one of only a small band of PAM providers offering end-to-end coverage.”

− SC Magazine: “Recommended product.”

− … and more from IDC, KuppingerCole, TechNavio, 451Research, Frost & Sullivan and Forrester

Page 22

DEMO

Page 23

Poll

Page 24

Q&A

Thank you for attending!