qualysguard infoday 2012 - secure digital vault for qualys
Secure Digital Vault – Security You Can Bank On
Diagram: clients on the LAN, WAN or Internet reach the Cyber-Ark Vault Server; Vault Safes reside on a local drive or SAN.
• Secure repository for information at rest and in motion
• Securing data using multiple security layers, based on patented technology
• Tamper-proof
• More than 10 years of maturity
Enterprise Password Vault: Preventing Threats, Improving Productivity
Diagram: Windows Server.
The result? A preventative approach that:
• Secures privileged credentials
• Gives you full control over access
• Ticketing integration; approval workflow
• Personalizes usage
• Automatically replaces credentials on a periodic basis (policy driven)
• Protection from terminated employees & 3rd parties
• Generates better productivity & shorter time to resolution
Who is accessing critical information assets?
John, the IT admin, receives a ticket he needs to handle. There’s a problem on the Windows machines and he needs to install a patch to fix it, which requires administrator access.
John requests managerial approval to retrieve the password and transparently connects without seeing the password.
John’s access is logged, personalized, and the reason is entered.
Enterprise Password Vault In Action
Diagram: Ticketing Application; Enterprise IT Environment; Vault; Central Policy Manager.
Managed accounts shown in the diagram:
System    User           Pass
Unix      root           tops3cr3t
Oracle    SYS            tops3cr3t
Windows   Administrator  tops3cr3t
z/OS      DB2ADMIN       tops3cr3t
Cisco     enable         tops3cr3t
The diagram then shows the shared tops3cr3t value replaced by randomized passwords (y7qeF$1, lm7yT5w, X5$aq+p, gviNa9%) once the accounts are vaulted.
Password Vault Web Access
1. Central and Integrated Policy Definition
2. Initial load & Reset: Automatic Detection, Bulk upload, Manual
3. Request Workflow: Dual control, Integration with Ticketing Systems, One-time Passwords, exclusivity, groups
4. Direct Connection to Device
5. Auditor Access
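The request workflow above (managerial approval under dual control, exclusive checkout, a logged reason and ticket, and one-time passwords rotated on release) as a constructed Python model; this is an added example, not Cyber-Ark's code or API, and PasswordVault, VaultAccount and every method name are hypothetical.

```python
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ALPHABET = string.ascii_letters + string.digits + "$%+!#"

def generate_password(length: int = 24) -> str:
    # Stands in for the CPM generating a random replacement password.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

@dataclass
class VaultAccount:
    system: str
    user: str
    password: str = field(default_factory=generate_password)
    checked_out_by: Optional[str] = None  # exclusivity: at most one holder at a time

class PasswordVault:
    # Hypothetical vault model: approval, exclusive checkout, audit, rotation on check-in.
    def __init__(self, required_approvals: int = 1) -> None:
        self.accounts: Dict[str, VaultAccount] = {}
        self.required_approvals = required_approvals
        self.approvals: Dict[Tuple[str, str], Set[str]] = {}  # (account, requester) -> managers
        self.audit: List[dict] = []

    def approve(self, key: str, requester: str, manager: str) -> None:
        if manager == requester:  # dual control: nobody approves their own request
            raise PermissionError("self-approval is not allowed")
        self.approvals.setdefault((key, requester), set()).add(manager)

    def checkout(self, key: str, requester: str, reason: str, ticket: str) -> str:
        acct = self.accounts[key]
        if len(self.approvals.get((key, requester), ())) < self.required_approvals:
            raise PermissionError("managerial approval missing")
        if acct.checked_out_by not in (None, requester):
            raise PermissionError(f"account is exclusively held by {acct.checked_out_by}")
        acct.checked_out_by = requester  # personalized: the checkout is tied to the requester
        self.audit.append({"event": "checkout", "user": requester, "account": key, "reason": reason, "ticket": ticket})
        return acct.password

    def checkin(self, key: str, requester: str) -> None:
        acct = self.accounts[key]
        if acct.checked_out_by != requester:
            raise PermissionError("only the current holder can check in")
        acct.password = generate_password()  # one-time password: rotated once released
        acct.checked_out_by = None
        self.approvals.pop((key, requester), None)  # an approval covers a single use
        self.audit.append({"event": "checkin+rotate", "user": requester, "account": key})
```

Accounts are registered by assigning a VaultAccount to `vault.accounts["System/User"]`; the audit list then records who took which account, why, and under which ticket.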
Diagram: Policy; roles IT, Security/Risk Management and Auditors. The password column again shows tops3cr3t replaced by a randomized value (Tojsd$5fhOiue^$fgW).
Application Identity Management: Tighter Security; Better Compliance
Secure, manage and eliminate hard-coded privileged accounts from applications
Diagram: applications (Billing App, CRM App, HR App, Online Booking System) running on WebSphere, WebLogic, IIS / .NET and legacy platforms.
• Secure & reset application credentials with no downtime or restart
• Ensure business continuity & high performance with a secure local cache
• Strong application authentication
• Unique solution for Java Application Servers with no code changes
• Avoid hard coding connection strings – no code changes & overhead

Before (hard-coded credentials):
    UserName = "app"
    Password = "y7qeF$1"
    Host = "10.10.3.56"
    ConnectDatabase(Host, UserName, Password)

After (credentials retrieved at runtime):
    UserName = GetUserName()
    Password = GetPassword()
    Host = GetHost()
    ConnectDatabase(Host, UserName, Password)
QualysGuard automates vulnerability management and policy compliance
AIM: Example of Integrating with 3rd Party Applications
With Cyber-Ark, automate trusted scans using credentials that are stored and managed by the PIM Suite
Coverage of security scans is more in-depth, providing a complete view of IT security and compliance
Privileged credentials are securely protected and periodically changed based on enterprise policy
Overall, company data is better protected
• Supported Platforms: Windows, Linux, Solaris, AIX
• Programming languages: Java, C/C++, VB, .NET, command-line
• Application Servers: Transparent solution for WebLogic, WebSphere, JBOSS, Tomcat
Application Identity Manager In Action
Diagram: Vault; Central Policy Manager; servers running applications and scripts (App1) with the Application Password Provider and its Cyber-Ark secure cache; database servers / network resources.
Managed application accounts shown in the diagram:
System    User        Pass
Oracle    appId1      OracleApp1
DB/2      backup1     DB2backup1
SAP       edi_user2   SAP123
Windows   service1    WinService1
The diagram shows these hard-coded passwords replaced by randomized values (y7qeF$1, lm7yT5w, X5$aq+p, gviNa9%, kR59$ufg).
1. Secure and Reset Application Credentials
2. Applications pull credentials using the secure local cache
3. Password Reset: the application no longer embeds the credential but calls
    UserName = GetUserName()
    Password = GetPassword()
    Host = GetHost()
    ConnectDatabase(Host, UserName, Password)
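As an added example of the GetUserName()/GetPassword() pattern and the secure local cache described above, the following Python is not Cyber-Ark's AIM code; FakeVault, FakeDatabase and CredentialProvider are constructed stand-ins, and the sample account and password values are taken from the slides. It shows the three behaviours the slides claim: no embedded secret, a vault-side reset that needs no application restart, and continued operation from the cache when the vault is unreachable.

```python
import time

class VaultUnavailable(Exception): pass
class AuthFailed(Exception): pass

class FakeVault:
    # Constructed stand-in for the vault; rotate() plays the Central Policy Manager's role.
    def __init__(self):
        self.secrets, self.online = {"Oracle/appId1": "y7qeF$1"}, True  # constructed sample
    def fetch(self, key):
        if not self.online:
            raise VaultUnavailable(key)
        return self.secrets[key]
    def rotate(self, key, new_password):
        self.secrets[key] = new_password

class FakeDatabase:
    # Constructed target: accepts only the password the vault currently holds for the account.
    def __init__(self, vault, key):
        self.vault, self.key = vault, key
    def connect(self, user, password):
        if password != self.vault.secrets[self.key]:
            raise AuthFailed(user)
        return f"session:{user}"

class CredentialProvider:
    # Hypothetical provider: fetch on demand, cache with a TTL, serve the cache if the vault is down.
    def __init__(self, vault, ttl_seconds=300.0):
        self.vault, self.ttl = vault, ttl_seconds
        self.cache = {}  # key -> (password, fetched_at)
    def get(self, key, force_refresh=False):
        entry = self.cache.get(key)
        if entry and not force_refresh and time.monotonic() - entry[1] < self.ttl:
            return entry[0]
        try:
            value = self.vault.fetch(key)
        except VaultUnavailable:
            if entry:  # vault down: fall back to the last known good credential
                return entry[0]
            raise
        self.cache[key] = (value, time.monotonic())
        return value

def connect_with_vault(db, provider, key, user):
    # The GetUserName()/GetPassword() pattern: no embedded secret, plus one retry with a
    # refreshed credential so a vault-side password reset needs no application restart.
    try:
        return db.connect(user, provider.get(key))
    except AuthFailed:
        return db.connect(user, provider.get(key, force_refresh=True))
```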
AIM “Push” Mode
Diagram: Vault; Central Policy Manager; applications/products using embedded credentials; database servers / network resources.
Managed accounts shown in the diagram:
System    User        Pass (current state)
Oracle    appId1      OracleApp1
DB/2      backup1     DB2backup1
SAP       edi_user2   SAP123
Windows   service1    WinService1
The diagram shows these embedded passwords pushed to the targets and replaced by randomized values (y7qeF$1, lm7yT5w, X5$aq+p, gviNa9%).
• Supported Platforms: Windows Services, Windows Scheduled Tasks, IIS Application Pools, Windows Registry, F5 BigIP, ….
On-Demand Privileges Manager: Tightening Unix Security
• Control superuser access
• Manage who can run which commands
• On-demand elevation for privileged commands
• Monitor & audit with reports and text recording
Audit record fields shown in the diagram: When, Who, What, Where.
Continuous Monitoring & Protection Across the Datacenter
Privileged Session Management Suite: PSM for Servers, PSM for Databases, PSM for Virtualization. Isolate, Control, Monitor.
Value of Privileged Session Management
• Isolate: Prevent cyber attacks by isolating desktops from sensitive target machines
• Control: Create accountability and control over privileged session access with policies, workflows and privileged single sign on
• Monitor: Deliver continuous monitoring and compliance with session recording with zero footprint on target machines
Data on target systems is protected and sabotage is eliminated
Isolating Sensitive Assets – Preventing Targeted Attacks
How can I reduce the risk of malware infecting target systems?
Diagram: Privileged Session Manager in front of servers, databases and virtual machines.
1. John receives an email with targeted malware
3. Session is run on an isolated secure proxy, not on the desktop.
With PSM: malware spread is blocked
More Control over Privileged Sessions
• Control who can connect to a privileged session and for how long
• Enable privileged single sign on without exposing credentials (e.g. external contractors)
• Enforce approval workflows
• Implement strong authentication
Privileged Session Management for Servers
Diagram: IT personnel, PVWA, PSM, Vault; targets: Windows Servers, Unix / Linux Servers, Routers & Switches, ….
1. Logon through PVWA
2. Connect
3. Fetch credential from Vault
4. Connect using native protocols
5. Store session recording in tamper-proof vault
6. View session recording
Privileged Session Management for Databases
What are my highly privileged DBAs doing on the Production Servers? What sensitive business data are they viewing and changing?
Privileged DBA Users
“Turning on auditing kills performance!”
SIEM can’t really capture read operations (“select …”)
Independent Oracle Users Group (IOUG) 2010 Survey: 75% of DBAs say their organizations can’t monitor them
Database Activity Monitoring Solutions
Diagram: DAM appliances and a DAM console between application/business users, the privileged DBA and the databases.
• Every database interaction is monitored
• Cumbersome to deploy; very expensive for enterprise-wide protection
• Not really designed to stop DBAs; only partially monitors them
• No solution for controlling access to database host OS
PSM for Databases: Focusing on the Privileged DBAs
Diagram: PSM in front of the privileged DBA user; DAM (optional) for application & business users.
• Control and monitor only the privileged DBAs, where most of the risk lies
• Zero footprint on databases means quicker deployment with no performance overhead
• Protecting and monitoring OS
The technology that enables the cloud
PSM for Virtualization
Diagram: traditional IT servers versus a virtual server hosting Image A, Image B and Image C under a VM/Hypervisor Manager.
Hypervisors are highly privileged with wider system access: exponential risk! With wider system access, the hypervisor is more prone to targeted attacks.
Diagram: Auditor, PIM App, Vault, Hypervisor Manager.
An Innovative Approach to Virtualization Security
Diagram: PSM for Virtualization mediating access to the Hypervisor Management Console (vCenter), the hypervisor and the guest machines (Image A, Image B, Image C).
Securing the Virtual Environment with a Central Command & Control Point
Privileged Identity Management:
• Control access to hypervisors, vCenter & guest machines
• Personalize access and track usage
• Enforce security policies for credential management
• Enforce change management approval procedures
Privileged Session Management:
• No footprint on hypervisors
• Monitor VM admin & guest machine activities with DVR recording
• Enforce session access & approval workflows
• Strong authentication to hypervisor
• Privileged single sign on
Single policy, single audit for privileged account management in virtualized environments
Summary: Privileged Identity & Session Management
A comprehensive platform for isolating and preemptively protecting your datacenter – whether on premise or in the cloud
Discover all privileged accounts across datacenter
Manage and secure every credential
Enforce policies for usage
Record and monitor privileged activities
React and comply
PSM for Privileged Remote Access
Diagram: external vendors and auditors on the Internet connect over HTTPS through the firewall to the PIM App and Vault on the corporate network, which broker sessions to Windows Servers, UNIX Servers, and Routers and Switches.
PSM for Distributed, Cross-Network Access
Diagram: a central Vault with CPM/PSM components in the Prod, OPS and Dev networks, reached over HTTPS by IT personnel and auditors.