Agenda
Company Introduction
Today's Security Challenges
Privileged Identity Management Suite Overview
Privileged Session Management Suite Overview
Customer Case Studies
Summary
Cyber-Ark Overview
Established in 1999, HQ Boston, US
Offices Worldwide
Award-winning patented Vaulting Technology®
50% CAGR in the last 5 years
200 new Enterprise customers in 2010
Strategic Partnerships
Recognized Market Leadership
'Enterprise Security Solution of the Year' 2010 Winner
"The company has gradually expanded from its initial start as an enterprise vault for file and sensitive content sharing to assume a commanding position in privileged identity management (PIM)"
- Steve Copland, April 2010
"Cyber-Ark has one of the largest customer bases of the vendors included in this Market Scope and, because of its focus on enterprise customers … the largest market share by revenue by a wide margin."
- Ant Allan/Perry Carpenter, June 2009
"Cyber-Ark is perceived as a leader in the rapidly expanding market for Privileged Access Management solutions."
- Martin Kuppinger, 2010
"Cyber-ark is at the top of the PIM market, based on product maturity & the number of customer deployments"
- Mark Diodati, 2009
Customer Snapshot
Diversified Customer Base
Securing over 850 Global Enterprise customers
33% of Fortune 50 companies
8 of the top 10 global banks
All top 5 banks in Canada
95% Renewal Rate
Truly Global
Customers in approximately 50 countries
Truly Global
54% 40%
6%
Americas
EMEA
APAC
Communications & Media
Financial Services
Pharmaceuticals
Energy & Utilities
Other Industries
Cyber-Ark's Solution Suites
Privileged Identity Management Suite: Enterprise Password Vault®, Application Identity Manager™, On-Demand Privileges Manager™
Privileged Session Management Suite: PSM for Servers, PSM for Databases, PSM for Virtualization
Sensitive Information Management Suite: Governed File Transfer Suite, Sensitive Document Vault™
Who has access to privileged accounts?
Administrators
Contractors; Cloud Service Providers
DBAs
Terminated Employees
Applications
Why are these breaches happening?
Shared account usage
Excessive privilege
"Hidden/Sleeping" accounts
Non-existent/unenforced access controls
Infrequent replacement of credentials
Privileged Accounts Give System-Wide Access
* Verizon, 2010 Data Breach Investigations Report
“48% of data breaches were caused by privileged misuse”
Proactively manage privileged access to prevent such attacks
Key Drivers for Privileged Account and Session Management
Insider Threats
> Insiders have 2 things hackers don't: access and trust
> Malicious insider attacks can take up to 42 days or more to resolve (Ponemon Institute, July 2010)
Risk and Compliance
> Compliance and audit questions are going deeper and wider
> On average, non-compliance cost is 2.65 times the cost of compliance (Ponemon Institute, The True Cost of Compliance, Jan 2011)
Moving to the Cloud
> CIO Survey: Security is the single biggest barrier to cloud computing adoption
> Migrating to the cloud means losing control over the human factor
Advanced Persistent Threats
> Better planned, sophisticated and targeted attacks
> Targeting the most valuable assets
> Go after the most powerful privileged system accounts
Create full accountability & access control
Provide proof on privileged activity
Securely migrate to the Cloud with control & visibility
Secure privileged accounts & isolate privileged sessions
"Cyber Crime costs can range from $1M to $52M per year per company"
Ponemon Institute, First Annual Cost of Cyber Crime Study, July 2010
Cyber-Ark Privileged Identity & Session Management
Improving Your Security Posture With A Preventative Approach
Continuous Activity Monitoring
Privileged Access Control
Securing Critical Applications
Protecting & Isolating Sensitive Assets
Privileged Identity Management Suite v.6.0
PIM Portal/Web Access
Secure Digital Vault™
Central Policy Manager
Integrations: Monitoring & SIEM Applications, Ticketing Systems, Identity Management, Enterprise Directory and more
Users: External Vendors, IT Personnel, Auditors, Developers & DBAs
Unified Workflows for Accessing Privileged Accounts
[Diagram: External Vendors, Unix Admins, Windows Admins, DBAs, VM Admins, Business Applications and Auditor/Security & Risk connect through the Privileged Identity Management Suite (EPV, AIM, OPM, and Monitoring & Reporting workflows; SSH / X / Telnet) to Windows Servers, Unix/Linux Servers, AS400 iSeries Mainframes, OS390 zSeries Mainframes, Network Devices, Virtual Servers, Databases, Applications and Security Appliances]
Enterprise Password Vault: Preventing Threats, Improving Productivity
Who is accessing critical information assets?
John, the IT admin, receives a ticket he needs to handle. There's a problem on the Windows machines and he needs to install a patch to fix it which requires administrator access
John requests managerial approval to retrieve password and transparently connects without seeing the password
John's access is logged, personalized and reason is entered
[Diagram labels: Ticketing Application, Windows Server]
The result? A preventative approach that:
Secures privileged credentials
Gives you full control over access
Ticketing integration; approval workflow
Personalizes usage
Automatically replaces credentials on a periodic basis (policy driven)
Protection from terminated employees & 3rd parties
Generates better productivity & shorter time to resolution
EPV: Better Visibility & Control for Managers
When was the account accessed and why?
Where do all my privileged accounts exist?
Auto-discovery automatically detects unmanaged devices and service accounts for operational efficiency and full compliance
Automatically manage hundreds of thousands of local admin accounts
EPV: More Efficiency for Auditors
Was the access authorized?
Are privileged credentials being changed according to policy?
Built-in and scheduled reports
Application Identity Management: Tighter Security; Better Compliance
Secure, manage and eliminate hard-coded privileged accounts from applications
[Diagram labels: Billing App, CRM App, HR App, Online Booking System, Websphere, Weblogic, IIS / .NET, Legacy]
Secure & reset application credentials with no downtime or restart
Ensure business continuity & high performance with a secure local cache
Strong application authentication
Unique solution for Java Application Servers with no code changes
Avoid hard coding connection strings – no code changes & overhead
Hard-coded:
    UserName = "app"
    Password = "y7qeF$1"
    Host = "10.10.3.56"
    ConnectDatabase(Host, UserName, Password)
Retrieved at run time:
    UserName = GetUserName()
    Password = GetPassword()
    Host = GetHost()
    ConnectDatabase(Host, UserName, Password)
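The run-time retrieval pattern on this slide, together with the local cache and the no-restart credential reset its bullets describe, sketched as an added example (not Cyber-Ark's code or API). `CredentialProvider`, `VaultUnavailable`, `connect_with_rotation` and the `fetch` callable are hypothetical names, and the vault and database in `demo` are constructed stand-ins.

```python
import time

class VaultUnavailable(Exception):
    """Raised by the hypothetical vault client when the vault is unreachable."""

class CredentialProvider:
    """Fetches credentials at run time and keeps a short-lived local cache."""
    def __init__(self, fetch, ttl_seconds=300, clock=time.monotonic):
        self._fetch = fetch      # hypothetical callable: returns host/username/password dict
        self._ttl = ttl_seconds
        self._clock = clock
        self._cached = None
        self._fetched_at = 0.0

    def get(self, force_refresh=False):
        fresh = self._cached is not None and self._clock() - self._fetched_at < self._ttl
        if fresh and not force_refresh:
            return self._cached
        try:
            self._cached = self._fetch()
            self._fetched_at = self._clock()
        except VaultUnavailable:
            # Availability: serve the last known copy during a vault outage,
            # but fail closed if nothing was ever retrieved.
            if self._cached is None:
                raise
        return self._cached

def connect_with_rotation(provider, connect):
    """On an authentication failure, assume the password was rotated:
    refresh from the vault once and retry, with no application restart."""
    cred = provider.get()
    try:
        return connect(cred["host"], cred["username"], cred["password"])
    except PermissionError:
        cred = provider.get(force_refresh=True)
        return connect(cred["host"], cred["username"], cred["password"])

def demo():
    """Constructed scenario: the vault rotates the password between two connects."""
    vault = {"host": "db.example.internal", "username": "app", "password": "constructed-old"}
    def connect(host, user, password):       # stand-in for ConnectDatabase
        if password != vault["password"]:
            raise PermissionError("login failed")
        return f"{user}@{host}"
    provider = CredentialProvider(lambda: dict(vault))
    first = connect_with_rotation(provider, connect)
    vault["password"] = "constructed-new"    # rotation happens in the vault
    second = connect_with_rotation(provider, connect)
    return first, second, provider.get()["password"]
```

The cache trades freshness for availability: a stale credential is served only while the vault is unreachable, and a rejected login forces one refresh.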
AIM: Example of Integrating with 3rd Party Applications
QualysGuard automates vulnerability management and policy compliance
With Cyber-Ark, automate trusted scans using credentials that are stored and managed by the PIM Suite
Coverage of security scans is more in-depth, providing a complete view of IT security and compliance
Privileged credentials are securely protected and periodically changed based on enterprise policy
Overall, company data is better protected
On-Demand Privileges Manager: Tightening Unix Security
Control superuser access
Manage who can run which commands
On-demand elevation for privileged commands
Monitor & audit with reports and text recording
When Who What Where What
Expanding from Managing Accounts to Managing Sessions
Portal/Web Access
Secure Digital Vault™
Central Policy Manager
Privileged Identity Management: Secure, manage and track privileged accounts
Privileged Session Management: Isolate, control, and monitor privileged sessions
Integrations: Monitoring & SIEM Applications, Ticketing Systems, Identity Management, Enterprise Directory and more
Users: External Vendors, IT Personnel, Auditors, Developers & DBAs
Continuous Monitoring & Protection Across the Datacenter
Privileged Session Management Suite
PSM for Servers
PSM for Databases
PSM for Virtualization
Isolate
Control
Monitor
Value of Privileged Session Management
Isolate
• Prevent cyber attacks by isolating desktops from sensitive target machines
Control
• Create accountability and control over privileged session access with policies, workflows and privileged single sign on
Monitor
• Deliver continuous monitoring and compliance with session recording with zero footprint on target machines
How Can I Reduce The Risk Of Advanced and Targeted Threats?
Someone wants to steal customer accounts from "Top Bank"
They search LinkedIn and find John the DBA
John is sent an email with targeted malware and opens it
As John connects to Accounts DB, malware begins downloading info
Next week it's headline news
Isolating Sensitive Assets – Preventing Targeted Attacks
How can I reduce the risk of malware infecting target systems?
With PSM
1. John receives an email with targeted malware
3. Session is run on an isolated secure proxy, not on desktop.
Malware spread is blocked
Data on target systems is protected and sabotage is eliminated
[Diagram labels: Privileged Session Manager, Servers, Databases, Virtual Machines]
More Control over Privileged Sessions
Control who can connect to a privileged session and for how long
Enable privileged single sign on without exposing the credential (e.g. external contractors)
Enforce approval workflows
Implement strong authentication
More Visibility into Privileged Activities
What was changed in the Windows configuration last week?
What brought my production system down this morning?
Better root-cause analysis
Quicker time to recovery
Audit & compliance proof
Privileged Session Management for Servers
[Diagram labels: IT personnel, PVWA, PSM, Vault]
1. Logon through PVWA
2. Connect
3. Fetch credential from Vault
4. Connect using native protocols
5. Store session recording in tamper-proof vault
6. View session recording
Target systems: Windows Servers, Unix/Linux Servers, Routers & Switches, ….
Privileged Session Management for Databases
What are my highly privileged DBAs doing on the Production Servers?
What sensitive business data are they viewing and changing?
Privileged DBA Users
"Turning on auditing kills performance!"
SIEM can't really capture read operations ("select …")
Independent Oracle Users Group (IOUG) 2010 Survey:
75% of DBAs say their organizations can't monitor them
Database Activity Monitoring Solutions
[Diagram labels: DAM Appliances, DAM Console, Application, Business Users, Privileged DBA]
Every database interaction is monitored
Cumbersome to deploy; very expensive for enterprise-wide protection
Not really designed to stop DBAs; only partially monitors them
No solution for controlling access to database host OS
PSM for Databases: Focusing on the Privileged DBAs
[Diagram labels: PSM, Privileged DBA User; DAM (optional), Application & Business Users]
Control and monitor only the privileged DBAs where most of the risk lies
Zero footprint on databases means quicker deployment with no performance overhead
Protecting and monitoring OS
Securing Privileged Database Access & Activities
With Privileged Identity Management:
Manage database system accounts and DBA shared account with Enterprise Password Vault
Manage access to the Unix/Linux database host users & data files with On-Demand Privileges Manager
Remove hard-coded DBA credentials in applications/scripts with Application Identity Management
With Privileged Session Management:
Isolate database sessions from targeted attacks
Avoid exposing privileged credential with privileged single sign on
Control privileged session access
Monitor & record DBA activities with a zero footprint solution
Personalize DBA access
PSM for Virtualization
The technology that enables the cloud
[Diagram labels: Traditional IT Servers; Virtual Server with Image A, Image B, Image C; VM/Hypervisor Manager]
Hypervisors are highly privileged with wider system access – exponential risk!
With wider system access, the hypervisor is more prone to targeted attacks
An Innovative Approach to Virtualization Security
[Diagram labels: Auditor, PIM App, Vault, Hypervisor Manager, Hypervisor Management Console (vCenter), PSM for Virtualization, Hypervisor, Guest Machines (Image A, Image B, Image C)]
Securing the Virtual Environment with a Central Command & Control Point
Privileged Identity Management
Control access to hypervisors, vCenter & guest machines
Personalize access and track usage
Enforce security policies for credential management
Enforce change management approval procedures
Privileged Session Management
No footprint on hypervisors
Monitor VM admin & guest machine activities with DVR recording
Enforce session access & approval workflows
Strong authentication to hypervisor
Privileged single sign on
Single policy, single audit for privileged account management in virtualized environments
Value of Privileged Session Management
Isolate & Protect Against Cyber Attacks
Deliver Continuous Monitoring & Compliance
Integrated Privileged Database Activity Monitoring
Faster Deployment with No Performance Overhead
PSM for Servers
PSM for Databases
PSM for Virtualization
Privileged 'Administrator' Example
Company: North America Energy Provider
Regulation: FERC
Driver: Audit finding highlighting unmanaged access to sensitive systems, applications and databases
Scope: Deployed PIM in multiple datacenters throughout their NA footprint
Benefits:
Benefits of PIM reaped fast
• Implemented within 6 months on critical systems
Improved operations – error prone, time & cost savings
• Daily automatic change & verification of system passwords
Better security posture
• Able to prove to auditors that passwords are stronger and regularly changed
Met FERC compliance goals
• Eliminated the risk of unauthorized access
"The PIM system ensures that now 98% of the passwords are automatically, regularly, and successfully verified — moving the company along a great deal toward achieving regulatory compliance"
Privileged 'Session' Example
Company: Telco with over 100M subscribers
Regulation: Multiple
Driver: Compliance, control & monitor access to production environment, reduce operational costs
Scope: Integrated EPV & PSM implementation on 15,000 machines, tens of thousands of accounts. Extending to AIM
Benefits:
Minimized security risks
• Detailed audit logging & recording – 26,000 PSM recorded sessions within first 60 days
Met compliance goals
Reduced TCO
• Avoid performance impact of end-point logging agents – savings of around 4% of total CPU power!
Operational efficiency
• Integrated solution with central management & unified reporting & policies
• Improved IT work efficiency with privileged single-sign-on
Privileged 'Application' Example
Company: North American Airline
Regulation: PCI
Driver: Audit finding related to embedded identities within the consumer online booking system
Scope: Phased approach, extending EPV to AIM, implemented on hundreds of servers/systems, will extend to thousands
Benefits:
Achieved PCI compliance
Improved security posture
• Removed clear text embedded passwords to databases e.g. with credit card numbers
Operational efficiency
• Now able to change passwords every 90 days in line with PCI regulations
High availability with secure caching
• Online booking system had to always be able to pull the password (99.9% availability)
Risk mitigation, accountability & auditability
• Ensure access control, know what was done, when & why on an individual level
"With PCI compliance as a significant business driver, specifically for our e-commerce business, we turned to Cyber-Ark to get our user and hard-coded application passwords under control, while at the same time being able to enforce new security policies built to protect our customers."
What Our Customers Are Saying
"Cyber-Ark enables us to plan for future compliance requirements and seamlessly migrate to the cloud without any security concerns."
- Dries Robberechts, Senior Technical Consultant
"We now have a fully-automated, 24/7 system that lowers operational risk and improves reporting and audit processes."
- Burak Öztürk, Finansbank
"Our people like the EPV concept and find the software easy to use. The software deployment and rollout was easy..."
- Mary Travers, Data Security Analyst
"The new approach really improves our ability to manage all access to privileged accounts."
- Mike Brannon, Senior Manager of Information Systems
Summary: Privileged Identity & Session Management
A comprehensive platform for isolating and preemptively protecting your datacenter – whether on premise or in the cloud
Discover all privileged accounts across datacenter
Manage and secure every credential
Enforce policies for usage
Record and monitor privileged activities
React and comply