PIM FOR QUALYS Presenter: Jan Dienstbier

QualysGuard InfoDay 2012 - Secure Digital Vault for Qualys


Secure Digital Vault – Security You Can Bank On

[Diagram: the Cyber-Ark Vault Server with its Vault Safes on a local drive or SAN, reached over LAN, WAN or the Internet]

• Secure repository for information at rest and in motion
• Securing data using multiple security layers, based on patented technology
• Tamper-proof
• More than 10 years of maturity

Enterprise Password Vault: Preventing Threats, Improving Productivity

The result? A preventative approach that:
• Secures privileged credentials
• Gives you full control over access
• Ticketing integration; approval workflow
• Personalizes usage
• Automatically replaces credentials on a periodic basis (policy driven)
• Protection from terminated employees & 3rd parties
• Generates better productivity & shorter time to resolution

Enterprise Password Vault In Action

Who is accessing critical information assets?

1. John, the IT admin, receives a ticket he needs to handle. There is a problem on the Windows machines and he needs to install a patch to fix it, which requires administrator access.
2. John requests managerial approval to retrieve the password.
3. John transparently connects without seeing the password.
4. John's access is logged and personalized, and the reason is entered.

[Diagram: Ticketing Application, Enterprise IT Environment, Vault, Central Policy Manager, Manager (approver) and Password Vault Web Access]

Before the Vault takes over, every privileged account shares the same password:

System    User            Password
Unix      root            tops3cr3t
Oracle    SYS             tops3cr3t
Windows   Administrator   tops3cr3t
z/OS      DB2ADMIN        tops3cr3t
Cisco     enable          tops3cr3t

Afterwards each account is reset to its own random value (the slide shows values such as y7qeF$1lm7yT5wX5$aq+pgviNa9% and Tojsd$5fhOiue^$fgW).

Policy:
1. Central and Integrated Policy Definition
2. Initial load & Reset: Automatic Detection, Bulk upload, Manual
3. Request Workflow: Dual control, Integration with Ticketing Systems, One-time Passwords, exclusivity, groups
4. Direct Connection to Device
5. Auditor Access

Stakeholders: IT; Security/Risk Management; Auditors
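The request workflow on this slide (ticket required, dual control, exclusive checkout, one-time password, personalized audit trail) modelled as a small in-memory vault. This is an added example written for this page, not Cyber-Ark's code; the Vault class, its policy keys, the generate_password helper and the user, account and ticket names are assumptions.

```python
# Added example (not Cyber-Ark code): dual control, exclusivity and one-time
# password semantics for a privileged account checkout. Policy keys, the
# password generator and all names are assumptions for the illustration.
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


class PolicyError(Exception):
    """Raised when an action would violate the checkout policy."""


def generate_password(length: int = 20) -> str:
    # Policy-driven random password; the character set is an assumption.
    alphabet = string.ascii_letters + string.digits + "$%+^!"
    return "".join(secrets.choice(alphabet) for _ in range(length))


@dataclass
class Account:
    system: str
    user: str
    password: str
    checked_out_by: Optional[str] = None   # exclusivity: one holder at a time


@dataclass
class Request:
    requester: str
    account: Account
    reason: str
    ticket: str
    approved_by: Optional[str] = None


@dataclass
class Vault:
    policy: dict                               # {"dual_control", "exclusive", "one_time"}
    accounts: dict
    audit: list = field(default_factory=list)  # when / who / what / where records

    def _log(self, who: str, what: str, acct: Account, **extra) -> None:
        self.audit.append({"when": datetime.now(timezone.utc).isoformat(),
                           "who": who, "what": what,
                           "where": f"{acct.system}/{acct.user}", **extra})

    def request(self, requester: str, key: str, reason: str, ticket: str) -> Request:
        if not ticket:
            raise PolicyError("ticketing integration: a ticket number is required")
        req = Request(requester, self.accounts[key], reason, ticket)
        self._log(requester, "request", req.account, reason=reason, ticket=ticket)
        return req

    def approve(self, req: Request, approver: str) -> None:
        # Dual control: the approver must be a different person than the requester.
        if self.policy["dual_control"] and approver == req.requester:
            raise PolicyError("dual control: a requester cannot approve their own request")
        req.approved_by = approver
        self._log(approver, "approve", req.account, requester=req.requester)

    def checkout(self, req: Request) -> str:
        acct = req.account
        if self.policy["dual_control"] and req.approved_by is None:
            raise PolicyError("request has not been approved")
        # Exclusivity: while one user holds the account nobody else may check it out.
        if self.policy["exclusive"] and acct.checked_out_by not in (None, req.requester):
            raise PolicyError(f"exclusive account is held by {acct.checked_out_by}")
        acct.checked_out_by = req.requester
        self._log(req.requester, "checkout", acct, ticket=req.ticket)
        return acct.password

    def checkin(self, req: Request) -> None:
        acct = req.account
        acct.checked_out_by = None
        # One-time password: the value the user saw is invalidated on check-in.
        if self.policy["one_time"]:
            acct.password = generate_password()
        self._log(req.requester, "checkin", acct, reset=self.policy["one_time"])


def run_scenario() -> dict:
    """Walk John's ticket through the workflow on constructed sample data."""
    vault = Vault(policy={"dual_control": True, "exclusive": True, "one_time": True},
                  accounts={"win-admin": Account("Windows", "Administrator", "tops3cr3t")})
    req = vault.request("john", "win-admin", "install patch", "INC-1234")
    result = {"self_approval_blocked": False, "second_checkout_blocked": False}
    try:
        vault.approve(req, "john")           # must fail: dual control
    except PolicyError:
        result["self_approval_blocked"] = True
    vault.approve(req, "manager")
    seen = vault.checkout(req)
    other = vault.request("alice", "win-admin", "unrelated task", "INC-1235")
    vault.approve(other, "manager")
    try:
        vault.checkout(other)                # must fail: John still holds the account
    except PolicyError:
        result["second_checkout_blocked"] = True
    vault.checkin(req)
    result.update(password_seen=seen,
                  password_after=vault.accounts["win-admin"].password,
                  audit_actions=[e["what"] for e in vault.audit])
    return result
```

The point of the one-time reset is that the password John saw is worthless once he checks the account back in, so it cannot be written down or reused by a terminated employee or contractor; the audit list carries the when/who/what/where that the "Auditor Access" step reads.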

Application Identity Management: Tighter Security; Better Compliance

Secure, manage and eliminate hard-coded privileged accounts from applications.

[Diagram: applications with embedded credentials (Billing App, CRM App, HR App, Online Booking System) running on WebSphere, WebLogic, IIS / .NET and legacy platforms]

• Secure & reset application credentials with no downtime or restart
• Ensure business continuity & high performance with a secure local cache
• Strong application authentication
• Unique solution for Java Application Servers with no code changes
• Avoid hard coding connection strings: no code changes & overhead

Before (credentials hard-coded in the application):

    UserName = "app"
    Password = "y7qeF$1"
    Host = "10.10.3.56"
    ConnectDatabase(Host, UserName, Password)

After (credentials retrieved at run time):

    UserName = GetUserName()
    Password = GetPassword()
    Host = GetHost()
    ConnectDatabase(Host, UserName, Password)

AIM: Example of Integrating with 3rd Party Applications

QualysGuard automates vulnerability management and policy compliance.

• With Cyber-Ark, automate trusted (authenticated) scans using credentials that are stored and managed by the PIM Suite
• Coverage of security scans is more in-depth, providing a complete view of IT security and compliance
• Privileged credentials are securely protected and periodically changed based on enterprise policy
• Overall, company data is better protected

Application Identity Manager In Action

• Supported Platforms: Windows, Linux, Solaris, AIX
• Programming languages: Java, C/C++, VB, .NET, command-line
• Application Servers: transparent solution for WebLogic, WebSphere, JBOSS, Tomcat

[Diagram: servers running applications and scripts (OracleApp1, DB2backup1, SAP123, WinService1), each with a local Application Password Provider and Cyber-Ark secure cache that pulls credentials from the Vault; the Central Policy Manager resets the accounts on the database servers and network resources]

Managed application accounts:

System    User
Oracle    appId1
DB/2      backup1
SAP       edi_user2
Windows   service1

Each account receives its own managed password in place of the value embedded in code (the slide shows values such as y7qeF$1, lm7yT5w, X5$aq+p, gviNa9% and kR59$ufg).

Before (credentials hard-coded in the application):

    UserName = "app"
    Password = "y7qeF$1"
    Host = "10.10.3.56"
    ConnectDatabase(Host, UserName, Password)

1. Secure and Reset Application Credentials
2. Applications pull credentials, using the secure local cache
3. Password Reset: the next pull returns the new value and the application code does not change

    UserName = GetUserName()
    Password = GetPassword()
    Host = GetHost()
    ConnectDatabase(Host, UserName, Password)
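The pull pattern from the Before/After snippets above and from the three steps of this slide, as an added example written for this page rather than Cyber-Ark's provider code: a SimulatedVault stands in for the Vault and Central Policy Manager, CredentialProvider stands in for the Application Password Provider with its local cache, and connect_database is a constructed stand-in for the application's database client. The same pull replaces stored scan credentials in a scanner such as QualysGuard, per the earlier integration slide. All class, key and account names are assumptions.

```python
# Added example (not Cyber-Ark code): hard-coded credentials next to the
# provider-based form, showing a policy-driven reset picked up without a
# restart and cached credentials serving an application through a vault
# outage. The vault, provider design and sample data are assumptions.
import secrets
import string
import time


def generate_password(length: int = 20) -> str:
    alphabet = string.ascii_letters + string.digits + "$%+^!"
    return "".join(secrets.choice(alphabet) for _ in range(length))


class VaultUnavailable(Exception):
    """The vault could not be reached (network or service outage)."""


class SimulatedVault:
    """In-memory stand-in for the Vault and its policy manager (assumption)."""

    def __init__(self):
        # Constructed sample account: the values from the slide's code snippet.
        self.secrets = {"oracle-billing-app": {"user": "app", "host": "10.10.3.56",
                                               "password": "y7qeF$1"}}
        self.online = True
        self.fetches = 0

    def fetch(self, key: str) -> dict:
        if not self.online:
            raise VaultUnavailable("vault unreachable")
        self.fetches += 1
        return dict(self.secrets[key])

    def rotate(self, key: str) -> str:
        # Policy-driven reset: change it on the target and store the new value.
        self.secrets[key]["password"] = generate_password()
        return self.secrets[key]["password"]


class CredentialProvider:
    """Local provider with a time-bounded cache (hypothetical design)."""

    def __init__(self, vault, ttl_seconds: float = 300, clock=time.monotonic):
        self.vault, self.ttl, self.clock = vault, ttl_seconds, clock
        self._cache = {}   # key -> (credential dict, fetched_at)

    def get(self, key: str) -> dict:
        entry = self._cache.get(key)
        now = self.clock()
        if entry and now - entry[1] < self.ttl:
            return entry[0]
        try:
            cred = self.vault.fetch(key)
        except VaultUnavailable:
            if entry:          # business continuity: serve the last known value
                return entry[0]
            raise
        self._cache[key] = (cred, now)
        return cred

    def invalidate(self, key: str) -> None:
        self._cache.pop(key, None)


# Old code path: the secret lives in source, in every repo clone and backup.
def connect_hardcoded(connect_database):
    return connect_database("10.10.3.56", "app", "y7qeF$1")


# New code path: same connect call, credentials pulled at run time.
def connect_via_provider(provider: CredentialProvider, key: str, connect_database):
    cred = provider.get(key)
    try:
        return connect_database(cred["host"], cred["user"], cred["password"])
    except PermissionError:
        provider.invalidate(key)     # password was reset: refetch, no restart
        cred = provider.get(key)
        return connect_database(cred["host"], cred["user"], cred["password"])


def run_scenario() -> dict:
    """Steps 1-3 of the slide on constructed data: secure, pull, reset."""
    vault = SimulatedVault()
    clock = [0.0]
    provider = CredentialProvider(vault, ttl_seconds=300, clock=lambda: clock[0])
    key = "oracle-billing-app"

    def connect_database(host, user, password):
        # Constructed stand-in: accepts only the account's current password.
        cur = vault.secrets[key]
        if (host, user, password) != (cur["host"], cur["user"], cur["password"]):
            raise PermissionError("ORA-01017: invalid username/password")
        return f"session:{user}@{host}"

    out = {"first": connect_via_provider(provider, key, connect_database)}
    out["fetches_after_first"] = vault.fetches
    vault.rotate(key)                                   # policy-driven reset
    out["after_rotation"] = connect_via_provider(provider, key, connect_database)
    out["fetches_after_rotation"] = vault.fetches
    vault.online = False                                # vault outage
    clock[0] += 600                                     # cache entry past its TTL
    out["during_outage"] = connect_via_provider(provider, key, connect_database)
    try:
        connect_hardcoded(connect_database)
        out["hardcoded_still_works"] = True
    except PermissionError:
        out["hardcoded_still_works"] = False            # literal is now stale
    return out
```

Two caveats a practitioner should check in a real deployment: the local cache is itself a copy of the secret, so its file permissions and encryption matter as much as the vault's, and the provider must authenticate the calling application (path, hash, OS user) or any process on the host can pull the credential.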

AIM "Push" Mode

[Diagram: Vault and Central Policy Manager pushing new passwords to applications and products that use embedded credentials (OracleApp1, DB2backup1, SAP123, WinService1) and to the database servers and network resources they connect to]

Managed accounts:

System    User
Oracle    appId1
DB/2      backup1
SAP       edi_user2
Windows   service1

Current state: the Vault holds each account's current password (the slide shows y7qeF$1, lm7yT5w, X5$aq+p and gviNa9%) and pushes it into the component that uses it whenever the password is changed.

• Supported Platforms: Windows Services, Windows Scheduled Tasks, IIS Application Pools, Windows Registry, F5 BigIP, ...

On-Demand Privileges Manager: Tightening Unix Security

• Control superuser access
• Manage who can run which commands
• On-demand elevation for privileged commands
• Monitor & audit with reports and text recording: when, who, what, where
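A sudo-style policy evaluator for the "who can run which commands" control above, with the when/who/what/where audit record. This is an added example written for this page, not the product's engine; the rule format, the group table and the sample requests are constructed assumptions.

```python
# Added example (not Cyber-Ark code): command-level least privilege on Unix.
# Deny by default; each rule names who (users/groups), where (host patterns)
# and what (command patterns). Policy, groups and requests are constructed.
import fnmatch
import shlex
from datetime import datetime, timezone

POLICY = [
    {"users": ["ops-dba"], "hosts": ["db-*"],
     "commands": ["/usr/sbin/service oracle *"]},
    {"groups": ["webadmins"], "hosts": ["web-*"],
     "commands": ["/usr/sbin/service httpd restart",
                  "/usr/bin/tail -f /var/log/httpd/*"]},
    {"users": ["john"], "hosts": ["*"],
     "commands": ["/usr/bin/yum install *"]},
]
GROUPS = {"webadmins": {"alice", "bob"}}        # constructed group membership
SHELL_META = set(";&|<>`$()\n")


def _user_matches(rule: dict, user: str) -> bool:
    if user in rule.get("users", ()):
        return True
    return any(user in GROUPS.get(g, ()) for g in rule.get("groups", ()))


def _argv_matches(argv: list, pattern: str) -> bool:
    pat = shlex.split(pattern)
    # A trailing bare "*" stands for one or more further arguments; every other
    # token must match exactly one argument (wildcards allowed inside a token).
    if pat and pat[-1] == "*":
        head = pat[:-1]
        return len(argv) > len(head) and all(
            fnmatch.fnmatchcase(a, p) for a, p in zip(argv, head))
    return len(argv) == len(pat) and all(
        fnmatch.fnmatchcase(a, p) for a, p in zip(argv, pat))


def evaluate(user: str, host: str, command: str, policy=POLICY):
    """Return (allowed, reason). The command is matched as an argument vector
    and never handed to a shell, so "restart; /bin/bash" cannot be smuggled in."""
    if any(c in SHELL_META for c in command):
        return False, "shell metacharacters are never elevated"
    try:
        argv = shlex.split(command)
    except ValueError as exc:
        return False, f"unparseable command: {exc}"
    if not argv or not argv[0].startswith("/"):
        return False, "command must be given by absolute path"
    # fnmatch's "*" also matches "/", so a path pattern alone does not stop
    # "/var/log/httpd/../../../etc/shadow": reject traversal explicitly.
    if any(".." in a.split("/") for a in argv):
        return False, "path traversal in argument"
    for rule in policy:
        if not _user_matches(rule, user):
            continue
        if not any(fnmatch.fnmatchcase(host, h) for h in rule["hosts"]):
            continue
        for pattern in rule["commands"]:
            if _argv_matches(argv, pattern):
                return True, f"matched rule: {pattern}"
    return False, "no matching rule"


def elevate(user: str, host: str, command: str, audit: list) -> bool:
    """Decide, and record when / who / what / where whether allowed or not."""
    allowed, reason = evaluate(user, host, command)
    audit.append({"when": datetime.now(timezone.utc).isoformat(), "who": user,
                  "where": host, "what": command, "allowed": allowed,
                  "reason": reason})
    return allowed


def run_scenario() -> dict:
    """Constructed requests exercising the rules and their edge cases."""
    audit = []
    cases = {
        "john_yum": ("john", "app-07", "/usr/bin/yum install httpd"),
        "john_oracle": ("john", "db-01", "/usr/sbin/service oracle stop"),
        "dba_oracle": ("ops-dba", "db-01", "/usr/sbin/service oracle stop"),
        "dba_wrong_host": ("ops-dba", "web-01", "/usr/sbin/service oracle stop"),
        "alice_restart": ("alice", "web-01", "/usr/sbin/service httpd restart"),
        "alice_tail": ("alice", "web-01", "/usr/bin/tail -f /var/log/httpd/access_log"),
        "alice_traversal": ("alice", "web-01",
                            "/usr/bin/tail -f /var/log/httpd/../../../etc/shadow"),
        "alice_injection": ("alice", "web-01", "/usr/sbin/service httpd restart; /bin/bash"),
        "bob_relative": ("bob", "web-01", "service httpd restart"),
        "john_no_pkg": ("john", "app-07", "/usr/bin/yum install"),
    }
    result = {name: elevate(*args, audit) for name, args in cases.items()}
    result["audit_len"] = len(audit)
    return result
```

Denied requests are logged as deliberately as allowed ones; a run of denials for one user and host is the signal an auditor reading the "who/what/where" report wants to see.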

Continuous Monitoring & Protection Across the Datacenter

Privileged Session Management Suite: PSM for Servers, PSM for Databases, PSM for Virtualization

Three functions: Isolate, Control, Monitor

Value of Privileged Session Management

• Isolate: Prevent cyber attacks by isolating desktops from sensitive target machines
• Control: Create accountability and control over privileged session access with policies, workflows and privileged single sign-on
• Monitor: Deliver continuous monitoring and compliance with session recording, with zero footprint on target machines

Data on target systems is protected and sabotage is eliminated.

Isolating Sensitive Assets: Preventing Targeted Attacks

How can I reduce the risk of malware infecting target systems?

[Diagram: John's desktop, the Privileged Session Manager, and the target servers, databases and virtual machines]

John receives an email with targeted malware (1). With PSM, his session is run on an isolated secure proxy, not on the desktop (3), so malware spread is blocked.

More Control over Privileged Sessions

• Control who can connect to a privileged session and for how long
• Enable privileged single sign-on without exposing credentials (e.g. to external contractors)
• Enforce approval workflows
• Implement strong authentication

Privileged Session Management for Servers

[Diagram: IT personnel, PVWA, PSM and the Vault in front of the target Windows servers, Unix/Linux servers, routers & switches, ...]

1. Logon through PVWA
2. Connect
3. Fetch credential from Vault
4. Connect using native protocols
5. Store session recording in tamper-proof vault
6. View session recording

Privileged Session Management for Databases

What are my highly privileged DBAs doing on the Production Servers? What sensitive business data are they viewing and changing?

Privileged DBA users:
• "Turning on auditing kills performance!"
• SIEM can't really capture read operations ("select ...")

Independent Oracle Users Group (IOUG) 2010 Survey: 75% of DBAs say their organizations can't monitor them

Database Activity Monitoring Solutions

[Diagram: DAM appliances and a DAM console between the application/business users, the privileged DBA and the databases]

• Every database interaction is monitored
• Cumbersome to deploy; very expensive for enterprise-wide protection
• Not really designed to stop DBAs; only partially monitors them
• No solution for controlling access to the database host OS

PSM for Databases: Focusing on the Privileged DBAs

[Diagram: privileged DBA users go through PSM; application & business users go through DAM (optional)]

• Control and monitor only the privileged DBAs, where most of the risk lies
• Zero footprint on databases means quicker deployment with no performance overhead
• Protecting and monitoring the OS

PSM for Virtualization: The technology that enables the cloud

[Diagram: traditional IT servers versus a virtual server hosting images A, B and C under a VM/hypervisor manager]

Hypervisors are highly privileged with wider system access: exponential risk! With wider system access, the hypervisor is more prone to targeted attacks.

An Innovative Approach to Virtualization Security

[Diagram: the auditor and the PIM application work through the Vault; PSM for Virtualization sits in front of the hypervisor management console (vCenter), the hypervisor and the guest machines (images A, B, C)]

Securing the Virtual Environment with a Central Command & Control Point

Privileged Identity Management:
• Control access to hypervisors, vCenter & guest machines
• Personalize access and track usage
• Enforce security policies for credential management
• Enforce change management approval procedures

Privileged Session Management:
• No footprint on hypervisors
• Monitor VM admin & guest machine activities with DVR recording
• Enforce session access & approval workflows
• Strong authentication to hypervisor
• Privileged single sign-on

Single policy, single audit for privileged account management in virtualized environments

Summary: Privileged Identity & Session Management


A comprehensive platform for isolating and preemptively protecting your datacenter – whether on premise or in the cloud

Discover all privileged accounts across datacenter

Manage and secure every credential

Enforce policies for usage

Record and monitor privileged activities

React and comply

THANK YOU!


BACKUP SLIDES

Schedule & Format Reports


PSM for Privileged Remote Access

[Diagram: external vendors and auditors on the Internet reach the corporate network over HTTPS through the firewall; the PIM application and Vault broker their access to Windows servers, UNIX servers, routers and switches]

PSM for Distributed, Cross-Network Access

[Diagram: a central Vault with CPM/PSM instances in the Prod, OPS and Dev networks, reached over HTTPS by IT personnel and auditors]

Common Requirements for PIM Solutions

[Diagram: external vendors, IT personnel and business applications use shared/privileged accounts and hard-coded/embedded application accounts across the enterprise IT environment]

Requirements: Audit, Security, Policy Enforcement, Workflows, Provisioning, Business Continuity