SECURE CLOUD UNDER CONTROL AND UNDER SUPERVISION

Jan Dienstbier, Brno 21.6.2011


Agenda

Company Introduction

Today's Security Challenges

Privileged Identity Management Suite Overview

Privileged Session Management Suite Overview

Customer Case Studies

Summary

COMPANY INTRODUCTION

Cyber-Ark Overview

Established in 1999, HQ Boston, US

Offices Worldwide

Award-winning patented Vaulting Technology®

50% CAGR in the last 5 years

200 new Enterprise customers in 2010

Strategic Partnerships

"Enterprise Security Solution of the Year" 2010 Winner

Recognized Market Leadership

“The company has gradually expanded from its initial start as an enterprise vault for file and sensitive content sharing to assume a commanding position in privileged identity management (PIM)”

- Steve Copland, April 2010

“Cyber-Ark has one of the largest customer bases of the vendors included in this Market Scope and, because of its focus on enterprise customers … the largest market share by revenue by a wide margin.”

- Ant Allan/Perry Carpenter, June 2009

“Cyber-Ark is perceived as a leader in the rapidly expanding market for Privileged Access Management solutions.”

- Martin Kuppinger, 2010

“Cyber-Ark is at the top of the PIM market, based on product maturity & the number of customer deployments”

- Mark Diodati, 2009

Customer Snapshot

Diversified Customer Base

Securing over 850 Global Enterprise customers

33% of Fortune 50 companies

8 of the top 10 global banks

All top 5 banks in Canada

95% Renewal Rate

Truly Global

Customers in approximately 50 countries

[Chart labels: Americas, EMEA, APAC; values shown: 54%, 40%, 6%]

[Chart labels: Communications & Media, Financial Services, Pharmaceuticals, Energy & Utilities, Other Industries]

Cyber-Ark's Solution Suites

Privileged Identity Management Suite: Enterprise Password Vault®, Application Identity Manager™, On-Demand Privileges Manager™

Privileged Session Management Suite: PSM for Servers, PSM for Databases, PSM for Virtualization

Sensitive Information Management Suite: Governed File Transfer Suite, Sensitive Document Vault™

TODAY'S SECURITY CHALLENGES

Privileged Accounts Give System-Wide Access

Who has access to privileged accounts?

Administrators

Contractors; Cloud Service Providers

DBAs

Terminated Employees

Applications

Why are these breaches happening?

Shared account usage

Excessive privilege

“Hidden/Sleeping” accounts

Non-existent/unenforced access controls

Infrequent replacement of credentials

“48% of data breaches were caused by privileged misuse”

* Verizon, 2010 Data Breach Investigations Report

Proactively manage privileged access to prevent such attacks

Key Drivers for Privileged Account and Session Management

Insider Threats

> Insiders have 2 things hackers don't: access and trust

> Malicious insider attacks can take up to 42 days or more to resolve (Ponemon Institute, July 2010)

Risk and Compliance

> Compliance and audit questions are going deeper and wider

> On average, non-compliance cost is 2.65 times the cost of compliance (Ponemon Institute, The True Cost of Compliance, Jan 2011)

Moving to the Cloud

> CIO Survey: Security is the single biggest barrier to cloud computing adoption

> Migrating to the cloud means losing control over the human factor

Advanced Persistent Threats

> Better planned, sophisticated and targeted attacks

> Targeting the most valuable assets

> Go after the most powerful privileged system accounts

Create full accountability & access control

Provide proof on privileged activity

Securely migrate to the Cloud with control & visibility

Secure privileged accounts & isolate privileged sessions

“Cyber Crime costs can range from $1M to $52M per year per company”

Ponemon Institute, First Annual Cost of Cyber Crime Study, July 2010

Cyber-Ark Privileged Identity & Session Management

Improving Your Security Posture With A Preventative Approach

Continuous Activity Monitoring

Privileged Access Control

Securing Critical Applications

Protecting & Isolating Sensitive Assets

PRIVILEGED IDENTITY MANAGEMENT

Privileged Identity Management Suite v.6.0

[Architecture diagram labels: PIM Portal/Web Access, Secure Digital Vault™, Central Policy Manager; Monitoring & SIEM Applications, Ticketing Systems, Identity Management, Enterprise Directory and more; External Vendors, IT Personnel, Auditors, Developers & DBAs]

Unified Workflows for Accessing Privileged Accounts

[Diagram labels: Privileged Identity Management Suite; users: External Vendors, Unix Admins, Windows Admins, DBAs, VM Admins, Business Applications, Auditor/Security & Risk; targets: Network Devices, Virtual Servers, Windows Servers, Unix/Linux Servers, AS400 iSeries Mainframes, OS390 zSeries Mainframes, Databases, Applications, Security Appliances; workflows: EPV Workflow, AIM Workflow, OPM Workflow, Monitoring & Reporting Workflow; protocols: SSH / X / Telnet]

Enterprise Password Vault: Preventing Threats, Improving Productivity

Who is accessing critical information assets?

John, the IT admin, receives a ticket he needs to handle. There's a problem on the Windows machines and he needs to install a patch to fix it which requires administrator access

John requests managerial approval to retrieve password and transparently connects without seeing the password

John's access is logged, personalized and reason is entered

[Diagram labels: Ticketing Application, Windows Server]

The result? A preventative approach that:

Secures privileged credentials

Gives you full control over access

Ticketing integration; approval workflow

Personalizes usage

Automatically replaces credentials on a periodic basis (policy driven)

Protection from terminated employees & 3rd parties

Generates better productivity & shorter time to resolution

EPV: Better Visibility & Control for Managers

When was the account accessed and why?

Where do all my privileged accounts exist?

Auto-discovery automatically detects unmanaged devices and service accounts for operational efficiency and full compliancy

Automatically manage hundreds of thousands of local admin accounts

EPV: More Efficiency for Auditors

Was the access authorized?

Are privileged credentials being changed according to policy?

Built-in and scheduled reports

Application Identity Management: Tighter Security; Better Compliance

Secure, manage and eliminate hard-coded privileged accounts from applications

Secure & reset application credentials with no downtime or restart

Ensure business continuity & high performance with a secure local cache

Strong application authentication

Unique solution for Java Application Servers with no code changes

Avoid hard coding connection strings – no code changes & overhead

UserName = "app"
Password = "y7qeF$1"
Host = "10.10.3.56"
ConnectDatabase(Host, UserName, Password)

UserName = GetUserName()
Password = GetPassword()
Host = GetHost()
ConnectDatabase(Host, UserName, Password)

[Diagram labels: Billing App, CRM App, HR App, Online Booking System, Websphere, Weblogic, IIS / .NET, Legacy]
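An added example, not part of the original slides and not Cyber-Ark's API, of the pattern the pseudocode above describes: the application asks a provider for its database credentials instead of hard-coding them, keeps an in-memory cache so it stays up if the credential store is unreachable, and picks up a rotated password without a restart. `CachedCredentialProvider`, `connect_with_rotation`, the store and the database are hypothetical, constructed stand-ins.

```python
import time

class AuthError(Exception):
    """Raised by the constructed database when a password is rejected."""

class CachedCredentialProvider:
    """Hypothetical stand-in for GetUserName()/GetPassword()/GetHost()."""

    def __init__(self, fetch, ttl_seconds=300, clock=time.monotonic):
        self._fetch = fetch        # callable returning username/password/host
        self._ttl = ttl_seconds
        self._clock = clock
        self._cached = None        # kept in memory only, never written to disk
        self._fetched_at = 0.0
        self.fetch_count = 0

    def credentials(self, force=False):
        now = self._clock()
        stale = self._cached is None or now - self._fetched_at >= self._ttl
        if force or stale:
            try:
                self._cached = dict(self._fetch())
                self._fetched_at = now
                self.fetch_count += 1
            except Exception:
                # Store unreachable: keep serving the cached copy so the
                # application stays up; fail only if nothing was ever cached.
                if self._cached is None:
                    raise
        return self._cached

def connect_with_rotation(provider, connect):
    """Connect; if the cached password was rotated, refresh once and retry."""
    for attempt in (1, 2):
        creds = provider.credentials(force=(attempt == 2))
        try:
            return connect(creds["host"], creds["username"], creds["password"])
        except AuthError:
            if attempt == 2:
                raise

def demo():
    # Constructed stand-ins for the credential store and the database.
    store = {"username": "app", "password": "constructed-old", "host": "db.example.internal"}
    db = {"password": "constructed-old"}
    def connect(host, user, password):
        if password != db["password"]:
            raise AuthError("login failed")
        return f"{user}@{host}"
    provider = CachedCredentialProvider(lambda: store, ttl_seconds=3600)
    first = connect_with_rotation(provider, connect)
    store["password"] = db["password"] = "constructed-new"  # policy-driven rotation
    second = connect_with_rotation(provider, connect)        # no restart needed
    return first, second, provider.fetch_count
```

The retry is bounded to one refresh so that a genuinely wrong credential still surfaces as an authentication failure instead of looping.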

AIM: Example of Integrating with 3rd Party Applications

QualysGuard automates vulnerability management and policy compliance

With Cyber-Ark, automate trusted scans using credentials that are stored and managed by the PIM Suite

Coverage of security scans is more in-depth, providing a complete view of IT security and compliance

Privileged credentials are securely protected and periodically changed based on enterprise policy

Overall, company data is better protected

On-Demand Privileges Manager: Tightening Unix Security

Control superuser access

Manage who can run which commands

On-demand elevation for privileged commands

Monitor & audit with reports and text recording

[Figure labels: When, Who, What, Where, What]

PRIVILEGED SESSION MANAGEMENT SUITE

Expanding from Managing Accounts to Managing Sessions

[Architecture diagram labels: Portal/Web Access, Secure Digital Vault™, Central Policy Manager, Privileged Identity Management, Privileged Session Management; Monitoring & SIEM Applications, Ticketing Systems, Identity Management, Enterprise Directory and more; External Vendors, IT Personnel, Auditors, Developers & DBAs]

Secure, manage and track privileged accounts

Isolate, control, and monitor privileged sessions

Continuous Monitoring & Protection Across the Datacenter


Privileged Session

Management Suite

PSM for Servers

PSM for Databases

PSM for Virtualization

Isolate

Control

Monitor

Value of Privileged Session Management


Isolate

• Prevent cyber attacks by isolating desktops from sensitive target machines

Control

• Create accountability and control over privileged session access with policies, workflows and privileged single sign on

Monitor

• Deliver continuous monitoring and compliance with session recording with zero footprint on target machines

Someone wants to steal customer accounts from “Top Bank”

They search LinkedIn and find John the DBA

John is sent an email with targeted malware and opens it

As John connects to Accounts DB, malware begins downloading info

Next week it's headline news

How Can I Reduce The Risk Of Advanced and Targeted Threats?

Data on target systems is protected and sabotage is eliminated

Isolating Sensitive Assets – Preventing Targeted Attacks

How can I reduce the risk of malware infecting target systems?

1. John receives an email with targeted malware

3. Session is run on an isolated secure proxy, not on desktop.

With PSM

Malware spread is blocked

[Diagram labels: Privileged Session Manager, Servers, Databases, Virtual Machines]

More Control over Privileged Sessions

Control who can connect to a privileged session and for how long

Enable privileged single sign on without exposing credential (e.g. external contractors)

Enforce approval workflows

Implement strong authentication

More Visibility into Privileged Activities

What was changed in the Windows configuration last week?

What brought my production system down this morning?

Better root-cause analysis

Quicker time to recovery

Audit & compliance proof

Privileged Session Management for Servers

1. Logon through PVWA

2. Connect

3. Fetch credential from Vault

4. Connect using native protocols

5. Store session recording in tamper-proof vault

6. View session recording

[Diagram labels: IT personnel, PVWA, PSM, Vault, Windows Servers, Unix/Linux Servers, Routers & Switches, ….]

Privileged Session Management for Databases

What are my highly privileged DBAs doing on the Production Servers?

What sensitive business data are they viewing and changing?

Privileged DBA Users

“Turning on auditing kills performance!”

SIEM can't really capture read operations (“select …”)

Independent Oracle Users Group (IOUG) 2010 Survey: 75% of DBAs say their organizations can't monitor them

Database Activity Monitoring Solutions

[Diagram labels: DAM Appliances, DAM Console, Application, Business Users, Privileged DBA]

Every database interaction is monitored

Cumbersome to deploy; very expensive for enterprise-wide protection

Not really designed to stop DBAs; only partially monitors them

No solution for controlling access to database host OS

PSM for Databases: Focusing on the Privileged DBAs

[Diagram labels: DAM (Optional), PSM, Privileged DBA User, Application & Business Users]

Control and monitor only the privileged DBAs where most of the risk lies

Zero footprint on databases means quicker deployment with no performance overhead

Protecting and monitoring OS

Securing Privileged Database Access & Activities

With Privileged Session Management:

With Privileged Identity Management:

Manage database system accounts and DBA shared account with Enterprise Password Vault

Manage access to the Unix/Linux database host users & data files with On-Demand Privileges Manager

Remove hard-coded DBA credentials in applications/scripts with Application Identity Management

Isolate database sessions from targeted attacks

Avoid exposing privileged credential with privileged single sign on

Control privileged session access

Monitor & record DBA activities with a zero footprint solution

Personalize DBA access

The technology that enables the cloud

PSM for Virtualization

[Diagram labels: Image A, Image B, Image C, Traditional IT Servers, Virtual Server, VM/Hypervisor Manager]

Hypervisors are highly privileged with wider system access – exponential risk!

With wider system access, the hypervisor is more prone to targeted attacks

An Innovative Approach to Virtualization Security

[Diagram labels: Auditor, PIM App, Vault, Hypervisor Manager, Hypervisor Management Console (vCenter), PSM for Virtualization, Image A, Image B, Image C, Guest Machines, Hypervisor]

Securing the Virtual Environment with a Central Command & Control Point

Privileged Identity Management

Control access to hypervisors, vCenter & guest machines

Personalize access and track usage

Enforce security policies for credential management

Enforce change management approval procedures

Privileged Session Management

No footprint on hypervisors

Monitor VM admin & guest machine activities with DVR recording

Enforce session access & approval workflows

Strong authentication to hypervisor

Privileged single sign on

Single policy, single audit for privileged account management in virtualized environments

Value of Privileged Session Management


Isolate & Protect Against Cyber Attacks

Deliver Continuous Monitoring & Compliance

Integrated Privileged Database Activity Monitoring

Faster Deployment with No Performance Overhead

PSM for Servers

PSM for Databases

PSM for Virtualization

CUSTOMER CASE STUDIES

Privileged 'Administrator' Example

Company : North America Energy Provider

Regulation : FERC

Driver : Audit finding highlighting unmanaged access to sensitive systems, applications and databases

Scope : Deployed PIM in multiple datacenters throughout their NA footprint

Benefits :

Benefits of PIM reaped fast

• Implemented within 6 months on critical systems

Improved operations – error prone, time & cost savings

• Daily automatic change & verification of system passwords

Better security posture

• Able to prove to auditors that passwords are stronger and regularly changed

Met FERC compliance goals

• Eliminated the risk of unauthorized access

“The PIM system ensures that now 98% of the passwords are automatically, regularly, and successfully verified — moving the company along a great deal toward achieving regulatory compliance”

Privileged 'Session' Example

Company : Telco with over 100M subscribers

Regulation : Multiple

Driver : Compliance, control & monitor access to production environment, reduce operational costs

Scope : Integrated EPV & PSM implementation on 15,000 machines, tens of thousands of accounts. Extending to AIM

Benefits :

Minimized security risks

• Detailed audit logging & recording – 26,000 PSM recorded sessions within first 60 days

Met compliance goals

Reduced TCO

• Avoid performance impact of end-point logging agents – savings of around 4% of total CPU power!

Operational efficiency

• Integrated solution with central management & unified reporting & policies

• Improved IT work efficiency with privileged single-sign-on

Privileged 'Application' Example

Company : North American Airline

Regulation : PCI

Driver : Audit finding related to embedded identities within the consumer online booking system

Scope : Phased approach, extending EPV to AIM, implemented on hundreds of servers/systems, will extend to thousands

Benefits :

Achieved PCI compliance

Improved security posture

• Removed clear text embedded passwords to databases e.g. with credit card numbers

Operational efficiency

• Now able to change passwords every 90 days in line with PCI regulations

High availability with secure caching

• Online booking system had to always be able to pull the password (99.9% availability)

Risk mitigation, accountability & auditability

• Ensure access control, know what was done, when & why on an individual level

“With PCI compliance as a significant business driver, specifically for our e-commerce business, we turned to Cyber-Ark to get our user and hard-coded application passwords under control, while at the same time being able to enforce new security policies built to protect our customers.”

What Our Customers Are Saying

“Cyber-Ark enables us to plan for future compliance requirements and seamlessly migrate to the cloud without any security concerns.”

- Dries Robberechts, Senior Technical Consultant

“We now have a fully-automated, 24/7 system that lowers operational risk and improves reporting and audit processes.”

- Burak Öztürk, Finansbank

“Our people like the EPV concept and find the software easy to use. The software deployment and rollout was easy...”

- Mary Travers, Data Security Analyst

“The new approach really improves our ability to manage all access to privileged accounts.”

- Mike Brannon, Senior Manager of Information Systems

Summary: Privileged Identity & Session Management

A comprehensive platform for isolating and preemptively protecting your datacenter – whether on premise or in the cloud

Discover all privileged accounts across datacenter

Manage and secure every credential

Enforce policies for usage

Record and monitor privileged activities

React and comply

THANK YOU!