QualysGuard InfoDay 2012 - Secure Digital Vault for Qualys
•
0 j'aime•6,225 vues
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
En vedette
En vedette (8)
Similaire à QualysGuard InfoDay 2012 - Secure Digital Vault for Qualys
Similaire à QualysGuard InfoDay 2012 - Secure Digital Vault for Qualys (20)
Plus de Risk Analysis Consultants, s.r.o.
Plus de Risk Analysis Consultants, s.r.o. (20)
Dernier
Dernier (20)
QualysGuard InfoDay 2012 - Secure Digital Vault for Qualys
- 1. PIM FOR QUALYS Presenter: Jan Dienstbier
- 2. Secure Digital Vault – Security You Can Bank On Secure repository for information at rest and in motion Securing data using multiple security layers, based on patented technology Tamper-proof More than 10 years of maturity Vault Safes (Local Drive or SAN) Cyber-Ark LAN, WAN, INTERNET Vault Server 2
- 3. Enterprise Password Vault: Preventing Threats, Improving Productivity Who is accessing critical information assets? Ticketing Application The result? A preventative approach that: John requests is logged, John’s access managerial approval to personalized and reason Secures privileged credentials retrieve password is entered Gives you full control over access Ticketing integration; approval workflow Personalizes usage Automatically replaces credentials on a periodic basis (policy driven) Protection from terminated employees & 3rd parties Generates better productivityticket he transparently and John, the IT admin, receives a & shorter time to resolution needs to handle. connects without seeing There’s a problem on the Windows the password machines and he needs to install a patch to fix it which requires administrator access Windows Server 3
- 4. Enterprise Password Vault In Action 1. Central and Integrated Policy Definition y7qeF$1 gviNa9% lm7yT5w X5$aq+p Oiue^$fgW Tojsd$5fh 2. Initial load & Reset Automatic Detection, Bulk upload, Manual Policy 3. Request Workflow Central Policy Dual control, Manager Vault Integration with Ticketing Systems, One-time Passwords, exclusivity, groups 4. Direct Connection to Device System User Pass 5. Auditor Access Unix root tops3cr3t Oracle SYS tops3cr3t Windows Administrator tops3cr3t z/OS DB2ADMIN tops3cr3t Security/ Policy Risk Management Cisco enable tops3cr3t Password Vault Web Access IT Enterprise IT Environment Auditors
- 5. Application Identity Management: Tighter Security; Better Compliance Secure, manage and eliminate hard-coded privileged accounts from applications UserName = GetUserName() Password = GetPassword() Billing Host = GetHost() Secure & reset application App ConnectDatabase(Host, UserName = “app” UserName, Password) Password = “y7qeF$1” credentials with no downtime or Websphere Host = “10.10.3.56” restart ConnectDatabase(Host, UserName, Password) Ensure business continuity & CRM high performance with a secure App local cache Weblogic Strong application authentication Unique solution for Java HR Application Servers with no code App changes Legacy Avoid hard coding connection strings – no code changes & Online overhead Booking System IIS / .NET 5
- 6. AIM: Example of Integrating with 3rd Party Applications QualysGuard automates vulnerability management and policy compliance With Cyber-Ark automate trusted scans using credentials that are stored and managed by the PIM Suite Coverage of security scans is more in-depth, providing a complete view of IT security and compliance Privileged credentials are securely protected and periodically changed based on enterprise policy Overall, company data is better protected 6
- 7. Application Identity Manager In Action 1. Secure and Reset Application Credentials kR59$ufg y7qeF$1 gviNa9% lm7yT5w X5$aq+p 2. Applications pull credentials – Using secure local cache Central Policy Vault 3. Password Reset UserName = GetUserName() Manager Password = GetPassword() Host = GetHost() ConnectDatabase(Host, UserName = “app” UserName, Password) App1 Password = “y7qeF$1” Host = “10.10.3.56” System User Pass ConnectDatabase(Host, secure cache UserName, Password) Oracle appId1 OracleApp1 Cyber-Ark DB/2 backup1 DB2backup1 SAP edi_user2 SAP123 Application Password Windows service1 WinService1 Provider •Supported Platforms: –Windows, Linux, Solaris, AIX •Programming languages: –Java, C/C++, VB, .NET, command-line Database Servers/ Network Resources •Application Servers: Servers running –Transparent solution for: WebLogic, Applications and Scripts WebSphere, JBOSS, Tomcat
- 8. ‘Push’ Mode AIM “Push” Current State y7qeF$1 X5$aq+p lm7yT5w y7qeF$1 gviNa9% X5$aq+p mode Central Policy Vault Manager System User Pass Oracle appId1 OracleApp1 DB/2 backup1 DB2backup1 SAP edi_user2 SAP123 Windows service1 WinService1 Applications/Products using • Supported Platforms: embedded credentials –Windows Services –Windows Scheduled Tasks Database Servers/ –IIS Application Pools Network Resources –Windows Registry –F5 BigIP –….
- 9. On-Demand Privileges Manager: Tightening Unix Security When Who What Where What Control superuser Monitor & audit with access reports and text recording Manage who can run On-demand elevation for which commands privileged commands 9
- 10. Continuous Monitoring & Protection Across the Datacenter Privileged Session Management Suite Isolate PSM for Servers Control PSM for Databases PSM for Virtualization Monitor 10
- 11. Value of Privileged Session Management Isolate • Prevent cyber attacks by isolating desktops from sensitive target machines Control • Create accountability and control over privileged session access with policies, workflows and privileged single sign on Monitor • Deliver continuous monitoring and compliance with session recording with zero footprint on target machines 11
- 12. Isolating Sensitive Assets – Preventing Targeted Attacks How can I reduce the risk of malware infecting target systems? With PSM Servers 1. John receives an email with targeted malware Malware spread Privileged Session Manager is blocked Databases 3. Session is run on an isolated secure proxy, not on desktop. Data on target systems is protected and sabotage is eliminated Virtual Machines 12
- 13. More Control over Privileged Sessions Control who can connect to a privileged session and for how long Enable privileged single sign on without exposing credential (e.g. external contractors) Enforce approval workflows Implement strong authentication 13
- 14. Privileged Session Management for Servers 6 1 4 Windows PVWA Windows 2 Servers IT personnel Unix Linux PSM Unix /Linux 3 5 Servers 1. Logon through PVWA 2. Connect Routers & 3. Fetch credential from Vault Switches 4. Connect using native protocols …. 5. Store session recording in tamper- Vault proof vault 6. View session recording 14
- 15. Privileged Session Management for Databases Independent Oracle Users Group (IOUG) 2010 Survey: 75% of DBAs say their organizations can’t monitor them What are my highly What sensitive privileged DBAs Privileged DBA Users business data are doing on the they viewing and Production Servers? changing? SIEM can’t really “Turning on auditing capture read operations kills performance!” (“select …”) 15
- 16. Database Activity Monitoring Solutions Application, Business Users DAM Appliances DAM Console Privileged DBA Every database interaction is monitored Cumbersome to deploy; very expensive for enterprise-wide protection Not really designed to stop DBAs; only partially monitors them No solution for controlling access to database host OS 16
- 17. PSM for Databases: Focusing on the Privileged DBAs DAM Optional Application & Business Users 17 Privileged DBA User PSM Control and monitor only the privileged DBAs where most of the risk lies Zero footprint on databases means quicker deployment with no performance overhead Protecting and monitoring OS 17
- 18. PSM for Virtualization The technology that enables the cloud Image C Image B Image A VM/Hypervisor Manager Virtual Server Hypervisor are highly privileged with wider system access – exponential risk! With wider system access, the hypervisor is more prone to targeted attacks Traditional IT Servers 18
- 19. An Innovative Approach to Virtualization Security Hypervisor Management Console (vCenter) PSM for PIM App Virtualization Hypervisor Manager Hypervisor Image C Image B Image A Auditor Vault Guest Machines
- 20. Securing the Virtual Environment with a Central Command & Control Point Single policy, single audit for privileged account management in virtualized environments Privileged Identity Management Privileged Session Management No footprint on hypervisors Control access to hypervisors, Monitor VM admin & guest vCenter & guest machines machine activities with DVR Personalize access and track recording usage Enforce session access & approval Enforce security policies for workflows credential management Strong authentication to Enforce change management hypervisor approval procedures Privileged single sign on 20
- 21. Summary: Privileged Identity & Session Management A comprehensive platform for isolating and preemptively protecting your datacenter – whether on premise or in the cloud Discover all privileged accounts across datacenter Manage and secure every credential Enforce policies for usage Record and monitor privileged activities React and comply 21
- 22. THANK YOU! 22
- 23. BACKUP SLIDES
- 24. Schedule & Format Reports
- 25. Schedule & Format Reports
- 26. Schedule & Format Reports
- 27. Schedule & Format Reports
- 28. PSM for Privileged Remote Access Internet Corporate Network Windows Servers HTTPS UNIX Servers External Vendors PIM App Firewall Routers and Switches Vault Auditors
- 29. PSM for Distributed, Cross-Network Access CPM/PSM HTTPS HTTPS CPM/PSM CPM/PSM Vault IT Personnel Auditor Prod Network OPS Network Dev Network
- 30. Common Requirements for PIM Solutions External Vendors IT Personnel Business Applications Audit Shared/Privileged Security Hard coded/ embedded Accounts Policy Enforcement application accounts Workflows Provisioning Business Continuity Enterprise IT Environment