2. Secure Digital Vault – Security You Can Bank On
• Secure repository for information at rest and in motion
• Securing data using multiple security layers, based on patented technology
• Tamper-proof
• More than 10 years of maturity
[Diagram: Vault Server with Vault Safes (Local Drive or SAN), reached over the Cyber-Ark LAN, WAN or INTERNET]
3. Enterprise Password Vault: Preventing Threats, Improving Productivity
Who is accessing critical information assets?
Scenario: John, the IT admin, receives a ticket he needs to handle. There’s a problem on the Windows machines and he needs to install a patch to fix it, which requires administrator access.
• John requests managerial approval to retrieve the password
• John’s access is logged, personalized and a reason is entered
• John transparently connects without seeing the password
[Diagram: Ticketing Application → Enterprise Password Vault → Windows Server]
The result? A preventative approach that:
• Secures privileged credentials
• Gives you full control over access
• Ticketing integration; approval workflow
• Personalizes usage
• Automatically replaces credentials on a periodic basis (policy driven)
• Protection from terminated employees & 3rd parties
• Generates better productivity and shorter time to resolution
4. Enterprise Password Vault In Action
1. Central and Integrated Policy Definition
2. Initial load & Reset (Automatic Detection, Bulk upload, Manual)
3. Request Workflow (Dual control, Manager, Integration with Ticketing Systems, One-time Passwords, exclusivity, groups)
4. Direct Connection to Device
5. Auditor Access
Shared, static passwords in the Enterprise IT Environment (diagram table):
System    User           Pass
Unix      root           tops3cr3t
Oracle    SYS            tops3cr3t
Windows   Administrator  tops3cr3t
z/OS      DB2ADMIN       tops3cr3t
Cisco     enable         tops3cr3t
After the policy-driven reset each account holds its own generated password (the diagram shows y7qeF$1, gviNa9%, lm7yT5w, X5$aq+p, Oiue^$fgW, Tojsd$5fh).
[Diagram: Central Policy Manager, Vault and Password Vault Web Access between Security/Risk Management, IT, Auditors and the Enterprise IT Environment]
5. Application Identity Management: Tighter Security; Better Compliance
Secure, manage and eliminate hard-coded privileged accounts from applications
Before – credentials hard-coded in the application:
    UserName = "app"
    Password = "y7qeF$1"
    Host = "10.10.3.56"
    ConnectDatabase(Host, UserName, Password)
After – credentials retrieved at run time:
    UserName = GetUserName()
    Password = GetPassword()
    Host = GetHost()
    ConnectDatabase(Host, UserName, Password)
[Diagram: Billing App, CRM App, HR App and a Legacy Online Booking System, running on Websphere, Weblogic and IIS / .NET, retrieving credentials from the Vault]
• Secure & reset application credentials with no downtime or restart
• Ensure business continuity & high performance with a secure local cache
• Strong application authentication
• Unique solution for Java Application Servers with no code changes
• Avoid hard coding connection strings – no code changes & overhead
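The slide states the pattern (fetch the credential at run time, keep a secure local cache, reset with no downtime) without showing how the pieces fit. The following is an added example, not Cyber-Ark code and not the AIM API: SimulatedVault, CredentialProvider, ManualClock, FakeDatabase and all sample values are constructed for this illustration. It shows a fresh cache hit costing no vault round trip, the stale entry being served only when the vault is unreachable, and a password rotation absorbed by one cache refresh and retry rather than a restart.

```python
"""Added example (not Cyber-Ark code and not the AIM API): an application
fetches its database credential from a vault at run time instead of
hard-coding it, keeps a short-lived local cache for performance, serves the
cached entry if the vault is unreachable (business continuity), and absorbs
a password rotation by refreshing the cache instead of restarting.
SimulatedVault, FakeDatabase, ManualClock and the sample values are all
constructed stand-ins for this example."""
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    host: str
    username: str
    password: str


class VaultUnavailable(Exception):
    """Raised when the vault cannot be reached."""


class SimulatedVault:
    """In-process stand-in for the central vault (constructed)."""

    def __init__(self, records):
        self.records = dict(records)      # app_id -> Credential
        self.available = True
        self.calls = 0                    # how often the app hit the vault

    def fetch(self, app_id):
        self.calls += 1
        if not self.available:
            raise VaultUnavailable("vault unreachable")
        return self.records[app_id]

    def rotate(self, app_id, new_password):
        """Policy-driven reset: the stored password changes, the app does not."""
        old = self.records[app_id]
        self.records[app_id] = Credential(old.host, old.username, new_password)


class CredentialProvider:
    """Fetch on demand; cache for ttl_seconds; fall back to the stale entry
    only when the vault is down (never merely because the entry is old)."""

    def __init__(self, vault, ttl_seconds=300, clock=time.monotonic):
        self.vault = vault
        self.ttl = ttl_seconds
        self.clock = clock
        self._cache = {}                  # app_id -> (Credential, fetched_at)

    def get(self, app_id):
        now = self.clock()
        hit = self._cache.get(app_id)
        if hit is not None and now - hit[1] < self.ttl:
            return hit[0]                 # fresh cache hit: no vault round trip
        try:
            cred = self.vault.fetch(app_id)
        except VaultUnavailable:
            if hit is not None:
                return hit[0]             # stale but usable: keep the app running
            raise                         # nothing cached: fail closed
        self._cache[app_id] = (cred, now)
        return cred

    def invalidate(self, app_id):
        self._cache.pop(app_id, None)


class ManualClock:
    """Deterministic clock for the example (constructed)."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class FakeDatabase:
    """Stand-in database that accepts exactly one password (constructed)."""

    def __init__(self, password):
        self.password = password
        self.attempts = []                # passwords presented, in order

    def connect(self, host, user, password):
        self.attempts.append(password)
        return password == self.password


def connect_database(provider, app_id, connector):
    """Replaces the slide's ConnectDatabase(Host, UserName, Password): if the
    login fails, refresh the cached credential once and retry, which is how
    a rotation is picked up with no downtime or restart."""
    cred = provider.get(app_id)
    if connector(cred.host, cred.username, cred.password):
        return True
    provider.invalidate(app_id)
    cred = provider.get(app_id)
    return connector(cred.host, cred.username, cred.password)


if __name__ == "__main__":
    vault = SimulatedVault({"billing": Credential("db.example.internal", "app", "pw1")})
    provider, db = CredentialProvider(vault), FakeDatabase("pw1")
    print("first connect:", connect_database(provider, "billing", db.connect))
    vault.rotate("billing", "pw2"); db.password = "pw2"
    print("after rotation:", connect_database(provider, "billing", db.connect), db.attempts)
```

The stale-on-error branch is deliberately limited to the vault being unreachable; an expired entry with a reachable vault always triggers a fresh fetch, so a rotated password cannot linger in the cache beyond the TTL.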
6. AIM: Example of Integrating with 3rd Party Applications
QualysGuard automates vulnerability management and policy compliance. With Cyber-Ark, automate trusted scans using credentials that are stored and managed by the PIM Suite.
• Coverage of security scans is more in-depth, providing a complete view of IT security and compliance
• Privileged credentials are securely protected and periodically changed based on enterprise policy
• Overall, company data is better protected
8. ‘Push’ Mode
AIM “Push” mode
Current State – embedded credentials as found on the target systems:
System    User        Pass
Oracle    appId1      OracleApp1
DB/2      backup1     DB2backup1
SAP       edi_user2   SAP123
Windows   service1    WinService1
After the push each is replaced by a generated password (the diagram shows y7qeF$1, X5$aq+p, lm7yT5w, gviNa9%).
[Diagram: Central Policy Manager and Vault pushing credentials to Database Servers / Network Resources and to Applications/Products using embedded credentials]
• Supported Platforms:
  – Windows Services
  – Windows Scheduled Tasks
  – IIS Application Pools
  – Windows Registry
  – F5 BigIP
  – ….
9. On-Demand Privileges Manager: Tightening Unix Security
[Diagram: policy dimensions – When, Who, What, Where]
• Control superuser access
• Manage who can run which commands
• On-demand elevation for privileged commands
• Monitor & audit with reports and text recording
10. Continuous Monitoring & Protection Across the Datacenter
Privileged Session Management Suite – Isolate, Control, Monitor
• PSM for Servers
• PSM for Databases
• PSM for Virtualization
11. Value of Privileged Session Management
Isolate
• Prevent cyber attacks by isolating desktops from sensitive target machines
Control
• Create accountability and control over privileged session access with policies, workflows and privileged single sign on
Monitor
• Deliver continuous monitoring and compliance with session recording with zero footprint on target machines
12. Isolating Sensitive Assets – Preventing Targeted Attacks
How can I reduce the risk of malware infecting target systems?
With PSM:
1. John receives an email with targeted malware
3. Session is run on an isolated secure proxy, not on desktop
[Diagram: desktop → Privileged Session Manager → Servers, Databases, Virtual Machines; malware spread is blocked at the Privileged Session Manager]
Data on target systems is protected and sabotage is eliminated
13. More Control over Privileged Sessions
• Control who can connect to a privileged session and for how long
• Enable privileged single sign on without exposing credentials (e.g. external contractors)
• Enforce approval workflows
• Implement strong authentication
14. Privileged Session Management for Servers
[Diagram: IT personnel → PVWA → PSM → Windows Servers, Unix/Linux Servers, Routers & Switches, …; session recordings stored in the Vault]
1. Logon through PVWA
2. Connect
3. Fetch credential from Vault
4. Connect using native protocols
5. Store session recording in tamper-proof vault
6. View session recording
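Step 5 stores the session recording in a tamper-proof vault, and slide 2 makes the same tamper-proof claim for the vault itself. The following is an added example of one standard way to make a stored recording tamper-evident; it is not Cyber-Ark code and does not describe how the product actually stores recordings. Each event is chained to the previous one with an HMAC under a key held by the recorder and the verifier (in the slide's terms, a key kept in the Vault), so editing, dropping, reordering or appending events without that key breaks the final tag. SessionRecorder, verify_recording, the placeholder key and the sample events are all constructed.

```python
"""Added example, not Cyber-Ark code: one way to make a stored session
recording tamper-evident. Each recorded event is chained to the previous
one with an HMAC under a key the recorder and the verifier hold; editing,
dropping, reordering or appending events without the key breaks the final
tag. All names, the key and the sample events are constructed."""
import hashlib
import hmac
import json


def _link(key: bytes, prev_tag: str, seq: int, event: dict) -> str:
    """Tag for one event, bound to its position and to the previous tag."""
    msg = json.dumps({"prev": prev_tag, "seq": seq, "event": event},
                     sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class SessionRecorder:
    """Collects the events of one privileged session (e.g. on the proxy)."""

    def __init__(self, key: bytes, session_id: str):
        self.key = key
        self.session_id = session_id
        self.events = []
        self.tag = session_id             # the chain starts from the session id

    def record(self, event: dict) -> None:
        self.tag = _link(self.key, self.tag, len(self.events), event)
        self.events.append(dict(event))   # copy, so later edits are detectable

    def export(self) -> dict:
        """What gets stored: the events plus one final tag over the chain."""
        return {"session_id": self.session_id,
                "events": list(self.events),
                "final_tag": self.tag}


def verify_recording(key: bytes, recording: dict) -> bool:
    """Recompute the chain over the stored events and compare the final tag."""
    tag = recording["session_id"]
    for seq, event in enumerate(recording["events"]):
        tag = _link(key, tag, seq, event)
    return hmac.compare_digest(tag, recording["final_tag"])


# Constructed sample session; the key is a placeholder, not a real secret.
SAMPLE_KEY = b"recording-integrity-key-placeholder"
SAMPLE_EVENTS = [
    {"t": "12:00:01", "type": "logon", "user": "john", "target": "win-srv-01"},
    {"t": "12:00:09", "type": "cmd", "text": "install security patch"},
    {"t": "12:03:40", "type": "logoff"},
]


def make_sample_recording(key: bytes = SAMPLE_KEY) -> dict:
    rec = SessionRecorder(key, "sess-0001")
    for ev in SAMPLE_EVENTS:
        rec.record(ev)
    return rec.export()


if __name__ == "__main__":
    rec = make_sample_recording()
    print("intact:", verify_recording(SAMPLE_KEY, rec))
    rec["events"][1]["text"] = "something else"   # edit an event after the fact
    print("after edit:", verify_recording(SAMPLE_KEY, rec))
```

The final tag is the only value that must be stored with integrity; the event list itself can sit anywhere, since any change to it, including silent truncation, fails verification. Using the session id as the chain seed ties the recording to one session, so a valid recording cannot be replayed under another session's identity.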
15. Privileged Session Management for Databases
Independent Oracle Users Group (IOUG) 2010 Survey: 75% of DBAs say their organizations can’t monitor them
• What are my highly privileged DBAs doing on the Production Servers?
• What sensitive business data are they viewing and changing?
• SIEM can’t really capture read operations (“select …”)
• “Turning on auditing kills performance!”
[Diagram: Privileged DBA Users]
16. Database Activity Monitoring Solutions
[Diagram: Application and Business Users and the Privileged DBA reach the databases through DAM Appliances, reporting to a DAM Console]
• Every database interaction is monitored
• Cumbersome to deploy; very expensive for enterprise-wide protection
• Not really designed to stop DBAs; only partially monitors them
• No solution for controlling access to database host OS
17. PSM for Databases: Focusing on the Privileged DBAs
[Diagram: Application & Business Users reach the database directly (DAM optional); the Privileged DBA User goes through PSM]
• Control and monitor only the privileged DBAs where most of the risk lies
• Zero footprint on databases means quicker deployment with no performance overhead
• Protecting and monitoring OS
18. PSM for Virtualization
The technology that enables the cloud
[Diagram: Traditional IT Servers versus a Virtual Server running Images A, B and C under a VM/Hypervisor Manager]
• Hypervisors are highly privileged with wider system access – exponential risk!
• With wider system access, the hypervisor is more prone to targeted attacks
19. An Innovative Approach to Virtualization Security
[Diagram: PIM App and PSM for Virtualization in front of the Hypervisor Management Console (vCenter) and the Hypervisor Manager; the Hypervisor hosts Guest Machines Image A, B and C; Auditor and Vault]
20. Securing the Virtual Environment with a Central Command & Control Point
Single policy, single audit for privileged account management in virtualized environments
No footprint on hypervisors
Privileged Identity Management:
• Control access to hypervisors, vCenter & guest machines
• Personalize access and track usage
• Enforce security policies for credential management
• Enforce change management approval procedures
Privileged Session Management:
• Monitor VM admin & guest machine activities with DVR recording
• Enforce session access & approval workflows
• Strong authentication to hypervisor
• Privileged single sign on
21. Summary: Privileged Identity & Session Management
A comprehensive platform for isolating and preemptively protecting your datacenter – whether on premise or in the cloud
• Discover all privileged accounts across datacenter
• Manage and secure every credential
• Enforce policies for usage
• Record and monitor privileged activities
• React and comply
28. PSM for Privileged Remote Access
[Diagram: External Vendors on the Internet connect over HTTPS through the Firewall to the PIM App in the Corporate Network, reaching Windows Servers, UNIX Servers, Routers and Switches; Vault and Auditors]
29. PSM for Distributed, Cross-Network Access
[Diagram: one Vault serving CPM/PSM instances in the Prod Network, OPS Network and Dev Network over HTTPS; IT Personnel and Auditor]
30. Common Requirements for PIM Solutions
Actors in the Enterprise IT Environment: External Vendors, IT Personnel, Business Applications
• Shared/Privileged Accounts
• Hard coded/embedded application accounts
• Security Policy Enforcement
• Audit
• Workflows
• Provisioning
• Business Continuity