Post on 14-Jan-2015
description
transcript
Solution Overview
BestRegulatory Compliance
Solution
BestPassword Management
Solution
Mach 2010
Company Overview• Founded in 2001
• Compliance Driven Security Solutions for….– Shared Account/Service Account Password Management (SAPM*)– Remote Vendor Access– Developer Access to Production– Superuser Privilege Management (SUPM*)
• Proven Solutions Deployed Across ALL Market Verticals– Over 350 installations world-wide including…
• 4 of top 10 Forbes Ranked Enterprises• 3 of top 5 Largest Financial Services• Leading enterprises in Manufacturing, Financial, Services, Telecommunications,
Pharmaceutical/Chemical, Healthcare and more..• SC Awards 2010 “Best Regulatory Compliance Solution” Finalist
• Privately Held Profitable w/Organic Growth– Headquartered in Delaware– R&D Center in Raleigh NC– 7x24x365 eDMZ Support Operations– World-wide Partnerships
* Gartner defined terms & markets
Introducing TPAM
• Total Privileged Access Management (TPAM) Suite– A product Suite designed to solve security and compliance issues associated with
privileged users and privileged access– Modular design allows flexibility to grow
• Start with required base modules• Add additional modules as needs change
Introducing TPAM
• TPAM is built on either or Password Auto Repository™ (PAR) or eGuardPost™ base appliances
• From either platform you can enable additional modules as needed– Buy what you need today– Expand if needed in the future
Privileged Password Management
• Privileged Accounts are typically UBIQUITOUS
• Unlike “User” accounts, no individual association– Many times have known default passwords
• Privileged Accounts exist in every system, network device, database, etc.
• Privileged Accounts have extensive ACCESS and CONTROL– Many times full system access and control– Configuration and audit controls
• Regulatory and Compliance AUDIT ISSUES– Privileged/Shared/Service/Application account management growing audit area– What was acceptable yesterday is NOT accepted today
Issues and Challenges
Privileged Password Management
Enterprise Requirement
• Secure
• Dual release control• Change Controls
• Enterprise Integration
TPAM Suite/PPM Module
• Extensive built-in security– Password encrypted via RSA Bsafe– Full Disk encryption via Guardian Edge– Embedded hardware firewall– Purpose built appliance
• Dual or more release controls• Extensive configurable change control
– Time based (every X days)– Last-use based– Force change
• Extensive integration with– Strong authentication solutions– Active Directory– Ticketing systems
Privileged Password Management
Enterprise Requirement
• Effective workflow
• Ease of deployment & integration
TPAM Suite/PPM Module• TPAM Workflow values
– Web-base client access– Role-based– Dual authorization controls– eMail based notifications– Robust small screen support– Robust CLI/API
• Installed & configure in one day– Drop-in appliance– Client/agentless deployment– Tight integration w/AD– Import via .csv– Full API/CLI– Audit, SNMP, Syslog
Small screen support example
Privileged Password Management
Enterprise Requirement
• Individual Accountability
TPAM Suite/PPM Module
• Assured via PPM– Configuration options to limit
password release to one admin at a time.
– Last-use change control assures unique passwords each release
– Dual authorization controls
PPM delivers individualaccountability to shared
admin and other accounts
Workflow – Password Request
Initiate PasswordRequest
Filter & Select Account(s)
Enter Date/Time/Duration/ReasonPassword is needed
Optional ticket field. Can be active (check ticket) or passive.
Retrieve Password
Workflow – Small Screen
Hyperlink Format
Initiate Request
Filter Request or view most recent
Select Password. Quick Request automatically
submits with default reason “Request from mobile
device”
Enter ticket number (if required) and submit to
get password
Password retrieved from handheld.
* Small screen support configured on a per user basis
Application Password Management
• Embedded/Hard-coded passwords represent an often “hidden” exposure– Accounts/passwords known to programmers– Back-door accounts
• Application requirements can vary widely– Continuous A2A connectivity– Transaction A2A connectivity
Issues and Challenges
Application Password Management
Enterprise Requirement
• Replace Embedded Passwords
• Support “High Demand” transaction type applications
TPAM Suite/APM Module
• Full API/CLI – C/C++– Java– .NET– Perl
• PAR Cache– Add-on capability– Available as Cache appliance or VM– Supports central or distributed needs– Over 500 requests/second
Privileged Session Management
• Compliance often drives the need to know WHAT was done during certain privileged or sensitive access – do you need to know exactly what as done by:– Remote Vendors?– Outsourced service providers?– Developers granted access to production systems?– Fire-call activities?– Users or admins accessing sensitive resources or applications (Financial/Sox servers, HR,
etc.)
• Certain access demands higher audit and control
• Need to restrict direct resource access
Issues and Challenges
Privileged Session Management
Enterprise Requirement
• Fine grain access control
• Connection controls
• Session Audit
TPAM Solution/PSM Module
• User control point– Limits resource view based on role
• Full control over connections– Dual authorization controls– Session time limits– Alarm notification session overrun– Manual session termination options
• Unmatched session audit– Audit/log all connection requests,
approvals– FULL session recording with DVR
replay
Privileged Session Management
Enterprise Requirement
• Strong Audit
TPAM Suite/PSM Module
• Unmatched session audit– Audit/log all connection requests,
approvals– FULL session recording with DVR
replay
DVR Style Replay Control
Full Session Recording andReplay of ALL activities
Workflow – Session Request
Request a session connection
Select from a list of systems and accounts the specific user has
authorization to request connections too.
Enter date/time/duration of connection request. Can request for future date/time to allow advanced approval if under dual authorization
control.
Once connection approved (or auto approved) simply
CONNECT!
Workflow – Session Request
Connection proxy created to selected
System and Account
User connected and performs required work
Session can be configured for interactive or auto-login
EVERY action on the target system will be recorded (Keystrokes, mouse, links, etc.)
If user session extends beyond requested time, configurable alert notifications of session overrun can be sent
Active sessions can be manually terminated by authorized administrators
Workflow – Session Replay
Session recordings are kept local or can be automatically archived. Stored sessions can be searched based on date,
system, account, user and/or ticket number
Once selected, REPLAY SESSION will retrieve session and replay.
Workflow - Session Replay
DVR- Style controls allow control of replay of Recorded sessions.
All session activity is recorded and viewableVia session replay. Recording are NOT AVI
type files – recording size is compressed and VERY manageable.
Privileged Command Management
• Strong compliance need to restrict Superuser privilege access– Need to grant superuser rights without full superuser control
• Need to restrict what remote vendors or services providers can do
• Reduction in staff driving a need to “do more with less”– Need to delegate certain privileged functions without granting total privileged control
• Need support across both Unix and Windows platforms
Issues and Challenges
Privileged Command Management
Enterprise Requirement
• Superuser Privilege Management (SUPM)
• Support multi-platform environments
TPAM Solution/PCM Module
• SUPM Values– Command level access controls– No ability to execute outside of
command limit– Record all activity
• TPAM supports PCM for:– Unix– Windows– Others (coming in future release)
Session Restricted to Single Command(this example Computer Management)
No other Windows functions available
Workflow – Command Management
Commands are added via the Privileged Command Management Tool.
Workflow – Command Limited Session
Same workflow as normal session request.
Same workflow as normal session request
Session is to back-end target/account (Windows A3/e22egp) via PCM, user session is established and user is placed into the specific “command”.
In this example, Computer Management.
No access to other target commands, menu’s, etc. is allowed. The session will only exist within the context of
the specific command (eg. Computer Management). Once the user exits the command, the session is
immediately terminated.
Workflow – Command Limited Session
TPAM Summary
Deployment Overview
Deployment Options
• Central deployment of all TPAM management functions– Configuration– Release controls– Change controls– Audit
Central TPAM Deployment
Deployment Options
• Business Unit/Geographical control• License flexibility – can support central or BU license purchase
agreements
De-centralized TPAM Management
Deployment Options
• Central configuration control and audit• Distributed (local) password check/change via DPA
– Only require SSH from PAR to PAR DPA– All check/change connectivity (SSH, RDP, etc.) internal to the datacenter/location*
Distributed Privileged Password Management
Sample Customers
Sample Customers