Your SlideShare is downloading. ×
securing the unified virtual data center with CA and Cisco ...
securing the unified virtual data center with CA and Cisco ...
securing the unified virtual data center with CA and Cisco ...
securing the unified virtual data center with CA and Cisco ...
securing the unified virtual data center with CA and Cisco ...
securing the unified virtual data center with CA and Cisco ...
securing the unified virtual data center with CA and Cisco ...
securing the unified virtual data center with CA and Cisco ...
securing the unified virtual data center with CA and Cisco ...
securing the unified virtual data center with CA and Cisco ...
securing the unified virtual data center with CA and Cisco ...
securing the unified virtual data center with CA and Cisco ...
securing the unified virtual data center with CA and Cisco ...
securing the unified virtual data center with CA and Cisco ...
securing the unified virtual data center with CA and Cisco ...
securing the unified virtual data center with CA and Cisco ...
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

securing the unified virtual data center with CA and Cisco ...

444

Published on

Published in: Technology, Education
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
444
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
12
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. TECHNOLOGY BRIEF Securing the Unified Virtual Data Center with CA and Cisco Solutions | May 2010 securing the unified virtual data center with CA and Cisco solutions Alok Ojha and Nimrod Vax PRODUCT MANAGEMENT — CA SECURITY MANAGEMENT we can
  • 2. Securing the Unified Virtual Data Center with CA and Cisco Solutions table of contents executive summary 01 SECTION 1 Challenge 02 Managing Virtual Data Centers and Cloud Services SECTION 2 Opportunity 03 Unified Computing and Unified Management Cisco Unified Computing System Extended Management: CA Security and Cisco UCS Manager Integration Protecting access to Privileged Accounts CA Access Control Privileged User Password Management Monitoring the Unified Virtual Data Center CA Enterprise Log Manager SECTION 3 Benefits 11 Comprehensive Virtual Data Center Controls SECTION 4 Conclusions 11 SECTION 5 About the Authors 11 02
  • 3. Securing the Unified Virtual Data Center with CA and Cisco Solutions executive summary Challenge Increased agility and massive cost efficiencies from scalable and elastic IT services delivered across the internet is fast becoming the new standard and the basis of business computing. Traditional architectures, platforms, and IT management methods have yet to thrive in the new age of cloud computing and will fall short. Furthermore, as organizations begin to deploy cloud services across massively virtualized data centers, the need for enhanced security models and best practices, including privileged user management and comprehensive auditing will increase. Opportunity As organizations begin to deploy the Cisco Unified Computing System (UCS) and combine disparate elements of computing (systems, networks and storage), the opportunity arises to unify disparate elements of IT management to reduce costs, increase efficiencies and mitigate risk. Nowhere is this more apparent than in the area of security, and especially the management of privileged user access and enterprise log management, which if neglected can severely compromise the business. Benefits By integrating CA Access Control Privileged User Password Manager and CA Enterprise Log Manager with Cisco UCS Manager, organizations can quickly realize the following benefits: • Reduce the risk and cost of managing privileged shared accounts, making them accountable and supporting compliance requirements. • Easier management of all aspects of privileged user management across physical and virtual platforms (including Cisco UCS). • Single point of control, capture, analysis and reporting of critical events and logs from many sources with actionable decision support. • Automates log management, enabling organizations and service providers to demonstrate compliance more efficiently, while improving security. 03
  • 4. Securing the Unified Virtual Data Center with CA and Cisco Solutions Section 1: Challenge Managing virtual data centers and cloud services The allure of self-service, elastic IT resources with pay-as-you-go pricing is causing many organizations to embrace virtualized infrastructure and cloud computing. And while public clouds are still maturing and evolving, the notion of building and deploying private clouds—where the infrastructure is wholly owned by a single organization and housed within the enterprise firewall—is quickly gaining traction. While private cloud computing undoubtedly holds great promise, its inherent characteristics will require far more flexibility from both the hardware platforms and the IT management tools that support them. Example characteristics and management requirements include: • Service-based and self-service: In cloud computing, everything IT delivers should be regarded as a service. Since users and customers need to subscribe to these services, the cloud model dictates that services should be presented and accessed in a simple way. This requires IT management solutions that enable organizations to operate as true service providers, providing a catalog of service options and prices, together with presenting charges and bills. • Virtualized and automated: In the cloud, delivery of services and ongoing usage tracking and measurement should be completely automated. IT management and processes should be completely hidden from the user and require no manual intervention. Additionally, since private clouds operate on pools of virtualized resources such as those provided by Cisco UCS, the ability is needed to scale resources up and down according to fluctuating conditions. • Assurance and service quality: At an operational level, processes need to be in place to provide for service delivery that is in accordance with business-based contracts and service levels agreements. Since private cloud services can be accessed by customers and business partners (e.g. SaaS), capabilities need to address operational performance and the quality issues well before they impact the end-user and customer experience. • Comprehensive security: As cloud computing gains traction, so will the requirement to provide for data privacy, support complex trust models, and access controls. Since cloud security is still the primary concern for organizations, incorporating robust yet flexible policy-based controls across an extended and dynamic service-supply chain will be critical to success. While each of these requirements is equally important, it is essential that the inherent security services provided by advanced platforms such as Cisco UCS are extended with fine-grained security controls to address critical security challenges across the virtualized data center. By working collaboratively, Cisco and CA have developed such a solution; one that combines Cisco’s role-based access control (RBAC) over the administrative functions for the UCS system, with extended capabilities to manage privileged user accounts and enterprise logs (both within a Cisco UCS management context and across other systems too). 04
  • 5. Securing the Unified Virtual Data Center with CA and Cisco Solutions Section 2: Opportunity Unified computing and unified management Cisco Unified Computing System The Cisco Unified Computing System (UCS) represents a radical simplification of traditional architectures, dramatically reducing the number of devices that must be purchased, cabled, configured, powered, cooled, and secured. The solution delivers end-to-end optimization for virtualized environments while retaining the ability to support traditional OS and application stacks in physical environments. Unlike traditional architectures, Cisco UCS is a next generation data center platform that unites computing, networking, storage access, and virtualization into one cohesive system. Components include: • Fabric interconnect and fabric extenders for 10 Gigabit Ethernet and Fiber Channels over Ethernet with extension capabilities • Blade servers and chassis for energy efficiency and memory expansion • Virtual adapters for virtual host bus adapters and network interface controller (NIC) adapters Cisco UCS also contains a management component—Cisco UCS Manager—which is embedded within the fabric interconnect for integrated system-level physical device management. From a management perspective, Cisco UCS Manager acts as a domain level manager for the Cisco UCS platform and devices, using service profiles and templates to provide role- and policy-based management. In addition to participating in the server provisioning, Cisco UCS Manager provides device level discovery, inventory, monitoring, fault detection, and auditing for Cisco UCS devices. As for security, Cisco UCS Manager delivers a Role-based access control (RBAC) function. Cisco UCS RBAC simplifies operating tasks that span server, network, and storage administrator teams, while preserving the specialized knowledge that exists within each group. This approach allows subject matter experts to continue with their normal procedures, but all the configuration data is captured in a single, unified device manager, instead of in the separate, individual device managers that exist in today’s data centers. The Cisco UCS Manager comes with server, network, and storage administrator roles predefined. These roles can be modified, merged, and deleted, and new roles can be created to fit the organization model in place. Coordination between roles is simplified on the Cisco Unified Computing System because, although roles are separated, an administrator assuming one role can view the actions taken by administrators having other roles. For example, a storage administrator can set up Fibre Channel configuration options to see the choices that a network administrator has made when setting up network options. Visibility between roles helps eliminate ambiguity and reduce the chance of error due to miscommunication or lack of communication that may occur when administrators instead rely on phone calls, spreadsheets, or email. 05
  • 6. Securing the Unified Virtual Data Center with CA and Cisco Solutions Extended management: CA security and Cisco UCS manager integration While Cisco UCS Manager provides RBAC over the administrative and management functions within a UCS management context, its power is amplified when integrated with enterprise level security policies and controls provided by two key security management solutions from CA: 1. CA Access Control® Privileged User Password Management (PUPM) is designed to provide secure access to privileged accounts. It helps maintain the accountability of privileged users’ access by issuing passwords, on a temporary, one-time use basis, or as necessary (break glass), and by auditing their actions. PUPM also allows applications to programmatically access system passwords and in doing so remove hard coded passwords from scripts. 2. CA Enterprise Log Manager simplifies IT activity compliance reporting and investigations. It collects, normalizes, and archives IT activity logs from multiple sources and provides search, analysis, and reporting capabilities that can significantly reduce the cost and complexity of proving compliance. It streamlines compliance audit tasks by automating log collection and analysis. It delivers rapid time-to-value through its soft-appliance model, agent-less log collection, and out-of-the-box compliance reporting. It offers potential lower total cost of ownership through centralized management and automatic content and program updates. In the Cisco UCS environment, CA Access Control PUPM manages privileged access to the UCS Manager by controlling who has access to shared accounts. The solution automates password management for these accounts, and facilitates accountability by maintaining an audit trail of who is accessing and using them. CA Enterprise Log Manager integrates with Cisco UCS Manager and CA Access Control PUPM to provide a holistic picture of privileged user access and identity management activity. The architecture supporting Cisco UCS is illustrated Figure 1 below. Figure 1 CA security and Cisco UCS Management Architecture. Using standard XML API and SSH, CA solutions provide privileged user password management over the Cisco UCS system and enterprise wide log management. 06
  • 7. Securing the Unified Virtual Data Center with CA and Cisco Solutions Protecting access to privileged accounts with CA Access Control Privileged User Password Management With the integration to the UCS Manager configured and enabled CA Access Control Privileged User Account Management (PUPM) provides administrators controlled access to privileged accounts in and beyond the UCS system. These types of accounts (like superuser/root, admin and sa) are extremely powerful, creating a need to control who gets access, when they get access and for how long. The necessity to share these accounts among many users makes it difficult to hold people accountable for privileged activity. In addition, many processes and applications require access to these same accounts. Compliance with regulations such as PCI, HIPAA, and ISO 27001 demands that access to these accounts is enforced by policy, that accountability of shared privileged access is maintained, and that the passwords of these accounts are kept in compliance with policy just like any other account. CA Access Control (PUPM) provides a secure, workflow-controlled and audited solution to mitigate risk exposure from privileged users. CA Access Control PUPM manages access to applications and shared accounts by allowing privileged users a mechanism to check out privileged accounts on an as-needed basis. Some of the benefits of CA Access Control PUPM include: • Mitigating risk by securing privileged UCS account passwords in an encrypted storage, and providing appropriate access to the passwords based on a documented policy. • Making privileged users accountable. Users are no longer anonymous when accessing shared UCS privileged accounts, and their actions are securely recorded. • Facilitating regulatory compliance through centralized management and reporting on access entitlements and activity. • Potentially reducing costs through the automation of shared account password management and the streamlining of allocation and removal of privileged access. • Increasing efficiency through the ability to provision a privileged account on an ad hoc basis or in an emergency, break-glass situation. CA Access Control PUPM provides secure access to privileged accounts and helps provide accountability of privileged access through the issuance of passwords on a temporary, one-time use basis. PUPM is also designed to allow applications to programmatically access system passwords and, in so doing, remove hard coded passwords from scripts. Support for PUPM is available for a multitude of servers, applications (including databases) and devices in a physical or virtual environment (see Figure 2). 07
  • 8. Securing the Unified Virtual Data Center with CA and Cisco Solutions Figure 2 CA Access Control PUPM— major features. • Secure storage of shared passwords—PUPM stores critical application and system passwords in a secure and protected data store. Users who need access to these sensitive passwords can “check-out” and “check-in” these passwords using an intuitive, easy to use Web UI. PUPM enforces “privileged access policies” that govern which users can use which shared accounts. Typical Scenario for Cisco UCS Administrator Access to a Privileged Account 1. Cisco UCS Network Administrator logs in to the PUPM Web UI and requests access to a privileged account to the UCS Manager. This process is called “check out”. 2. PUPM can optionally route this “check-out” request through a workflow system that requires a system owner or manager to approve the request. 3. Once all approvals are attained, PUPM provides the UCS Administrator password to the end user in the Web UI. 4. After completing his/her work, the end user logs out of Cisco UCS Manager, then goes back to the PUPM Web UI and “checks-in” the UCS Administrator privileged account. 5. PUPM then automatically changes the password for UCS Administrator on the UCS Manager, providing a true OTP (One Time Password) facility. This feature is called “change password at check-in”. 6. In the event that the end user forgets to check-in the UCS Administrator account, PUPM can be configured to set a time limit on check-out and then automatically changes the password after this time limit has been reached. Optionally, the PUPM System Manager can manually “force check-in” an account, which automatically triggers a password change on the account. 08
  • 9. Securing the Unified Virtual Data Center with CA and Cisco Solutions • Provide accountability of shared account access—PUPM features an “exclusive check-out” capability that permits only a single individual to check-out an account at any given time. Furthermore, PUPM can track the original user actions by correlating access events on the systems to the check-out event generated by PUPM through the tight integration with CA Enterprise Log Manager. • Privileged account password policy—Passwords managed through PUPM can have an associated password policy which defines its uniqueness. This ensures that the passwords generated by PUPM are accepted by the end-point system, application or database. For example, you can configure the policy to mandate passwords that are at least eight characters long and contain a number and a letter. Password policies also determine an interval at which PUPM automatically creates a new password for the account. • Privileged access auditing and reporting—Privileged access is audited and logged within PUPM. PUPM provides a robust reporting infrastructure that can be used to report on user activity like check-in, check-out and workflow approvals. Additionally more than 40 reports are available. PUPM logs can also be routed to CA Enterprise Log Manager (ELM). CA ELM provides enhanced logging and reporting capabilities, including the ability to collect the native logs generated by systems, applications or databases and generate reports on privileged user activity. These logs can also be centralized in CA ELM and correlated to the check-out events generated by PUPM. • Automatic account discovery—PUPM automatically discovers the accounts on a managed end-point that is connected to the PUPM Enterprise Management Server. The PUPM administrator can then decide which accounts are to be used by PUPM. These accounts are then assigned to a “privileged access role”, which can be granted to end users as part of PUPM policy. Process for Creating and Managing Access to a Privileged Account 1. The PUPM System Manager creates endpoints in CA AC PUPM Enterprise Management Server. 2. The PUPM System Manager creates password policies for each application or end-point type that will be managed by PUPM. 3. The PUPM System Manager discovers privileged accounts on UCS, and can then choose which of those will be managed by PUPM. 4. PUPM then automatically assigns these accounts to privileged access roles, which can be used to manage access to these shared accounts via member policies. 5. Member policies can be granted based on Active Directory group membership, which greatly simplifies administration overhead. 6. For example, a “UCS privileged access” role can specify a member policy that authorizes the users who belong to the Active Directory group “UCS Administrators”. • Agentless architecture—PUPM provides a server-based architecture for minimal deployment effort and risk. No agents are required on PUPM managed end-points. All connections are handled from the PUPM Enterprise Management Server using native capabilities. For example, databases use JDBC, UNIX and Linux use SSH and Windows uses WMI. 09
  • 10. Securing the Unified Virtual Data Center with CA and Cisco Solutions • Dual-control workflow capabilities—PUPM provides dual-control workflow capabilities for regular and emergency access to privileged accounts. Workflow can be optionally enabled for certain end users and/or certain privileged accounts. • Break glass and emergency access—Users perform a “break glass check out” when they need immediate access to an account that they are not authorized to manage. Break Glass accounts are privileged accounts that are not assigned to the user according to the user’s traditional role. However, the user can obtain the account password without intervention and delay if the need arises. Process for break glass and emergency access 1. The end user requires emergency access to a privileged account that he/she is not regularly authorized to use, as per PUPM policy. 2. This end user must be part of the Break Glass Privileged Access Role, which has to be set up earlier by the PUPM System Manager. 3. The end user requests a “break glass check out”. 4. The password is automatically displayed on the screen; however a justification field is presented which must be filled in. 5. The user, as before, then uses this password to access the privileged account. 6. An automatic workflow message is sent to the PUPM administrator, which includes the justification filled out by the end user. 7. The transaction is securely logged. • Integration with help-desk systems—AC PUPM can be integrated with the incident and problem management systems, including CA Service Desk Manager. This enables privileged user activity to be validated against an existing help-desk request for privileged password access. • Programmatic check-out—You can use the PUPM Agent inside a script calling UCS to remove hard-coded passwords with programmatic password check out from AC PUPM Enterprise Management. This lets you avoid having to include hard-coded passwords inside scripts, resulting in increased efficiency and security. • Delegation and scoping of administrative PUPM roles—PUPM supports a scoping and delegation model. Privileged access roles within PUPM can be based on any Active Directory attribute as well. Some of the built-in administrative roles within PUPM include: PUPM System Manager, Policy Manager, and User Manager. Monitoring the unified virtual data center with CA Enterprise Log Manager CA Enterprise Log Manager (ELM) is a comprehensive solution to security log management challenges. CA Enterprise Log Manager offers a distributed collection architecture that scales linearly and delivers a cost effective solution. CA ELM provides key capabilities to solve log management needs for a virtual data center, including those supported by the Cisco UCS system: 10
  • 11. Securing the Unified Virtual Data Center with CA and Cisco Solutions • Available as a virtual appliance that can be hosted on a VMware server with built in log data base and subscription service for automated product and content upgrades. • Log collection from various sources in the data center including hypervisors, virtual network systems, network security appliances, operating systems, storage and applications. • Out-of-the-box reports and centralized reporting for data center activities to support various compliance requirements. • Ad hoc and multi-dimensional reporting to better enables incident investigation and problem determination. • Automated alerting capability for data center teams in case of policy violation or security incident via email, SNMP trap to NOC tools, integration with enterprise ticketing systems, remote execution of scripts and web services calls. • Longer term archival of logs with high data compression (10:1). CA ELM event integration with Cisco UCS stack along with Virtual Machine and Guest OS activities help provide solution to many of the challenges posed by fragmented virtual datacenter. Figure 3 Unified virtual data center monitoring with CA Enterprise Log Manager. • Addressing regulatory requirements for the virtual data center As most organizations turn towards virtualization to optimize resource utilization and operational efficiencies, they are faced with the reality that regulatory requirements and standards such as PCI Data Security Standard does not acknowledge or accommodate some of the unique challenges faced by an organization implementing virtualization in their IT environment. In fact, some PCI controls (such as requirement 2.2.1) can be easily misinterpreted to mean that virtualization is incompatible with PCI DSS compliance. 11
  • 12. Securing the Unified Virtual Data Center with CA and Cisco Solutions The following table summarizes some of the implications of most common regulatory requirements to the virtual data center: Table 1 Regulation/ Compliance Virtualization Virtualization Risks Standard Objectives Implications implications of PCI DSS Protect cardholder data Cardholder data is Cardholder data regulatory disclosed, either in transits virtualized requirements. transit or in storage networks, or is stored on virtualized infrastructure SOX-404 Ensure accurate Errors in calculation Calculations or financial reporting and fraud key reports done on virtualized infrastructure HIPAA Protect patient Private patient Patient healthcare healthcare data healthcare records records transits or is are disclosed stored on virtualized infrastructure CA ELM has a team of experts developing reports mapping to specific requirements for IT and user activity monitoring for regulations and standards such as PCI DSS, SOX section 404, HIPAA, FISMA, EU Directive, NERC, and more. The report packs are available out-of-the-box in the CA ELM without any additional cost. Figure 4 Administration resource access report showing activities performed by server administrators. 12
  • 13. Securing the Unified Virtual Data Center with CA and Cisco Solutions • Addressing administrative access control challenges Cisco UCS RBAC simplifies operating tasks that span server, network, and storage administrator teams, while preserving the specialized knowledge that exists within each group. This approach allows subject matter experts to continue with their normal procedures, but all the configuration data is captured in a single, unified device manager, instead of in the separate, individual device managers that exist in today’s data centers. As discussed above, CA Access Control PUPM integrates with Cisco UCS Manager to control who has access to the UCS management and shared accounts, automating password management for these accounts, and providing for the accountability of privileged access by maintaining an audit trail of who is using the privileged accounts. CA ELM extends this capability by providing a holistic picture of privileged user access and identity management activity. • Addressing change and configuration management challenges Core to the Cisco UCS Manager is the policy-based management of the server and network resources in the Cisco Unified Computing System. Cisco UCS Manager uses service profiles to provision servers and their I/O connectivity. Service profiles are created by server, network, and storage administrators and are stored in the Cisco UCS 6100 Series Fabric Interconnects. The profiles are automatically applied to newly provisioned UCS resources based on defined policy allowing Cisco UCS Manager to fully configure the servers, adapters, and fabric extenders and appropriate isolation, quality of service (QoS), and uplink connectivity on the Cisco UCS 6100 Series Fabric Interconnects. Cisco UCS implements Cisco VN-Link technology that enables policy based virtual machine connectivity, mobility of network and security properties during VMware VMotion migration. This helps in applying consistent network and security policies across multiple VM, while simplifying automation in the data center. CA ELM enhances these capabilities by monitoring Cisco UCS and virtual data center resources for changes that are taking place. These include changes to UCS policies, UCS service profiles, VMotion, firewall policy changes, Hypervisor configuration, and more. Based on pre-defined alerts, CA ELM can notify the rightful owner if there is a violation of security policy, etc. • Addressing network security and operations challenges Cisco and VMware developed the Distributed Virtual Switch (DVS) framework which decouples the control and data planes in a network. Based on the DVS framework, Cisco has delivered a portfolio of networking solutions referred as “VN-Link” that can operate directly within the distributed hypervisor layer and offer a feature set and operational model that are familiar and consistent with other Cisco networking products. This solves existing pain points around virtual machine vSwitch: ¬ Each embedded vSwitch represents an independent point of configuration. This makes large scale implementation of server virtualization very hard. ¬ vSwitch represents a piece of the network that is not managed consistently with the rest of the network infrastructure; in fact, network administrators often do not even have access to the vSwitch. 13
  • 14. Securing the Unified Virtual Data Center with CA and Cisco Solutions ¬ vSwitches do not enable virtual machine mobility. The administrator is required to make sure that the vSwitches on both the originating and target VMware ESX hosts and the upstream physical access-layer ports are consistently configured so that the migration of the virtual machine can take place without breaking network policies or basic connectivity. VMware also has the implementation of VDS framework referred as vNetwork Distributed Switch on the hypervisor and the control plane component is implemented on VMware vCenter. By monitoring logs from Cisco UCS Manager, Cisco Nexus Switches, VMware hypervisors and VMware vCenter, CA ELM can track the following: 1. Addition of VM to a monitored system and changes to network assignments 2. Changes made to Port Profiles, including profile attributes such as VLAN, private VLAN, ACL, port security, QoS marking, and more. 3 Track VMotion of virtual machines from one host to another and across storage systems. 4. Monitor traffics between physical switches that are connected to individual vSwitches or traffics between two vSwitches using logs from physical/virtual firewalls • CA ELM content for Cisco Unified Computing System CA ELM provides an out-of-the-box integration with Cisco suite of products including Cisco UCS Manager. CA ELM collects audit events from Cisco UCS Manager using the XML API. Following table summarizes a list of log sources supported by CA Enterprise Log Manager which would be involved in a typical Cisco Unified Computing based Data Center: Table 2 Log Source Type Log Source Supported virtual datacenter log Hypervisor VMware ESX, vSphere sources. Xen Server MS Hyper-V Virtualization Management Cisco UCS Manager VMware vCenter Cisco Data Center Network Manager CA Spectrum Automation Manager Network Infrastructure Cisco Nexus Switches (1000V, 5000, 7000 series) Cisco MDS Switches (9000 series) Cisco Catalyst Switches (6500 series) Cisco Routers Network Security Cisco ASA (Firewall, VPN, IPS modules) Cisco PIX Network & Host Access Control CA Access Control Cisco Secure ACS Cisco NAC Storage Systems NetApp EMC 14
  • 15. Securing the Unified Virtual Data Center with CA and Cisco Solutions Section 3: Benefits Comprehensive virtual data center controls In summary, the benefits from CA Access Control Privileged User Password Management for the Cisco UCS Virtualized data center include: • Reduces the cost and risk of managing privileged shared accounts, making them accountable and enhancing regulatory compliance. • Provides for segregation-of-duties across server platforms within and across Cisco UCS, including: Windows, UNIX, Linux and Virtualization Hypervisors. • Increases efficiencies by managing privileged accounts from a single console. CA Enterprise Log Manager delivers the following additional benefits: • Reduces the time it takes to generate audit log related compliance reports with over 200 activity reports for PCI, SOX, HIPAA, FISMA, GLBA, ISO2700x and more. • Streamlines log analysis and investigation with visual log analysis tools and easy drill-down capabilities. Additionally, preconfigured and customizable alerts are provided for control or policy violations out-of-the-box. • Single dashboard provides overview of log collection process across the virtual data center. Section 4: Conclusions Increased agility and massive cost efficiencies from scalable, elastic IT delivered as services across the Internet are fast becoming the new normal and the basis of business computing. Traditional architectures, platforms, and IT management methods have yet to thrive in the new age of cloud computing and will fall short. Furthermore, as organizations begin to deploy massively virtualized platforms and cloud services, the need for enhanced security models and best practices, including privileged user password management and comprehensive auditing will increase. CA and Cisco have collaborated to enhance virtual data center security. By integrating Cisco UCS Manager with the CA Security solutions—CA Enterprise Log Manager and CA Access Control Privileged User Password Management, organizations can reduce risk and cost, and consistently address regulatory compliance requirements. 15
  • 16. Section 5: About the Authors Alok Ojha is a Product Manager at CA, where he has product management responsibilities for multiple products within CA Security Information Management product line including CA Enterprise Log Manager. He has over 5 years of experience working on IAM, SIM and middleware technologies. His current areas of interest include Insider Threat Monitoring, Virtualization and Cloud Security. Alok holds B.S and M.S degrees in Mathematics and Computing from Indian Institute of Technology (IIT) at Kharagpur, India and has published 6 research papers in leading IT conferences so far. You can reach Alok at Alok.Ojha@ca.com Nimrod Vax has over ten years of experience in Software Development including positions in R&D, and Product Management. As a security specialist Nimrod designed and built cryptographic devices and access control mechanisms in various environments ranging from Windows Kernel to J2EE, and as a development manager had engaged in IAM deployments for major enterprises in North America and EMEA. He is a member of the Product Management Team for the CA Security Management BU. Nimrod holds a B.Sc. in Computer Science and an MBA with a major in Marketing. CA Technologies is an IT management software and solutions company with expertise across all IT environments—from mainframe and physical, to virtual and cloud. CA Technologies manages and secures IT environments and enables customers to deliver more flexible IT services. CA Technologies innovative products and services provide the insight and control essential for IT organizations to power business agility. The majority of the Global Fortune 500 rely on CA Technologies to manage their evolving IT ecosystems. For additional information, visit CA Technologies at ca.com. Copyright ©2010 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. CA assumes no responsibility for the accuracy or completeness of the information. To the extent permitted by applicable law, CA provides this document “as is” without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or non-infringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised in advance of the possibility of such damages. 1858_0510

×