QualysGuard InfoDay 2012 - Secure Digital Vault for Qualys



  1. PIM FOR QUALYS. Presenter: Jan Dienstbier
  2. Secure Digital Vault – Security You Can Bank On. Secure repository for information at rest and in motion. Securing data using multiple security layers, based on patented technology. Tamper-proof. More than 10 years of maturity. Diagram labels: Vault Safes (Local Drive or SAN); Cyber-Ark; LAN, WAN, INTERNET; Vault Server.
  3. Enterprise Password Vault: Preventing Threats, Improving Productivity. Who is accessing critical information assets? Scenario: John, the IT admin, receives a ticket he needs to handle. There's a problem on the Windows machines and he needs to install a patch to fix it, which requires administrator access. John requests managerial approval to retrieve the password. John's access is logged, personalized and a reason is entered. John connects transparently without seeing the password. Diagram labels: Ticketing Application; Windows Server. The result? A preventative approach that: secures privileged credentials; gives you full control over access (ticketing integration; approval workflow); personalizes usage; automatically replaces credentials on a periodic basis (policy driven); gives protection from terminated employees & 3rd parties; generates better productivity & shorter time to resolution.
  4. Enterprise Password Vault In Action. Steps: (1) Central and Integrated Policy Definition; (2) Initial load & Reset: Automatic Detection, Bulk upload, Manual; (3) Request Workflow: Dual control, Integration with Ticketing Systems, One-time Passwords, exclusivity, groups; (4) Direct Connection to Device; (5) Auditor Access. Diagram labels: Policy; Central Policy Manager; Vault; Password Vault Web Access; Security/Risk Management; IT; Auditors; Enterprise IT Environment. Sample generated passwords shown in the vault: y7qeF$1, gviNa9%, lm7yT5w, X5$aq+p, Oiue^$fgW, Tojsd$5fh. Sample table (System / User / Pass): Unix / root / tops3cr3t; Oracle / SYS / tops3cr3t; Windows / Administrator / tops3cr3t; z/OS / DB2ADMIN / tops3cr3t; Cisco / enable / tops3cr3t.
  5. Application Identity Management: Tighter Security; Better Compliance. Secure, manage and eliminate hard-coded privileged accounts from applications. Secure & reset application credentials with no downtime or restart. Ensure business continuity & high performance with a secure local cache. Strong application authentication. Unique solution for Java Application Servers with no code changes. Avoid hard coding connection strings – no code changes & overhead. Code shown, hard-coded form: UserName = "app"; Password = "y7qeF$1"; Host = ""; ConnectDatabase(Host, UserName, Password). Code shown, replacement form: UserName = GetUserName(); Password = GetPassword(); Host = GetHost(); ConnectDatabase(Host, UserName, Password). Diagram labels: Billing App; CRM App; HR App; Online Booking System; Websphere; Weblogic; Legacy; IIS / .NET.
  6. AIM: Example of Integrating with 3rd Party Applications. QualysGuard automates vulnerability management and policy compliance. With Cyber-Ark, automate trusted scans using credentials that are stored and managed by the PIM Suite. Coverage of security scans is more in-depth, providing a complete view of IT security and compliance. Privileged credentials are securely protected and periodically changed based on enterprise policy. Overall, company data is better protected.
  7. Application Identity Manager In Action. Steps: (1) Secure and Reset Application Credentials; (2) Applications pull credentials – Using secure local cache; (3) Password Reset. Code shown, hard-coded form: UserName = "app"; Password = "y7qeF$1"; Host = ""; ConnectDatabase(Host, UserName, Password). Code shown, replacement form: UserName = GetUserName(); Password = GetPassword(); Host = GetHost(); ConnectDatabase(Host, UserName, Password). Diagram labels: Central Policy Manager; Vault; App1; secure cache; Cyber-Ark Application Password Provider; Servers running Applications and Scripts; Database Servers/Network Resources. Sample generated passwords shown in the vault: kR59$ufg, y7qeF$1, gviNa9%, lm7yT5w, X5$aq+p. Sample table (System / User / Pass): Oracle / appId1 / OracleApp1; DB/2 / backup1 / DB2backup1; SAP / edi_user2 / SAP123; Windows / service1 / WinService1. Supported Platforms: Windows, Linux, Solaris, AIX. Programming languages: Java, C/C++, VB, .NET, command-line. Application Servers: transparent solution for WebLogic, WebSphere, JBOSS, Tomcat.
  8. ‘Push’ Mode. AIM “Push” mode. Current State. Diagram labels: Central Policy Manager; Vault; Applications/Products using embedded credentials; Database Servers/Network Resources. Sample generated passwords shown: y7qeF$1, X5$aq+p, lm7yT5w, gviNa9%. Sample table (System / User / Pass): Oracle / appId1 / OracleApp1; DB/2 / backup1 / DB2backup1; SAP / edi_user2 / SAP123; Windows / service1 / WinService1. Supported Platforms: Windows Services; Windows Scheduled Tasks; IIS Application Pools; Windows Registry; F5 BigIP; ….
  9. On-Demand Privileges Manager: Tightening Unix Security. When, Who, What, Where, What. Control superuser access. Monitor & audit with reports and text recording. Manage who can run which commands. On-demand elevation for privileged commands.
  10. Continuous Monitoring & Protection Across the Datacenter. Privileged Session Management Suite: PSM for Servers; PSM for Databases; PSM for Virtualization. Isolate, Control, Monitor.
  11. Value of Privileged Session Management. Isolate: prevent cyber attacks by isolating desktops from sensitive target machines. Control: create accountability and control over privileged session access with policies, workflows and privileged single sign on. Monitor: deliver continuous monitoring and compliance with session recording with zero footprint on target machines.
  12. Isolating Sensitive Assets – Preventing Targeted Attacks. How can I reduce the risk of malware infecting target systems? With PSM: 1. John receives an email with targeted malware. Malware spread is blocked. 3. Session is run on an isolated secure proxy, not on desktop. Data on target systems is protected and sabotage is eliminated. Diagram labels: Privileged Session Manager; Servers; Databases; Virtual Machines.
  13. More Control over Privileged Sessions. Control who can connect to a privileged session and for how long. Enable privileged single sign on without exposing credential (e.g. external contractors). Enforce approval workflows. Implement strong authentication.
  14. Privileged Session Management for Servers. Steps: (1) Logon through PVWA; (2) Connect; (3) Fetch credential from Vault; (4) Connect using native protocols; (5) Store session recording in tamper-proof vault; (6) View session recording. Diagram labels: IT personnel; PVWA; PSM; Vault; Windows Servers; Unix/Linux Servers; Routers & Switches; ….
  15. Privileged Session Management for Databases. Independent Oracle Users Group (IOUG) 2010 Survey: 75% of DBAs say their organizations can’t monitor them. What are my highly privileged DBAs doing on the Production Servers? What sensitive business data are they viewing and changing? SIEM can’t really capture read operations (“select …”). “Turning on auditing kills performance!” Diagram label: Privileged DBA Users.
  16. Database Activity Monitoring Solutions. Diagram labels: Application, Business Users; DAM Appliances; DAM Console; Privileged DBA. Every database interaction is monitored. Cumbersome to deploy; very expensive for enterprise-wide protection. Not really designed to stop DBAs; only partially monitors them. No solution for controlling access to database host OS.
  17. PSM for Databases: Focusing on the Privileged DBAs. Diagram labels: DAM Optional; Application & Business Users; Privileged DBA User; PSM. Control and monitor only the privileged DBAs where most of the risk lies. Zero footprint on databases means quicker deployment with no performance overhead. Protecting and monitoring OS.
  18. PSM for Virtualization. The technology that enables the cloud. Diagram labels: Image A, Image B, Image C; VM/Hypervisor Manager; Virtual Server; Traditional IT Servers. Hypervisors are highly privileged with wider system access – exponential risk! With wider system access, the hypervisor is more prone to targeted attacks.
  19. An Innovative Approach to Virtualization Security. Diagram labels: Hypervisor Management Console (vCenter); PSM for Virtualization; PIM App; Hypervisor Manager; Hypervisor; Image A, Image B, Image C; Guest Machines; Vault; Auditor.
  20. Securing the Virtual Environment with a Central Command & Control Point. Single policy, single audit for privileged account management in virtualized environments. No footprint on hypervisors. Privileged Identity Management: control access to hypervisors, vCenter & guest machines; personalize access and track usage; enforce security policies for credential management; enforce change management approval procedures. Privileged Session Management: monitor VM admin & guest machine activities with DVR recording; enforce session access & approval workflows; strong authentication to hypervisor; privileged single sign on.
  21. Summary: Privileged Identity & Session Management. A comprehensive platform for isolating and preemptively protecting your datacenter – whether on premise or in the cloud. Discover all privileged accounts across datacenter. Manage and secure every credential. Enforce policies for usage. Record and monitor privileged activities. React and comply.
  22. THANK YOU!
  24. Schedule & Format Reports
  25. Schedule & Format Reports
  26. Schedule & Format Reports
  27. Schedule & Format Reports
  28. PSM for Privileged Remote Access. Diagram labels: External Vendors; Internet; HTTPS; Firewall; Corporate Network; PIM App; Vault; Windows Servers; UNIX Servers; Routers and Switches; Auditors.
  29. PSM for Distributed, Cross-Network Access. Diagram labels: IT Personnel; Auditor; HTTPS; Vault; CPM/PSM; Prod Network; OPS Network; Dev Network.
  30. Common Requirements for PIM Solutions. Diagram labels: External Vendors; IT Personnel; Business Applications; Audit; Shared/Privileged Accounts; Security Policy Enforcement; Hard coded/embedded application accounts; Workflows; Provisioning; Business Continuity; Enterprise IT Environment.
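
Added example, not part of the original slides and not Cyber-Ark's API: a sketch of the pull model described on slides 5 and 7, where an application asks a provider for its password through a local cache instead of hard-coding it, and survives a password reset without a restart. `VaultStub`, `CachedCredentialProvider`, `connect_database` and the sample passwords are constructed for illustration; the in-memory dict stands in for the secure cache.

```python
import time

class VaultStub:
    """Hypothetical stand-in for the central vault; rotate() models a policy-driven reset."""
    def __init__(self):
        self._secrets = {"app": "constructed-pass-1"}  # constructed sample value
        self.fetches = 0

    def get_password(self, account):
        self.fetches += 1
        return self._secrets[account]

    def rotate(self, account, new_password):
        self._secrets[account] = new_password

class CachedCredentialProvider:
    """Local cache in front of the vault: short TTL plus forced refresh on auth failure."""
    def __init__(self, vault, ttl_seconds=60.0, clock=time.monotonic):
        self._vault, self._ttl, self._clock = vault, ttl_seconds, clock
        self._cache = {}  # account -> (password, fetched_at); assumed protected in practice

    def get_password(self, account, force_refresh=False):
        entry = self._cache.get(account)
        if force_refresh or entry is None or self._clock() - entry[1] > self._ttl:
            entry = (self._vault.get_password(account), self._clock())
            self._cache[account] = entry
        return entry[0]

def connect_database(provider, account, authenticate):
    """Try the cached password; on rejection refetch once, so a reset needs no restart."""
    password = provider.get_password(account)
    if authenticate(account, password):
        return "connected"
    password = provider.get_password(account, force_refresh=True)
    return "connected-after-refresh" if authenticate(account, password) else "denied"

def demo():
    vault = VaultStub()
    provider = CachedCredentialProvider(vault)
    db = lambda user, pw: pw == vault._secrets[user]   # constructed target system
    first = connect_database(provider, "app", db)      # cache miss, one vault fetch
    second = connect_database(provider, "app", db)     # served from the local cache
    vault.rotate("app", "constructed-pass-2")          # password reset by policy
    third = connect_database(provider, "app", db)      # stale cache, then refresh
    return first, second, third, vault.fetches

if __name__ == "__main__":
    print(demo())
```

The single retry on authentication failure is what keeps a stale cache entry from turning a scheduled reset into an outage; bounding it to one refetch avoids hammering the vault or locking the account when the credential is genuinely wrong.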