„IT Infrastructure without Administrator Role Accounts is ... · Privileged Access Management...
CONFIDENTIAL
Slide 1
“IT Infrastructure without Administrator Role Accounts, is it possible?”
Alejandro Soret Madolell, Product Manager PEDM
Pawel Rybczyk, Business Developer CEE/CIS
Slide 2
The WALLIX offer
WALLIX Admin Center
SaaS management console for WALLIX solutions
• Cybersecurity by design
• Manage configurations
• Back up and restore
• License key management
DISCOVERY: Map and explore your network to unveil hidden privileged accounts
PEDM: Least Privilege protection to secure critical endpoints
SESSION MANAGER: Ensure real-time oversight of critical resources
PASSWORD MANAGER: Maintain the highest standards of password protection
ACCESS MANAGER: Grant & control secure access for external connections
WALL4iOT: Bastion4iOT, ISC (Alleantia)
AAPM, MFA
WALLIX for Industry 4.0
Slide 3
PAM
Slide 4
Slide 5
Bastion Key Architecture (diagram labels)
Users: Privileged users; Third-party contractors; Auditors, Risk and Compliance officers
BASTION: Session Manager; Password Manager; Vault
Targets; Robots
Slide 6
PEDM
Slide 7
Slide 8
Privilege Elevation and Delegation Management (PEDM)
WALLIX PEDM
Slide 9
4 good reasons to implement a PEDM solution
Security breaches are a plague
▪ 327 attacks every minute
▪ $400.000 billion cost from 2016 attacks
▪ More than 150 billion attacks in 2017
▪ Attacks on critical infrastructures have multiplied by 20 in 4 years
Privileged accounts are involved in most cyber attacks
About 92% of malware affecting systems requires privilege elevation to infect and propagate to network systems.
By removing high-level privileges, most malware is removed as well.
Old security solutions are now obsolete
New attacks have shown that traditional defense systems are not effective, because they have to know the threats beforehand.
Their effectiveness rate is only about 60%.
Vulnerabilities derived from the use of privileged accounts
▪ 91% of the vulnerabilities of Microsoft Office
▪ 96% of the vulnerabilities of Microsoft Windows OS
▪ 100% of remote code injection vulnerabilities
▪ 100% of the vulnerabilities of Microsoft Internet Explorer
Slide 10
A good solution recommended by leading agencies…
Principle of Least Privilege (PoLP), whose goal is to fight against malware
▪ Gartner Top 10 Security Projects for 2018: “Organizations should remove administrative rights from all users.”
▪ The USA’s Computer Emergency Readiness Team (CERT) best practice guidelines recommend to “Use extra caution with system administrators and technical or privileged users.“
… However, it could impact businesses’ productivity
▪ IT team burden, ticket overflow
▪ Reduced employee efficiency and increased frustration
(Diagram: trade-off between Productivity and Security)
Sources: https://www.gartner.com/smarterwithgartner/gartner-top-10-security-projects-for-2018/
Slide 11
250 bis, rue du Faubourg Saint-Honoré
75008 Paris, France
+33 1 53 42 12 81
WALLIX, a Limited Liability Company with share capital of €50,000, having its registered office at 250 bis, rue du Faubourg Saint Honoré,
75008 – PARIS - FRANCE, registered at the Registry of Trade and Companies of Paris under number B 450 401 153 – FR67 450 401 153
WALLIX BASTION
PRODUCT OVERVIEW
V7 – SEPTEMBER 2019
Wallix Bastion - Product Overview V7 – SEPTEMBER 2019 2 / 20
Table of Contents
I INTRODUCTION (p. 3)
I.1 OBJECT (p. 3)
I.2 SCOPE AND EXPIRY (p. 3)
I.3 RELATED DOCUMENTS (p. 3)
I.4 REVISION HISTORY (p. 4)
I.5 ABBREVIATIONS (p. 4)
II BASTION POSITIONING AND VALUE PROPOSAL (p. 5)
II.1 WHY PROTECTING PRIVILEGED ACCESS? (p. 5)
II.2 REGULATIONS (p. 6)
II.3 WHICH BUSINESS SECTORS REQUIRE A PAM SOLUTION? (p. 6)
II.4 POSITIONING (p. 7)
II.5 ABOUT WALLIX (p. 8)
II.6 AWARDS (p. 8)
II.7 CERTIFICATIONS (p. 9)
III BASTION IN A NUTSHELL (p. 10)
III.1 OVERVIEW (p. 10)
III.2 SECURING INFORMATION SYSTEMS (p. 12)
III.3 CONFIGURED FOR COMPLIANCE (p. 12)
III.4 TECHNICAL BENEFITS OF THE BASTION (p. 12)
IV BASTION MODULES (p. 14)
IV.1 SESSION MANAGER (p. 14)
IV.2 PASSWORD MANAGER (p. 15)
IV.3 ACCESS MANAGER (p. 15)
IV.4 BESTSAFE PEDM (p. 16)
IV.5 WALLIX ADMIN CENTER (p. 17)
IV.6 DEPLOYMENT OPTIONS (p. 17)
IV.7 INTEROPERABILITY (p. 18)
V CASE STUDIES (p. 19)
I INTRODUCTION
I.1 OBJECT
WALLIX is a cybersecurity software publisher and Europe’s leading player in Privileged Access Management (PAM).
Privileged access is used to operate the equipment, applications, and data of IT infrastructures, including access to equipment keys, applications, and enterprise information system data. As a result, privileged accounts are primary targets of most cyber-attacks that lead to the theft of sensitive and strategic data, fraud, and the sabotage of corporate information systems.
Used by more than 700 customers and recipient of multiple awards, the WALLIX Bastion enables its customers to manage, control, supervise and track privileged access, which is critical in responding to threats to their IT infrastructure. It guarantees both accountability of connections and accountability of actions.
This document describes the Bastion, covering the V7 release. It is not designed to present all Bastion functions and features. For details of how to use a specific functionality, please contact [email protected]
I.2 SCOPE AND EXPIRY
This document is released on a quarterly basis, and readers should obtain the latest version prior to use.
This document version has no expiration date; however, updated versions may be released.
I.3 RELATED DOCUMENTS
TYPE TITLE
Whitepaper Privileged Access Management for Healthcare
Whitepaper HITECH-HIPP: PAM to reach Healthcare Security Compliance
Case Study Saint-Quentin hospital chooses WALLIX Bastion
Whitepaper PCI and PA DSS compliance Assurance with the WALLIX Bastion
Whitepaper SWIFT Security Controls: the role of Privileged Access Management
Whitepaper Privileged Access Management for Financial Services
Whitepaper Securing Industry 4.0
Infographic Industry Regulations Compliance
Whitepaper Privileged Access Management for Energy and Infrastructure Companies
Whitepaper Digitally Transforming Governments: Protecting privileged access in the public sector
Case Study Gulf Air chooses WALLIX Bastion
Whitepaper Understanding the Need for Privileged Access Management in the Retail industry
Whitepaper The Benefits of PAM for Telecommunications Companies and Cloud Service Providers
Case Study Claranet chooses WALLIX Bastion
Overview WALLIX BestSafe Product Overview
I.4 REVISION HISTORY
VERSION OBJECT OF THE REVISION
2019 MAY Creation
2019 JUNE Updates: interoperability section, Bastion Technical benefits section
2019 SEPTEMBER Updates: addition of BestSafe PEDM, various little modifications
I.5 ABBREVIATIONS
ANSSI Agence Nationale de la Sécurité des Systèmes d’Information (France)
AWS Amazon Web Services
CLOUD Act Clarifying Lawful Overseas Use of Data Act
CSPN Certification de Sécurité de Premier Niveau (issued by ANSSI)
DSP Digital Service Providers
ERPM Enterprise Random Password Manager
ESO Essential Services Operators
FSTEK Federal Service for Technical and Export Control (Russia)
GCP Google Cloud Platform
IAM Identity and Access Management
ICS Industrial Control Systems
IGA Identity Governance and Administration
IoT Internet of Things
IS Information Systems
MFA Multi-Factor Authentication
OCR Optical Character Recognition
PAM Privileged Access Management
PEDM Privileged Elevation and Delegation Management
PoLP Principle of Least Privilege
RDP Remote Desktop Protocol
SCADA Supervisory Control And Data Acquisition
SIEM Security Information and Event Management
SSH Secure Shell
SSO Single Sign On
TCO Total Cost of Ownership
VO Vital Operator
II BASTION POSITIONING AND VALUE PROPOSAL
II.1 WHY PROTECTING PRIVILEGED ACCESS?
Privileged access permissions are necessary entry points for users [1] to manage the components that make up an IT infrastructure, such as servers, routers, firewalls, applications, databases and other functions, all of which carry privileged access granting users the highest access rights. Used by administrators in performing their tasks, privileged access permissions allow them to do anything, including shutting down the system or extracting sensitive information from databases or devices.
Privileged access accounts are the primary targets of cyberattacks. Hackers start by trying to take control of a privileged account and use it to get into the information system, increase their permissions and open further doors to access more functionalities and devices. Their goal is to access sensitive information and/or take control of devices, applications, databases, and the entire information system they are attacking.
Information piracy has very often been traced to weak security on privileged accounts, as in the Snowden case in June 2013, the theft of the financial information of 143 million Equifax clients in the United States [2], and the hacking of 57 million Uber accounts in November 2017.
A Forrester [3] study reports that some 80% of cyberattacks succeed by, at some point, hacking a privileged account. Privileged accounts are IT security nerve centers, and the protection, control and tracking of privileged access are key factors in any cybersecurity strategy.
The need for a PAM solution is driven by numerous technological factors, the most important being:
▪ the increasing digitalization of corporate functions, which magnifies the business impact of cyberattacks. The dematerialization of processes makes companies critically dependent on the proper operation of their IT infrastructure. In manufacturing, with the automation of production chains that use computerized and connected equipment, a cyberattack can shut down a company’s core business. Indeed, production machines are also equipped with privileged access and may become targets for cyberattack. For example, in a 2017 study of cybercrime, Accenture estimates that the average cost of cybercrime [4] around the world had climbed to US$11.7 million per company in 2017, 23% up on 2016 (survey of seven European countries, including France).
▪ the development of cloud-based IT infrastructures and the interconnection of networks being accessed by increasing numbers of mobile devices and other equipment. The networks of businesses and other organizations no longer have physical limits; increasing volumes of data are being stored in the cloud and data exchange is proliferating. Cisco predicts that Cloud Data Centers will account for 94% of global data processing capacity by 2021, versus 6% for traditional Data Centers [5]. As a result, the attack surface of IT infrastructures is growing.
▪ the trend to IT outsourcing, connected with the fact that companies lack the expertise or budgets for rolling out, managing and operating IT solutions themselves, or make a strategic choice to entrust their IT to specialized third-party firms. Such companies outsource the management of all or part of their requirements to external providers (such as services operators) whose privileged access must be managed, controlled and supervised.
▪ the advent of the Internet of Things (IoT), which increases by several orders of magnitude the number of devices connected to the infrastructures. According to a Gartner study, there were 8.4 billion connected things in 2017, 3.1 billion of them in corporations. The new connected devices are, however, still very vulnerable to attack. The need to manage them will create further requirements for privileged access, which will therefore have to be protected by PAM solutions.
PAM solutions can address these problems, but businesses and organizations are still too weakly equipped.
[1] Users with privileged access can interact with systems to obtain sensitive information, which presents the risk of theft, compromise or accident, or even the destruction of the information system. In that respect, the accounts of system and network administrators, database managers, and cloud administrators are privileged permissions that present the highest risk level.
[2] Equifax just became the first company to have its outlook downgraded by Moody’s for a cyber-attack: https://www.cnbc.com/2019/05/22/moodys-downgrades-equifax-outlook-to-negative-cites-cybersecurity.html
[3] Source: Forrester, The Forrester Wave: Privileged Identity Management Q3 2016
[4] Source: Accenture, The Cost of Cybercrime in 2017, 2017
[5] Source: Cisco, Cisco Global Cloud Index Forecast 2016-2021, 2017
II.2 REGULATIONS
The proliferation of large-scale attacks and the resulting risks are driving governments and regulators to frame new legislation in Europe, America, Asia Pacific, the Middle East and Africa, mainly to protect personal and confidential data. Thus, regulations are the logical result of increased cybersecurity risks.
However, European and US regulations are drawing lines in opposite directions:
▪ In Europe, the GDPR and NIS regulations impose strict rules on companies in the processing of data to ensure its privacy.
▪ In the United States of America, the CLOUD Act (Clarifying Lawful Overseas Use of Data Act) requires U.S.-based technology companies to provide requested data to US federal agencies regardless of whether the data are stored in the US or on non-US soil, without the owner of the data, its country of residence, or the country where the data are stored being informed.
In addition, several regulations require players in certain sectors and/or countries to put in place PAM
solutions:
Europe
▪ NIS Directive
▪ GDPR
▪ France: LPM, HDS, PGSSI
▪ Germany: IT Security Act, Federal Data Protection Act
▪ UK: Computer Misuse Act
▪ DSP2
▪ Eidas
USA
▪ CLOUD Act
▪ Computer Fraud & Abuse Act
▪ Electronic Com. Privacy Act
▪ NIST SP
▪ NERC/CIP
▪ US NRC
▪ HIPAA
▪ S-OX
▪ 23 NYCRR 500
▪ PCI-DSS
▪ Gramm-Leach Bliley Act
▪ State specific regulations
Asia
▪ China: National Security Law, CINISPMR
▪ Japan: UCAL, APPI
▪ South Korea: APICI, ICNA, PIPA
▪ India: IT Act, Privacy Rules
▪ Singapore: CMCA, PDPA
▪ Australia: Telcos Act, Privacy Act
The global cybersecurity market is directly benefiting from the momentum of such regulations. For example, to comply with the GDPR, companies are required to protect the personal data of persons who
interact with their IT infrastructure (employees, customers, etc.). Liability for any leak of personal data may be imputed to the company that is the victim of this attack. To avoid such a situation, companies
must invest in data protection solutions and access management solutions such as WALLIX Bastion.
II.3 WHICH BUSINESS SECTORS REQUIRE A PAM SOLUTION?
All business sectors require a PAM solution; a selection of them is given below.
Healthcare
Healthcare institutions operate against a backdrop of constant change, and their ability
to modify their practices and procedures at the drop of a hat determines their success. Now that paper is passé, healthcare information systems must adapt to the digital and
mobile era. Patient protection extends beyond ensuring their health – it also includes
securing their medical records, which hold valuable information and must be protected
from theft, data leaks, and service disruptions.
The protection of private data is driving continuous improvement in healthcare information systems. In today’s environment, trust chains need to be created to smooth the process of seeking healthcare. With
organizations flocking to the cloud, data security risks take on a whole new dimension. The challenges
involved in securing healthcare data have a direct effect on the chain of hosting service providers or IT
services (e.g. magnetic resonance imaging systems, scanners, or radiographic solutions).
Industry
All the advantages of digitization have not been without some drawbacks. In the industrial sector specifically, productivity and availability issues have multiplied. As
industrial control systems (ICS) increasingly rely on information systems to perform
production, scheduling, and remote access operations, interconnecting ICS systems has
taken a toll on security.
Risks that were once only encountered on information systems have now crossed over and begun to contaminate industrial systems. Included among these risks are the various vulnerabilities associated with
access to supervisory control and data acquisition (SCADA) systems as well as the actions performed on them. In particular, privileged user access exposes these systems to sizable vulnerabilities with the
potential to strike a direct blow to the availability and operation of industrial systems.
Bank & Insurance
Ensuring the security of banking data, especially the potential implications when it falls
into the wrong hands, is a permanent and pressing concern for the financial sector. Highly coveted personal data and the potential payout it represents to cybercriminals make the
financial sector a prime target. Given the sheer number of service providers involved in
each step of a banking transaction, the processes required to guarantee the security of banking data are further complicated. This complication clouds the accountability of
banking systems and magnifies the scale of the threat.
Along with the new security challenges that the digital transition brings about — think applications, online
payment, mobile access, and cloud-hosted services that need to be secured — banks and insurance firms must always demonstrate due diligence. They need to implement innovative and specialized tools that
can guarantee the confidentiality, integrity, and traceability of their clients’ personal data.
Cloud & Telcos
Cloud computing has irreversibly revolutionized how and how much data can be stored
by virtualizing data hosting within private, public, and hybrid cloud environments. However, digital service providers (DSPs) and their clients cannot fully harness the
benefits of this transformation unless they adapt their security measures to these new
environments. It may seem easy, but virtualizing data is hard work. DSPs must protect and manage the migration of their systems to the cloud while also ensuring a seamless process for their
clients’ data and mission-critical applications regardless of business sector (finance, human resources,
healthcare, etc.).
To ensure that they are providing a service that adds real value to their end users, DSPs must ensure this
transition is smooth. They must ensure their compliance with all the regulations governing various sectors, offer reliable third-party application maintenance, and guarantee the encryption of crucial data as well as
the traceability of actions performed on their systems.
II.4 POSITIONING
The technological sector of cybersecurity encompasses numerous categories and sub-categories of products and solutions. PAM, and thus the Bastion, falls into the Protect category and the Access Control sub-category.
II.5 ABOUT WALLIX
Founded in 2003, WALLIX is the French leader in IT security software solutions for managing network security and critical IT infrastructures. WALLIX is a European company located in France, the United
Kingdom and the United States. More than 700 companies and organizations now place their trust in
WALLIX for their IT security solutions around the world.
WALLIX works with the IT departments of customers ranging from mid-sized companies to large groups
and public organizations to provide innovative solutions that meet the challenges of tracing all operations and managing identities and access rights. Our solutions are engineered to fit seamlessly into the
customer’s IT system and ensure compliance with the latest IT security standards.
With a strategy based on innovation, agility and the capability to respond to emerging market needs, WALLIX offers a suite of open-ended solutions tailored to meet the specific needs of its customers.
Because companies rightly expect an efficient and swift response, WALLIX favors solutions that do not involve installing specific agents on hardware and which are easily integrated into the client's information
system.
WALLIX's products allow users to adapt to and comply with ISO27001, PCI, SOX, PSN etc. on information
and data security and guarantee the integrity of their IT system, while tracing all operations on their
system.
WALLIX distributes its solutions through a network of partners, who are fully trained and certified and
have comprehensive knowledge of our solutions.
WALLIX has developed the Bastion, a solution that is easily integrated as part of customers' IT systems
and which provides them with “who did what, when, where and how” information on user actions, in real
time or logs.
WALLIX has developed DataPeps, an end-to-end encryption technology that makes it possible to secure clients’ data in any application: data are stored encrypted, with no access to the decryption keys. Even successful cyber-attacks will not be able to access clients’ data.
In 2019 WALLIX acquired Simarks and Trustelem to extend its portfolio to the PEDM and IDaaS markets.
More information is available on www.wallix.com/en
II.6 AWARDS
The Bastion solution has received multiple awards, including:
▪ named 2016 Best Buy by America’s leading cybersecurity magazine SC Media [1], which annually evaluates the products in the sector;
▪ the 2016 prize for the best “identity and access management” solution at the prestigious
Computing Security Awards event. Computing Security Awards are organized by a panel of industry experts, with winners in each category determined by Computing Security magazine
reader votes. At that ceremony, the panel said it was “impressed by the easy-to-deploy architecture of the WALLIX Bastion solution, and by its latest major release in early 2016 (....).”
The rich functionality of the Bastion solution led the independent Analyst organization KuppingerCole to
rank the Company as a “technology leader”, i.e., a leading supplier of PAM solutions on two grounds:
product and innovation.
[1] “For its unique approach to the entire privileged account management problem, we make Wallix our Best Buy”, https://www.scmagazine.com/wallix-adminbastion-suite/review/7083/.
II.7 CERTIFICATIONS
As part of this quality-based approach, WALLIX has been audited since 2013 by the French Network and
Information Security Agency (ANSSI) and obtained its First Level Security Certification (CSPN).
The Bastion has also been certified in Russia since March 2015 (FSTEK product certification).
III BASTION IN A NUTSHELL
III.1 OVERVIEW
The Bastion solution enables IT departments to protect privileged access by managing how privileged accounts operate. Instead of connecting directly to the machine to be configured, the administrator holding a privileged account must go through the Bastion, which performs the necessary verifications of that administrator’s rights. It then authorizes – or not – the administrator’s connection to the machine and records the session.
The Bastion solution thus sits between the resources to be protected and the persons who have access to these resources, like a proxy security gatekeeper. In this way, it secures access to organizations’ critical
machines (central servers, routers, firewalls, etc.) and plays this role for all enterprise resources such as business applications, industrial machinery control chains, and databases that contain sensitive
information (personal data, manufacturing secrets, etc.).
The Bastion solution also ensures the traceability of administrators’ sessions by offering the ability to
review privileged sessions for audit purposes, troubleshooting, or identifying responsibilities for malicious events, for example. The product has a real-time alert system to flag users breaching corporate security
policy.
The Bastion solution consists of the following main functional modules:
▪ Session Manager, a module for controlling privileged access without knowing the resources’ passwords, and for viewing and recording privileged sessions, thanks to WALLIX’s patented ephemeral session probe mechanism;
▪ Password Manager, a module for implementing a password rotation policy governing administrators’ access to IT resources (which strengthens system security with respect to password modification and manipulation, and prevents the risk of password leaks);
▪ Access Manager, a web administration console for supervising and auditing all actions by administrators recorded by the Session Manager. This console also makes it possible to aggregate the data recorded by multiple instances of Bastion in the case of “large” infrastructures;
▪ BestSafe PEDM, an agent-based solution allowing the IT department to control administrator operations and to block the launch of specific processes that are not necessary for their tasks;
▪ WALLIX Admin Center, a centralized administration portal for Bastion instances.
Session Manager and Password Manager rely on a highly secure password vault based on AES 256 (256-
bit Advanced Encryption Standard) technology.
The Bastion solution protects privileged account access to cloud-based infrastructures hosted by the major public cloud service providers (AWS, GCP and Azure) with a version of the product available specifically
for these environments (in the form of a dedicated Virtual Machine).
Also, the combination of multiple instances of Bastion in cloud mode and in on-premises mode enables protection of access to hybrid infrastructures with an overall view of the information coming from the
various instances of the product deployed in the infrastructure and permits the administrator to manage
these instances in a simple and consolidated way.
The Bastion offers an easy-to-use and easy-to-learn user experience, thanks to its intuitive graphical user
interface.
III.2 SECURING INFORMATION SYSTEMS
The Bastion solution reduces the risk of technical error and counters malicious acts on IT infrastructures. With Bastion:
▪ it is no longer possible to access critical infrastructure servers without undergoing strict access control; this control applies to internal and external users;
▪ the supervisor can see in real time what privileged account users are doing and can filter sessions to prevent errors and attacks;
▪ the supervisor can replay admin sessions on video or in text format for command lines; in the event of a server incident, it becomes easier and quicker to identify the origin of the malfunction;
▪ it is easy for the supervisor to produce proof of an action and pursue malicious perpetrators, as all connections to the web interfaces of equipment or applications are logged. An integrated search engine can be used to quickly find the events corresponding to an incident;
▪ it is not necessary for administrators to know the passwords of the systems to which they have access rights; thus, equipment password management is not impacted by administrator staff changes.
The Bastion solution secures the information system by protecting confidential information against data leaks and against various threats such as industrial espionage:
▪ external or internal administrators have access only to the authorized systems and not to the files and data that they contain;
▪ every access to critical servers containing sensitive data is time-stamped and the actions are recorded, so they can serve as proof and be used for post-mortem analyses;
▪ a system of alerts informs the supervisors of any unauthorized event or any attempt to access confidential and/or sensitive data (such as a prohibited download).
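To make the gateway behaviour described in III.1 and III.2 concrete, here is a small Python model of a PAM session gateway, added as an illustration and not WALLIX code: it checks an administrator's rights before opening a session, injects the target credential from a vault so the administrator never sees it, records every action as a who/what/when/where/how audit event, filters commands in real time with an alert on each block, and supports keyword search over the recorded transcript. All users, hosts, commands, forbidden patterns and the vault content are constructed for the example.

```python
"""Toy model of the PAM gateway functions described above (constructed example,
not WALLIX code): rights check, vault credential injection, who/what/when/where/how
audit records, real-time command filtering with alerts, and text replay."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Tuple


@dataclass(frozen=True)
class Authorization:
    """One rule: `user` may open `account` on `target` during UTC `hours`."""
    user: str
    target: str
    account: str
    hours: range


@dataclass(frozen=True)
class AuditEvent:
    when: str      # ISO-8601 UTC timestamp
    who: str       # named person, not the shared privileged account
    what: str      # action performed or attempted
    where: str     # target resource
    how: str       # protocol, source address or session id
    outcome: str   # "allowed", "denied", "executed" or "blocked"


class Gateway:
    def __init__(self, rules, vault, forbidden_patterns):
        self._rules = {(r.user, r.target, r.account): r for r in rules}
        self._vault = vault                  # constructed: {(target, account): secret}
        self.forbidden = [re.compile(p) for p in forbidden_patterns]
        self.audit: List[AuditEvent] = []
        self.alerts: List[str] = []
        self._next_id = 1

    def record(self, now, who, what, where, how, outcome):
        self.audit.append(AuditEvent(now.isoformat(), who, what, where, how, outcome))

    def connect(self, user, target, account, source_ip, protocol, now):
        """Verify the user's rights, then open a recorded session or deny."""
        rule = self._rules.get((user, target, account))
        allowed = rule is not None and now.hour in rule.hours
        how = f"{protocol} from {source_ip}"
        self.record(now, user, f"connect as {account}", target, how,
                    "allowed" if allowed else "denied")
        if not allowed:
            self.alerts.append(f"{now.isoformat()} {user} denied {account}@{target} via {how}")
            return None
        # The vault secret is used on the target side only; it is never returned to the user.
        secret = self._vault[(target, account)]
        session = Session(self, user, target, account, self._next_id, secret)
        self._next_id += 1
        return session


class Session:
    def __init__(self, gateway, user, target, account, session_id, secret):
        self.gateway, self.user, self.target, self.account = gateway, user, target, account
        self.session_id = session_id
        self._secret = secret            # would authenticate to the target; not exposed
        self.transcript: List[Tuple[str, str, str]] = []

    def run(self, command, now):
        """Filter one command in real time and record it either way."""
        blocked = any(p.search(command) for p in self.gateway.forbidden)
        outcome = "blocked" if blocked else "executed"
        self.transcript.append((now.isoformat(), command, outcome))
        self.gateway.record(now, self.user, command, self.target,
                            f"{self.account} session #{self.session_id}", outcome)
        if blocked:
            self.gateway.alerts.append(f"{now.isoformat()} {self.user} blocked on {self.target}: {command}")
        return not blocked

    def search(self, keyword):
        """Text replay: transcript lines whose command mentions the keyword."""
        return [line for line in self.transcript if keyword in line[1]]


def demo():
    """Constructed scenario: an in-window admin session and an out-of-window contractor."""
    rules = [
        Authorization("alice", "db01.example.internal", "root", range(8, 20)),
        Authorization("bob-contractor", "db01.example.internal", "root", range(9, 12)),
    ]
    vault = {("db01.example.internal", "root"): "constructed-secret"}
    gw = Gateway(rules, vault, forbidden_patterns=[r"\bscp\b", r"\brm\s+-rf\s+/"])
    t0 = datetime(2019, 9, 2, 10, 0, tzinfo=timezone.utc)
    s = gw.connect("alice", "db01.example.internal", "root", "10.0.0.5", "SSH", t0)
    s.run("systemctl status postgresql", t0)
    s.run("scp /var/lib/pgsql/dump.sql ext:/tmp/", t0)    # prohibited download: blocked, alerted
    s.run("journalctl -u postgresql --since today", t0)
    denied = gw.connect("bob-contractor", "db01.example.internal", "root",
                        "203.0.113.7", "RDP", t0.replace(hour=14))
    return {"alice_session": s, "contractor_denied": denied is None,
            "alerts": gw.alerts, "audit": gw.audit}
```

Running `demo()` yields five audit events (two connection attempts, three commands), one blocked command and two alerts; the contractor's 14:00 UTC attempt is denied because it falls outside the 09:00-12:00 window granted to that account.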
III.3 CONFIGURED FOR COMPLIANCE
The traceability function of the Bastion software suite enables user sessions to be viewed in real time
and their activity to be recorded for audit or compliance purposes, particularly in view of the NIS Directive.
The privileged access control function of the Bastion software suite filters these activities to avoid abuses or human error and to prevent data leaks, allowing businesses and organizations to meet their requirements under the GDPR.
The Bastion software suite is certified by ANSSI. This makes it the PAM solution of choice for Vital
Operators (VOs) in France and places it in an ideal position to address the requirements of Essential
Services Operators (ESOs) in Europe, who are required to use certified solutions to comply with the NIS Directive. The Bastion therefore enables ESOs, and VOs, to meet the new compliance requirements
imposed by the GDPR and the NIS Directive.
In addition, the Bastion enables companies and organizations:
▪ to comply with applicable legislative, regulatory or professional frameworks (ISO 27001 recommendations, Basel rules, Sarbanes-Oxley Act, Arjel gaming rules, audit rules for computer-based accounting, regulations governing the hosting of health data, etc.);
▪ to monitor on a daily basis the actions of external service providers via a tracking tool and to react more quickly in the event of an incident;
▪ to be more credible when applying for professional certification to, for example, host health data.
With WALLIX’s PAM solutions, content becomes inaccessible to users who access servers, applications and databases for management or administrative tasks.
III.4 TECHNICAL BENEFITS OF THE BASTION
A typical PAM solution includes two main modules: a Session Management module and a Password Management module. Session Manager is the most technologically complex component, as fine-tuning it requires excellent technical knowledge and an in-depth understanding of the protocols for connecting to resources such as RDP and SSH. WALLIX is one of only two market players to have specialized, since 2008, in Session Management, most other players having opted to focus on Password Management first.
WALLIX’s expertise enables it to market advanced functionalities such as:
Wallix Bastion - Product Overview V7 – SEPTEMBER 2019 13 / 20
▪ proxy-based and agent-free architecture: the Bastion solution requires no rollout of agents [1] onto user workstations, nor onto the servers to protect. Thanks to its architecture, it is non-intrusive and transparent for administrators and users (it integrates seamlessly into existing tools and does not require changing any of them), rolls out into information systems easily and fast, and costs less to implement and maintain than solutions that require an agent to be installed onto every resource to be protected;
▪ automatic rollout of ephemeral session probes: a functionality based on a WALLIX patent issued in 2017. It allows efficient traceability of the actions performed on targets without the pain of managing updates, rollout and compatibility of agents, as in an agent-based PAM architecture. Lastly, the WALLIX probe being ephemeral, it disappears when the session is closed and is thus never in an always-on intrusive mode;
▪ among its various functionalities, the Bastion ephemeral session probe:
- does not rely on OCR for logging the opened/active windows;
- offers the possibility to block outbound TCP connections from the RDP target system, to block any attempt to penetrate the infrastructure from the target system;
- allows denying the launch of some processes during an RDP session.
▪ flexibility of management rules: for example, the WALLIX Bastion solution can be configured to prohibit privileged login obtained through an intermediate resource;
▪ transparent mode, which permits Bastion to be rolled out and used without affecting users’ existing access configurations (IP addresses of target resources, for example) and thus makes Bastion virtually transparent for them;
▪ protocol transcoding, which permits Bastion to adjust to any method for accessing targeted machines and resources while requiring a single method to access Bastion (SSH, for example) for administrators;
▪ protocol control, which allows enabling/disabling some of the protocol features;
▪ simplicity: shared account, simple named account or strengthened named account, Bastion enables these 3 modes with a low run cost.
[1] An agent is a software component that forms part of a PAM software solution and has to be installed on every piece of equipment that the solution secures. Agent-free solutions do away with the often burdensome and expensive need for IT departments to roll out and maintain agents.
IV BASTION MODULES
IV.1 SESSION MANAGER
Session Manager handles access to privileged accounts by permitting the enterprise to define security access levels. Users connect to their individual single account that gives them access to all the data they
need, thereby mitigating the risk of error and malicious actions while maximizing their productivity.
Session Manager records sessions graphically, capturing keystrokes as well as the applications used, thanks to WALLIX’s patented ephemeral session probe mechanism. It monitors and tracks the activities of users who have logged in and shows which administrator accounts logged in, when and for how long, and to which resources (machine, application, data).
Session Manager permits user sessions to be viewed in real-time to analyze their content. The system generates alerts of incidents or human error. A search engine can be used to find proof of an incident or
for audit purposes.
Session Manager also provides the capability to prove that the rules governing privileged account access comply with applicable industry standards and regulations. This is extremely useful for corporations as
well as for users regularly accessing sensitive data (IT departments, IS security officers, security executives, risk executives, etc.) who can thereby prove their actions to their employer, company, or
customers.
Session Manager offers the following main functionalities:
▪ manage and control (govern) privileged accounts: by directly accessing resources via native clients (PuTTY, WinSCP, OpenSSH, etc.) using connection rules;
▪ approval workflow governance: refuse, authorize, or even conditionally authorize based on duration or timeframe, through high-end access-authorization workflows;
▪ view sessions in real-time: watch Remote Desktop Protocol (RDP) sessions, Secure Shell (SSH) sessions, and application sessions; operate “4-eyes supervision” (two remote users for the same session: one working, the other supervising) with the ability to terminate any suspicious or inappropriate session;
▪ alerts: post alerts, and shut down remote sessions based on numerous criteria including whitelisting/blacklisting, optical character recognition (OCR), widget events, and analysis of keyboard patterns;
▪ reporting and audit: identify perpetrators of actions, track logins, generate statistical reports of activity and audit logs, replay user sessions and generate session scripts and metadata; reports can be created around filters such as user names, device types, date, etc. and generated in CSV format for inclusion in other tools such as dashboards;
▪ behavioral analysis and business intelligence: utilize Session Manager to quickly detect suspicious behavior and identify and prevent malicious activities; integrate this information into a variety of SIEM systems for automatic decision making and/or alert reporting.
IV.2 PASSWORD MANAGER
Password Manager secures passwords and SSH keys in an ANSSI-certified vault (AES 256 encryption algorithm) and manages administrator password rotation within the infrastructure. It also implements application password management, to permit applications that must connect to critical resources to do so securely and without using unencrypted versions of the passwords of these target resources in their source code (unfortunately all too often the case in application development environments). Thanks to this new functionality, WALLIX addresses the enterprise application developer (DevOps and DevSecOps) market.
Password Manager offers the following main functionalities:
▪ vault: secure passwords and SSH keys in a certified vault and utilize our open architecture to integrate with other vaults;
▪ governance and security: schedule the rotation and cancellation of passwords and SSH keys, and ensure password complexity with customer-defined rules;
▪ advanced secret workflow: set up a configurable, granular security policy per check-in/check-out workflow;
▪ interoperability: an Application Programming Interface (API) permits developers to build and make available a library of password management plugins that support industry-standard platforms (Microsoft, Linux/Unix) but also a variety of more specialized systems (Juniper SRX, Palo Alto PA-500, Fortinet FortiGate, etc.);
▪ Application-to-Application Password Management: ensure secure application connections to critical resources by controlling passwords and SSH authentication keys to the target resources while preserving automation power. Hardcoded passwords and identification configuration files are totally dispensed with.
IV.3 ACCESS MANAGER
Access Manager is a web platform that permits managing an environment running multiple instances of Bastion, each controlling a part of the infrastructure. This module permits the use of privileged accounts, and control from a single point, of an entire multi-instance Bastion infrastructure for privileged user, approver and auditor profiles.
Access Manager offers the following main functionalities:
▪ administration and organization: communicate with multiple Bastion targets via an encrypted HTTPS channel. The portal is customizable (design, file classification, etc.) and permits file transfers between the workstation and the target Windows resource;
▪ authentication: in addition to standard “directory” authentications, Access Manager supports Security Assertion Markup Language (SAML) 2.0 so it can integrate easily into all infrastructures that have identity federation mechanisms;
▪ multi-tenant architecture & scalability: breach-proof instances of multi-tenant architecture. In cases where a resource is accessible by more than one instance of Bastion, Access Manager allows you to define clusters of active Bastions;
▪ audit and compliance: to supplement Bastion, Access Manager has its own audit functionalities providing an unalterable audit trail of all the sessions it has authorized. The audit log has a multi-criteria search engine that facilitates searches in scripts and session metadata. Sessions can be replayed in full.
IV.4 BESTSAFE PEDM
BestSafe PEDM offers a very effective solution for privilege management that allows organizations to drastically reduce the risk of security breaches on Windows systems without impacting productivity. It uses a unique, patented privilege management technology allowing companies to implement the Principle of Least Privilege in addition to the existing Bastion functionalities. It increases system security by reducing administrators’ rights to the bare minimum needed to perform their tasks.
In addition, enriched metadata can be gathered, thanks to the BestSafe PEDM agent controlled by the session probe, thus enhancing the traceability functionality of the Bastion.
BestSafe PEDM offers the following main functionalities on Windows-based devices:
▪ Reduce the administrator’s rights to the strict minimum: If a certain process, application, or administrative task needs special privileges, BestSafe will only grant them to the corresponding process (whitelist) in a completely transparent manner for the user, who will continue to work with minimum permissions. However, if there is any reason to keep certain accounts as administrator, BestSafe can reduce the privileges (gray list) of applications with Internet access (email clients, browsers, etc.) that are potentially dangerous and could compromise the system, denying them access to their resources (registry, system folders, etc.) but without blocking their execution.
▪ Effective anti-ransomware solution: BestSafe can detect in real time when a given process intends to perform an encryption operation before it is carried out. When detecting an operation of this kind, BestSafe can suspend the process and perform the actions established in the corresponding rule.
▪ Real-time monitoring of applications: With the ability to control encryption operations also comes the ability to control any other operating system function. The possibilities include, but are not limited to, monitoring access to disk, to the registry, to the network, and actions like creating new processes or local user accounts. The possibilities are endless.
▪ Control access to resources by application: BestSafe enables blocking of all outgoing connections of a certain application regardless of the user's credentials.
IV.5 WALLIX ADMIN CENTER
Bastion Admin Center is a centralized administration portal for Bastions. It dramatically helps Bastion administrators in their day-to-day activities by offering the ability, through a simple web browser client, to create and manage target accounts on clusters of Bastions, along with their authorizations, in a simple and efficient manner.
Bastion Admin Center offers the following main functionalities:
▪ Save & Store Bastion configuration: import existing CSV configuration files (hostname, username, port, account, etc.) and manage deltas; save the existing configuration securely: everything is done on a zero-knowledge basis (RSA encryption is performed locally before any configuration file is sent to the server, so the data is secured);
▪ Push & Manage Bastion configuration: deploy or replicate any existing configuration to different Bastions.
The Bastion Admin Center is a service operated by WALLIX.
IV.6 DEPLOYMENT OPTIONS
The Bastion can be deployed in several modes according to the customer’s environment and preferences: on major public cloud platforms, as a virtual appliance or on-premises, to best fit the need. For customers not willing to manage the Bastion infrastructure, our managed services offer a variety of hosting possibilities.
The Bastion can be deployed in a master/slave configuration, offering high availability of the solution.
IV.7 INTEROPERABILITY
The Bastion’s REST API web service allows administrators to control the main functions of the Bastion, such as the provisioning of user accounts, target accounts or authorizations, in a seamless manner. The goal is to allow information synchronization between a central repository containing this information (e.g. an IAM or CMDB type solution) and a WALLIX infrastructure, leading to a drastic reduction of the total cost of ownership of the Bastion solution.
In addition, WALLIX is developing technological partnerships and alliances with key actors of the
cybersecurity sector to ensure the Bastion interoperability in a best-of-breed environment.
V CASE STUDIES
The Bastion solution has been adopted by large accounts and mid-size companies.
The Company believes it has an excellent image among large and mid-size companies. Of WALLIX’s
portfolio of customers, 15 are represented in the CAC 40, and 11 in the SBF 120.
PSA Group’s internal security policy requires that actions with strong privileges be
tracked to be able to detect potential threats. The main risks identified are identity theft
or permissions theft. Additionally, in its banking activities, PSA Group is subject to the standards of the Basel II Agreement and is audited annually. Initially installed in 2011
as an experiment, WALLIX Bastion is now fully deployed in an industrial environment and perfectly integrated with PSA’s existing business solutions such as Identity Access Management for rights and equipment management (Configuration Management Database / CMDB).
PSA Group’s security expert has recognized the versatility of the tool and its ability to maintain service
quality in all circumstances: in normal operating mode as well as in disaster recovery mode. On the
strength of this success, in early 2017 PSA migrated to the latest, more powerful version of the solution which features faster response time and set up a project to roll it out on several thousand Windows
servers.
“We continue to deploy Bastion as we have demonstrated that the solution is reliable, that the integration is seamless, and that it meets all our tracking and automation requirements.”
Thierry Hec – PSA Group Security Expert
Claranet’s Security and Compliance Division, led by its Chief IS Security Officer,
ensures that security standards and best practices are followed in the operation of and changes to the information system and platforms hosted for its customers, to ensure the integrity,
availability and protection of data.
Claranet initially used WALLIX services as part of its e-Health offering in order to obtain health data hosting certification (Hébergeur de Données de Santé / HDS) from the French shared health information
systems agency (Agence des Systèmes d’Information Partagés de Santé / ASIP) which requires a system for tracking access to platforms via a single interface that centralizes all access. The installation of this
system in 2012 enabled it to set up and run a large-scale project for a major municipal hospital (Centre
Hospitalier Intercommunal de Créteil), the first-ever outsourcing of all the information of a hospital by a healthcare data hosting provider. All access traffic to the platform by the hospital’s administrators is now
tracked.
“Bastion has become the standard in the e-health market. It’s a sign of trust that reassures customers.”
Emmanuel Novice – Director, e-Health Services, Claranet
For some years, the growing threat of cybercrime associated with the digitalization of work methods (e.g.: advent of tablets, mobile phones) and the use of external
service providers led CASDEN’s Information Systems (IS) Security team to rethink its IS strategy and governance. Its first action was to put in place a privileged access management
solution.
CASDEN (Banque Populaire group) naturally turned to WALLIX Bastion. For CASDEN’s relatively small operations team and an infrastructure running several types of operating systems, Bastion’s ease of
installation, efficient deployment methodology and fast support response proved to be an ideal cost control and time control solution. Technical integration proceeded in 2012 with no problems. Hundreds
of Linux servers are now administered by Bastion and dozens of users are involved.
“It’s about raising awareness among users, administrators and service providers rather than repressing them. Without trust, you can’t do business.”
Benoit Fuzeau – Head of IS Security, CASDEN – Banque Populaire
SIAAP is the wastewater treatment consortium for the Paris region (Syndicat Interdépartemental d’Assainissement des eaux de l’Agglomération Parisienne). It is
not classified as a Vital Operator (VO) but strives to follow the rules issued by
ANSSI. As some of its sites are classified Seveso “High Threshold”, infrastructure security, and in
particular the control of access to water treatment equipment, is a major challenge for SIAAP.
The management of VPN access for external service providers and the introduction of rules for machinery and equipment were becoming a heavy workload for IT teams. Access to SCADA supervision had to be
secured for certain agents, particularly when on standby. As they would log in via RDP on a workstation situated between the IT firewalls and industrial firewalls, there had to be better visibility. SIAAP ultimately
wanted to implement a solution that was fast to deploy and easy to administer. WALLIX Bastion was
rolled out at SIAAP in 2016 to meet these requirements.
“Thanks to its functionalities for access control and tracking of administrative operations, Bastion has enabled us to substantially strengthen the security of our infrastructures and equipment.”
Stéphane Corblin – Head of Network and Security Architecture at SIAAP
Gulf Air owns 11 manufacturing plants at shop floor level and faced some complex, default workflows, errors and malfunctions which often required remote maintenance and the help of external support engineers for various machines. In addition, Gulf Air needed to comply with multiple regulations such as PCI-DSS and ISO 27001.
Having deployed the Bastion in redundant mode on their premises, all remote maintenance experts now access critical machines via WALLIX Access Manager. Gulf Air can now claim a 99.99% uptime guarantee across 11 manufacturing sites, for 180 remote connections and 650 critical shop floor machines, as well as a drastic reduction of internal workloads.
“WALLIX helped in providing real time resource management, reporting and monitoring capabilities for IT administrators, improving the overall efficiency of Gulf Air’s IT function. Also, Privileged Access Management is instrumental for Gulf Air in complying with the required international and industry standards. We’re currently certified against the ISO 27001 standard and maintain compliance with PCI-DSS.”
Dr Jassim Haji, IT Director, Gulf Air
The Saint Quentin hospital is a complex organization hosting several extremely sensitive and high-tech pieces of equipment such as magnetic resonance imaging systems, scanners, or radiographic solutions. This equipment requires regular checks to ensure its availability and accuracy. Thus, multiple external providers connect remotely to specific apps, IT and biomedical solutions on a weekly basis. The challenge is therefore to guarantee access to remote administrators performing maintenance operations at any time without jeopardizing the security policy of the hospital.
The Bastion and its monitoring and recording function have been deployed in this hospital complex with precise access rights assigned to privileged users. The hospital complex is now meeting its regulatory requirements.
“It is extremely reassuring for us and proof of our trust as we have more than a hundred external service providers logging on to our network.”
Jean-Baptiste Gard, CISO
WALLIX, a Limited Liability Company with share capital of €50,000, having its registered office at 250 bis, rue du Faubourg Saint Honoré,
75008 – PARIS - FRANCE, registered at the Registry of Trade and Companies of Paris under number B 450 401 153 – FR67 450 401 153
WALLIX BESTSAFE
PRODUCT OVERVIEW
V1 – SEPTEMBER 2019
Wallix BestSafe - Product Overview V1 - AUGUST 2019 2 / 17
Table of Contents
I INTRODUCTION ........................................................................................................... 3
I.1 OBJECT .............................................................................................................................. 3
I.2 SCOPE AND EXPIRY .............................................................................................................. 3
I.3 RELATED DOCUMENTS ......................................................................................................... 3
I.4 REVISION HISTORY .............................................................................................................. 3
I.5 ABBREVIATIONS ................................................................................................................... 3
II BESTSAFE POSITIONING AND VALUE PROPOSITION ................................................. 4
II.1 WHAT IS POLP? ................................................................................................................. 4
II.2 BENEFITS OF USING THE PRINCIPLE OF LEAST PRIVILEGE .......................................................... 4
II.3 THE DRAWBACKS FROM POLP ............................................................................................... 5
II.4 REGULATIONS ..................................................................................................................... 5
II.5 WHAT IS PEDM? ................................................................................................................. 6
II.6 WHICH BUSINESS SECTORS REQUIRE A PEDM SOLUTION? ......................................................... 6
II.7 POSITIONING ....................................................................................................................... 7
II.8 ABOUT WALLIX .................................................................................................................... 8
II.9 AWARDS............................................................................................................................. 8
III BESTSAFE IN A NUTSHELL ......................................................................................... 8
III.1 OVERVIEW ........................................................................................................................ 10
III.2 KEY FEATURES.................................................................................................................. 11
III.3 BENEFITS ......................................................................................................................... 12
III.4 BUSINESS BENEFITS ..............................................................
III.5 TECHNICAL CONSIDERATIONS .............................................................................................. 13
III.6 TECHNICAL BENEFITS ......................................................................................................... 16
IV KEY USAGES SCENARII ............................................................................................ 17
I INTRODUCTION
I.1 OBJECT
WALLIX is a cybersecurity software publisher and Europe’s leading player focused on protecting the most vulnerable element: human behavior.
Although there is a wide variety of solutions for perimeter security, the reality is that malware is still reaching the end user and the impact on the company’s assets is growing every day. Our Privileged Elevation and Delegation Management technology, combined with our Bastion, allows us to offer a suite of solutions that helps protect users and companies from any type of malware, existing or future, by implementing the Principle of Least Privilege (PoLP) on Microsoft Windows environments.
This document describes BestSafe, covering the V3 release. It is not designed to present all BestSafe functions and features. For details of how to use a specific functionality, please contact [email protected]
I.2 SCOPE AND EXPIRY
This document is released on a quarterly basis, and readers should obtain the latest version prior to use.
This document version has no expiration date. However, updated versions may be released.
I.3 RELATED DOCUMENTS
TYPE TITLE
Presentation BestSafe in a Nutshell
Documentation BestSafe Admin Guide
I.4 REVISION HISTORY
VERSION OBJECT OF THE REVISION
2019 AUGUST Creation
I.5 ABBREVIATIONS
ANSSI Agence Nationale de la Sécurité des Systèmes d’Information (France)
CLOUD Act Clarifying Lawful Overseas Use of Data Act
DSP Digital Service Providers
E2EE End-to-End Encryption
ESO Essential Services Operators
GCP Google Cloud Platform
IAM Identity and Access Management
IdaaS Identity as a Service
IGA Identity Governance and Administration
IoT Internet of Things
IS Information Systems
MMC Microsoft Management Console
PAM Privileged Access Management
PEDM Privileged Elevation and Delegation Management
PoLP Principle of Least Privilege
SIEM Security Information and Event Management
SSH Secure Shell
SSO Single Sign On
TCO Total Cost of Ownership
VO Vital Operator
II BESTSAFE POSITIONING AND VALUE PROPOSITION
II.1 WHAT IS POLP?
The Principle Of Least Privilege (POLP), an important concept in computer security, is the practice of
limiting access rights for users to the bare minimum permissions they need to perform their work. Under
POLP, users are granted permission to read, write or execute only the files or resources they need to do
their jobs: in other words, the least necessary privileges.
For example, an HR staffer may need read and write access to the enterprise payroll database, but that same employee would have no need to access the enterprise client database; at the same time, an
employee in the sales department would need access to the client database, but would be denied access
to the payroll database.
Ensuring that employees are assigned the correct privileges prevents giving employees access to systems
they don't need while also preventing malicious workers from accessing systems or data outside of their job functions. In addition, if an employee's credentials are compromised, the thief can only gain that
employee's privileges.
However, the principle of least privilege isn't just about taking away privileges from users who don't need
them. It is also about monitoring and managing access for those who do need access such as software
developers.
Security teams should use privileged access management tools to audit their development environments
to prevent privilege creep, the gradual accumulation of access rights beyond what developers need to do their jobs. Teams should also monitor when and how developers use their accounts so security
information and event management tools can immediately identify irregular activity.
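As an added example (not WALLIX code) of the privilege-creep audit recommended above, the following Python script compares each account's grants against a role baseline built on the HR/sales illustration and against an access log, flagging rights held beyond the role, granted rights that are never used, and usage with no matching grant. All roles, accounts, resources and log lines are constructed for illustration.

```python
"""Added example, not WALLIX code: a least-privilege audit that flags
privilege creep (rights held beyond a role's baseline), rights exercised
without a matching grant, and granted rights that have gone unused.
Roles, resources, accounts and the access-log lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Role baselines, following the HR / sales illustration: each role lists the
# (resource, permission) pairs it legitimately needs and nothing more.
ROLE_BASELINE = {
    "hr": {("payroll_db", "read"), ("payroll_db", "write")},
    "sales": {("client_db", "read")},
    "dev": {("ci_server", "read"), ("ci_server", "write"),
            ("staging_db", "read")},
}

# Constructed snapshot of current grants (as exported from a directory or vault).
GRANTS = {
    "alice": {"role": "hr",
              "rights": {("payroll_db", "read"), ("payroll_db", "write"),
                         ("client_db", "read")}},  # creep: client_db
    "bob": {"role": "sales", "rights": {("client_db", "read")}},
    "carol": {"role": "dev",
              "rights": {("ci_server", "read"), ("ci_server", "write"),
                         ("staging_db", "read"),
                         ("prod_db", "write")}},  # creep: prod_db
}

# Constructed access-log lines: "<ISO timestamp> <user> <resource> <permission>".
# bob's payroll_db line simulates an access path for which the vault holds no grant.
ACCESS_LOG = """\
2019-09-02T08:15:00 alice payroll_db read
2019-09-02T08:16:10 alice payroll_db write
2019-09-03T09:00:00 bob client_db read
2019-09-05T14:20:00 carol ci_server write
2019-09-05T14:21:00 carol prod_db write
2019-09-06T11:05:00 bob payroll_db read
"""


def parse_log(text):
    """Return {user: {(resource, permission): last time it was used}}."""
    last_seen = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, resource, perm = line.split()
        when = datetime.fromisoformat(ts)
        key = (resource, perm)
        if key not in last_seen[user] or last_seen[user][key] < when:
            last_seen[user][key] = when
    return dict(last_seen)


def audit(grants, baseline, last_seen, now, stale_after=timedelta(days=30)):
    """Compare each account's grants with its role baseline and its usage.

    creep:               rights held that the role does not justify
    used_without_grant:  rights exercised that the grant snapshot lacks
    stale:               granted rights not used within stale_after
    """
    findings = {}
    for user, info in grants.items():
        allowed = baseline.get(info["role"], set())
        held = info["rights"]
        used = last_seen.get(user, {})
        findings[user] = {
            "creep": held - allowed,
            "used_without_grant": set(used) - held,
            "stale": {r for r in held
                      if r not in used or now - used[r] > stale_after},
        }
    return findings


def format_alerts(findings):
    """Render findings as one key=value line each, sorted, ready for a SIEM."""
    lines = []
    for user, f in findings.items():
        for kind, rights in f.items():
            for resource, perm in rights:
                lines.append(f"{kind.upper()} user={user} "
                             f"resource={resource} perm={perm}")
    return sorted(lines)


def run_audit(now=datetime(2019, 9, 30)):
    """Run the audit over the constructed data; 'now' is fixed for reproducibility."""
    return audit(GRANTS, ROLE_BASELINE, parse_log(ACCESS_LOG), now)


if __name__ == "__main__":
    for line in format_alerts(run_audit()):
        print(line)
```

The stale check is what turns the page's "monitor when and how developers use their accounts" into a concrete signal: a right that is granted but never exercised is a candidate for removal.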
II.2 BENEFITS OF USING THE PRINCIPLE OF LEAST PRIVILEGE
In 2016, Forrester Research estimated that 80% of security breaches involve privileged credentials.
Threat actors can obtain privileged credentials and then use the access granted by those credentials to move laterally through an enterprise environment, access critical applications and systems, and maintain
persistent access to the environment. However, enforcing least privilege reduces an organization's
security risk and minimizes the potential disruption to the business from a security incident or data breach.
Employing POLP provides numerous benefits to organizations, starting with reducing an organization's
attack surface. Restricting privileges for people, applications and processes also reduces the pathways
and entrances into enterprise networks.
The principle of least privilege is also important for reducing malware infection and propagation. Applying POLP means decreasing the risk that hackers will be able to steal passwords or install malicious
code that could be delivered via the web or email attachments. POLP can also help reduce the proliferation
of malware because when malware infects a system strengthened by the principle of least privilege, it is
often possible to contain the infection to the system where it first entered.
POLP also can help with data classification, which enables companies to know what data they have,
where it resides and who has access to it, in the event of unauthorized access.
Finally, applying the principle of least privilege can help restrict hacker access. Because users will only
have access to what they need, anyone who compromises user accounts will only have access to limited
resources.
In summary:
▪ Stronger security: Edward Snowden was able to leak millions of NSA files because he had admin privileges, though his highest-level task was creating database backups. Since the Snowden leaks, the NSA has employed the principle of least privilege to revoke higher-level powers from 90% of its employees.
▪ Minimized attack surface: Hackers gained access to 70 million customer accounts of the TARGET company [1] through credentials that were stolen from a third-party contractor who had permission to upload executables. By failing to follow the principle of least privilege, TARGET company had created a very broad attack surface.
▪ Limited malware propagation: Malware that infects a system bolstered by the principle of least privilege is often contained to the small section where it entered first.
▪ Higher stability: Beyond security, the principle of least privilege also bolsters system stability by limiting the effects of changes to the zone in which they’re made.
▪ Improved audit readiness: The scope of an audit can be reduced dramatically when the system being audited is built on the principle of least privilege. What’s more, many common regulations call for POLP implementation as a compliance requirement.
II.3 THE DRAWBACKS FROM POLP
When organizations have tried to implement PoLP in the past, the general practice was to go overboard to ensure that privilege abuse wasn’t possible. Unfortunately, this led to many organizations turning everything off, including local administrator accounts, even making many of their important employees simple standard users. Standard users in most environments can’t even perform basic functions, such as connecting to WiFi or installing a printer (or even changing the clock time!).
This extreme least privilege position started to impact productivity and the general functioning of the business. Help desk calls would increase and the IT team would become overwhelmed with problems that could have been easily avoided if a more rational approach to PoLP had been taken.
Many organizations addressed this problem by making all their users local administrators, creating the exact reverse problem: an abundance of over-privileged users. In many ways, striking that balance is still a major issue for many businesses. It’s an important one to get right, as hackers often look for these local administrator accounts to gain access to the system.
II.4 REGULATIONS
The proliferation of large-scale attacks and the resulting risks are driving governments and regulators to frame new legislation in Europe, America, Asia Pacific, Middle East and Africa, mainly to protect personal
and confidential data. Thus, regulations are the logical result of increased cybersecurity risks.
However, European and US regulations are drawing lines in opposite directions:
▪ In Europe, the GDPR and the NIS Directive impose strict rules on companies in the treatment of data to ensure its privacy.
▪ In the United States of America, the CLOUD Act (Clarifying Lawful Overseas Use of Data Act) requires U.S.-based technology companies to provide requested data to US federal agencies regardless of whether the data are stored in the US or on non-US soil, without the owner of the data being informed, nor its country of residence, nor the country where the data are stored.
In addition, several regulations require players in certain sectors and/or countries to put in place PAM solutions:
Europe:
▪ NIS Directive
▪ GDPR
▪ France: LPM, HDS, PGSSI
▪ Germany: IT Security Act, Federal Data Protection Act
▪ UK: Computer Misuse Act
USA:
▪ CLOUD Act
▪ Computer Fraud & Abuse Act
▪ Electronic Com. Privacy Act
▪ NIST SP
▪ NERC/CIP
▪ US NRC
▪ HIPAA
▪ S-OX
▪ 23 NYCRR 500
▪ PCI-DSS
▪ Gramm-Leach Bliley Act
▪ State specific regulations
Asia:
▪ China: National Security Law, CINISPMR
▪ Japan: UCAL, APPI
▪ South Korea: APICI, ICNA, PIPA
▪ India: IT Act, Privacy Rules
▪ Singapore: CMCA, PDPA
▪ Australia: Telcos Act, Privacy Act
[1] https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
The global cybersecurity market is directly benefiting from the momentum of such regulations. For example, to comply with the GDPR, companies are required to protect the personal data of persons who
interact with their IT infrastructure (employees, customers, etc.). Liability for any leak of personal data
may be imputed to the company that is the victim of this attack. To avoid such a situation, companies must invest in data protection solutions such as WALLIX PEDM to complement existing cybersecurity systems like end-to-end data protection, Privileged Access Management and Identity Access Management.
II.5 WHAT IS PEDM?
PEDM, Privilege Elevation and Delegation Management, is the solution which implements PoLP, the Principle of Least Privilege. A PEDM tool controls the escalation of privileged accounts. Such a tool makes it possible to elevate and delegate privileged tasks to non-admin users who require temporary access to target systems. After the privileged tasks are completed, access rights are revoked.
II.6 WHICH BUSINESS SECTORS NEED A PEDM SOLUTION?
All business sectors need PEDM solutions; a selection of them is presented below.
Healthcare
Healthcare institutions operate against a backdrop of constant change, and their ability to
modify their practices and procedures at the drop of a hat determines their success. Now that paper is passé, healthcare information systems must adapt to the digital and mobile
era. Patient protection extends beyond ensuring their health – it also includes securing
their medical records, which hold valuable information and must be protected from theft,
data leaks, and service disruptions.
The protection of private data and of the end point hosting these data is driving continuous improvement in healthcare information systems. In today’s environment, trust chains need to be created to smooth the
process of seeking healthcare. With organizations flocking to the cloud, data security risks take on a whole new dimension. The challenges involved in securing healthcare data have a direct effect on the chain of
hosting service providers or IT services (e.g. magnetic resonance imaging systems, scanners, or
radiographic solutions).
Bank & Insurance
Ensuring the security of banking end points, and in particular dealing with the potential implications when one falls into the wrong hands, is a permanent and pressing concern for the financial sector.
Highly coveted personal data and the potential payout it represents to cybercriminals
make the financial sector a prime target. Given the sheer number of service providers involved in each step of a banking transaction, the processes required to guarantee the
security of banking end points are further complicated. This complication clouds the accountability of
banking systems and magnifies the scale of the threat.
Along with the new security challenges that the digital transition brings about — think applications, online
payment, mobile access, and cloud-hosted services that need to be secured — banks and insurance firms must always demonstrate due diligence. They need to implement innovative and specialized tools that
can guarantee the confidentiality, integrity, and traceability of their clients’ personal data and of their
employees’ end point.
Cloud & Telcos
Cloud computing has irreversibly revolutionized how and how much data can be stored
by virtualizing data hosting within private, public, and hybrid cloud environments. However, digital service providers (DSPs) and their clients cannot fully harness the
benefits of this transformation unless they adapt their security measures to these new environments. It may seem easy, but virtualizing data is hard work. DSPs must protect and manage the
migration of their systems to the cloud while also ensuring a seamless process for their clients’ data and
mission-critical applications regardless of business sector (finance, human resources, healthcare, etc.).
To ensure that they are providing a service that adds real value to their end users, DSPs must ensure this
transition is smooth. They must ensure their compliance with all the regulations governing various sectors, offer reliable third-party application maintenance, and guarantee the encryption of crucial data and end
point as well as the traceability of actions performed on their systems.
WALLIX BestSafe can address these problems, but businesses and organizations are still
too weakly equipped.
II.7 POSITIONING
The technological sector of cybersecurity encompasses numerous categories and sub-categories of
product and solution. BestSafe feeds into the Protect category and Access Control sub-category.
The current WALLIX Bastion portfolio encompasses Session manager, Password Manager, Access
Manager, BestSafe and WALLIX Admin Center.
In addition, it must be noted that WALLIX BestSafe can also be deployed on desktops or laptops to protect
regular employees’ end points.
II.8 ABOUT WALLIX
Founded in 2003, WALLIX is the French leader in IT security software solutions for managing network security and critical IT infrastructures. WALLIX is a European company located in France, the United
Kingdom and the United States. More than 700 companies and organizations now place their trust in
WALLIX for their IT security solutions around the world.
WALLIX works with the IT departments of customers ranging from mid-sized companies to large groups
and public organizations to provide innovative solutions that meet the challenges of tracing all operations and managing identities and access rights. Our solutions are engineered to fit seamlessly into the
customer’s IT system and ensure compliance with the latest IT security standards.
With a strategy based on innovation, agility and the capability to respond to emerging market needs,
WALLIX offers a suite of open-ended solutions tailored to meet the specific needs of its customers.
WALLIX distributes its solutions through a network of partners, who are fully trained and certified and
have comprehensive knowledge of our solutions.
WALLIX has developed DataPeps, an end-to-end encryption technology which makes it possible to secure clients’ data in any application: stored data are encrypted, without access to the decryption keys. Even successful cyber-attacks won’t be able to access clients’ data.
In 2019, WALLIX acquired Simarks and Trustelem to extend its portfolio to the PEDM and IDaaS markets.
More information is available on www.wallix.com/en
II.9 AWARDS
The BestSafe solution has received multiple awards, including:
First prize for the most innovative product in terms of cybersecurity (June
2017): the magazine "Red Seguridad" presented the prizes corresponding to the 11th edition of the ICT Security Trophies to companies, institutions and
professionals that stood out for their work in this field. In this edition, BestSafe was awarded the first prize in the "Most Innovative Product, Service or System"
category within the scope of cybersecurity.
First finalist in the 11th edition of the EntrepreneurXXI Awards in the Community of Madrid promoted by Caixabank (March 2018). The
EntrepreneurXXI Awards are an initiative promoted by “la Caixa” which aims to identify, recognise and accompany young companies with greater growth
potential. These Awards are co-granted with the Ministry of Economy, Industry
and Competitiveness through Empresa Nacional de Innovación, S.A. (ENISA) in Spain and Banco BPI in Portugal and have the support of more than 130 leading
entities involved in supporting the development of innovative companies.
III BESTSAFE IN A NUTSHELL
BestSafe eliminates the need to use accounts with elevated permissions thanks to its privilege
management and process control never seen before, achieving unparalleled security in all endpoints.
▪ Eliminate administrator rights for standard users and get a highly secure network.
▪ White list for corporate applications, gray list for dangerous applications, blacklist for malware.
▪ At last, an effective solution against ransomware.
▪ Avoid having the same local password on all computers.
▪ Deny access of an application to local or remote folders.
▪ Centralized management and fully integrated with Active Directory.
▪ Visibility and analysis allow you to make sound decisions.
BestSafe can be deployed to address two contexts:
▪ Implementation of least privilege principle to Windows-based infrastructure type of targets
usually addressed by the WALLIX Bastion: servers, databases, heavy clients, etc. In such context, BestSafe is the PEDM module of WALLIX Bastion.
▪ Implementation of least privilege principle to Windows-based computers, laptops, groups of
computers or laptops. In such context, BestSafe addresses end points.
III.1 BESTSAFE AS THE PEDM MODULE OF WALLIX BASTION
III.2 BESTSAFE FOR END POINTS
III.3 OVERVIEW
BestSafe offers a very effective solution for privilege management that allows organizations to reduce drastically the risk of security breaches on Windows systems without impacting
productivity.
At the same time, it guarantees meeting the company’s compliance guidelines. The BestSafe administration tool is a rule-based tool that does not need a great deal of dedication from the IT staff. With a single, simple rule, you can, for example, prevent the execution of “ransomware” on any computer on your network with close to 100% reliability.
BestSafe is a tool focused on privilege management for any Microsoft Windows operating system version and edition running on any workstation, desktop,
laptop or server running on any physical, portable or virtualized hardware.
The main goal of BestSafe is to allow administrators to assign a process the security context it has to be
executed with, no matter which user credentials it was created with. However, BestSafe also offers
complete support for traditional per user privilege management.
We use a unique privilege management patented technology allowing companies to implement the
Principle of Least Privilege and offering a real possibility to have zero administrators without affecting
productivity.
This approach allows users to work with their endpoints under their “standard user” account while performing administration tasks, like running applications that need elevated privileges (perhaps to change power settings, add hardware, etc.), only when it is needed and when IT has granted them permission to do so. BestSafe gives IT and Security departments full control over who performs these actions, and when and how they are performed.
Very often companies try to implement PoLP (Principle of Least Privilege). POLP is the practice of limiting
the access a user has to the minimum level that’s required for normal functioning. Applied to employees,
PoLP translates to “give people the lowest level of rights they can have and still do their job”.
When organizations try to implement PoLP, it collides with other initiatives that have higher priority and greater impact in financial and economic terms, making it almost impossible to apply PoLP at an organization-wide level.
Organizations have to make a decision based on financial terms, security risks, employee productivity and
overall operational effectiveness as a result of PoLP’s application. Most organizations make the hard
decision to allow users to work with their desktops, laptops or workstations under an administrator account. That decision puts the company in a very risky situation by being unprotected against any form
of malware and allowing users to make an inappropriate use of their corporate desktops. Even when the
users are making a good judgement, malware is still there as a threat.
IT loses control over who deploys corporate or non-corporate software on the company’s workstations, and when and how, and relies only on the antivirus to protect endpoints against any form of malware, advanced threat or targeted attack.
There may be times when an organization prioritizes IT security and doesn’t want to assume any security risk. In those cases, organizations find themselves with traditional software deployment tools that don’t make use of any privilege management technology and that prevent them from applying PoLP. That’s because the traditional software deployment approach collides with the operating system’s security settings, and applying PoLP would have a big impact on user productivity and IT operational effectiveness.
Traditional Privilege Management tools are focused on limiting the time an account may have
administration rights and manage when, where, and who can use that account. However, once the account is granted administrator rights and the employee uses it to log on to the machine, every process
thereon will also have administrator rights.
With BestSafe, companies can go further: besides assigning privileges at the user level, they can assign privileges at the process level.
BestSafe can apply rules based on any combination of the following filters:
▪ Computer, group of computers
▪ User or group of users
▪ Computers located under any Organizational Unit
▪ Computers located under any container
▪ Computers belonging to any Subnet
▪ Computers belonging to any Site
▪ Every computer contained in an Active Directory domain
▪ Windows Desktop version (from Windows XP to Windows 10)
▪ Windows Server version (from Windows 2003 to Windows 2019)
▪ Windows edition (32 or 64 bit).
Additionally, BestSafe provides the following other services:
▪ Local Administrator Password management
▪ Local group membership management
▪ Cryptographic operation control
▪ Restrict file modifications at NTFS level
III.4 KEY FEATURES
Real possibility of having zero administrators
Right after the deployment of BestSafe, organizations can begin to get rid of privileged accounts. If a
certain process, application, or administrative task needs special privileges, BestSafe will only grant them to the corresponding process (whitelist) in a completely transparent manner for the end user, who will
continue to work with minimum permissions. However, if there’s any reason to keep certain accounts as
administrator, BestSafe can reduce the privileges (gray list) to applications with Internet access (email clients, browsers, etc.) that are potentially dangerous and could compromise the system, denying them
access to their resources (registry, system folders, etc.), but without blocking their execution.
The possibilities of BestSafe do not end there. The ability to control the security context offers a series of
functionalities to protect applications that go far beyond the traditional concepts existing until now.
Effective anti-ransomware solution
BestSafe is able to detect in real time when a certain process intends to perform an encryption operation, before it is carried out. When it detects an operation of this kind, BestSafe suspends the process and performs the actions established in the corresponding rule, which can be generic or based on thresholds decided by the administrator (e.g., a high number of encryption operations in very little time can never be the work of a human being). The decision can also be delegated to a Smart SOC or to an artificial intelligence, which can kill the process or allow it to resume. In addition, BestSafe offers the possibility of storing every key used to encrypt, so that the data can be decrypted later.
The results obtained with this technology have a percentage of effectiveness close to 100%, much higher
than the mechanisms of other technologies such as probes, baits, etc.
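The threshold rule the text gives as an example (a high number of encryption operations in very little time) can be made concrete with a sliding window per process. The following is an added illustration written for this page, not BestSafe’s detection engine: the event stream, the image names and the threshold values are constructed, and a real implementation would receive these events from the operating system’s cryptographic API rather than from a list.

```python
"""Rate-based detection of bulk encryption by a single process, with a
suspend-then-decide step. Illustration only (not BestSafe's code); every
event below is constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class CryptoEvent:
    ts: float    # seconds
    pid: int
    image: str   # process image name
    op: str      # "encrypt" for an encryption operation, anything else otherwise


class EncryptionRateMonitor:
    def __init__(self, max_ops, window_seconds, allowed_images=()):
        self.max_ops = max_ops
        self.window = window_seconds
        self.allowed = {i.lower() for i in allowed_images}   # known bulk encryptors
        self._ops = defaultdict(deque)   # pid -> timestamps of recent encrypt ops
        self.suspended = set()
        self.killed = set()

    def observe(self, ev):
        """Return "allow", "suspend" (threshold just crossed; the process is held
        until a verdict arrives) or "suspended" (held: the operation is not
        performed)."""
        if ev.pid in self.suspended:
            return "suspended"
        if ev.op != "encrypt" or ev.image.lower() in self.allowed:
            return "allow"
        recent = self._ops[ev.pid]
        recent.append(ev.ts)
        while recent and ev.ts - recent[0] > self.window:   # drop ops outside the window
            recent.popleft()
        if len(recent) > self.max_ops:
            self.suspended.add(ev.pid)
            return "suspend"
        return "allow"

    def decide(self, pid, verdict):
        """Verdict from an analyst, SOC or automated component: "kill" or "resume"."""
        if verdict not in ("kill", "resume"):
            raise ValueError(verdict)
        self.suspended.discard(pid)
        self._ops.pop(pid, None)
        if verdict == "kill":
            self.killed.add(pid)
        return verdict


def sample_events():
    """Constructed stream: a user saving a few encrypted workbooks, an
    allow-listed backup agent encrypting in bulk, and an unknown binary
    encrypting 50 files per second."""
    events = [CryptoEvent(20.0 * i, 100, "excel.exe", "encrypt") for i in range(3)]
    events += [CryptoEvent(50.0 + 0.01 * i, 300, "backup-agent.exe", "encrypt") for i in range(100)]
    events += [CryptoEvent(100.0 + 0.02 * i, 200, "invoice_scan.exe", "encrypt") for i in range(40)]
    return events


def run_sample(max_ops=20, window_seconds=5.0):
    """Decisions, one per event, as (pid, decision)."""
    mon = EncryptionRateMonitor(max_ops, window_seconds, allowed_images=["backup-agent.exe"])
    return [(ev.pid, mon.observe(ev)) for ev in sample_events()]


def first_suspension(decisions):
    """(index, pid) of the first "suspend" decision, or None."""
    for index, (pid, decision) in enumerate(decisions):
        if decision == "suspend":
            return index, pid
    return None
```

The allow-list is the main false-positive control: backup agents, archivers and disk-encryption tools legitimately encrypt in bulk and must be excluded by rule, exactly as the text describes for the administrator-defined thresholds. The "suspend" result is where the SOC or automated verdict described above plugs in via decide(); until that verdict arrives the process stays held and performs nothing.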
Real-time monitoring of applications
With the ability to control encryption operations also comes the ability to control any other operating
system function. The possibilities include, but are not limited to, monitoring access to disk, to the registry, to the network, and actions like creating new processes or local user accounts. The possibilities are
endless.
Administrators will no longer have the same password
In organizations with a high number of computers it is very common, and advisable, to enable different local administrator accounts to perform administrative or support tasks. Given the large number of machines, the password for these accounts is in many cases the same on all of them, creating a serious security weakness that is usually exploited by insiders.
BestSafe solves this problem in a very simple way and guarantees that the password of these accounts is unique per computer, account and day, based on a seed that the administrator establishes. If a password is compromised, it will be valid only on that computer and only during that day, and any attempt to change the password will be registered. In addition, the password a computer will have on future days can be predicted without the need to connect to the network.
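The text states the properties of these passwords (unique per computer, account and day; derived from an administrator-chosen seed; predictable offline) but not the derivation. The following added example shows one standard way to obtain those properties with a keyed hash. It is an assumption for illustration, not BestSafe’s actual algorithm; the seed, host names and dates are constructed.

```python
"""Per-computer, per-account, per-day local administrator passwords derived
from one administrator seed. Illustrative HMAC-SHA256 construction; the page
does not disclose BestSafe's actual derivation."""
import datetime as dt
import hashlib
import hmac
import string

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"   # 75 symbols
_LIMIT = 256 - (256 % len(ALPHABET))   # 225: reject higher bytes to avoid modulo bias


def derive_password(seed: bytes, computer: str, account: str, day: dt.date, length: int = 20) -> str:
    """Deterministic password for (computer, account, day).

    The seed is the HMAC key; the message binds the computer name, the account
    name and the calendar day, so changing any of the three yields an
    unrelated password. A counter extends the output if one digest is short."""
    label = f"{computer.upper()}\x00{account.lower()}\x00{day.isoformat()}".encode()
    out = []
    counter = 0
    while len(out) < length:
        block = hmac.new(seed, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        for b in block:
            if b < _LIMIT:
                out.append(ALPHABET[b % len(ALPHABET)])
                if len(out) == length:
                    break
        counter += 1
    return "".join(out)


def password_schedule(seed: bytes, computer: str, account: str, start: dt.date, days: int) -> dict:
    """Passwords for the next `days` calendar days: computable offline by
    anyone holding the seed, which is the property the page describes."""
    return {start + dt.timedelta(d): derive_password(seed, computer, account, start + dt.timedelta(d))
            for d in range(days)}


def is_valid_today(seed: bytes, computer: str, account: str, candidate: str, today: dt.date) -> bool:
    """Accept only today's value: yesterday's password for the same machine
    no longer validates, which bounds the exposure of a leaked password."""
    expected = derive_password(seed, computer, account, today)
    return hmac.compare_digest(expected.encode(), candidate.encode())


def demo() -> dict:
    """Exercise the properties on constructed inputs."""
    seed = b"constructed-example-seed-not-for-real-use"   # constructed
    d1, d2 = dt.date(2019, 8, 1), dt.date(2019, 8, 2)
    ws1_d1 = derive_password(seed, "WS01", "Administrator", d1)
    ws2_d1 = derive_password(seed, "WS02", "Administrator", d1)
    ws1_d2 = derive_password(seed, "WS01", "Administrator", d2)
    return {
        "deterministic": ws1_d1 == derive_password(seed, "ws01", "administrator", d1),
        "unique_per_computer": ws1_d1 != ws2_d1,
        "unique_per_day": ws1_d1 != ws1_d2,
        "length": len(ws1_d1),
        "charset_ok": all(c in ALPHABET for c in ws1_d1),
        "valid_today": is_valid_today(seed, "WS01", "Administrator", ws1_d1, d1),
        "yesterday_rejected": not is_valid_today(seed, "WS01", "Administrator", ws1_d1, d2),
        "schedule_days": len(password_schedule(seed, "WS01", "Administrator", d1, 7)),
    }
```

With any construction of this kind the seed is equivalent to every password on every computer for every day, so it has to be guarded at least as carefully as a Domain Admins credential, and the day boundary used by the endpoint must come from a trusted clock. Both points follow from the properties the page lists, whatever the real derivation is.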
Control access to resources by application
BestSafe allows blocking all outgoing connections of a certain application regardless of the user's credentials. In addition, BestSafe allows blocking access to protected local folders, or generating specific firewall rules for each application, to block potentially dangerous applications’ access to shared documents.
Centralized management at no additional cost
The Enterprise Edition of BestSafe (refer to section III.6.1) is fully integrated into Microsoft Active
Directory and takes advantage of all its features to offer a high level of centralized management, high availability and fault tolerance. In addition, the use of Active Directory means BestSafe does not require
additional infrastructure (DB servers, web servers, etc.).
The administration tool is based on MMC (Microsoft Management Console) so the learning curve is
extremely fast. The configuration can be applied, either directly to a specific computer or a set of
computers through Active Directory elements that can contain them (such as organizational units, groups, containers, etc.), applying all the characteristics of inheritance and hierarchy that Active Directory has to
offer.
Once the configuration is established, the computers at the endpoints, through a light agent, will
download the corresponding configuration. This configuration is stored in cache and is applied even
without connectivity to the network. The update interval is defined by the BestSafe administrator.
III.5 BENEFITS
Most anti-malware solutions currently on the market, known mainly as antivirus, use signature-based heuristic analysis to identify possible malware. When a certain virus ends up in the hands of a
manufacturer, it is analyzed by professional researchers and/or by dynamic analysis systems. If it is
classified as malware, it generates a signature that is added to its database and that is later used by the corresponding antivirus software to constantly analyze the files of the system in search of matches. The
problem, apart from the great consumption of resources, is that there is a period of time until a malware
is identified as malicious in which the end user and its data are completely unprotected and exposed.
The fastest return on investment
The implementation of traditional privilege management solutions usually takes months to achieve the proper configuration. However, the implementation of BestSafe is so simple and its management environment so familiar that a full implementation can be done in a few hours, thanks to its brilliant integration with Active Directory. And not only that: our high level of experience allows us to offer a set of permanently available templates, from which you can choose and adapt to most organizations, making deployment even easier.
Security from day one
Security experts and the leading consultants in the sector agree that the first step to comply with the best security practices is the suppression of as many administrator privileges as possible, along with the
supervision of corporate applications, preventing the execution of all the rest. With BestSafe, this goal is extremely easy to achieve since, in addition to security at the application level and to facilitate a phased
implementation, BestSafe also offers the possibility of maintaining privilege management at the user level.
Thanks to the minimal impact that the deployment of BestSafe has on the infrastructure of the organization, you can delete administrative permissions at the same time that a white list of applications
is created, or you can plan on the fly a strategy of reduction of privileges and apply it stepwise. And all
with the flexibility that characterizes our products.
100% scalable solution at zero cost
The unparalleled integration with Active Directory together with a client-server approach (instead of the most common server-client) allows BestSafe to be as scalable as the organization itself. If a computer has access to the corporate network, it will also have access to the BestSafe configuration.
This approach allows BestSafe to use all of the built-in features and capabilities that replicate Active
Directory objects to every Domain Controller in the domain, eliminating the need of additional database servers and availability approaches. And, if there is no Active Directory connection present on a specific
endpoint, the last configuration fetched will be applied.
Simply powerful, transparent for end users
The effectiveness on which BestSafe is based is to make the operating system itself the guarantor of
security against intrusions, through the prior reduction of privileges at the application level. BestSafe is not an antivirus that needs to inspect each and every one of the files to determine, as far as possible, the
risk associated with each file. It only acts at the process level and when there is a corresponding rule
established by the administrator. This means that the impact on computer performance is so insignificant
that it is completely unnoticeable in normal use.
In addition to being virtually imperceptible to the end user, BestSafe’s features are as powerful and as flexible as the most demanding IT department can demand. What both users and administrators will appreciate is a drastic increase in productivity, since their work tools will no longer be an impediment to their daily tasks. There will be no more slowdowns, unpleasant viruses, or queries related to such incidents, which in turn results in greater productivity in the IT department.
Prevention of attacks, known or unknown
The new approach that we propose with BestSafe is to take advantage of the power of the security mechanisms of the operating system itself, so that it is the operating system that denies access to intrusions. The great advantage of this strategy is that, with a correct reduction of privileges, it does not matter whether the malware is already known or not yet known, because none of it will be able to make modifications to the system, since it does not have the necessary privileges to carry out the infection.
With BestSafe, it is very easy to delete administrator privileges in most accounts, including IT personnel,
and from there assign them only to the applications, tasks, or scripts that are necessary, so that each user can carry out their tasks without affecting productivity. The application of the Principle of Least
Privilege provides a highly secure environment mitigating deliberate or accidental threats, both from within and from outside the organization, since the first objective of the vast majority of existing malware
is the escalation of privileges to be able to make the infection in the system and spread throughout the
network.
An efficient work environment
BestSafe was born from the analysis of a problem common to all IT departments of most organizations. Most of this problem comes down to the decision between compromising safety or gaining productivity
in which finding the balance between the two is often too expensive and difficult to implement.
With BestSafe, however, the right tools are provided to reinforce both the productivity and safety of the
end user, reducing the intervention of technical and/or support personnel.
Get regulatory compliance
Leading regulatory compliance consultancies and agencies, such as Forrester and Gartner, agree that
eliminating excessive privileges and white-listing applications is the best strategy for the security of
corporate networks. BestSafe complies with the guidelines defined by these large companies through the management of minimum privileges at the application level and through the elimination of administrators
in all endpoints, including the IT department. In addition, reports and trend analysis demonstrate
compliance with GDPR and derivatives.
III.6 TECHNICAL CONSIDERATIONS
III.6.1 DEPLOYMENT OPTIONS
BestSafe is a comprehensive security and privilege management solution available for all Windows
platforms, desktop or Windows Server. It is supplied in three editions: the Enterprise edition for companies with Active Directory, the Elite edition for SMEs that do not have Active Directory, and the
Home edition for the domestic environment.
▪ BestSafe Enterprise: The Enterprise Edition of BestSafe stands out for its complete integration with Active Directory, providing companies with centralized management without additional infrastructure costs and fully exploiting its full potential such as fault tolerance, high availability and replication mechanisms. In addition, it offers complete integration with any SIEM solution, which facilitates the collection of information for further analysis.
▪ BestSafe Elite: The Elite Edition of BestSafe contains all the productivity and security features offered by the Enterprise Edition but does not use Active Directory to store the configuration. Instead, this configuration can be established stand-alone or obtained remotely through web services and managed centrally.
III.6.2 BESTSAFE REQUIREMENTS
BestSafe stores all its data and configuration on the Active Directory itself, specifically on a container
destined to be used only by BestSafe. The installation of this container is the only step for which you will need a member of the “Domain Admins”. Incidentally, the BestSafe Administration tool will only have
permissions to modify that container. All of this can be done from any desktop; there is no need to access or install any software on the Domain Controllers. Then, every BestSafe Client will read the Active Directory to fetch the configuration that is relevant to it and interpret it on the endpoint.
This approach allows BestSafe to use all of the built-in features and capabilities that replicate Active Directory objects to every Domain Controller in the domain, eliminating the need of additional database
servers and availability approaches. And, if there is no Active Directory connection present on a specific
endpoint, the last configuration fetched will be applied.
BestSafe supports any Active Directory Domain Services starting from Microsoft Windows Server 2003 to
Microsoft Windows Server 2019.
III.6.3 PRIVILEGE RULES
BestSafe’s unique patented technology and most important feature is its ability to modify a process’s security context at the time of its creation, no matter which user has run it. This allows you, the BestSafe
administrator, to decide which processes need to be executed with a specific security context regardless
of the credentials of the user who runs it.
To better understand this innovative approach, think of the traditional, less effective “Run as…” method
when right-clicking on an executable file, or the command-line interface tool called “runas.exe”. These traditional methods require you to identify a user, and will actually run the entire process under that
user’s context, different from the one of the user that is really logged on. This means that every property regarding the identified user’s context will be applied to that new process, including the security context.
This may work in some cases, but there are other important properties that will also be different for that
specific process and cause problems, such as environment variables or mapped drives. And even if they
don’t, the management of privileged users can be tedious or dangerous at the very least.
BestSafe, on the other hand, allows you to modify only the security context of any process that is run on a machine, regardless of the users who run it, while maintaining the rest of their user context. Even if
the process in question is run using the “Run as…” method and identifying a privileged user, BestSafe will prevail on top of anything and apply the corresponding settings. This new approach can be used to, for
example, grant an unprivileged user access to a specific application, or to reduce an administrator’s privileges for a dangerous application (such as a web browser or an email client). Although they are simple examples, both can be used to apply POLP, thus considerably increasing security.
These are BestSafe’s most powerful features in a nutshell, but BestSafe also has many other ones that allow you to further modify the process. All of these modifications are defined on a per-process
basis in what we call a “privilege rule”.
As you already know, BestSafe uses Active Directory to store its data, including privilege rules. Every BestSafe Client reads Active Directory to fetch the configuration that is relevant to it, and
interprets it on the endpoint. Every client maintains a cache on the endpoint with its rules and settings in order to keep applying them even when the computer is disconnected from the network. The
data is updated when the computer reconnects to the network and at every refresh interval specified
in the option “Refresh Interval on clients (minutes)”.
BestSafe also features full integration with Active Directory in order to make use of the object hierarchy
when applying settings to target Computer objects. Rules can be applied to the domain objects User, Group, Computer, Organizational Unit, Domain, Subnet and Site. Active Directory inheritance allows
you to apply rules to a container, such as an Organizational Unit, and have them applied to the Computer
objects inside that container, although inheritance can be broken at any level.
As mentioned earlier, BestSafe’s most important feature consists of modifying a process’s security context
at the time of its creation, no matter the security of the user who has executed it. This allows the user to
run a process with privileges different from his or hers while maintaining the rest of their user context on
that same process. The security assigned to a user by Active Directory becomes almost irrelevant when a BestSafe privilege rule is applied. The results can be verified with tools such as “Process Explorer” or
“Process Hacker”.
Wallix BestSafe - Product Overview V1 - AUGUST 2019 15 / 17
In a nutshell, this approach can be used, for example, to grant an unprivileged user access to a specific application, or to reduce an administrator’s privileges when running a dangerous application (such as a web
browser or an email client), all under the same credentials.
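A script-based equivalent of that verification, added here as an example and not part of the WALLIX documentation: run it from inside the process a privilege rule targets (for instance a test rule on powershell.exe) and it summarizes the token the process actually received, so you can confirm that the Administrators group, integrity level and privileges are what the rule intended. It assumes an English-language Windows, because whoami.exe localizes its column names.

```powershell
# Added example, not WALLIX code. Reads the current process's own token through
# whoami.exe (English column names assumed) and .NET WindowsIdentity.
function Get-TokenSummary {
    $id     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $groups = whoami /groups /fo csv | ConvertFrom-Csv   # "Group Name","Type","SID","Attributes"
    $privs  = whoami /priv   /fo csv | ConvertFrom-Csv   # "Privilege Name","Description","State"

    $admin = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }   # BUILTIN\Administrators
    $label = $groups | Where-Object { $_.SID -like 'S-1-16-*' }     # Mandatory Label (integrity level)

    [pscustomobject]@{
        User            = $id.Name
        IntegrityLevel  = if ($label) { $label.'Group Name' } else { 'unknown' }
        # A filtered (UAC) token still lists Administrators, but only for deny purposes
        AdminGroupState = if (-not $admin) { 'absent' }
                          elseif ($admin.Attributes -match 'deny only') { 'deny-only (not elevated)' }
                          else { 'enabled' }
        EnabledPrivileges  = ($privs | Where-Object { $_.State -eq 'Enabled' }).'Privilege Name' -join ', '
        DisabledPrivileges = ($privs | Where-Object { $_.State -eq 'Disabled' }).'Privilege Name' -join ', '
    }
}

Get-TokenSummary | Format-List
```

Run the same script once from a plain user session and once from the rule-governed process and compare the two outputs.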
III.6.4 SECURITY RIGHTS
BestSafe also supports traditional privilege management at the user level, another of its most
powerful features.
This feature allows you to manage the membership of any user or group (whether domain or local)
in the groups that come built-in with any Windows endpoint. Such a membership can also be given a time limit, and the Windows session can even be ended if the user is logged on when this time limit is
reached. The administrator therefore no longer needs to keep track of when, or whether, a membership needs to end,
which simplifies his or her work.
This user-level privilege management is implemented through what we call “Security Rights”. These
rules are defined using the same BestSafe Administration tool and are read and interpreted by the BestSafe Client, much like any other BestSafe rule. They are stored in the Active Directory
domain, and they make use of the object hierarchy: the rules applied to a target computer include those set on its parent objects. Every endpoint stores a local cache of its Security Rights in order to
keep applying them even when the computer is disconnected from the network. The Security Rights, as
well as the configuration, are updated when the computer reconnects to the network and at every
refresh interval specified in the global configuration.
Some options and configurations need prior planning before they are enabled, because a careless implementation may lead to undesired results. User-level privilege management
is definitely one of them, because there may already be local group memberships that were created
manually or with some other PAM tool.
If this BestSafe feature is enabled and no security rights have been created, any membership
previously created in the local built-in “Administrators” group is considered unauthorized by BestSafe. Therefore, for security reasons, such unauthorized memberships are deleted: the
users or groups concerned are automatically removed from the group. The BestSafe Client has no group membership rules by default, which means that if it has just been deployed with this option enabled, every pre-existing
local group membership is removed immediately.
Enabling this option before or after the BestSafe Client deployment can make a big difference, depending on the state of your organization at that time. One option is to first create the security rights that match
your organization in BestSafe and then enable the option. An alternative is to first enable the feature, and then gradually deploy the BestSafe Client while attending to the people who used to need those
memberships and may be having trouble now that they don’t. This is entirely for you to plan and decide.
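An added example (not WALLIX tooling) of the inventory step that this planning calls for: it collects the current members of the local Administrators group from a list of computers over WinRM and writes them to CSV, so that every membership you intend to keep can be created as a Security Right before the option is enabled. The computer names and output path are placeholders.

```powershell
# Added example, not WALLIX code. Requires WinRM (Invoke-Command) and the
# LocalAccounts module that ships with Windows PowerShell 5.1 (Get-LocalGroupMember).
function Get-LocalAdminInventory {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string]$OutCsv = '.\LocalAdmins-before-SecurityRights.csv'   # placeholder path
    )
    $rows = Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
        # S-1-5-32-544 is BUILTIN\Administrators on every endpoint, whatever the UI language
        Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object {
            $sid = $_.SID.Value
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Member   = $_.Name
                Class    = $_.ObjectClass       # User or Group
                Source   = $_.PrincipalSource   # Local, ActiveDirectory, MicrosoftAccount
                # RID 500 (built-in Administrator) and RID 512 (Domain Admins) are the default
                # members of a domain-joined endpoint; anything else was added later and
                # needs a matching Security Right if it is to survive enabling the feature
                Review   = -not ($sid -like '*-500' -or $sid -like '*-512')
            }
        }
    }
    $rows | Select-Object Computer, Member, Class, Source, Review |
        Sort-Object Computer, Member |
        Export-Csv -Path $OutCsv -NoTypeInformation -Encoding UTF8

    # Per-computer summary so the machines with custom memberships stand out
    $rows | Group-Object Computer | ForEach-Object {
        [pscustomobject]@{
            Computer      = $_.Name
            Members       = $_.Count
            NeedingReview = @($_.Group | Where-Object { $_.Review }).Count
        }
    }
}

# Constructed sample list; replace with Get-ADComputer output or a CMDB export
Get-LocalAdminInventory -ComputerName 'WS01', 'WS02', 'SRV-FILE01' | Format-Table -AutoSize
```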
III.6.5 INHERITANCE
BestSafe features full integration with Active Directory in order to make use of the object hierarchy when
applying settings to target Computer objects. Properties can be applied to the domain objects User, Group, Computer, Organizational Unit, Domain, Subnet and Site. BestSafe also supports applying
properties to configuration objects, such as Site and Subnet.
Active Directory inheritance allows you to apply properties to, for instance, an Organizational Unit, and
have them applied to the Computer objects inside it, although inheritance can be broken at
any level. BestSafe allows you to set properties in the following Active Directory object types:
▪ Computer – Properties set in a “Computer” object will apply to that specific computer only.
▪ Group – Properties set in a “Group” object will apply to all computers that are members of that specific group object. If it has other group objects as members, the properties will apply to them
too.
▪ Organizational Unit – Properties set in an “Organizational Unit” object will apply to all computer
and group objects contained by that specific organizational unit. If it also contains organizational units, the properties will also apply to them.
▪ Container – Properties set in a “Container” object will apply to all computer and group objects
contained by that specific container object.
▪ Domain – Properties set in a “Domain” object will apply to all computers contained by that specific
domain object, as well as groups and organizational units, for that matter.
▪ Subnet – Properties set in a “Subnet” object will apply to all computers whose IP address belongs
to that specific subnet. The “All Subnets” object represents every subnet, and properties set in this object will apply to all computers whose IP address belongs to any defined subnet.
▪ Site – Properties set in a “Site” object will apply to all computers whose IP subnet belongs to that
specific site. The “All Sites” object represents every site, and properties set in this object will
apply to all computers whose IP subnet belongs to any defined site.
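To make the hierarchy concrete, the following added example (not WALLIX code) models the inheritance described in this section and lists every Active Directory object whose properties would reach a given computer: the computer itself, its groups, each container above it, its domain, and the subnet and site its IP address falls into. All inputs are constructed; in a live domain the same fields would come from Get-ADComputer, a recursive group lookup and Get-ADReplicationSubnet.

```powershell
# Added example, not WALLIX code: which AD objects' properties reach one computer.
function Test-IPInCidr {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    $toUInt = {
        param($a)
        $b = [System.Net.IPAddress]::Parse($a).GetAddressBytes()
        [Array]::Reverse($b)                  # network byte order -> little-endian
        [BitConverter]::ToUInt32($b, 0)
    }
    # Build the mask with doubles to avoid Int32 sign trouble with 0xFFFFFFFF
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    return (((& $toUInt $Ip) -band $mask) -eq ((& $toUInt $net) -band $mask))
}

function Get-BestSafeScopeChain {
    param(
        [string]$ComputerDN,      # distinguishedName of the Computer object
        [string[]]$GroupDNs,      # group membership, nested groups already expanded
        [string]$IPAddress,
        [hashtable]$SubnetToSite  # 'CIDR' = 'Site name', as in AD Sites and Services
    )
    $scopes = [System.Collections.Generic.List[string]]::new()
    $scopes.Add("Computer: $ComputerDN")
    foreach ($g in $GroupDNs) { $scopes.Add("Group: $g") }
    # Walk up the DN: each OU or CN container above the computer, then the domain
    $parts = $ComputerDN -split '(?<!\\),'
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $container = $parts[$i..($parts.Count - 1)] -join ','
        if     ($parts[$i] -like 'OU=*') { $scopes.Add("Organizational Unit: $container") }
        elseif ($parts[$i] -like 'CN=*') { $scopes.Add("Container: $container") }
        elseif ($parts[$i] -like 'DC=*') { $scopes.Add("Domain: $container"); break }
    }
    foreach ($cidr in $SubnetToSite.Keys) {
        if (Test-IPInCidr -Ip $IPAddress -Cidr $cidr) {
            $scopes.Add("Subnet: $cidr (and 'All Subnets')")
            $scopes.Add("Site: $($SubnetToSite[$cidr]) (and 'All Sites')")
        }
    }
    return $scopes
}

# Constructed sample: a workstation in a nested OU, member of two groups, on the Paris subnet
Get-BestSafeScopeChain -ComputerDN 'CN=WS01,OU=Workstations,OU=Paris,DC=corp,DC=example' `
    -GroupDNs 'CN=Finance-PCs,OU=Groups,DC=corp,DC=example', 'CN=All-Workstations,OU=Groups,DC=corp,DC=example' `
    -IPAddress '10.20.5.17' -SubnetToSite @{ '10.20.0.0/16' = 'Paris'; '10.30.0.0/16' = 'Lyon' }
```

The list is only the set of objects whose properties apply; the page does not state the precedence between them, and a property blocked by broken inheritance at some level would drop out of the chain.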
III.7 TECHNICAL BENEFITS
Privilege Management: Based on rules, BestSafe allows you to grant privileges to processes and
applications as well as to users and computers. Besides supporting traditional privilege management at the
user level, BestSafe can build the security context under which an application must be
executed, no matter which permissions the account that launches the application has.
Permission Levels: Apply rules at application level to:
▪ Prevent untrusted software from being executed.
▪ Assign restricted permissions.
▪ Assign administrator permissions.
▪ Assign local groups.
▪ Assign Windows privileges.
Password Management: Daily change of the local administrator password on every computer in the
domain, with a different password for each computer. The password management tool can obtain the
password without connecting to the network.
Preventing Cybersecurity Attacks: Ability to deny access to both network and local folders that have
been defined as protected. That way, no type of ransomware will have access to the files on the network or in protected folders. Ability to control cryptographic operations that are about to be
performed and to request authorization before executing them.
Don’t let malware spread into your business: Around 95% of critical Microsoft Windows
vulnerabilities would be mitigated by removing admin privileges.
Software Distribution joins Advanced Security: Build your own true secure IT self-service Corporate
Application Catalog. Boost productivity and reduce time, costs and risks.
Privilege Management at user and process level: Implementing the Principle of Least Privilege should
not be a headache. Apply privilege management to both users and applications.
Make your IT personnel as happy as your VIPs: Give your VIPs what they require without affecting your
IT personnel’s mood, in an easy and secure way.
Flexibility and efficiency: Application deployment can be performed by the end user or it can be
unattended and automatically deployed by using different categories:
▪ On Demand
▪ Mandatory
▪ Uninstallation and/or forbidden
▪ Periodic
▪ Update
▪ Repair
▪ Urgent Deployment
Analysis and Reporting:
▪ Logs: Integration with any SIEM system by sending logs to a TCP or UDP port.
▪ Permissions: monitoring on assignment of users to groups and process execution with elevated permissions.
▪ Statistics: report use of applications and processes for license control, unauthorized software,
etc.
▪ Reporting: reporting on rule implementation
IV KEY USAGE SCENARIOS
Below are some examples of usage scenarios for BestSafe technology.