Defense in Depth: Implementing a Layered Privileged Password Security Strategy
![Page 1: Defense in Depth: Implementing a Layered Privileged Password Security Strategy](https://reader033.fdocuments.in/reader033/viewer/2022051502/587268eb1a28ab31498b5429/html5/thumbnails/1.jpg)
Defense in Depth: Implementing a Layered Privileged Password Security Strategy
Nick Cavalancia, Techvangelism
![Page 2: Defense in Depth: Implementing a Layered Privileged Password Security Strategy](https://reader033.fdocuments.in/reader033/viewer/2022051502/587268eb1a28ab31498b5429/html5/thumbnails/2.jpg)
You already believe in layers
• A visitor to your building
• Access to a file
• Remote Connectivity
![Page 3: Defense in Depth: Implementing a Layered Privileged Password Security Strategy](https://reader033.fdocuments.in/reader033/viewer/2022051502/587268eb1a28ab31498b5429/html5/thumbnails/3.jpg)
What are you doing today?
• Password vault?
• Spreadsheet?
• Accountability?
How are you protecting privileged passwords?
![Page 4: Defense in Depth: Implementing a Layered Privileged Password Security Strategy](https://reader033.fdocuments.in/reader033/viewer/2022051502/587268eb1a28ab31498b5429/html5/thumbnails/4.jpg)
Layering security over priv. passwords
![Page 5: Defense in Depth: Implementing a Layered Privileged Password Security Strategy](https://reader033.fdocuments.in/reader033/viewer/2022051502/587268eb1a28ab31498b5429/html5/thumbnails/5.jpg)
Do you need all those layers?
• In short, no.
• Privileged accounts aren’t all alike
• Layered strategy can’t be either
![Page 6: Defense in Depth: Implementing a Layered Privileged Password Security Strategy](https://reader033.fdocuments.in/reader033/viewer/2022051502/587268eb1a28ab31498b5429/html5/thumbnails/6.jpg)
Consider the password risk
• Resource access?
• External threat damage?
• Internal threat damage?
![Page 7: Defense in Depth: Implementing a Layered Privileged Password Security Strategy](https://reader033.fdocuments.in/reader033/viewer/2022051502/587268eb1a28ab31498b5429/html5/thumbnails/7.jpg)
Establishing defense in depth
• Layers are a part of IT security
• Think layered password protection
• Determine the layer/password mix
• Identifying password risk
![Page 8: Defense in Depth: Implementing a Layered Privileged Password Security Strategy](https://reader033.fdocuments.in/reader033/viewer/2022051502/587268eb1a28ab31498b5429/html5/thumbnails/8.jpg)
PowerBroker Password Safe v6.0
Martin Cannard – Product Manager
![Page 9: Defense in Depth: Implementing a Layered Privileged Password Security Strategy](https://reader033.fdocuments.in/reader033/viewer/2022051502/587268eb1a28ab31498b5429/html5/thumbnails/9.jpg)
PAM – A collection of best practices
• AD Bridge: Use AD credentials to access Unix/Linux hosts
• Privilege Delegation: Once the user is logged on, manage what they can do
• Session Management: Managed list of resources the user is authorized to access. Gateway proxy capability. Audit of all session activity
• Password & SSH Key Management: Automate the management of functional account passwords and SSH keys
![Page 10: Defense in Depth: Implementing a Layered Privileged Password Security Strategy](https://reader033.fdocuments.in/reader033/viewer/2022051502/587268eb1a28ab31498b5429/html5/thumbnails/10.jpg)
Comprehensive Security Management
► Secure and automate the process for managing privileged account passwords and keys
► Control how people, services, applications and scripts access managed credentials
► Auto-logon users onto RDP, SSH sessions and apps, without revealing the password
► Record all user and administrator activity (with keystrokes) in a comprehensive audit trail
► Alert in real time as passwords and keys are released and session activity is started
► Monitor session activity in real time, and immediately lock/terminate suspicious activity
Diagram labels: Privileged Password Management (People, Services, A2A); Privileged Session Management; SSH Key Management
![Page 11: Defense in Depth: Implementing a Layered Privileged Password Security Strategy](https://reader033.fdocuments.in/reader033/viewer/2022051502/587268eb1a28ab31498b5429/html5/thumbnails/11.jpg)
Privileged Session Management
• Native desktop tool (MSTSC/PuTTY etc.) connects to Password Safe which proxies connection through to requested resource
• User authenticates to Password Safe and requests session to protected resource
• RDP/SSH session is proxied through the Password Safe appliance
Diagram labels: Password Safe, Proxy, Protected Resources; connections over HTTPS and RDP / SSH
![Page 12: Defense in Depth: Implementing a Layered Privileged Password Security Strategy](https://reader033.fdocuments.in/reader033/viewer/2022051502/587268eb1a28ab31498b5429/html5/thumbnails/12.jpg)
Differentiator:
Adaptive Workflow Control
![Page 13: Defense in Depth: Implementing a Layered Privileged Password Security Strategy](https://reader033.fdocuments.in/reader033/viewer/2022051502/587268eb1a28ab31498b5429/html5/thumbnails/13.jpg)
Adaptive Workflow Control
• Day
• Date
• Time
• Who
• What
• Where
![Page 14: Defense in Depth: Implementing a Layered Privileged Password Security Strategy](https://reader033.fdocuments.in/reader033/viewer/2022051502/587268eb1a28ab31498b5429/html5/thumbnails/14.jpg)
Differentiator:
Controlling Application Access
![Page 15: Defense in Depth: Implementing a Layered Privileged Password Security Strategy](https://reader033.fdocuments.in/reader033/viewer/2022051502/587268eb1a28ab31498b5429/html5/thumbnails/15.jpg)
Automatic Login to ESXi example
• User selects vSphere application and credentials
Diagram labels: Browser, RDP Client, ESX, RDP (4489), RDP (3389), vSphere RemoteApp, Credential Checkout, Credential Management, User Store, Session Recording / Logging, HTTPS
![Page 16: Defense in Depth: Implementing a Layered Privileged Password Security Strategy](https://reader033.fdocuments.in/reader033/viewer/2022051502/587268eb1a28ab31498b5429/html5/thumbnails/16.jpg)
Automatic Login to Unix/Linux Applications
Typical Use Cases
• Jump host in DMZ
• Menu-driven Apps
• Backup Scripts
• Role-based Apps
User selects SSH application and credentials
Diagram labels: Browser, RDP Client, SSH (22), SSH (22), SSH Application, Credential Checkout, Session Recording / Logging, HTTPS
![Page 17: Defense in Depth: Implementing a Layered Privileged Password Security Strategy](https://reader033.fdocuments.in/reader033/viewer/2022051502/587268eb1a28ab31498b5429/html5/thumbnails/17.jpg)
Differentiator:
Reporting & Analytics
![Page 18: Defense in Depth: Implementing a Layered Privileged Password Security Strategy](https://reader033.fdocuments.in/reader033/viewer/2022051502/587268eb1a28ab31498b5429/html5/thumbnails/18.jpg)
Actionable Reporting
![Page 19: Defense in Depth: Implementing a Layered Privileged Password Security Strategy](https://reader033.fdocuments.in/reader033/viewer/2022051502/587268eb1a28ab31498b5429/html5/thumbnails/19.jpg)
Advanced Threat Analytics
![Page 20: Defense in Depth: Implementing a Layered Privileged Password Security Strategy](https://reader033.fdocuments.in/reader033/viewer/2022051502/587268eb1a28ab31498b5429/html5/thumbnails/20.jpg)
What makes Password Safe different?
• Adaptive workflow control to evaluate and intelligently route based on the who, what, where, and when of the request
• Full network scanning capabilities with built-in auto-onboard capabilities
• Integrated data warehouse and analytics capability
• Smart Rules for building permission sets dynamically according to data pulled back from scans
• Session management / live monitoring at NO ADDITIONAL COST
• Clean, uncluttered, and intuitive HTML5 interface for end users
![Page 21: Defense in Depth: Implementing a Layered Privileged Password Security Strategy](https://reader033.fdocuments.in/reader033/viewer/2022051502/587268eb1a28ab31498b5429/html5/thumbnails/21.jpg)
Market Validation
• Leader: Forrester PIM Wave, Q3 2016
− Top-ranked Current Offering (product) among all 10 vendors reviewed
− “BeyondTrust excels with its privileged session management capabilities.”
− “BeyondTrust […] provides the machine learning and predictive behavior analytics capabilities.”
• Leadership
− Gartner: “BeyondTrust is a representative vendor for all five key PAM solution categories.”
− OVUM: “BeyondTrust […] provides an integrated, one-stop approach to PAM… one of only a small band of PAM providers offering end-to-end coverage.”
− SC Magazine: “Recommended product.”
− … and more from IDC, KuppingerCole, TechNavio, 451Research, Frost & Sullivan and Forrester
![Page 22: Defense in Depth: Implementing a Layered Privileged Password Security Strategy](https://reader033.fdocuments.in/reader033/viewer/2022051502/587268eb1a28ab31498b5429/html5/thumbnails/22.jpg)
DEMO
![Page 23: Defense in Depth: Implementing a Layered Privileged Password Security Strategy](https://reader033.fdocuments.in/reader033/viewer/2022051502/587268eb1a28ab31498b5429/html5/thumbnails/23.jpg)
Poll
![Page 24: Defense in Depth: Implementing a Layered Privileged Password Security Strategy](https://reader033.fdocuments.in/reader033/viewer/2022051502/587268eb1a28ab31498b5429/html5/thumbnails/24.jpg)
Q&A
Thank you for attending!