Password Management Solutions for Collaborative Environment


Masaryk University, Faculty of Informatics. Bachelor Thesis: Password Management Solutions for Collaborative Environment. Klára Pavelková, Brno, Spring 2014

Declaration: Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references and literature used or excerpted during the elaboration of this work are properly cited and listed with complete reference to the due source. Advisor: Mgr. Pavel Tuček

Acknowledgement: I would like to express my deepest gratitude to my advisor Mgr. Pavel Tuček for his continuous support and strong encouragement throughout this project. Despite the fact that it was necessary to overcome several obstacles, he was the person who kindly motivated me to achieve its completion. In addition, without his patient assistance I would not have been able to perform so many lengthy business calls, which were completely new to me. A special thanks goes to my colleagues Mgr. Luděk Finstrle and RNDr. Marek Kumpošt, Ph.D., who found time to help me with formulating the initial list of requirements, without which the project could not have begun. Last but not least, I would like to thank my sister Radka for precious language advice and my beloved Tom, who had a lot of patience with me during the toughest times of this project.

Abstract: The theoretical part of the thesis analyzes the motivation for deploying password management software in an organization's infrastructure and the security aspects of both cloud-based and on-premises software. In the practical part a survey of enterprise password managers is carried out, suitable products are selected and a proof of concept is implemented. Based on the results, a recommendation of a particular product is offered.

Key Words: Password Manager, Cloud-based, On-premises, Security, Proof of Concept

Table of Contents

1 Introduction
2 Password Management Software
  2.1 Passwords and Their Ancient Records
  2.2 Passwords in Context of Access Control
  2.3 Identification, Authentication, Authorization and Accountability
  2.4 Motivation for Deploying Password Management Software
  2.5 Pros and Cons of Password Management Software
3 Security
  3.1 Cloud Computing and Information Security
  3.2 Cloud-based Password Management Software
  3.3 On-premises Password Management Software
4 Optimal Features
5 Enterprise-Requested Features
  5.1 Essential Requirements
  5.2 Optional Requirements
6 Survey of Enterprise Password Management Software on the Market
  6.1 Cloud-based Software
  6.2 On-premises Software
  6.3 Availability of Trial Versions
  6.4 Rejected Software for the Proof of Concept Purposes
    6.4.1 Rejected Because of No Trial Version Availability
    6.4.2 Rejected Because of Not Meeting the Enterprise Requirements
  6.5 Software Selected for Testing
7 Proof of Concept
  7.1 Test Environment
  7.2 Password Manager Pro
    7.2.1 Requirements, Installation and Configuration
    7.2.2 Resource and Password Management
    7.2.3 Backup of Database
  7.3 Secret Server
    7.3.1 Requirements, Installation and Configuration
    7.3.2 Resource and Password Management
    7.3.3 Backup of Database
  7.4 Enterprise Random Password Manager
    7.4.1 Requirements, Installation and Configuration
    7.4.2 Resource and Password Management
    7.4.3 Backup of Database
  7.5 Conclusion of Testing and Recommendation
8 Conclusion
Bibliography
Appendix
  Legal Issue

1 Introduction

Using a password to authenticate to a service is a daily practice for any user. As the number of services that require authentication grows, so does the number of passwords that have to be remembered. This can lead to a rather disturbing phenomenon: passwords get reused, or written down and stored in insecure places, which endangers the confidentiality of the user's information held by the service. To address the problems connected with the use of a large number of passwords, password management software is available on the market. It comes in various forms: some products are intended for personal use, whereas others are designed to store and protect shared privileged information within an organization. This thesis deals specifically with enterprise password management software, which is typically used by system administrators.

The thesis is divided into two major parts, theoretical and practical. The theoretical part introduces password management software, gives a brief insight into the history of passwords, places passwords in the context of access control and explains the basic terms. It continues with the overall motivation of administrators for deploying and using such software, followed by a section dedicated to its strengths and weaknesses. There are two approaches to password managers: cloud-based and on-premises. Each of them is discussed from the security point of view in the next chapter, together with the security aspects of cloud computing in general. The final section of the theoretical part briefly outlines what should be taken into account when searching for the features of an optimal password manager.

The original output of the practical part of this thesis was to be a proposal of password management software for NetSuite Inc., as there is a strong need for deploying such software in its global infrastructure. However, the motivation had to be slightly changed during the work because of legal problems that suddenly occurred. Therefore, the practical part deals with general aspects of available password managers instead of being

related to NetSuite. The only exception is the first practical chapter, on enterprise-requested features, because these features were initially consulted with participating specialists from NetSuite. A survey of software available on the market follows; a few products are selected and analyzed further. The last chapter summarizes practical experience from the deployment in a test environment and gives the author's personal recommendations based on the proof of concept results.

2 Enterprise Password Management Software

A password manager (PM from here on) is software for storing passwords and optionally other confidential data (e.g. PIN codes, credit card numbers, SSH keys¹ etc.) in an encrypted database. The database is stored either on the provider's servers or within the purchaser's own infrastructure. It is protected by a master password and becomes accessible once that password has been provided. The PM helps to keep passwords up to date and well organized, and frees the user from having to remember all of them. In general there are two approaches to PMs: using a PM for personal purposes, or deploying a shared PM within a company. This thesis deals exclusively with the second approach, enterprise password management software, whose main aim is to manage the shared privileged information of an organization.

This chapter briefly explains what the role of passwords was in ancient times, in order to appreciate their importance in human history. Passwords are then defined in the context of access control, together with the basic terms associated with it. The motivation for deploying a PM within a company is given, and its advantages and disadvantages are discussed.

2.1 Passwords and Their Ancient Records

A password can be defined as a string which enables a user to enter a service or resource and perform specific operations within it. Each password is used strictly in combination with credentials that belong exclusively to the user. As passwords are so widely used across information systems, it is important to keep them secret and to keep developing better techniques for protecting their confidentiality, and thereby the privileged data they guard.

¹ [1] The SSH protocol supports the use of public/private key pairs in order to perform authentication based on public key cryptography.

To appreciate the importance of passwords, of keeping them strong and of using them properly, it helps to look at their role in the past. As the following shows, using a password to keep a secret confidential has a long history. Such use of passwords was reportedly known already in Ancient Egypt. According to the Encyclopedia of Ancient Egypt [2], from which the following quotations are taken, a mortuary text called Am Duat was depicted on the walls of the tomb of the Egyptian king TUTHMOSIS III ( B.C.E.) in the VALLEY OF THE KINGS in THEBES. The purpose of this text was "to instruct the deceased how to overcome the dangers of the afterlife, by enabling them to assume the form of several mythical creatures, and to give them passwords necessary for admittance to certain stages of the Underworld." The spells (i.e. magic words written on the walls) also "allowed the deceased to proclaim themselves as bearing the identity of many gods." The passwords were to be recited by the deceased in the afterlife.

As the above shows, passwords have been inseparably connected with privileged information for ages. While in Ancient Egypt their potential was reportedly used after the king's death, in the 21st century they are an inevitable part of the everyday lives of prosperous nations. As the quotation says, in order to reach the afterlife (the target), it was necessary to know the spells and passwords that protected the information locked in the tomb. This knowledge also allowed the deceased to change their identity according to current needs. In today's terms this can be compared to identification and authentication to a particular service that is valuable to us, which is explained further in section 2.3. Confidential information has always been important to people, and its importance is increasing even more with the swift development of information technology.

2.2 Passwords in Context of Access Control

Ross Anderson claims in his book Security Engineering [3] that passwords are still "the foundation on which much of computer security rests, as they are the main mechanism used to authenticate human users to computer systems." To understand the meaning and purpose of passwords fully, it is important to explain some basic terms inseparably connected with them. The fundamental one, superior to the others, is access control, since passwords are typically used to access computer systems. The following explanations and definitions (as well as those in section 2.3) are taken from the CISSP (Certified Information Systems Security Professional) publication by Shon Harris [4].

"Access control is a broad term that covers several different types of mechanisms that enforce access control features on computer systems, networks and information." In connection with this definition Harris also explains access control features as "a set of security elements which moderate how systems and users interact and communicate with other systems and resources. Such features protect the systems and resources from unauthorized access (...)." In password management software these security features are essential for protecting the confidential information stored within it. Before proceeding to the other terms connected with access control, it is helpful to clarify the term access itself, again in Harris's words: "Access is the flow of information between a subject and an object. A subject is an active entity that requests access to an object or the data within an object. A subject can be a user, program, or process that accesses an object to accomplish a task. (...) An object is a passive entity that contains information or needed functionality. An object can be a computer, database, file, computer program, directory or field contained in a table within a database."

All the terms mentioned above (access, access control, subject and object) are used in the following parts of this thesis.

2.3 Identification, Authentication, Authorization and Accountability

The following descriptions are taken from Harris [4]. A user cannot access a resource unless he proves he is who he claims to be, has the credentials required to enter the resource and has the privileges or rights needed to perform the requested actions. Conversely, once the user fulfils all of these requirements, he can access and use the resource. The requirements a user must meet on his way to the resource are divided into three steps.

Identification. Identification is the method of ensuring that a subject (a user, program or process) is the entity it claims to be. A user name or an account number can serve as the identifier.

Authentication. To be authenticated, the subject must provide a second piece of credentials, which can be a password, pass phrase, PIN, cryptographic key, some anatomical characteristic or a token (something the user exclusively owns). These two credential items are compared with the information previously stored for this subject. If they match, the subject is authenticated. More about authentication is given in sections 5.1 and 5.2 in the context of the requested features of PMs.

Authorization. Once the subject is identified and has provided its credentials, the system needs to check whether this subject has been given the particular privileges and rights needed to perform the requested actions. For that purpose it uses an access control matrix (for the definition see section 5.1, Essential Requirements). If the system determines that the subject is allowed to access the resource, the subject is authorized.

All these steps must be performed for a subject to be allowed to access an object. Nevertheless, there is another significant attribute that must hold while a subject acts within an object, which is accountability. The subject has to be accountable for every action it takes within a system or resource. The only way to ensure accountability is to identify the subject uniquely and to record the subject's actions. Within a PM such recording is done by its own auditing functionality, which is discussed in section 5.1 as one of the core features of a PM.
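The four steps above can be made concrete for a password manager. The following Go program is an added example written for this edition, not code from the thesis or from any of the products it surveys: a toy vault in which every entry carries its own ACL (the per-entry list of (subject, rights) pairs that section 5.1 requires), a user's groups stand in for groups that would be imported from a directory, authorization is the ACL check, and accountability comes from an audit trail that records every attempt, denied ones included. Identification and authentication of the caller are assumed to have happened already (the user name is simply passed in); all user names, entry names and secrets are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
	"slices"
	"time"
)

// Right is one permission a subject may hold on a vault entry.
type Right string

const RightView, RightModify Right = "view", "modify" // reveal / replace the password

// ACLEntry is one (subject, rights) pair; an entry's ACL is the column of the
// access control matrix for that entry, stored together with the entry.
type ACLEntry struct {
	Subject string // a user name or a group name
	Rights  []Right
}

// AuditRecord is written for every access attempt, allowed or denied.
type AuditRecord struct {
	When           time.Time
	Subject, Entry string
	Right          Right
	Allowed        bool
}

type entry struct {
	secret string
	acl    []ACLEntry
}

// Vault holds the entries, a user-to-groups map (a hypothetical stand-in for
// groups imported from a directory) and the audit trail.
type Vault struct {
	entries map[string]*entry
	groups  map[string][]string
	audit   []AuditRecord
}

var ErrDenied = errors.New("access denied")

func NewVault() *Vault { return &Vault{entries: map[string]*entry{}, groups: map[string][]string{}} }

func (v *Vault) AddEntry(name, secret string, acl ...ACLEntry) { v.entries[name] = &entry{secret, acl} }

func (v *Vault) AddToGroup(user, group string) { v.groups[user] = append(v.groups[user], group) }

// authorize is the authorization step: the entry's ACL is scanned for a pair whose
// subject is the user or one of the user's groups and which grants r. Unknown
// entries and subjects without a matching pair are denied.
func (v *Vault) authorize(user, name string, r Right) bool {
	e, ok := v.entries[name]
	if !ok {
		return false
	}
	for _, ace := range e.acl {
		principal := ace.Subject == user || slices.Contains(v.groups[user], ace.Subject)
		if principal && slices.Contains(ace.Rights, r) {
			return true
		}
	}
	return false
}

// access is the single choke point every operation passes through: decide,
// then record the decision, so that denied attempts are audited as well.
func (v *Vault) access(user, name string, r Right) bool {
	allowed := v.authorize(user, name, r)
	v.audit = append(v.audit, AuditRecord{time.Now(), user, name, r, allowed})
	return allowed
}

// Reveal returns the stored password if user holds the view right.
func (v *Vault) Reveal(user, name string) (string, error) {
	if !v.access(user, name, RightView) {
		return "", ErrDenied
	}
	return v.entries[name].secret, nil
}

// Rotate replaces the stored password if user holds the modify right.
func (v *Vault) Rotate(user, name, newSecret string) error {
	if !v.access(user, name, RightModify) {
		return ErrDenied
	}
	v.entries[name].secret = newSecret
	return nil
}

// Audit returns a copy of the audit trail.
func (v *Vault) Audit() []AuditRecord { return append([]AuditRecord(nil), v.audit...) }

// DemoVault is constructed sample data: alice may view through the dba-team
// group, bob may view and rotate, everybody else is denied.
func DemoVault() *Vault {
	v := NewVault()
	v.AddToGroup("alice", "dba-team")
	v.AddEntry("prod-db/root", "constructed-sample-password",
		ACLEntry{"dba-team", []Right{RightView}}, ACLEntry{"bob", []Right{RightView, RightModify}})
	return v
}

func main() {
	v := DemoVault()
	_, err := v.Reveal("alice", "prod-db/root")
	fmt.Println("alice view:", err, "| alice rotate:", v.Rotate("alice", "prod-db/root", "new"))
	for _, rec := range v.Audit() {
		fmt.Printf("%s %s %s allowed=%v\n", rec.Subject, rec.Right, rec.Entry, rec.Allowed)
	}
}
```

Reveal and Rotate never touch an entry directly; both go through access, so a decision cannot be made without a record of it. That single choke point is what makes the per-entry ACL and the audit requirements of section 5.1 enforceable rather than merely declared.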

2.4 Motivation for Deploying Password Management Software

Passwords are confidential information protecting sensitive data, information systems and networks, and they are therefore exposed to both external and internal threats. A significant number of different passwords is used every day by employees and system administrators. This thesis deals exclusively with the use of a PM by enterprise system administrators, for a simple reason: employees undoubtedly use a large number of passwords in their everyday work, but administrators need to keep incomparably more passwords to access and manage various service accounts. Those passwords have to be well organized and quickly accessible, so deploying a PM would benefit administrators. Unfortunately, it is typically exactly these privileged administrator accounts that are targeted by attacks. According to the 2014 Data Breach Investigations Report [5], insider misuse accounted for 8% of the breaches and 18% of the incidents reported for 2013, which makes insider misuse the 5th most frequent cause of breaches and the 3rd most frequent cause of incidents out of the 10 patterns in total, as the figure below shows.

[Figure 2.4.1: Frequency of incident classification patterns [5]. The first graph represents 2013 breaches, the second one 2013 incidents.]

As further statistics show, 88% of all insider misuse is privilege abuse, as seen in Figure 2.4.2. The report comments on this high number as follows: "Not unexpectedly, privilege abuse, taking advantage of the system access privileges granted by an employer and using them to commit nefarious acts, tops the list. We realize that encompasses a very broad range of activities, but the overall theme and lesson differ little: most insider misuse occurs within the boundaries of trust necessary to perform normal duties. That's what makes it so difficult to prevent." These statistics and comments indicate that password management within companies is generally insufficient and that privileged accounts should be protected better than they are at present.

[Figure 2.4.2: Top 10 threat action varieties within Insider Misuse [5].]

A PM can also help to guarantee the continuity of stored passwords. It is typical of employment that people leave from time to time and new employees come to replace them. In such cases passwords can represent a serious problem: those used by previous employees have to be changed without exception in order to keep internal data safe. An auditable password store makes it easy to find out which ones need a change. Ideally, the stored passwords can be rotated automatically. Such PM functionality could improve the security of the company's customers as well.

2.5 Pros and Cons of Password Management Software

As everything has its arguments pro and con, so has a PM. Before proceeding to the complications such software can bring, I would like to present its advantages. Among the most significant is that only one master password has to be remembered and protected in order to gain access to the PM; the others are stored in a database, typically in encrypted form, and handled by the software itself. Administrators can appreciate having one centralized repository where passwords for service accounts are securely stored and operations on them are restricted by predefined security policies. Cloud-based PMs can be accessed from various devices and thus enable administrators to react swiftly, e.g. in an emergency. Administrators can also welcome various additional features which help them manage service accounts, e.g. auditing and reports, remote login and password reset, automatic login to target systems and applications, or disaster recovery.

PMs may also have weaknesses which make them less trustworthy, and it is always advisable to search for potential vulnerabilities in these systems, research the companies behind the products and consider evaluations by security experts rather than simply trusting the vendors. A general disadvantage is that a company using a PM relies on a third party, especially so with a cloud-based PM: once the security of the provider is compromised in some way, the data of its clients becomes insecure as well. It is therefore important to know how these systems store the data, because all the passwords are in one place and covered just by the master password, which therefore has to be especially well protected, strong and changed regularly. The master password itself can be a disadvantage: typically it cannot be recovered, and compromising it can lead to leakage of the stored data, which could be destructive for the entity using the PM. Another challenging area is making backups of the stored data. In general, managing the PM's backups requires at least the same level of security as managing the original data itself.

3 Security

This chapter outlines the security aspects of cloud computing in general, in order to identify the questions that need to be addressed when considering a cloud-based application deployment. It then lists the main differences between cloud-based and on-premises software, together with the advantages and the security-related problems of each approach. It is not possible to prove that one approach is better than the other; in both cases there are several arguments for and against. The point is that before preferring one over the other it is necessary to take into account the various factors that differ between the two conceptions, e.g. IT infrastructure, initial software and support investment, or implementation time. In any case, the service, whether outsourced or running on premises, must meet the security standards of the purchaser. Once the facts are weighed, it can be decided which approach better suits the specific needs of the purchasing company.

3.1 Cloud Computing and Information Security

Cloud computing is a current topic. The following definition is taken from the Communications of the ACM (Association for Computing Machinery) magazine [6]: "Cloud computing refers to both the applications delivered as services over the Internet and the hardware and systems software in the data centres that provide those services. (...) The data centre hardware and software is what we will call a cloud." There are many ways to describe cloud computing. Bruce Schneier put it in other words [7]: "Also called software as a service (SaaS), cloud computing is when you run software over the internet and access it via a browser. (...) Computing has become more of a utility; users are more concerned with results than technical details, so the tech fades into the background."

Cloud computing has brought many new aspects to the field of information technology. Some of them are outlined in the ACM magazine [6], e.g. seemingly infinite computing resources available on demand. This is an advantage because cloud computing users do not need to plan far ahead for provisioning: companies can increase hardware resources only when their needs increase, which gives them more flexibility. In addition, outsourcing companies employ their own specialists in the matter, and it can be more advantageous for a company to make use of those outsourced specialists than to employ its own. Last but not least, cloud computing lets users pay for computing resources on a short-term basis, again according to their needs; as an example I can mention processors paid for by the hour and storage by the day. This can lead to noticeable infrastructure and power savings for the deploying company.

On the other hand, there is the security issue. As Schneier put it [7], IT security is mainly about trust. He claims that there is no other way than to trust the hardware, operating system and software vendors, CPU manufacturers and Internet service providers: "Any one of these can undermine your security: crash your systems, corrupt data, allow an attacker to get access to systems." Cloud computing is no exception; it moves the trust boundary one step further, because now the cloud service provider has to be trusted as well. Once a company wants to use a service offered by another, outsourcing company, it has to hand that company its own data. Whether the service is free of charge or paid, there is a strong need to trust the provider, and the purchaser must be aware that it lacks full control over its data and processes. It seems apparent that the future of computing lies in outsourcing, so it is worth stressing that it is not just the security of the outsourcer that matters, but also its reliability, availability and continuity. According to Schneier's note it is even worse: "data stored online has less privacy protection both in practice and under the law." While stored secrets are moving towards the cloud, it seems that the strong passwords protecting them are the only things left to rely on.

3.2 Cloud-based Password Management Software

As cloud-based PMs are examples of outsourced services, they have the same advantages and security problems for the companies that deploy them as those described in the previous section. As PM providers have their own experts, it can be more cost-effective to make use of them than to hire new ones. The providers also have their own computing resources and their own terms of payment. Examples of licensing models are managing a fixed number of systems per year, or a specific number of system administrators per year; some include support fees, whereas others charge for support separately.

From the security point of view, reliability must be the fundamental property of such services, as they manage privileged information that is stored in the cloud. It is essential that the provider supplies a transparent system with clear documentation, proves its dependability and offers adequate support. The goal is to gain a complete overview of each PM's security features, in order to understand how it works and where a potential problem might occur. For example, the privileged data is stored on the provider's servers, so the conditions of storage must comply with the security standards of the purchasing company. Such services are accessed through a web browser, so the connection must be encrypted: all data must be sent across the Internet over HTTPS. For reference on HTTPS see the Request for Comments document on HTTP over TLS [8].

As with any cloud-based service, there are risks to be faced, so maximum effort should be made to avoid them. Some of them are described by Schneier [7], and helpful recommendations are available on the Cloud Computing Channel of the InfoWorld web page [9]. One risk is the provider's bankruptcy, which can lead to the loss of all data, unacceptable for stored passwords. It is therefore recommended to run a health check before signing on with a PM provider, such as checking its revenue, profitability, number of customers and their feedback. It can also pay off to back up the data stored in the cloud, as the only other way to reach it is through the vendor's own APIs (more about APIs in section 5.2); PM providers should therefore offer a backup of the stored information, obviously in encrypted form. Another potential risk is that the provider is sold to another company; data loss or an unwanted transfer should be excluded in advance in the terms and conditions of the service. The same applies to, e.g., a sudden rapid increase in pricing or the blocking of the data.
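As an added illustration of the "connection must be encrypted" point (and of the SSL/TLS-on-the-interface requirement in section 5.1), the following Go program, written for this edition and not taken from the thesis or from any vendor, stands up a hypothetical PM web interface that only speaks TLS 1.2 or newer, and a client that accepts the server's certificate only if it chains to a trusted root. The server, its /secret path and the value it returns are constructed for the example; in a real deployment the trusted root would be the organization's CA or a public one, not the test server's own certificate as pinned here.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// NewVaultServer starts a hypothetical PM web interface on a loopback port.
// It serves only over TLS and refuses protocol versions below TLS 1.2; the
// /secret path hands out a constructed sample password.
func NewVaultServer() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/secret", func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil { // defence in depth: never answer on a plaintext connection
			http.Error(w, "HTTPS required", http.StatusForbidden)
			return
		}
		fmt.Fprint(w, "constructed-sample-password")
	})
	srv := httptest.NewUnstartedServer(mux)
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS12}
	srv.StartTLS() // adds a self-signed localhost certificate to srv.TLS
	return srv
}

// FetchSecret is the client side: it trusts only the given roots, so a server
// (or an interceptor) presenting a certificate that does not chain to them is
// rejected during the handshake, before any request is sent; it too insists
// on TLS 1.2 or newer.
func FetchSecret(url string, roots *x509.CertPool) (string, error) {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12},
	}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("unexpected status %q", resp.Status)
	}
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

func main() {
	srv := NewVaultServer()
	defer srv.Close()
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate()) // pin the server's certificate as the only trusted root
	secret, err := FetchSecret(srv.URL+"/secret", roots)
	fmt.Println("pinned root:", secret, err)
	_, err = FetchSecret(srv.URL+"/secret", x509.NewCertPool())
	fmt.Println("no trusted root:", err) // certificate signed by unknown authority
	_, err = FetchSecret("http://"+srv.Listener.Addr().String()+"/secret", roots)
	fmt.Println("plaintext HTTP:", err) // the TLS listener answers 400, not the secret
}
```

The three calls in main are the three checks worth running against any PM interface: a verified TLS session yields the data, an unverifiable certificate is refused by the client, and a plaintext request to the same port does not leak the secret. The thesis, written in 2014, speaks of SSL; the minimum version set here reflects what is acceptable today, and is an assumption of the example.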

The worst case of all is that the provider suffers some kind of attack, internal or external. The resulting data loss or breach could be devastating for the purchasing company. There is no general advice for that, other than to check the provider's reliability. As the Cloud Computing Channel writes: "The best bet is to keep an eye on your vendor's balance sheet and to keep your local backups current."

3.3 On-premises Password Management Software

On-premises software is also known as shrink-wrap software. The following definition is taken from the Techopedia.com dictionary [10]: "On-premises software is a type of software delivery model that is installed and operated from a customer's in-house server and computing infrastructure. It utilizes an organization's native computing resources and requires only a licensed or purchased copy of software from an independent software vendor." It can be seen as the opposite of the cloud-based software described above. This model transfers the overall responsibility to the customer, including the security, availability and management of the software. It requires in-house server hardware and IT support, investment in licences (open source software is licensed as well, but free of charge) and perhaps also a longer integration period, because the skill set needed to manage such software must first be acquired. It can therefore demand a larger investment and a longer deployment time than cloud-based services. Nevertheless, it can pay off, because the purchasing company does not have to rely on the vendor from the security point of view. This brings many advantages: purchasers have full control over the system's data and processes, and privileged information is stored internally, which avoids the potential problems described in connection with cloud-based software. On the other hand, it is necessary to find out about all the features of an on-premises PM. For instance, such software may send routine usage statistics back to the vendor; it must be known exactly which data is transmitted, how it is stored, and whether and how this feature can be disabled. There is also a general difference between cloud and on-premises data stores: a PM running on internal infrastructure remains accessible without an Internet connection, whereas a cloud-based one does not. This can be an advantage in case of connection loss.

4 Optimal Features

A wide range of software designed to store and protect shared privileged information is available on the market. As with any other software, choosing the most appropriate one can be quite difficult. Therefore, before making any choice, it is reasonable to consider the functionality an optimal password manager should offer. As described in the following chapter, there is a long list of features a PM can have. Some of them are fundamental, whereas others are additional or less important from the point of view of overall functionality; nevertheless, even the additional ones can make an administrator's work considerably easier. A particular PM can therefore be regarded as optimal if it offers both the essential and the optional features listed in the next chapter.

5 Enterprise-Requested Features

The first task of the practical part of this project was to create a list of requirements the PM should fulfil. In order to propose software that would exactly meet the requirements of an enterprise, it was necessary to consult them with an IT and Security department, in this case those of NetSuite Inc. The requirements were divided into two groups according to their importance: essential and optional. This chapter lists the requirements in each group together with their definitions and an explanation of their importance within an enterprise.

5.1 Essential Requirements

A system had to meet certain criteria to be eligible for further testing. The criteria were given by the following list of features, initially consulted with IT and Security specialists of NetSuite Inc.

1. ACL (Access Control List) management for each entry. The following description of an ACL is taken from Matt Bishop's publication on computer security [11]: "An obvious variant of the access control matrix is to store each column with the object it represents. Thus, each object has associated with it a set of pairs, with each pair containing a subject and a set of rights. The named subject can access the associated object using any of those rights."

2. AD (Active Directory) integration. As described in the publication Active Directory [12]: "Active Directory (AD) is Microsoft's network operating system (NOS). (...) Active Directory enables administrators to manage enterprise-wide information efficiently from a central repository that can be globally distributed." The structure of the stored information can be matched simply to the organizational structure of a company. To benefit fully from the functionality of a PM, it is essential to integrate it with the AD already in use: specifically, existing users, groups and their authorization rights should be integrated. It would also be valuable to be able to link the password policy to passwords stored within AD.

3. Audit. In order to analyze clearly which actions took place within a system and who performed them [11], auditing should be required as one of its core functionalities. In the case of a PM it is important that password retrieval and entry manipulation are auditable, so that it is easy to detect who operated within the system and when. For further reference see the book Audit informačního systému (Information System Audit) [13].

4. Categories. To keep stored information clearly arranged, a function to sort it into particular categories is useful, e.g. tags, fields or windows containing a description or metadata.

5. Search. This feature is closely connected with the previous one. Once the stored information can be sorted, it is easy to search within it as well, which contributes a lot to keeping a good overview of the stored information and to keeping it well organized.

6. Toggle display of passwords. Within a PM, passwords should be hidden by default, i.e. replaced by special characters such as asterisks. This increases the security of passwords by preventing unauthorized people from spotting them by chance.

7. Strong encryption. A password store must be well encrypted. Consultation with a representative of NetSuite's Security department led to an agreement that AES encryption of the password storage should be required. AES (Advanced Encryption Standard) [3]¹ is a symmetric-key block cipher which acts on 128-bit blocks. The algorithm, also known as Rijndael, can use a cipher key of 128, 192 or 256 bits in length. As Security Engineering: A Guide to Building Dependable Distributed Systems puts it: "Although there is no proof of security, whether in the sense of pseudorandomness, or in the weaker sense of an absence of shortcut attacks, there is now a high level of confidence that Rijndael is secure for all practical purposes."

8. SSL (Secure Sockets Layer) protocol on the interface. This protocol works at the transport layer and protects web-based traffic [4]. It is designed to provide privacy over the Internet between two communicating entities, the client and the server [15], and is considered the most widely used security protocol [3]. SSL was developed to support encryption and authentication in both directions, so that both HTTP requests and responses can be protected against eavesdropping and manipulation. SSL has since been superseded by its successor TLS [8], which is what HTTPS deployments use today; the requirement applies to either.

9. Database lockdown. The data store must not be accessible without a strong password, and particular access restrictions have to be applied. No remote connection to the database itself should be allowed; it should be reachable only through the PM application. These rules prevent potential data leakage.

10. Master password. This is one of the common features of enterprise PM software. It is a string of characters used to authenticate a user to the service. Its confidentiality is essential, since the master password's role is to enable access to the rest of the PM's functionality and to protect the other data stored within the application; it also serves to encrypt the database. It is usual that a lost master password cannot be recovered.

11. Auto logout. A web-based application should have an automatic logout function, to prevent unauthorized users from reaching the sensitive information stored.

12. RBAC (Role Based Access Control) support.

¹ An answer to the question "Why do most people use 256-bit encryption instead of 128-bit?" was given by Thomas Pornin, a cryptographer [14]: "256-bit key cracking through exhaustive search is totally out of reach of Mankind. And it takes quite a lot of wishful thinking to even envision a 128-bit key cracking. (...) To sum up: even if you use all the dollars in the World (including the dollars which do not exist, such as accumulated debts) and fry the whole planet in the process, you can barely do 1/1000th of an exhaustive key search on 128-bit keys. So this will not happen. And a 256-bit key search is about 340 billions of billions of billions of billions times harder than a 128-bit key search, so don't even think about it."
As described in Anderson s publication [3], this policy model provides a general framework for mandatory access control. Access decisions depend on functions which are currently performed by users within a company. Transactions that may be performed by holders of a given role are specified, then mechanisms for granting membership of a role (including delegation). ( ) It can deal with integrity issues as well as confidentiality, by allowing role membership (and thus access rights) to be revised when certain programs are invoked. It is expected that an enterprise 17

25 PM software should support this model. A possibility to set access rights according to various roles of employees within a company in order to keep its structure is essential. 13. Password sharing and expiration. While logging to 3 rd party site password sharing feature allows users to share one password in encrypted form, i.e. without any need to expose it. Password expiration feature provides assurance that passwords generated within a PM are up to date. 14. Break-glass administrator account. Break-glass is an additional feature of an access control model which enables the model to be more flexible in case of emergency or disaster and helps to prevent system stagnation as it enables an administrator to access the system. Such account could work as a backdoor to keep the system working in case of acute problems. 15. One-Time passwords (OTP). As introduced in the CISSP publication [4], OTP has its synonym a dynamic password just because it could be used for authentication purposes only once, because afterwards it is no longer valid. This type of authentication mechanism is used in environments that require a higher level of security than static passwords provide. An enterprise company is definitely this case of such environment. The following further description has been taken from the security-related web page TechTarget.com [16]. OTP is a numeric or alphanumeric string of characters which is automatically generated. OTPs may replace authentication login information or may be used in addition to it, to add another layer of security. This is exactly the functionality required by involved parties. 5.2 Optional Requirements The following features were not compulsory for PMs available on the market. On the other hand, meeting them was considered by involved parties as advantageous. 1. Reports. This requirement is connected with Audit. Once a system has an auditing feature incorporated, it is favourable to have also an opportunity to report results of the audit e.g. 
password retrieval. Reporting would help administrators to retain access and operations overview. 18

2. Password search, history and age. This set of secondary features would help to organize passwords stored within a PM and enable an administrator to search within them quickly. It would also be beneficial to have a password age indicator which would inform a user that it is already necessary to change his passwords. Another option could be to set the software so that it would automatically demand changing stored passwords from a user. Advantages of these features would be a clear arrangement of passwords and the ability to search in history and present. Primarily, the last named attribute could be considered one of the most important from the security point of view. As Matt Bishop [11] points out: "Guessing of passwords requires that access to the complement, the complementation functions, and the authentication functions be obtained. If none of these have changed by the time the password is guessed, then the attacker can use the password to access the system."

3. API (Application Programming Interface) integration. An API [17] is a set of standards and instructions or methods. Using these methods a programmer can access a web-based software application or a web tool, or simply manage software applications. API integration could be helpful for PM maintenance.

4. Password policy. As mentioned on the web page of the SANS Institute [18], "a policy is typically a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area." Such a definition could be used as well for explaining the term password policy. It is a document or a statement containing a set of rules assembled for the purpose of enhancing computer security within a company. Such rules are designed to encourage users to employ passwords which are strong and to use them in a proper way. By following a particular password policy it is expected to reach a high level of information security and prevent system vulnerability. It would be considered advantageous to have the chance to set up and enforce multiple password policies within the PM software; it would support the flexibility of the system.

5. Password generator and strength meter. As is obvious, PMs have a master password feature integrated as a common functionality (section 5.1). A PM administrator has to come up with this password himself, but on the other hand there is no need to deal with all the other passwords stored within a database. For that case it would be very useful to have a password generator integrated together with a strength meter. The characteristics of the generator should be customizable by an administrator.

6. Block Sync and No Sync attribute. In case synchronization of data stored within the PM is allowed, it is important to be assured that this feature can be blocked for those users that do not have access to such data. Selected passwords should also be marked as non-exportable, i.e. one-time passwords (section 5.1). These features would contribute to the protection of confidential information within the system, and passwords definitely belong among the most confidential items.

7. Database backup and synchronization. There should be a possibility to have the database containing stored data backed up. In the case of distributed storage of information, the database should have a synchronization feature integrated. This would be effective because stored data would always be up to date and saved for a possible emergency.

8. Two-factor authentication (TFA, T-FA or 2FA). A definition is given in a book which deals with securing ASP.NET Web API applications [19]. The author describes that in general "(...) there are three types of credentials through which a user can be authenticated: knowledge factor (what a user knows), ownership factor (what a user owns), and inherence factor (what a user is). When you have an authentication mechanism that leverages a combination of two of these factors, it is called two-factor authentication (...)". The reason for requiring TFA is apparently the security of authentication. The web page TechTarget.com (section 5.1) claims that despite the fact that there is a large number of vulnerabilities nowadays present in many TFA implementations, it is always better to use it when offered than not at all [20].

9. E-mail notifications. The PM could be set up so that it would send e-mails to an administrator in case something within the information store changed. It could be e.g. a change of passwords, settings or access rights. This feature would contribute to keeping general knowledge of actions taken within the PM and to enabling flexible reactions to such changes if needed.

10. SIEM (Security Information and Event Management) systems integration. Shon Harris [4] mentions that these are nowadays very frequently implemented systems in various organizations. "These products gather logs from various devices (servers, firewalls, routers, etc.) and attempt to correlate the log data and provide analysis capabilities." He also points out that it is both mind-numbing and close to impossible to be successful in reviewing logs manually while looking for suspicious activity. So many packets and network communication data sets are passing along a network; humans cannot collect all the data in real or near-real time, analyse them, identify current attacks and react; it is just too overwhelming. Another problem related to logs is that there are many different types of systems on a network and each one collects logs in a different proprietary format. Therefore some centralization and standardization is needed. SIEM technology could solve this problem easily. According to Gartner [21], it provides:
- Security information management (SIM): log management and compliance reporting, analysis of log data
- Security event management (SEM): real-time monitoring, incident management for security-related events from networks, security devices, systems, and applications

The main reasons to require SIEM systems integration within an enterprise company are to improve threat management as well as incident response capabilities. There is altogether a larger number of advantages in using SIEM, such as user activity monitoring, application activity and data access monitoring, or anomaly detection. All these features would be beneficial to have deployed within a large company. The reason is security again. Having a good overview of what happens within the system thanks to logs, reporting and detailed analysis, together with monitoring as a part of SEM, would help in defending a company against external (or internal) threats.
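The following is an added example, not code from the thesis or from any of the surveyed products, that models three of the essential requirements of section 5.1 in a few dozen lines: ACL management per entry (Bishop's access control matrix stored column-wise, so each entry carries its own set of (subject, rights) pairs), an audit trail of password retrieval and entry manipulation that also records denied attempts, and password expiration. The users, entry names, rights and the manually advanced clock are constructed for the demonstration.

```python
# Added example (not part of the thesis, not vendor code): per-entry ACL,
# audit trail and password expiration for a minimal password vault.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

READ, WRITE, SHARE = "read", "write", "share"   # constructed set of rights


class AccessDenied(PermissionError):
    """Raised when the ACL of an entry does not grant the requested right."""


@dataclass
class Entry:
    name: str
    secret: str
    changed_at: datetime
    # one ACL column (Bishop): subject -> set of rights on this object only
    acl: dict = field(default_factory=dict)


@dataclass(frozen=True)
class AuditRecord:
    when: datetime
    subject: str
    action: str
    entry: str
    allowed: bool


class Vault:
    def __init__(self, clock, max_age_days=90):
        self.clock = clock              # injectable clock, so expiry is testable
        self.max_age = timedelta(days=max_age_days)
        self.entries = {}
        self.audit = []                 # append-only; denied attempts are kept too

    def _authorize(self, subject, name, right):
        rights = self.entries[name].acl.get(subject, set())
        allowed = right in rights
        self.audit.append(AuditRecord(self.clock(), subject, right, name, allowed))
        if not allowed:
            raise AccessDenied(f"{subject} has no '{right}' right on '{name}'")

    def create(self, owner, name, secret):
        """The creator of an entry receives every right on that entry."""
        self.entries[name] = Entry(name, secret, self.clock(),
                                   {owner: {READ, WRITE, SHARE}})
        self.audit.append(AuditRecord(self.clock(), owner, "create", name, True))

    def grant(self, subject, name, grantee, rights):
        """Sharing needs the SHARE right on this entry, nothing vault-wide."""
        self._authorize(subject, name, SHARE)
        self.entries[name].acl.setdefault(grantee, set()).update(rights)

    def reveal(self, subject, name):
        """Password retrieval is always audited, whether allowed or denied."""
        self._authorize(subject, name, READ)
        return self.entries[name].secret

    def rotate(self, subject, name, new_secret):
        """Entry manipulation needs WRITE and resets the password age."""
        self._authorize(subject, name, WRITE)
        entry = self.entries[name]
        entry.secret = new_secret
        entry.changed_at = self.clock()

    def expired(self):
        """Names of entries whose password is older than the allowed age."""
        now = self.clock()
        return sorted(e.name for e in self.entries.values()
                      if now - e.changed_at > self.max_age)


def demo():
    """Walk through create -> share -> read -> denied write -> expiry check."""
    now = [datetime(2014, 1, 1)]            # constructed clock, advanced by hand
    vault = Vault(lambda: now[0], max_age_days=90)
    vault.create("alice", "prod-db", "s3cr3t")
    vault.grant("alice", "prod-db", "bob", {READ})
    seen = vault.reveal("bob", "prod-db")   # bob may read the password ...
    try:
        vault.rotate("bob", "prod-db", "x") # ... but may not change it
        denied = False
    except AccessDenied:
        denied = True
    now[0] += timedelta(days=100)           # 100 days later the entry is stale
    trail = [(r.subject, r.action, r.allowed) for r in vault.audit]
    return seen, denied, vault.expired(), trail


if __name__ == "__main__":
    print(demo())
```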
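As a second added example (again not from the thesis or from any surveyed product), the optional requirements of section 5.2 for multiple enforceable password policies, a customizable password generator with a strength meter, and a password age indicator can be sketched as follows. The policy names, thresholds, symbol set and strength bands are constructed assumptions; the generator draws from the operating system's CSPRNG via the secrets module.

```python
# Added example (not part of the thesis, not vendor code): password policies,
# a policy-driven generator, an entropy-based strength meter and an age check.
import math
import secrets
import string
from dataclasses import dataclass
from datetime import date

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"        # constructed symbol class


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int = 12
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    max_age_days: int = 90


# Several policies side by side: privileged accounts get a stricter one.
POLICIES = {
    "standard": PasswordPolicy("standard"),
    "privileged": PasswordPolicy("privileged", min_length=20, max_age_days=30),
}

# (required?, single-character test, label) for each character class
_CLASSES = [
    ("require_upper", str.isupper, "uppercase", string.ascii_uppercase),
    ("require_lower", str.islower, "lowercase", string.ascii_lowercase),
    ("require_digit", str.isdigit, "digit", string.digits),
    ("require_symbol", lambda c: c in SYMBOLS, "symbol", SYMBOLS),
]


def violations(password, policy):
    """List the policy rules the password breaks (empty list = compliant)."""
    found = []
    if len(password) < policy.min_length:
        found.append(f"shorter than {policy.min_length}")
    for attr, test, label, _ in _CLASSES:
        if getattr(policy, attr) and not any(test(c) for c in password):
            found.append(f"no {label} character")
    return found


def entropy_bits(password):
    """Strength meter: length * log2(size of the character pool in use).
    Characters outside the four classes count towards length only."""
    pool = sum(len(alphabet) for _, test, _, alphabet in _CLASSES
               if any(test(c) for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def strength(password):
    """Map the entropy estimate onto the labels a UI meter would show."""
    bits = entropy_bits(password)
    if bits < 40:
        return "weak"
    if bits < 64:
        return "fair"
    if bits < 96:
        return "good"
    return "strong"


def generate(policy, length=None, rng=None):
    """Generate a password that satisfies the policy; length is customizable
    by the administrator but never below the policy minimum."""
    rng = rng or secrets.SystemRandom()
    required = [alphabet for attr, _, _, alphabet in _CLASSES
                if getattr(policy, attr)]
    alphabet = "".join(required) or string.ascii_letters + string.digits
    length = max(length or policy.min_length, policy.min_length, len(required))
    while True:
        chars = [rng.choice(cls) for cls in required]      # one per class
        chars += [rng.choice(alphabet) for _ in range(length - len(chars))]
        rng.shuffle(chars)
        candidate = "".join(chars)
        if not violations(candidate, policy):
            return candidate


def days_until_rotation(changed_on, policy, today):
    """Password age indicator: a negative result means rotation is overdue."""
    return policy.max_age_days - (today - changed_on).days
```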

6 Survey of Enterprise Password Management Software on the Market

Another stage of this project was dedicated to searching for various PMs across the market and accumulating available information about each of them. Individual PMs are based on almost comparable core features, but differ in additional features, licensing and purchase conditions. After the market research, the set of offered features was compared to the already given list of requirements (chapter 5) and those managers which met the requirements were recommended for the Proof of Concept (chapter 7). Initially, PMs are again divided, as in chapter 3, into two main groups according to their deployment. In the first group there are the outsourced ones, cloud-based PMs, and those running on-premises fall into the second group. An important part of this chapter are the two tables included at the end of section 6.3. The tables contain all the PMs taken into account together with the list of requested features. They show how each of the PMs fulfils the essential and the optional features. Those cells that are left empty mean that it was not possible to extract information about the particular feature from the PM's web page or from documentation (if available).

6.1 Cloud-based Software

The two following managers are outsourced cloud-based services. Both are commercial software.

1. LastPass Enterprise - LastPass Corporate [22]. This PM claims to combine robust password vaulting with cloud single sign-on capabilities. It comes with a separate management console. Part of it is also a web client where an administrator can view the contents of the vault. As one of the exceptional PMs, LastPass can run on Windows, Linux and Mac OS on the host side.

2. Passpack - Passpack Inc. [23]. The authors of this PM claim that collaboration is its core function. Therefore it is designed so that it can be used either by single users or by larger IT departments. In the second case, Passpack would serve as a shared central password repository available for both small and large companies. This is one example of software which is flexible thanks to its cloud basis. Passpack works with the latest versions of Google Chrome, Opera, Firefox, Safari and Internet Explorer 7+. Pricing is set as follows: a regular fee is charged per month, together with another five conditions, which are the number of passwords stored, the number of shared users, groups, note size and disposable logins.

6.2 On-premises Software

All of the following PMs are commercial products except one of them, WebPasswordSafe, which is open-source software.

1. Secret Server - Thycotic Inc. [24]. Secret Server is a web-based PM available in two editions, Enterprise and Enterprise Plus, the latter offering additional features. Its design is based on a web application built on ASP.NET¹ and an integration with Microsoft SQL Server², which works as the database back end. This PM has noticeably extensive functionality, and licensing is set per named user with support included.

¹ ASP.NET is a free web framework that is used for building web sites, services and applications [25].
² MS SQL Server [26] is a database system running on Structured Query Language [27].

2. PowerBroker Password Safe - BeyondTrust Inc. [28]. The provider introduces this PM as an automated password and session manager which offers access control and auditing for privileged accounts and local administrative accounts. One of its key features is also complete support for operating systems, accounts, applications and devices, plus a custom connector builder for all systems that support Telnet or SSH connections.

3. Password Manager Pro - ManageEngine (Zoho Corporation Pvt. Ltd.) [29]. Password Manager Pro is a centralized password vault offered in a compact web-based package. Unlike other PM systems, this one can run both on Windows and Linux on the host side. In addition, it is also available as a free edition which allows having 1 administrator and managing up to 10 resources with unlimited validity. Licensing of the other registered versions is based on the number of administrators and the type of edition. One of the options is the Standard Edition, the other is the Premium Edition, which offers extra features such as remote password synchronization or reports.

4. Enterprise Password Vault (EPV) - Cyber-Ark Software, Ltd. [30]. EPV is a part of Cyber-Ark's Privileged Account Security Solution [31]. The provider claims it helps to secure, manage and track the usage of privileged credentials both on-premises and in the cloud. The product is built on the Cyber-Ark Shared Technology Platform [32], which allows customers to deploy a single infrastructure and expand the solution to meet expanding business requirements. Cyber-Ark has a different approach than other companies: every request for either more information or purchase options must be performed via their partners. There is a contact list of those partners on the company's web page.

5. Enterprise Random Password Manager (ERPM) - Lieberman Software Corp. [33]. Lieberman Software's main idea is to strengthen privileged accounts and shared administrative access to local servers, both Windows and Linux. In addition to Windows and Linux service accounts, ERPM can handle passwords on various other service accounts, e.g. IIS¹ accounts, SQL Server and Oracle database² accounts etc., on both physical and virtual servers. Lieberman Software does not insist on the AES-256 level of encryption, but offers AES-128 as well.

¹ IIS (Internet Information Services) for Windows Server is a Web server for hosting tasks on the Web [34].
² Oracle database is an object-relational database management system [35].


More information

MySQL Security: Best Practices

MySQL Security: Best Practices MySQL Security: Best Practices Sastry Vedantam sastry.vedantam@oracle.com Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes

More information

Drawbacks to Traditional Approaches When Securing Cloud Environments

Drawbacks to Traditional Approaches When Securing Cloud Environments WHITE PAPER Drawbacks to Traditional Approaches When Securing Cloud Environments Drawbacks to Traditional Approaches When Securing Cloud Environments Exec Summary Exec Summary Securing the VMware vsphere

More information

Data Protection: From PKI to Virtualization & Cloud

Data Protection: From PKI to Virtualization & Cloud Data Protection: From PKI to Virtualization & Cloud Raymond Yeung CISSP, CISA Senior Regional Director, HK/TW, ASEAN & A/NZ SafeNet Inc. Agenda What is PKI? And Value? Traditional PKI Usage Cloud Security

More information

Password Management Evaluation Guide for Businesses

Password Management Evaluation Guide for Businesses Password Management Evaluation Guide for Businesses White Paper 2016 Executive Summary Passwords and the need for effective password management are at the heart of the rise in costly data breaches. Various

More information

Application Reviews and Web Application Firewalls Clarified. Information Supplement: PCI Data Security Standard (PCI DSS) Requirement:

Application Reviews and Web Application Firewalls Clarified. Information Supplement: PCI Data Security Standard (PCI DSS) Requirement: Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls

More information

SECURITY DOCUMENT. BetterTranslationTechnology

SECURITY DOCUMENT. BetterTranslationTechnology SECURITY DOCUMENT BetterTranslationTechnology XTM Security Document Documentation for XTM Version 6.2 Published by XTM International Ltd. Copyright XTM International Ltd. All rights reserved. No part of

More information

TOP SECRETS OF CLOUD SECURITY

TOP SECRETS OF CLOUD SECURITY TOP SECRETS OF CLOUD SECURITY Protect Your Organization s Valuable Content Table of Contents Does the Cloud Pose Special Security Challenges?...2 Client Authentication...3 User Security Management...3

More information

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

REGULATIONS FOR THE SECURITY OF INTERNET BANKING REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY

More information

BalaBit IT Security Insight Singaporean Internet Banking and Technology Risk Management Guidelines Compliance

BalaBit IT Security Insight Singaporean Internet Banking and Technology Risk Management Guidelines Compliance GUARDING YOUR BUSINESS BalaBit IT Security Insight Singaporean Internet Banking and Technology Risk Management Guidelines Compliance www.balabit.com In 2008, the Monetary Authority of Singapore (MAS),

More information

Dynamic Query Updation for User Authentication in cloud Environment

Dynamic Query Updation for User Authentication in cloud Environment Dynamic Query Updation for User Authentication in cloud Environment Gaurav Shrivastava 1, Dr. S. Prabakaran 2 1 Research Scholar, Department of Computer Science, SRM University, Kattankulathur, Tamilnadu,

More information

SECUREAUTH IDP AND OFFICE 365

SECUREAUTH IDP AND OFFICE 365 WHITEPAPER SECUREAUTH IDP AND OFFICE 365 STRONG AUTHENTICATION AND SINGLE SIGN-ON FOR THE CLOUD-BASED OFFICE SUITE EXECUTIVE OVERVIEW As more and more enterprises move to the cloud, it makes sense that

More information

Software as a Service (SaaS) Requirements

Software as a Service (SaaS) Requirements Introduction Software as a Service (SaaS) Requirements Software as a Service (SaaS) is a software service model where an application is hosted as a service provided to customers across the Internet. By

More information

CAPITAL UNIVERSITY PASSWORD POLICY

CAPITAL UNIVERSITY PASSWORD POLICY 1.0 Overview Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Capital University's

More information

activecho Driving Secure Enterprise File Sharing and Syncing

activecho Driving Secure Enterprise File Sharing and Syncing activecho Driving Secure Enterprise File Sharing and Syncing activecho Overview In today s enterprise workplace, employees are increasingly demanding mobile and collaborative solutions in order to get

More information

RSA SecurID Software Token 1.0 for Android Administrator s Guide

RSA SecurID Software Token 1.0 for Android Administrator s Guide RSA SecurID Software Token 1.0 for Android Administrator s Guide Contact Information See the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com Trademarks RSA,

More information

Complying with PCI Data Security

Complying with PCI Data Security Complying with PCI Data Security Solution BRIEF Retailers, financial institutions, data processors, and any other vendors that manage credit card holder data today must adhere to strict policies for ensuring

More information

An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance An Oracle White Paper December 2010 Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance Executive Overview... 1 Health Information Portability and Accountability Act Security

More information

Leveraging SAML for Federated Single Sign-on:

Leveraging SAML for Federated Single Sign-on: Leveraging SAML for Federated Single Sign-on: Seamless Integration with Web-based Applications whether cloudbased, private, on-premise, or behind a firewall Single Sign-on Layer v.3.2-006 PistolStar, Inc.

More information

Securing Corporate Email on Personal Mobile Devices

Securing Corporate Email on Personal Mobile Devices Securing Corporate Email on Personal Mobile Devices Table of Contents The Impact of Personal Mobile Devices on Corporate Security... 3 Introducing LetMobile Secure Mobile Email... 3 Solution Architecture...

More information

Server Security. Contents. Is Rumpus Secure? 2. Use Care When Creating User Accounts 2. Managing Passwords 3. Watch Out For Aliases 4

Server Security. Contents. Is Rumpus Secure? 2. Use Care When Creating User Accounts 2. Managing Passwords 3. Watch Out For Aliases 4 Contents Is Rumpus Secure? 2 Use Care When Creating User Accounts 2 Managing Passwords 3 Watch Out For Aliases 4 Deploy A Firewall 5 Minimize Running Applications And Processes 5 Manage Physical Access

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

ProtectV. Securing Sensitive Data in Virtual and Cloud Environments. Executive Summary

ProtectV. Securing Sensitive Data in Virtual and Cloud Environments. Executive Summary VISIBILITY DATA GOVERNANCE SYSTEM OS PARTITION UNIFIED MANAGEMENT CENTRAL AUDIT POINT ACCESS MONITORING ENCRYPTION STORAGE VOLUME POLICY ENFORCEMENT ProtectV SECURITY SNAPSHOT (backup) DATA PROTECTION

More information

Chapter 10. Cloud Security Mechanisms

Chapter 10. Cloud Security Mechanisms Chapter 10. Cloud Security Mechanisms 10.1 Encryption 10.2 Hashing 10.3 Digital Signature 10.4 Public Key Infrastructure (PKI) 10.5 Identity and Access Management (IAM) 10.6 Single Sign-On (SSO) 10.7 Cloud-Based

More information

owncloud Architecture Overview

owncloud Architecture Overview owncloud Architecture Overview Time to get control back Employees are using cloud-based services to share sensitive company data with vendors, customers, partners and each other. They are syncing data

More information

Google Identity Services for work

Google Identity Services for work INTRODUCING Google Identity Services for work One account. All of Google Enter your email Next Online safety made easy We all care about keeping our data safe and private. Google Identity brings a new

More information

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0 Security Guide BlackBerry Enterprise Service 12 for ios, Android, and Windows Phone Version 12.0 Published: 2015-02-06 SWD-20150206130210406 Contents About this guide... 6 What is BES12?... 7 Key features

More information

Sync Security and Privacy Brief

Sync Security and Privacy Brief Introduction Security and privacy are two of the leading issues for users when transferring important files. Keeping data on-premises makes business and IT leaders feel more secure, but comes with technical

More information

EasiShare Whitepaper - Empowering Your Mobile Workforce

EasiShare Whitepaper - Empowering Your Mobile Workforce Accessing files on mobile devices and sharing them with external parties presents serious security risks for companies. However, most current solutions are either too cumbersome or not secure enough for

More information

Open Data Center Alliance Usage: Provider Assurance Rev. 1.1

Open Data Center Alliance Usage: Provider Assurance Rev. 1.1 sm Open Data Center Alliance Usage: Provider Assurance Rev. 1.1 Legal Notice This Open Data Center Alliance SM Usage:Provider Assurance is proprietary to the Open Data Center Alliance, Inc. NOTICE TO USERS

More information

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University Module II. Internet Security Chapter 7 Intrusion Detection Web Security: Theory & Applications School of Software, Sun Yat-sen University Outline 7.1 Threats to Computer System 7.2 Process of Intrusions

More information

NCSU SSO. Case Study

NCSU SSO. Case Study NCSU SSO Case Study 2 2 NCSU Project Requirements and Goals NCSU Operating Environment Provide support for a number Apps and Programs Different vendors have their authentication databases End users must

More information

Phoenix backs up servers using Windows and Linux operating systems. Here is a list of Windows servers that Phoenix supports:

Phoenix backs up servers using Windows and Linux operating systems. Here is a list of Windows servers that Phoenix supports: Druva About Phoenix What is Phoenix? Druva Phoenix is a cloud based backup and archival solution aimed primarily at remote office servers. Since Phoenix is cloud-targeted backup, there is no elaborate

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

Fujitsu s Approach to Cloud-related Information Security

Fujitsu s Approach to Cloud-related Information Security Fujitsu s Approach to Cloud-related Information Security Masayuki Okuhara Takuya Suzuki Tetsuo Shiozaki Makoto Hattori Cloud computing opens up a variety of possibilities but at the same time it raises

More information

Securely Yours LLC IT Hot Topics. Sajay Rai, CPA, CISSP, CISM sajayrai@securelyyoursllc.com

Securely Yours LLC IT Hot Topics. Sajay Rai, CPA, CISSP, CISM sajayrai@securelyyoursllc.com Securely Yours LLC IT Hot Topics Sajay Rai, CPA, CISSP, CISM sajayrai@securelyyoursllc.com Contents Background Top Security Topics What auditors must know? What auditors must do? Next Steps [Image Info]

More information

Convenience and security

Convenience and security Convenience and security ControlSphere is a computer security and automation solution designed to protect user data and automate most of authentication tasks for the user at work and home environments.

More information

www.xceedium.com 2: Do not use vendor-supplied defaults for system passwords and other security parameters

www.xceedium.com 2: Do not use vendor-supplied defaults for system passwords and other security parameters 2: Do not use vendor-supplied defaults for system passwords and other security parameters 2.1: Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing

More information

Dropbox for Business. Secure file sharing, collaboration and cloud storage. G-Cloud Service Description

Dropbox for Business. Secure file sharing, collaboration and cloud storage. G-Cloud Service Description Dropbox for Business Secure file sharing, collaboration and cloud storage G-Cloud Service Description Table of contents Introduction to Dropbox for Business 3 Security 7 Infrastructure 7 Getting Started

More information

Securing Remote Vendor Access with Privileged Account Security

Securing Remote Vendor Access with Privileged Account Security Securing Remote Vendor Access with Privileged Account Security Table of Contents Introduction to privileged remote third-party access 3 Do you know who your remote vendors are? 3 The risk: unmanaged credentials

More information

Improving Online Security with Strong, Personalized User Authentication

Improving Online Security with Strong, Personalized User Authentication Improving Online Security with Strong, Personalized User Authentication July 2014 Secure and simplify your digital life. Table of Contents Online Security -- Safe or Easy, But Not Both?... 3 The Traitware

More information

Secure Your Cloud and Outsourced Business with Privileged Identity Management

Secure Your Cloud and Outsourced Business with Privileged Identity Management Secure Your Cloud and Outsourced Business with Privileged Identity Management Table of Contents Executive Summary... 3 Understanding Privilege... 3 Do All Service Providers Get It?... 5 Managing Privilege

More information

SolarWinds Security Information Management in the Payment Card Industry: Using SolarWinds Log & Event Manager (LEM) to Meet PCI Requirements

SolarWinds Security Information Management in the Payment Card Industry: Using SolarWinds Log & Event Manager (LEM) to Meet PCI Requirements SolarWinds Security Information Management in the Payment Card Industry: Using SolarWinds Log & Event Manager (LEM) to Meet PCI Requirements SolarWinds Security Information Management in the Payment Card

More information

Technical Proposition. Security

Technical Proposition. Security Technical Proposition ADAM Software NV The global provider of media workflow and marketing technology software ADAM Software NV adamsoftware.net info@adamsoftware.net Why Read this Technical Proposition?

More information

Dashlane Security Whitepaper

Dashlane Security Whitepaper Dashlane Security Whitepaper November 2014 Protection of User Data in Dashlane Protection of User Data in Dashlane relies on 3 separate secrets: The User Master Password Never stored locally nor remotely.

More information

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous

More information

Device-Centric Authentication and WebCrypto

Device-Centric Authentication and WebCrypto Device-Centric Authentication and WebCrypto Dirk Balfanz, Google, balfanz@google.com A Position Paper for the W3C Workshop on Web Cryptography Next Steps Device-Centric Authentication We believe that the

More information

This document and the information contained herein are the property of Bowman Systems L.L.C. and should be considered business sensitive.

This document and the information contained herein are the property of Bowman Systems L.L.C. and should be considered business sensitive. SERVICEPOINT SECURING CLIENT DATA This document and the information contained herein are the property of and should be considered business sensitive. Copyright 2006 333 Texas Street Suite 300 Shreveport,

More information

HOW OBSERVEIT ADDRESSES KEY HONG KONG IT SECURITY GUIDELINES

HOW OBSERVEIT ADDRESSES KEY HONG KONG IT SECURITY GUIDELINES HOW OBSERVEIT ADDRESSES KEY HONG KONG IT SECURITY GUIDELINES The Office of the Government Chief Information Officer of The Government of the Hong Kong Special Administrative Region issued its IT Security

More information

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note BlackBerry Enterprise Service 10 Secure Work Space for ios and Android Version: 10.1.1 Security Note Published: 2013-06-21 SWD-20130621110651069 Contents 1 About this guide...4 2 What is BlackBerry Enterprise

More information

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security

More information

Concierge SIEM Reporting Overview

Concierge SIEM Reporting Overview Concierge SIEM Reporting Overview Table of Contents Introduction... 2 Inventory View... 3 Internal Traffic View (IP Flow Data)... 4 External Traffic View (HTTP, SSL and DNS)... 5 Risk View (IPS Alerts

More information

Vendor Questionnaire

Vendor Questionnaire Instructions: This questionnaire was developed to assess the vendor s information security practices and standards. Please complete this form as completely as possible, answering yes or no, and explaining

More information

Where every interaction matters.

Where every interaction matters. Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper

More information