BeyondTrust PowerBroker Password Safe

Transcription

1 BeyondTrust PowerBroker Password Safe A Frost & Sullivan Product Review

2 frost.com BEYONDTRUST POWERBROKER PASSWORD SAFE From small businesses to enterprises, the security of information, applications, and assets is a paramount concern. Innumerable attack strategies can steal or deny services. Securing the infrastructure against inappropriate use cannot only obstruct IT operations, but also reduce productivity for users if they are unable to access accounts needed to perform their jobs. Guarding against inappropriate access and enabling operational effectiveness while ensuring compliance is a difficult balancing act without appropriate tools. The Verizon 2013 Data Breach report notes that if single-factor passwords were eliminated, nearly 80% of attempted hacks would need to adapt or die. Password theft and loose password protocols leave companies vulnerable to insider attacks or to external attacks that leverage insider credentials. However, passwords remain the most ubiquitous way to gain access, requiring password management that is versatile, nimble, and secure. For operational efficiency, password processes should be highly automated so IT departments can focus on keeping networks and applications online securely and continuously. BEYONDTRUST PLATFORM BeyondInsight Console BeyondTrust PowerBroker Password Safe now integrates with the vendor s advanced risk management platform, BeyondInsight. As one module within BeyondTrust s Privileged Account Management solutions, PowerBroker Password Safe focuses on internal risk managing, securing and auditing of privileged accounts to enable access required to perform jobs safely while meeting compliance requirements, and without obstructing the productivity of IT or business users. Password Safe customers can also gain visibility over the risk associated with managed assets through the single console. The optional Vulnerability Management module focuses on external risks, proactively identifying exposures, analyzing business impact, and optimizing remediation plans. The power of the BeyondTrust approach is the combination available in BeyondInsight, providing the vulnerability and threat context while managing passwords controlled by Powerbroker Password Safe. Alerting in today s security-conscious IT environments typically creates an overabundance of data and alerts, as was also highlighted in the Verizon data breach report. Having too much data without context is not effective in identifying vulnerabilities or breaches. BeyondInsight solves this problem by providing the ability to view, sort and filter historical data for both privileged access and vulnerabilities. Analytics and reports for compliance, benchmarks, and a variety of what-if scenarios can be created for any set of hardware, devices or server groups managed by PowerBroker Password Safe. AGENTLESS, WEB-BROWSER APPLICATION Lightweight Software PowerBroker Password Safe is an agentless, Web-based password manager delivered in a secure, hardened appliance format with no reliance on Java. There are two other approaches to password management offered by other vendors in the space: 1. Password management systems that are loaded as a software application are inflexible. For organizations that have many locations, or that work with sub-contractors, the password vaults from separate locations have to be securely linked. Additionally, software as an appliance can become obsolete, but BeyondTrust handles updates through maintenance. 2

3 BeyondTrust PowerBroker Password Safe 2. Agentless password management systems that use JavaScript have large overheads. The process to establish connectivity between two servers using JavaScript is laborious. The receiving server has to rewrite and upload the request, listen, establish a secure shell (SSH) port, and then re-encrypt the passwords and user ID. ADMINISTRATION Role-Based Access Control (RBAC) to Resources The first and fundamental purpose of a password management system is to provide end users with the appropriate access to specific applications, data, and networks. The best way to accomplish this is to establish RBAC. Groups can be synchronized with Active Directory (AD) in Password Safe. Each group in Password Safe can give different users different permissions to groups of resources. For example, the SQL admin group in AD might have requestor role access to the SQL Server group of managed accounts. When a user is removed from a group, role-based access to the managed account group is removed, such as when a user leaves the company. ACCOUNT/PASSWORD MANAGEMENT Password Management One of the biggest security breaches a company can incur is lapses in password lifecycles. In Password Safe, a company can ensure that all passwords are regularly changed according to policy interval and complexity requirements. At each interval, a random password is generated and the account updated. Service Account Management Each individual account requires special treatment. A company wishes to have all service accounts changed on a pre-defined schedule and have the services kept in sync. The service account is configured for auto-management in Password Safe. When a service account password is changed (manually or automatically), the logon credentials are updated on any Windows service dependent on the account. System/Account Auto Discovery A happy headache that businesses endure is expansion. When new equipment is purchased, the company wishes to ensure that all systems are brought under management and any new systems are brought into compliance without manual intervention. A network scan is configured on Password Safe. A smart rule is created to automatically add the system to Password Safe. Accounts on discovered systems can automatically be managed and made available to users via policy. ACCOUNT/PASSWORD ACCESS Std. Password Requestor/Approval Scenario Importing from Active Directory based on roles can be used for access controls, or custom permissions and exceptions can be used to access an account; either way, approval can be required before access. The user logs into Password Safe and requests access to the account. A request notification is sent to the approver. The approver logs into Password Safe and approves or denies the request. The user is notified by of approval (if appropriate) and the user accesses the password. 3

4 frost.com Break-Glass Scenario Due to unforeseen circumstances, a user may need a password when there are potentially no approvers available. The user logs into Password Safe and requests access to a break-glass account. Access is immediately given, and an alert is generated stating access was given without dual control. Command Line Interface/Application Programming Interface (CPI/API) Access The problem with hard-coded passwords is that they can be lifted in a keystroke malware attack. A company can migrate away from the use of hard-coded passwords from applications and scripts. An external program is given access to a managed Password Safe account. A CLI (or API) call is scripted in place of a hard-coded password either directly or through wrapper script. When the script is executed, the password is retrieved dynamically from the Password Safe appliance. SESSION (PROXY) ACCESS TO ACCOUNTS Std. Remote Desktop Protocol (RDP) Requestor/Approval Scenario PowerBroker Password Safe provides a graphical user interface (GUI) to handle requests and approvals without divulging the password to the account. In this scenario, the user logs into Password Safe and requests access to the account. The request is sent for approval. The approver logs into Password Safe and approves or denies the request. The user is notified by of approval (if appropriate). The user clicks the RDP session button and is automatically logged into an RDP session through Microsoft Terminal Services Client (MSTSC), and the session is recorded. Std. Secure Shell (SSH) Requestor/Approval Scenario SSH is a public-key cryptographic protocol designed to link a server and a client together. Password Safe can generate a password request to authenticate the connection and decrypt the cypher text. For example, if a user needs access to a SSH session without knowing the password of the account, the user logs into Password Safe and requests access to the account. The request notification is sent to the approver. The approver logs into Password Safe and approves or denies the request. The user is notified by of approval (if appropriate). The user clicks the SSH session button and is automatically logged into an SSH session through PuTTY (or similar). Recorded Session Review A company is able to review a previously recorded SSH or RDP session. A user with Information Security Administrator (ISA) permissions logs into Password Safe and a list of previously recorded sessions that the user is authorized to view is available for selection. Upon selection of a session and user, playback controls enable viewing. CONCLUSION Endorsement BeyondTrust PowerBroker Password Safe is a solid tool for the secure procurement and dissemination of passwords. The ability to run network scans helps an IT department reconfigure the password vault as needed. Lightweight software helps with the transitions between servers and clients, and smartrules allow groups of assets to be profiled, accessed and analyzed for compliance and threat assessment. Account and password access, as well as password management procedures, mitigate the chance of man-in-the-middle attacks. Frost & Sullivan endorses PowerBroker Password Safe. 4

5 Auckland Bahrain Bangkok Beijing Bengaluru Buenos Aires Cape Town Chennai Colombo Delhi/NCR Detroit Dubai Frankfurt Houston Iskander Malaysia/Johor Bahru Istanbul Jakarta Kolkata Kuala Lumpur London Manhattan Miami Milan Mumbai Moscow Oxford Paris Pune Rockville Centre San Antonio São Paulo Seoul Shanghai Shenzhen Silicon Valley Singapore Sophia Antipolis Sydney Taipei Tel Aviv Tokyo Toronto Warsaw Silicon Valley 331 E. Evelyn Ave., Suite 100 Mountain View, CA Tel Fax San Antonio 7550 West Interstate 10, Suite 400 San Antonio, TX Tel Fax London 4 Grosvenor Gardens London SW1W 0DH Tel +44 (0) Fax +44 (0) GoFrost [email protected] Frost & Sullivan, the Growth Partnership Company, works in collaboration with clients to leverage visionary innovation that addresses the global challenges and related growth opportunities that will make or break today s market participants. For more than 50 years, we have been developing growth strategies for the Global 1000, emerging businesses, the public sector and the investment community. Is your organization prepared for the next profound wave of industry convergence, disruptive technologies, increasing competitive intensity, Mega Trends, breakthrough best practices, changing customer dynamics and emerging economies? For information regarding permission, write: Frost & Sullivan 331 E. Evelyn Ave., Suite 100 Mountain View, CA 94041