Total Privileged Access Management Suite V2.2

Transcription

1 Reference Code: TA001783SEC Publication Date: November 2009 Author: Alan Rodger, Karthik Balakrishnan, and Somak Roy TECHNOLOGY AUDIT Total Privileged Access Management Suite V2.2 e-dmz Security OVUM BUTLER GROUP VIEW ABSTRACT e-dmz Security s Total Privileged Access Management (TPAM) Suite combines four privileged access management solutions on a single platform, each addressing an aspect of the issues around privileged access management using shared credentials. Many infrastructure devices, and some applications, have built-in, inflexible account names and passwords to support in-depth management tasks, but when these cannot be managed satisfactorily from the perspectives of compliance and accountability organisations rightly have security, risk, and regulatory compliance concerns. TPAM Suite provides password storage and policylimited release, and enforces password updates, all in a way that establishes an inarguable connection between an individual privileged user and a particular log-on event. It provides similar capabilities for application-to-application access request scenarios, and can also record (and later play back visually) all user sessions, and even restrict the commands executed on the target system. This is an impressive solution compared to others in its market space, especially as it provides a unified approach to the many aspects of requirements, and supports such a broad range of technologies that are likely to cause headaches in this regard. Any company that realises the need to enhance accountability when dealing with privileged account access, especially in industries affected by compliance challenges, would do well to evaluate TPAM Suite. KEY FINDINGS Addresses many privileged access requirements within one platform. Integrates audit trail with users existing corporate identity. Captures all user activity including full session recording Covers a broad range of technologies, platforms, and device types. High security across storage, management, and communication of credentials. Role definitions control access, and approval workflows can be incorporated. The appliances support strong authentication of user access. The suite lacks a centralised management console OVUM Butler Group. This Technology Audit is a licensed product and is not to be photocopied Page 1

2 LOOK AHEAD e-dmz Security has shared its development plans, which include numerous features we consider valuable. These include items such as a central management console and active session monitoring to augment current session recording features. FUNCTIONALITY The leading Identity & Access Management (IAM) solutions have focused primarily on a broad range of enterprise requirements relating to access mainly to applications (in-house or Web-based) and to systems. This approach often ignores a discrete and very important area of requirements, namely the access to systems and applications using privileged passwords that are often shared or badly secured. The root of the problem is that data centres have many infrastructure devices such as firewalls, routers, and storage that are built with hard-wired user names such as Administrator, Root, db2admin, or System to allow management of the device, or troubleshooting in the event of problems. Many applications, too, are shipped with administrator passwords, which give access to important underlying functions such as configuration or integration capabilities, as also are operating system products such as root directory access within UNIX and Linux. Sometimes organisations face further problems due to legacy code in which the administrator passwords are hard-coded into operational code, in order to facilitate application-to-application, or application-to-system integration. Whether passwords in an organisation are hard-coded, shared, or otherwise inappropriately secured, the result is increased risk. Although management processes may control how, when, and to whom passwords are divulged, operations staff that work on the devices or applications could and often do build up knowledge of these administrator passwords over time, because in many cases they cannot be changed. However honest organisations think their employees are, potential compromise from such passwords constitutes a risk that should be understood, and in some industries must be reported as part of compliance obligations. Additionally, shared or widely known passwords cause it to be impossible for an audit trail to link every action with a single individual a foundational requirement for compliance obligations such as SOX, PCI, HIPAA, GLBA, and Basel II. Product Analysis e-dmz Security s Total Privileged Access Management (TPAM) suite addresses a wide range of challenges related to system or application access with privileged credentials (see Figure 1). There are four solution modules, grouping key capabilities as follows: Privileged Password Management, which supports password release to authorised users, and the changing of passwords based on rules. It can enforce releases of passwords on request, allowing one password release at a time to access a particular resource, and to a single requestor (nobody else can access the target system at the same time, and nobody can access the target system at that time using a different password). This establishes a non-repudiable audit trail linking a single individual to definite knowledge of the privileged password for a resource, during a particular time period. To increase security, password change can be enforced subsequent to a released password being used on the target system, or periodic change can be enforced, with any of these options being based on configurable rules. OVUM Butler Group. This Technology Audit is a licensed product and is not to be photocopied Page 2

3 Application Password Management, which enables applications (rather than users) to access privileged credentials, and undertake application-to-application and application-to-system authentication. A Command Line Interface (CLI) and APIs are available for application integration, enabling calls to TPAM capabilities to replace the insecure and inflexible practice of using hardcoded passwords to authenticate applications to each other, and between applications to systems. Privileged Session Management, which acts as a session gateway, or a proxy between the requestor and the target system, recording all the actions undertaken with TPAM by users and managers, and facilitating video-like playback of actions for audit purposes. Privileged Command Management, which augments the functionality of Privileged Session Management by restricting the commands that can be executed on the target system. TPAM Suite is deployed as an appliance. For its first few years, e-dmz Security provided both Privileged Password Management and Application Password Management, bundled on a device that it marketed as Password Auto Repository (PAR). Privileged Session Management, and Privileged Command Management, were first launched on a separate appliance type (eguardpost), before the launch of TPAM suite in May 2009 saw the elimination of differences between the two appliances. Correspondingly, customers of either appliance type can operate the whole range of capabilities within TPAM Suite, activating the individual modules via appropriate licensing, according to requirements. Figure 1: TPAM Suite Source: e-dmz Security O V U M B U T L E R G R O U P OVUM Butler Group. This Technology Audit is a licensed product and is not to be photocopied Page 3

4 Figure 1 illustrates on the left-hand side requestors, who initiate the requirement to know, use, or change a password. That password is operationally used in the target systems, applications, and devices depicted on the figure s right-hand side. The process of authenticating requestors for passwords and sessions can use third-party authentication systems and workflow applications (often where approvals are involved). Authorisation lists can be maintained within TPAM Suite, allowing only known requestors (both applications and individuals) to seek access. User authentication for access to TPAM Suite is via password or Active Directory, with optionally second-factor authentication via tokens. RSA Security s SecurID, Secure Computing s Safe-Word, Active Directory, LDAP are supported, as well as authentication based on Remote Authentication Dial-In User Service (RADIUS). The appliances use highly secure means of storing credentials and communicating with requestors and target applications. All inbound requests, as well as those that request access to obtain or change passwords, or to access critical resources, pass through an embedded CyberGuard SG640 firewall. Only authenticated connections via port 443 (for users) and port 22 (used by APIs and Command Line Interfaces (CLIs)) are allowed, ensuring that no other traffic enters the network. TPAM Suite user interfaces are secured by using an HTTPS channel. Communications with enterprise systems use Secure Shell (SSH) Version 2 protocol. Credentials, and the appliances hard disks, are encrypted using the AES256 algorithm, and when the highavailability option shares credential information a Digital Signature Standard (DSS) key-authenticated SSH tunnel is used. TPAM Suite provides extensive reporting and auditing capabilities, and maintains logs with details of all user activities. Reporting can be interactive or static, and facilities are available for export to Excel spreadsheet or in.csv, format. Examples of out-of-the-box reporting include details of new users, systems, and accounts; sequential details of all password changes (along with reasons for the changes made); and periodic comparison of passwords held on remote systems with those held in the TPAM Suite repository to ensure ongoing integrity. TPAM Suite supports a broad range of target platforms and devices including platforms such as HP-UX and AIX, IBM AS400, Windows, Linux, and mainframes; leading databases products from Sybase, Oracle, and Microsoft; many directory products and other elements of security infrastructure such as firewalls; a number of leading manufacturers network devices; and many enterprise applications. The IBM DB2 database is supported on all platforms except mainframe, and uses common operating system credential services on environments such as Windows and UNIX. On mainframe systems DB2 has its own credential management, and support for this environment is on e-dmz s roadmap. Although differences between usage of the PAR and eguardpost appliance types have narrowed greatly, we should point out that they are currently managed via separate consoles, and that this might give rise to inefficiency issues within large-scale deployments across a mix of the appliance types by long-standing customers. However, new customers would not encounter this problem. Product Operation Privileged Password Management This module is responsible for the storage, release, and change of passwords, all taking place within an extremely secure, policy-bound, resilient environment. All passwords (and the local hard disk) are encrypted using the AES256 algorithm, and a secure, encrypted backup file is created on a daily basis. OVUM Butler Group. This Technology Audit is a licensed product and is not to be photocopied Page 4

5 Built-in role-based access control can be integrated with existing corporate identity stores, enabling corporate users to be mapped onto the requestor and approver roles facilitated by TPAM Suite, if necessary. Upon successful authentication, a password can be released to the requestor, or if the user s entitlements require, the dual-control release mechanism is initiated and a message sent to the designated approver. When the user is granted access to a password, the period for which it is visible may be limited, for added security. After use, the module can update the password on the target system in a number of ways, as governed via policy. Options include time-based password control (ensuring that the released password is valid only for two hours, when it is replaced with a new password), and last-use change control (which ensures that the password is replaced with a new one immediately after the old password has been used to access the target system). Periodic password change (weekly, monthly, etc.) is also supported. A primary benefit is that TPAM Suite ensures the password is not released to more than one authorised user at the same time, although configuration options are available to allow concurrent password release for specific accounts if required. Normally, only when the user session expires, and the password is changed, is the next user allowed access. Application Password Management This module manages and controls all access to shared or privileged accounts undertaken within applicationto-application (A2A) or application-to-host (A2H) interactions. The embedded use of hard-coded passwords within code or script can be replaced using the module s CLI and API, which enable the retrieval of passwords via scripts or program calls, and initiation of and password change afterwards. The module ensures that only completely authorised applications or automated processes can retrieve passwords, and TPAM suite can also limit the actions that can be performed. Communication from process to TPAM Suite repository is through SSH via DSS key pairs, and the requesting application uses the password retrieved from TPAM Suite to authenticate itself to the target application/system. Application password management can be further enhanced with cache options to support high-demand requirements of up to 1,000 requests per second. Privileged Session Management This module functions as a session gateway between privileged users and critical resources, and enables organisations to enforce secure access control and session control, as well as conduct very granular audits. Typical scenarios involve access by vendors, consultants, administrators, and application and systems developers when they need access to a live system. The module proxies all sessions between users and resources. Similar to the Privileged Password Management module, users corporate identities can be mapped onto roles, which information the module s policy enforcement considers in determining whether the particular user requires approval before being able to obtain access to the resource. There is no direct connection between remote users and resources, which ensures that the system containing critical resources cannot be compromised even if the system through which the user accesses those resources has suffered a security incident such as malware infection. The proxy helps capture all user actions in detail, including keystroke actions and mouse movement, as well as other input. Every action the user undertakes after gaining access to the target system is monitored and recorded, and user sessions can be viewed later by organisations in a DVD-like playback mode. All recorded sessions are archived and can be easily searched and retrieved based on user, system, and date. The playback facility is sophisticated enough to include the ability to pause, or run up to x16 speed, while viewing sessions. To save disk space, all session recordings are stored in a compressed format, and data is only added while the user is performing any action (if the user is idle the recording pauses). OVUM Butler Group. This Technology Audit is a licensed product and is not to be photocopied Page 5

6 Privileged Command Management This module enhances Privileged Session Management by enabling organisations to configurably limit users, based on their role, to use only certain commands across UNIX, Linux, and Windows systems. A fully integrated, configurable command editor is provided as the user environment, and the module can terminate connection with the target resource automatically on command completion, if required. Session recording is undertaken by the module, which has the same related facilities as are available within Privileged Session Management. Product Emphasis The newly enhanced TPAM suite focuses on eliminating the problems of inadequate accountability, security around critical access credentials, and compliance challenges that can arise from operating poor processes around privileged user accounts. Its coverage of potential issues and requirements is both broad and indepth, and it has a strong focus on logging, providing granular auditing of sessions run by privileged users, and even session recording that can enable visualisation of the user s actions. Within TPAM Suite, highstrength security is applied to stored information, including a firewall, hard-disk encryption, password encryption, and encrypted user access to TPAM Suite, and onward to the target system. All these features are backed by role-based approval workflows that can be easily configured to map the current or the desired process, and integrate with organisations existing identity stores. DEPLOYMENT Typically, the solution is deployed by qualified IT staff with knowledge of networks and limited system knowledge. The average time for implementation is usually an hour for pilot projects, two days for departmental deployments, and between two and five days for enterprise-wide deployments. Modular deployment has been incorporated as a design requirement enabling, for example, the Privileged Password Management module to be deployed initially, followed by others at a later date. Individual modules can be activated from the appliance by licence key. No additional resource is required once the product is installed. Day-to-day operations, such as policy modifications and incident audit reporting are typically managed by IT security staff. e-dmz Security states that no specific user training is necessary. TPAM suite is available as an on-premise solution, with alternative ownership models from the company s security partners including remote management of on-premise deployments, or total hosting of TPAM Suite. No supporting software is required (all user input is via a browser-based interface), and integration with existing corporate identity stores (which is strongly supported by the solution) is a likely feature of deployment. e-dmz Security provides a single-tier maintenance and support bundle that includes 24x7x365 support, along with updates, and commitment to appliance replacement on the next business day where required. The company has spares depots in the US, Europe, and Asia and can also provide augmented local support through its reseller network. OVUM Butler Group. This Technology Audit is a licensed product and is not to be photocopied Page 6

7 Three models of the PAR and eguardpost appliances are available to suit different scales of customer needs: The base-level product supports between five and 25 concurrent user sessions, and up to 20,000.target accounts. The intermediate-level appliance incorporates greater resilience (for example, redundant disks) and supports over 30,000 target accounts. The enterprise-level appliance can support over 250,000 target accounts. Alternatively, scalability can be increased with the Distributed Processing Appliance (DPA) appliance. Each additional DPA is capable of supporting 150 more concurrent sessions and provides distributed password check and change options. Auto-failover can be configured between two appliances, and in the event of failure a third appliance can be added with a degree of manual reconfiguration to take over in the failover role. Synchronisation takes place automatically between appliances in such configurations. TPAM Suite also allows users to request, approve, and retrieve passwords through a handheld device such as a BlackBerry or an iphone, a feature which expands the suite s deployment flexibility and usability. PRODUCT STRATEGY While any organisation with regulatory compliance obligations is a potential buyer of the solution, TPAM has traditionally been targeted at mid-sized and large enterprise-class companies in the financial services, healthcare, telecommunications, and manufacturing sectors. Unsurprisingly, the highest demand is in the financial services sector. Demand for the Privileged Session Management and Privileged Command Management features of TPAM Suite is seen as growing due to greater uptake of outsourcing, where companies may require remote access to their managed infrastructure resources. The tendency for more applications to be used in support of revenue-generating or business-critical activities, and the preference for cost-efficient IT support processes, are also giving rise to greater demand for remote access to production resources. TPAM Suite is sold through e-dmz Security s direct sales team, which contributes about 65% of product sales revenues, and also via the company s partner and reseller networks, which generate the remaining 35%. TPAM suite is sold across all major regions both directly and via partners. e-dmz Security s key global business partners include: Preventia (UK); Adines (France); Navixia (Switzerland); Compfort (Poland); NeoSecure (Argentina, Chile, Peru); Starlink (UAE, Saudi Arabia, Kuwait, Dubai, Turkey, Qatar, Bahrain); Aspirant Technologies (Singapore, Hong Kong); nforce (Thailand); Appnomic (India); NewAge (Israel); Array Networks (Korea); and IQsec S.A. de C.V (Mexico). TPAM suite is licensed with a perpetual model, within which PAR appliances are charged on a per-device basis, while eguardpost appliances are charged on the basis of the number of concurrent sessions. According to e-dmz Security, a typical entry-level deployment costs around US$20,000, a mid-size deployment US$75,000, and a large, enterprise-wide deployment is likely to cost US$250,000 or more. In the case of each scale of example deployment, the company attributes 80% of the total to licensing costs, and 20% to services costs. OVUM Butler Group. This Technology Audit is a licensed product and is not to be photocopied Page 7

8 e-dmz Security usually releases twice-yearly packages of enhancements to TPAM Suite, with the releases incorporating features requested by customers as well as others to build new capabilities The company has shared a detailed roadmap with Ovum and we feel its direction to show a commitment to add further depth to the solution elements, and provide additional means of value realisation for customers. COMPANY PROFILE Founded in 2001, e-dmz Security is headquartered in Wilmington, Delaware, US, and has about 30 employees. Since inception the company has been focused on addressing issues related to Privileged Password Management and remote vendor access and monitoring. e-dmz Security s product portfolio, which is all self-developed, first addressed privileged password management, then privileged session management, and now comprises the PAR and eguardpost appliances, and TPAM suite, which manages and deploys all the appliances capabilities. e-dmz Security is privately owned without venture capital funding and does not report its key financials, although the company states that its revenues increased by 75% in the first half of 2009 compared with the same period in 2008, and that it is profitable. The company has approximately 350 customers in 17 countries, but non-disclosure agreements with many customers prevent their names being published. However, off the record, e-dmz Security has named customers that are very significant and well-known companies in the banking, automotive, and manufacturing sectors. Furthermore it states that four of the top 10 enterprises as ranked by Forbes, and three of the largest five companies in the financial services sector, are among its customers. SUMMARY The Privileged Account Management solutions market place is developing fast, fuelled by organisations need to fully address compliance and general security needs, in this case in a critical area from a risk perspective. While enterprises operate hardware, systems, and applications that incorporate inflexible and insecure privileged access accounts and passwords where there is no choice but to use shared access mechanisms within the population of corporate privileged users, significant accountability, risk, and compliance problems will arise. Ovum sees the primary requirements in this area for sizeable organisations as being broad coverage of their technology estate, provision of a sufficient range of management processes and efficiency aids, and a strong security and compliance focus. With TPAM Suite, e-dmz Security meets these criteria admirably, and offers an in-depth, highly value-adding range of functionality. The company has already acquired an impressive installed base, and we would evaluate this solution as being among the leading products in this emerging market area. OVUM Butler Group. This Technology Audit is a licensed product and is not to be photocopied Page 8

9 Table 1: Contact Details Corporate Headquarters 501 Silverside Road, Suite 143 Wilmington Delaware Tel: +1 (302) Tel: +1 (866) (toll-free from US only) Fax: +1 (302) Source: e-dmz Security O V U M B U T L E R G R O U P Headquarters Shirethorn House, 37/43 Prospect Street, Kingston upon Hull, HU2 8PX, UK Tel: +44 (0) Fax: +44 (0) OVUM Bu Australian Sales Office Level 46, Citigroup Building, 2 Park Street, Sydney, NSW, 2000, Australia Tel: + 61 (02) Fax: + 61 (02) End-user Sales Office (USA) 245 Fifth Avenue, 4th Floor, New York, NY 10016, USA Tel: Fax: For more information on OVUM Butler Group s Subscription Services please contact one of the local offices above. Important Notice This report contains data and information upto-date and correct to the best of our knowledge at the time of preparation. The data and information comes from a variety of sources outside our direct control, therefore Butler Direct Limited cannot give any guarantees relating to the content of this report. Ultimate responsibility for all interpretations of, and use of, data, information and commentary in this report remains with you. Butler Direct Limited will not be liable for any interpretations or decisions made by you. tler Group. This Technology Audit is a licensed product and is not to be photocopied Page 9