Security Survey 2009: Privileged User Management. It's Time to Take Control. Frequently Asked Questions and Background
What is a privileged user?

A privileged user is an individual who, by virtue of their function, has been allocated powers within a technology infrastructure that are significantly greater than those available to the majority of users. Such persons include, for example, the system administrator(s) and network administrator(s) who are responsible for keeping the system available; they may also include application, security or database administrators. Specific privileges include the ability to create a file in a directory, to read or delete a file, to access a device, or to hold read or write permission on a socket for communicating over the Web.

Privileged users play a crucial and sensitive role in the organisation. Having privileged access to various IT resources in order to do their job, they can access private and sensitive data within the organisation, create new user profiles, and add to or amend the powers and access rights of existing users. Such high-level access means that any mistakes they make can have serious consequences, and if they abuse their rights for personal reasons, the results of their actions can be very serious indeed.

Do organisations understand the power and control that is in the hands of these privileged users?

Regulatory authority and other compliance inspections have revealed that in many cases organisations of all sizes have little real understanding of the work carried out by systems administrators and other members of the privileged user community. They typically underestimate and overlook the risks they run if the activities of administrators and privileged users are not controlled in the manner expected by the organisation's security strategy. There are also many examples of hackers targeting privileged accounts and successfully gaining access to critical business applications and data. Privileged accounts are one of the primary targets for hackers, as they give them the keys to the kingdom.

This recent CA research, "The benefits for IT managers of controlling and monitoring their own activities", highlights how organisations underestimate the importance of privileged user management. For example, the ISO series of standards for IT management, adopted by about 40% of the respondents to the survey, explicitly states that the allocation and use of privileges shall be restricted and controlled. However, despite widespread claims to have adopted the standard, many businesses admit to bad practices with regard to privileged user management that are in direct contravention of it.

The CA research reveals a number of bad practices, such as the sharing of privileged user accounts. This points to wider bad practice, such as the use of default privileged account user names and even passwords. Elsewhere, the research reveals that almost 41% of respondents admitted that their organisations shared administrator accounts between users for operating system access, a figure which rose to over 50% for network administrators.
What rules, standards and regulations are there to protect organisations from malicious or inadvertent PUM?

Organisations today are faced with addressing an ever-growing list of compliance initiatives. The most well-known are Sarbanes-Oxley (SOX), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the European Union Data Protection Directive 95/46, the Japanese Personal Information Protection Act (JPIPA), and additional regulations and guidelines.

Additionally, initiatives such as the Payment Card Industry Data Security Standard (PCI DSS) have considerable impact on any company that handles credit cards. PCI DSS establishes standard requirements for protecting cardholder information. It applies to all entities that store, process or transmit cardholder data, such as retail merchants, payment processors and banks. Among the requirements for PCI DSS compliance is rigorous access control. To comply, organisations must reduce administrative privileges through secure privilege delegation on Windows and Active Directory, alert on failed administrator/user access and on AD/Group Policy object changes, and publish their data control policies.

The ISO 27001 security standard also advocates that the allocation and use of privileges should be restricted and controlled. For example, the access privileges associated with each system product (e.g. operating system, database management system and each application), and the users to which they need to be allocated, should be identified. Privileges should be allocated to users on a need-to-use basis and on an event-by-event basis, in line with the access control policy, and an authorisation process and a record of all privileges allocated should be maintained. The standard also demands that the development and use of system routines should be promoted to avoid the need to grant privileges to users, and that privileges should be assigned to a different user ID from those used for normal business use.

In Italy, the Garante (the personal data protection watchdog) has issued a series of measures that organisations need to adopt in the management of system administrators and other privileged users. New rules are coming into force which call on all private companies and public bodies to ensure that their work is monitored. For example, systems must be introduced to log access by systems administrators to IT systems and electronic archives; the activity of each systems administrator must be monitored at least annually to ensure it fully complies with all organisational, technical and security provisions; and corporate security plans must include the name of each systems administrator and their assigned duties.

Corporate executives are pushing their organisations to comply with these regulations or face personal liability and the threat of criminal and/or civil penalties. They are being pressured to improve access security for Windows, UNIX and Linux systems by legislation, internal and external auditing requirements, and general security concerns. Yet it is a feature of these operating systems that administrators require access at a level that would allow them to view and change critical data without being audited.

In the context of information security, almost all of this legislation comes down to the principle of least privilege. This requires that, in a particular abstraction layer of a computing environment, every module (whether it is a process, a user or a program) must be able to access only the information and resources that are necessary to its legitimate purpose. When applied to users, the terms least user access or least-privileged user account (LUA) are also used, referring to the concept that all users at all times should run with as few privileges as possible, and also launch applications with as few privileges as possible.
How does the typical organisation currently tackle the issue of PUM?

According to the CA security research, around 24% of organisations have some form of manual control in place for overseeing the actions of, and controlling the access of, privileged users. Despite the availability of more sophisticated systems and the clear case for them, only around 22% have actually deployed a full PUM system. However, the high number of organisations (47%) that say they have plans (albeit often delayed ones) suggests a high awareness of the benefits.

Organisations that rely on manual processes have to create and manage redundant user files in multiple systems to allow access. They hand out the root passwords to each person that needs privileged access and then cannot change the password for fear of locking people out. Sometimes, when problems occur, the systems administrator is under suspicion and has no way to prove that they were not the one who caused the problem. Some organisations have a basic check-out, check-in system that allows them to track who had the unlimited access and when, but it does not control or reliably track what the user does with the full super-user account.

The disadvantages of these approaches are clear. A reliance on manual processes for monitoring and controlling privileged users is time-consuming, excessively expensive, unreliable and prone to error. Ultimately it results in a very real threat to the organisational security that the manual PUM processes were originally introduced to overcome.

What options are there to help companies prevent incidents and ensure PUM compliance?

Clearly, it is in the interest of individual IT managers, the IT department as a whole and the overall business to have measures in place to control and monitor privileged users. An ideal starting point is to ensure that all default privileged user accounts are identified and closed down. However, this can be a huge task, given the scale of operating systems, networking devices, security systems, databases, business applications and other IT infrastructure components. It would be slow and impractical to rely on manual processes to manage these and to make sure they follow corporate policy and audit requirements. Here, PUM automation software can be deployed which understands the wide range of systems that businesses use and enforces the necessary policies to ensure compliance with corporate standards.

With the default accounts under control, it is then necessary to grant privileged user rights in specific areas to those who require them. Some businesses attempt to perform this necessary security task manually: issuing one-off passwords and mailing them around in spreadsheets or storing them in sealed envelopes in a safe, allowing access for a given period of time before changing the password back again. This has the obvious flaw that some higher-level privileged user would still have all the access rights that good-practice PUM tries to avoid, as well as being non-scalable and cumbersome.

Organisations can also consider deploying a system that can search for and lock out default accounts. Such a system could also be used to assign privileged access to certain systems to individuals whose actions are monitored whilst they are working. It could also be used to manage the assignment of one-time passwords on particularly sensitive systems. However, solving the issue of shared administrator accounts is only part of the problem.
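As an added example, not code from the CA document, the following Python audit walks a Unix account database for the three hygiene problems raised in the sections above: several accounts sharing UID 0 (root as a shared identity), default accounts that still accept logins, and everyday logins that also hold administrative group rights, contrary to the ISO 27001 separate-ID rule. The passwd, group and shadow data are constructed inline, and the default-account names and group names are assumptions for the illustration.

```python
"""Account-hygiene audit: shared UID 0, enabled default accounts, and everyday
logins that also carry admin rights. Added example, not from the CA document;
all account data below is constructed and the policy sets are assumptions."""

# Constructed sample passwd(5), group(5) and shadow(5) data; "$6$hash" stands in
# for a real password hash. Not taken from any real host.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup superuser:/root:/bin/bash
admin:x:1000:1000:Shared admin:/home/admin:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
alice-adm:x:1002:1002:Alice (admin):/home/alice-adm:/bin/bash
bob:x:1003:1003:Bob:/home/bob:/bin/bash
oracle:x:1100:1100:Oracle service:/opt/oracle:/bin/bash
"""

GROUP = """\
root:x:0:
wheel:x:10:alice,bob,alice-adm
sudo:x:27:admin
users:x:100:alice,bob
"""

SHADOW = """\
root:$6$hash:18000:0:99999:7:::
toor:$6$hash:18000:0:99999:7:::
admin:$6$hash:18000:0:99999:7:::
alice:$6$hash:18000:0:99999:7:::
alice-adm:$6$hash:18000:0:99999:7:::
bob:$6$hash:18000:0:99999:7:::
oracle:!:18000:0:99999:7:::
"""

# Assumed policy inputs (illustrative; a real estate would tune these lists).
DEFAULT_ACCOUNT_NAMES = {"admin", "oracle", "guest"}
ADMIN_GROUPS = {"root", "wheel", "sudo"}
EVERYDAY_GROUPS = {"users"}


def parse_passwd(text):
    """Map account name -> {uid, gid, shell} from passwd(5) text."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, gid, _gecos, _home, shell = line.split(":")
            users[name] = {"uid": int(uid), "gid": int(gid), "shell": shell}
    return users


def parse_group(text):
    """Map group name -> {gid, members} from group(5) text."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, members = line.split(":")
            groups[name] = {"gid": int(gid),
                            "members": {m for m in members.split(",") if m}}
    return groups


def parse_shadow(text):
    """Map account name -> password hash field from shadow(5) text."""
    return {l.split(":")[0]: l.split(":")[1] for l in text.splitlines() if l}


def is_locked(hash_field):
    """A hash field starting with '!' or '*' means password login is disabled."""
    return hash_field.startswith(("!", "*"))


def shared_root_accounts(users):
    """Every account with UID 0; more than one means root is a shared identity."""
    return sorted(n for n, u in users.items() if u["uid"] == 0)


def enabled_default_accounts(users, shadow):
    """Default/vendor accounts that still accept password logins."""
    return sorted(n for n in users
                  if n in DEFAULT_ACCOUNT_NAMES and not is_locked(shadow.get(n, "!")))


def members_of(users, groups, wanted):
    """Accounts in any of the wanted groups, via primary GID or the member list."""
    gids = {g["gid"] for n, g in groups.items() if n in wanted}
    found = {n for n, u in users.items() if u["gid"] in gids}
    for n, g in groups.items():
        if n in wanted:
            found |= g["members"]
    return found


def everyday_logins_with_admin_rights(users, groups):
    """Everyday logins that also hold admin rights, i.e. privileges are not on
    a separate user ID from the one used for normal work."""
    return sorted(members_of(users, groups, ADMIN_GROUPS)
                  & members_of(users, groups, EVERYDAY_GROUPS))


def audit(passwd_text, group_text, shadow_text):
    """Run all three checks; return the offending account names per check."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    shadow = parse_shadow(shadow_text)
    return {"shared_uid0": shared_root_accounts(users),
            "enabled_defaults": enabled_default_accounts(users, shadow),
            "everyday_admins": everyday_logins_with_admin_rights(users, groups)}


if __name__ == "__main__":
    for check, names in audit(PASSWD, GROUP, SHADOW).items():
        print(f"{check}: {', '.join(names) or 'none'}")
```

On the sample data, alice-adm is not flagged because it is an admin-only identity, while alice and bob are flagged because their everyday logins sit in wheel.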
What does an organisation need to consider in order to address its PUM challenges?

The first step must be to look at privileged user management as a major business and risk management issue, not as a parochial IT subject. The issue of PUM should be owned by the business and by high-level executives who are educated in the issue. By understanding at a strategic level the risks inherent in privileged users having access to sensitive data, organisations can more quickly overcome the funding obstacles inherent in such a cause.

Second, the optimal way to control, monitor and measure privileged users is to deploy tools that fully automate the management of privileged user accounts and the assignment of privileged user access, and that enable the full monitoring of their activities. Fine-grained access control should be an integral feature of the PUM solution. Besides offering greater control, integrity and transparency within an organisation, this control also addresses the requirement to cater for the principle of least privilege, which helps satisfy many of the compliance and best-practice requirements. Regulations require fine-grained controls and cross-platform consistency to ensure the separation of duties, for example. Additionally, in the event of a compromise, the ability to research the incident forensically is also required. This way an auditor will not only know who checked out a password and when, but will also be able to identify what the privileged user did with the password.

Third, it is also important to consider a PUM solution that helps the organisation move along a maturity model and that adapts to the changing needs of the business. The solution needs the flexibility to be deployed quickly to support basic privileged user passwords. Simultaneously, to follow the principle of least privilege and more effectively meet compliance requirements, the same tool needs to provide fine-grained access control and auditing across disparate resources.
How can CA Access Control answer the PUM problem?

CA Access Control provides organisations with powerful control over privileged users. CA Access Control is the only solution that is capable of controlling privileged users and providing temporary privileged access across servers, applications and devices, all from a single, central management console. Key features include:

- Policy-based access control. Access is prohibited or allowed based on security policies or rules.
- Fine-grained access control. Granular control of what a user can or cannot do, including file-level access controls.
- Policy management. Centralised, highly scalable policy management and access controls can be applied uniformly across UNIX (AIX, HP and Sun), z-linux, Linux (Redhat) and Microsoft systems, or individually tailored for each platform.
- Secure audit. Secures audit files to ensure they cannot be deleted or modified by administrators or super users; reports track who did what.
- Robust reporting (out-of-the-box and custom). CA Access Control provides 60+ types of reports for compliance submission, including segregation-of-duty reports, privileged user access, password policy, etc.
- Privileged User Password Management (PUPM). Provides access to privileged accounts on a temporary, one-time-use basis, or as necessary, while providing user accountability for their actions through secure auditing. Support for PUPM is available for servers, applications and devices in a physical or virtual environment.
- UNIX Authentication Broker (UNAB). Credential checking of UNIX users from Microsoft Active Directory, which allows the consolidation of authentication and account information.
- Unified Console. A single Web user interface consolidates the management of host access control and privileged user management.

Why is this a unique PUM solution?

CA is the only vendor that includes market-leading host access control within a feature-rich privileged user management offering, all managed from a single console that provides a single user interface. The solution focuses on three key features:

- Privileged User Password Management (PUPM): While protecting against external threats remains an area of focus for IT, the need to provide application and device protection against internal threats is becoming more important. Managing and providing access to privileged accounts, even on a temporary, one-time-use basis, is necessary, all while providing user accountability for their actions in a shared account.
- UNIX Authentication Broker (UNAB): The use of Microsoft Windows in IT server configurations continues to grow and requires a co-existence with UNIX servers that allows the consolidation of authentication and account information.
- Unified Console: A common Web user interface consolidates information and facilitates policy administration from a centralised management interface.

What are the benefits of CA Access Control to the C-level executive (including the CEO or Chief Risk & Compliance Officer)?

- Provides a new level of comfort to IT security management, allowing an IT team to easily manage and track privileged user activities on the systems that they are responsible for.
- Introduces a complete solution to all aspects of privileged user management, protecting critical servers, applications and devices across platforms and operating systems, and helps ensure regulatory compliance.
- Allows IT security management to mandate detailed policy-based controls for privileged user access to system resources, monitor their activity, and control under what circumstances access is allowed.
- Enables systems administrators to create and consistently enforce the desired level of control, resulting in greater security for the organisation's critical IT resources and data while providing the necessary accountability.

What are the benefits of CA Access Control to the VP or Director of Security/CISO?

- Controls and monitors access to a diverse set of server-based resources, to satisfy internal policies and external compliance regulations.
- Enables cross-platform creation, deployment and management of complex, fine-grained access controls. Unlike native operating systems, which only provide basic controls on a single platform, the solution can deploy granular policies on multiple platforms to provide the security required and the tracking necessary to meet internal and external compliance requirements.
- Offers an important layer of protection against critical data loss events that can be devastating to a company's reputation and finances.

What are the benefits of CA Access Control to the users?

- Provides a new level of control to the systems administrator to easily manage and track privileged user activities on the systems that they are responsible for.
- A complete solution to all aspects of PUM, protecting critical servers, applications and devices across platforms and operating systems, and helping ensure regulatory compliance.
- Allows systems administrators to create and enforce policy-based controls for privileged user access to system resources, monitor their activity, and control under what circumstances access is allowed.
- Provides greater accountability and gives the systems administrator increased control of their critical resources.
More informationPCI Data Security Standards (DSS)
ENTERPRISE APPLICATION WHITELISTING SOLUTION Achieving PCI Compliance at the Point of Sale Using Bit9 Parity TM to Protect Cardholder Data PCI: Protecting Cardholder Data As the technology used by merchants
More informationAchieving Security through Compliance
Achieving Security through Compliance Policies, plans, and procedures Table of Contents This white paper was written by: McAfee Foundstone Professional Services Overview...3 The Rock Foundation...3 Governance...3
More informationEnsuring Compliance to Sarbanes-Oxley through Privileged Identity & Information Management. White Paper. V Balasubramanian. ZOHO Corp.
Ensuring Compliance to Sarbanes-Oxley through Privileged Identity & Information Management White Paper V Balasubramanian ZOHO Corp. Disclaimer: This document is not intended to be a complete guide or legal
More informationIBM InfoSphere Guardium Data Activity Monitor for Hadoop-based systems
IBM InfoSphere Guardium Data Activity Monitor for Hadoop-based systems Proactively address regulatory compliance requirements and protect sensitive data in real time Highlights Monitor and audit data activity
More informationFORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY
FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY Page 1 of 6 Summary The Payment Card Industry Data Security Standard (PCI DSS), a set of comprehensive requirements for enhancing payment account
More informationA Database Security Management White Paper: Securing the Information Business Relies On. November 2004
A Database Security Management White Paper: Securing the Information Business Relies On November 2004 IPLocks, Inc. 441-A W. Trimble Road, San Jose, CA 95131 USA A Database Security Management White Paper:
More informationThe Challenges of Administering Active Directory
The Challenges of Administering Active Directory As Active Directory s role in the enterprise has drastically increased, so has the need to secure the data it stores and to which it enables access. The
More informationPowerBroker for Windows Desktop and Server Use Cases February 2014
Whitepaper PowerBroker for Windows Desktop and Server Use Cases February 2014 1 Table of Contents Introduction... 4 Least-Privilege Objectives... 4 Least-Privilege Implementations... 4 Sample Regulatory
More informationSafeNet DataSecure vs. Native Oracle Encryption
SafeNet vs. Native Encryption Executive Summary Given the vital records databases hold, these systems often represent one of the most critical areas of exposure for an enterprise. Consequently, as enterprises
More informationBest Practices for Database Security
Database Security Databases contain a large amount of highly sensitive data, making database protection extremely important. But what about the security challenges that can pose a problem when it comes
More informationMANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE
WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But
More informationVormetric Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard
Partner Addendum Vormetric Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard The findings and recommendations contained in this document are provided by VMware-certified
More informationSecuring Privileges in the Cloud. A Clear View of Challenges, Solutions and Business Benefits
A Clear View of Challenges, Solutions and Business Benefits Introduction Cloud environments are widely adopted because of the powerful, flexible infrastructure and efficient use of resources they provide
More informationMASSIVE NETWORKS Online Backup Compliance Guidelines... 1. Sarbanes-Oxley (SOX)... 2. SOX Requirements... 2
MASSIVE NETWORKS Online Backup Compliance Guidelines Last updated: Sunday, November 13 th, 2011 Contents MASSIVE NETWORKS Online Backup Compliance Guidelines... 1 Sarbanes-Oxley (SOX)... 2 SOX Requirements...
More informationGovernance and Control of Privileged Identities to Reduce Risk
WHITE PAPER SEPTEMBER 2014 Governance and Control of Privileged Identities to Reduce Risk Merritt Maxim CA Security Management 2 WHITE PAPER: PRIVILEGED IDENTITY GOVERNANCE Table of Contents Executive
More informationProtect the data that drives our customers business. Data Security. Imperva s mission is simple:
The Imperva Story Who We Are Imperva is the global leader in data security. Thousands of the world s leading businesses, government organizations, and service providers rely on Imperva solutions to prevent
More informationAddressing PCI Compliance
WHITE PAPER DECEMBER 2015 Addressing PCI Compliance Through Privileged Access Management 2 WHITE PAPER: ADDRESSING PCI COMPLIANCE Executive Summary Challenge Organizations handling transactions involving
More informationKeeping watch over your best business interests.
Keeping watch over your best business interests. 0101010 1010101 0101010 1010101 IT Security Services Regulatory Compliance Services IT Audit Services Forensic Services Risk Management Services Attestation
More informationBoosting enterprise security with integrated log management
IBM Software Thought Leadership White Paper May 2013 Boosting enterprise security with integrated log management Reduce security risks and improve compliance across diverse IT environments 2 Boosting enterprise
More informationPCI Compliance in Multi-Site Retail Environments
TECHNICAL ASSESSMENT WHITE PAPER PCI Compliance in Multi-Site Retail Environments Executive Summary As an independent auditor, Coalfire seeks to be a trusted advisor to our clients. Our role is to help
More informationAchieving and Maintaining PCI DSS Compliance with Centralized, Automated Application and Middleware Change Control TECHNICAL WHITE PAPER
Achieving and Maintaining PCI DSS Compliance with Centralized, Automated Application and Middleware Change Control TECHNICAL WHITE PAPER Table of Contents Executive Summary... 3 PCI DSS Breaches. Huge
More information10 Steps to Establishing an Effective Email Retention Policy
WHITE PAPER: 10 STEPS TO EFFECTIVE EMAIL RETENTION 10 Steps to Establishing an Effective Email Retention Policy JANUARY 2009 Eric Lundgren INFORMATION GOVERNANCE Table of Contents Executive Summary SECTION
More informationWhat IT Auditors Need to Know About Secure Shell. SSH Communications Security
What IT Auditors Need to Know About Secure Shell SSH Communications Security Agenda Secure Shell Basics Security Risks Compliance Requirements Methods, Tools, Resources What is Secure Shell? A cryptographic
More informationHow to Lock Down Data Privacy at the IT Worker Level
About this research note: Management & Staffing notes offer guidance on effectively managing people within an IT operation and dealing with associated leadership, staffing, and project management issues.
More informationManaging Privileged Identities in the Cloud. How Privileged Identity Management Evolved to a Service Platform
Managing Privileged Identities in the Cloud How Privileged Identity Management Evolved to a Service Platform Managing Privileged Identities in the Cloud Contents Overview...3 Management Issues...3 Real-World
More informationTake Control of Identities & Data Loss. Vipul Kumra
Take Control of Identities & Data Loss Vipul Kumra Security Risks - Results Whom you should fear the most when it comes to securing your environment? 4. 3. 2. 1. Hackers / script kiddies Insiders Ex-employees
More informationHow can Content Aware Identity and Access Management give me the control I need to confidently move my business forward?
SOLUTION BRIEF Content Aware Identity and Access Management May 2010 How can Content Aware Identity and Access Management give me the control I need to confidently move my business forward? we can CA Content
More informationAuditor s Checklist. A XYPRO Solution Paper. MAY, 2009 XYPRO Technology Corporation
Auditor s Checklist A XYPRO Solution Paper MAY, 2009 XYPRO Technology Corporation 3325 Cochran Street, Suite 200 Simi Valley, California 93063-2528 U.S.A. Email: info@xypro.com Telephone: + 1 805-583-2874
More informationManaged Hosting & Datacentre PCI DSS v2.0 Obligations
Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version
More informationAchieving PCI COMPLIANCE with the 2020 Audit & Control Suite. www.lepide.com/2020-suite/
Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite 7. Restrict access to cardholder data by business need to know PCI Article (PCI DSS 3) Report Mapping How we help 7.1 Limit access to system
More informationThe PCI Dilemma. COPYRIGHT 2009. TecForte
The PCI Dilemma Today, all service providers and retailers that process, store or transmit cardholder data have a legislated responsibility to protect that data. As such, they must comply with a diverse
More informationRESEARCH NOTE CYBER-ARK FOR PRIVILEGED ACCOUNT MANAGEMENT
Document K23 RESEARCH NOTE CYBER-ARK FOR PRIVILEGED ACCOUNT MANAGEMENT THE BOTTOM LINE Managing privileged accounts requires balancing accessibility and control while ensuring audit capabilities. Cyber-Ark
More informationPCI Compliance: Protection Against Data Breaches
Protection Against Data Breaches Get Started Now: 877.611.6342 to learn more. www.megapath.com The Growing Impact of Data Breaches Since 2005, there have been 4,579 data breaches (disclosed through 2013)
More informationKey Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking
Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking SUMMARY The Payment Card Industry Data Security Standard (PCI DSS) defines 12 high-level security requirements directed
More informationRSA Solution Brief. RSA SecurID Authentication in Action: Securing Privileged User Access. RSA Solution Brief
RSA SecurID Authentication in Action: Securing Privileged User Access RSA SecurID solutions not only protect enterprises against access by outsiders, but also secure resources from internal threats The
More informationSOLUTION BRIEF CA CONTROLMINDER. Privileged Identity Management with CA ControlMinder
SOLUTION BRIEF CA CONTROLMINDER Privileged Identity Management with CA ControlMinder CA ControlMinder is a comprehensive solution for privileged identity management that enables you to manage shared account
More informationEXECUTIVE VIEW. CA Privileged Identity Manager. KuppingerCole Report
KuppingerCole Report EXECUTIVE VIEW by Alexei Balaganski March 2015 is a comprehensive Privileged Identity Management solution for physical and virtual environments with a very broad range of supported
More informationPCI Requirements Coverage Summary Table
StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2
More informationSecure network guest access with the Avaya Identity Engines portfolio
Secure network guest access with the Avaya Identity Engines portfolio Table of Contents Executive summary... 1 Overview... 1 The solution... 2 Key solution features... 2 Guest Access Administration...
More informationDemonstrating Regulatory Compliance
White Paper Demonstrating Regulatory Compliance Simplifying Security Management November 2006 Executive Summary Increasingly, organizations throughout Europe are expected to comply (and to demonstrate
More informationSWOT Assessment: BeyondTrust Privileged Identity Management Portfolio
SWOT Assessment: BeyondTrust Privileged Identity Management Portfolio Analyzing the strengths, weaknesses, opportunities, and threats Publication Date: 11 Jun 2015 Product code: IT0022-000387 Andrew Kellett
More informationWebsense Data Security Suite and Cyber-Ark Inter-Business Vault. The Power of Integration
Websense Data Security Suite and Cyber-Ark Inter-Business Vault The Power of Integration Websense Data Security Suite Websense Data Security Suite is a leading solution to prevent information leaks; be
More informationBest Practices for Information Security and IT Governance. A Management Perspective
Best Practices for Information Security and IT Governance A Management Perspective Best Practices for Information Security and IT Governance Strengthen Your Security Posture The leading information security
More information8 Best Practices for IT Security Compliance
ROADMAP TO COMPLIANCE ON THE IBM SYSTEM i WHITE PAPER APRIL 2009 Table of Contents Prepare an IT security policy... 4 How are users accessing the system?... 5 How many powerful users are on the system?...
More information