Securing Privileges in the Cloud. A Clear View of Challenges, Solutions and Business Benefits




Introduction

Cloud environments are widely adopted because of the powerful, flexible infrastructure and efficient use of resources they provide to organizations of all sizes. Whether organizations are using private, public or hybrid cloud environments for infrastructure or software-as-a-service, the common goal is to achieve operational and cost benefits without giving up full control over infrastructure and data. This introduces a real challenge: privileged accounts in cloud environments are at a critical juncture of control and management, because once an unauthorized user has access to privileged account credentials, control over the entire infrastructure is in the hands of the attacker. This is where securing privileged accounts plays a critical role in securing cloud environments and meeting audit and compliance requirements.

Privileged Accounts in Cloud Environments

Privileged accounts in cloud environments must be managed, protected and monitored just like privileged accounts in traditional datacenter environments. These privileged accounts include administrative accounts on virtual machines and management consoles as well as cloud provider APIs, and administrative accounts for software-as-a-service applications including corporate social media accounts. While securing privileged accounts in traditional environments is becoming common practice, there are unique characteristics of privileged users and credentials in cloud environments that introduce new challenges and requirements for protecting these accounts.

The flexibility and dynamic nature of cloud environments lead to privileged accounts that are extremely powerful and must be properly secured. Beginning with the management console, an administrator can control thousands of images. Machines can be provisioned or deleted with the click of a button while corresponding administrator accounts are created and deleted at the same rapid pace. APIs expand this problem by provisioning and deleting machines without user interaction. All of this can be done without the added budget approval and purchasing processes that deliver a checks-and-balances review in a traditional hardware environment.

The power of these management console and API credentials, combined with the ease with which privileged users can execute actions, puts organizations at risk of inadvertent or intentional disruption of the cloud environment or breach of existing security controls and policies. Equally important, this can result in unnecessary and unapproved expenses, defeating the cost savings advantage of cloud computing.

[Figure: Old Way: Hack a System. New Way: Hack a Datacenter. Cloud management tools provide a single access point for attackers to reach an entire datacenter.]

CyberArk Software Ltd. cyberark.com

Moving beyond the management consoles to the virtual server environment, privileged credentials grow exponentially in cloud environments because new server instances are commonly deployed by simply cloning an existing template. As a result, new servers are deployed instantaneously with default administrative passwords, which are at high risk of being compromised because they can be easily guessed or discovered through basic investigation. This explosive use of default passwords in cloud environments poses a critical risk of unauthorized access.

In both the management console and server layers, the dynamic nature of cloud environments makes detecting changes and monitoring activity extremely challenging. Beyond the challenges in traditional environments, it is difficult to maintain visibility in a cloud environment because privileged users can make changes to the environment with relative ease, avoiding detection. As a result, monitoring activity to detect changes is a challenge.

Required Capabilities for Protecting Privileged Accounts in Cloud Environments

Secure privileged credentials

Privileged passwords and SSH keys are powerful and therefore should be stored securely. Access and use of privileged credentials should be tightly controlled, with workflow approvals required for the most sensitive credentials. Audit logs and individual accountability are necessary for effective forensics investigations.

Eliminate default passwords and SSH keys

The rapid and seamless creation of machines introduces new privileged credentials to the environment at an alarming rate. For example, every new Linux machine in AWS is provisioned with an SSH key. Therefore, default passwords and SSH keys should be replaced or rotated upon provisioning of a new machine. The new credentials should meet existing policies for complexity and frequency of rotation.

Isolate activity

Direct connections to critical systems by third parties can make virtual machines vulnerable to endpoint risks. The use of a jump server segregates an organization's internal network from the cloud and prevents malware from traveling from network machines and those of third parties to the cloud environment. The jump server acts as a single access control point, allowing organizations to enforce strict firewall rules, further enhancing security.

Eliminate credentials in scripts and applications

Passwords and SSH keys used to authenticate scripts and applications introduce a back door for attackers and should be removed and replaced with dynamic credentials stored in a secure environment. The rotation and retrieval of these credentials should be automated for maximum reliability and security.

Monitor and record sessions

The dynamic nature of cloud environments makes visibility into privileged credential access and use a real challenge. Monitoring and recording privileged user and session activity is required to identify malicious or unintentional changes to the environment. Tamper-proof audit logs and video recordings that can be viewed later are valuable for compliance and forensics purposes.

Enforce least privileges

Users with excess privileges can lead to accidental and intentional damage to the network. Reducing administrative privileges and enabling centrally managed privilege escalation minimizes the risk of credential misuse with no impact on user productivity.

Detect anomalous activity

For maximum security, organizations need a strategy for uncovering attacks already inside the cloud environment. In order to detect and disrupt malicious activity on privileged accounts, all activity should be collected and analyzed to detect anomalous activity. Once alerted to suspicious activity, organizations can stop in-progress attacks and reduce the window of opportunity for attackers.

Cloud environments have privileged credentials in two different layers: at the management console layer and at the virtual server layer. Therefore, it is important for organizations to employ a layered approach to protecting privileged credentials in both virtual servers and the tools used to manage the environment. Management tools that require protection include hypervisors, APIs and web management consoles provided by cloud service providers. This double layer of privileged account security will mitigate the risk of unauthorized access to cloud environments.
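The "Eliminate default passwords and SSH keys" requirement above can be checked against an instance inventory. The following is an added example, not code from this paper or from CyberArk: it fingerprints each instance's authorized key the way OpenSSH does and flags keys inherited from a template, shared between clones, or older than the rotation policy. The inventory layout, instance names, key material and the 90-day limit are all assumptions.

```python
import base64
import hashlib
from collections import defaultdict
from datetime import date

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy, not a value from the paper


def fingerprint(authorized_keys_line):
    """OpenSSH-style SHA256 fingerprint of a '<type> <base64> [comment]' line."""
    blob = base64.b64decode(authorized_keys_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit(inventory, template_lines, today):
    """Return {instance_id: [reasons]} for keys that are default, shared or overdue."""
    template_fps = {fingerprint(line) for line in template_lines}
    by_fp = defaultdict(list)
    for inst in inventory:
        by_fp[fingerprint(inst["key"])].append(inst["id"])

    findings = defaultdict(list)
    for inst in inventory:
        fp = fingerprint(inst["key"])
        if fp in template_fps:
            findings[inst["id"]].append("template default key still installed")
        if len(by_fp[fp]) > 1:
            others = [i for i in by_fp[fp] if i != inst["id"]]
            findings[inst["id"]].append("key shared with " + ", ".join(others))
        if (today - inst["installed"]).days > MAX_KEY_AGE_DAYS:
            findings[inst["id"]].append("rotation overdue")
    return dict(findings)


def _line(seed):
    # Constructed placeholder: not a real key, just bytes to fingerprint.
    return "ssh-ed25519 " + base64.b64encode(seed).decode() + " constructed"


TEMPLATE_KEYS = [_line(b"template-image-key")]
INVENTORY = [  # constructed sample fleet
    {"id": "web-01", "key": _line(b"template-image-key"), "installed": date(2014, 1, 10)},
    {"id": "web-02", "key": _line(b"template-image-key"), "installed": date(2014, 6, 1)},
    {"id": "db-01", "key": _line(b"rotated-key-db-01"), "installed": date(2014, 5, 20)},
    {"id": "app-01", "key": _line(b"rotated-key-app-01"), "installed": date(2013, 11, 2)},
]

if __name__ == "__main__":
    report = audit(INVENTORY, TEMPLATE_KEYS, date(2014, 6, 15))
    for instance, reasons in sorted(report.items()):
        print(instance, "->", "; ".join(reasons))
```

Grouping by fingerprint rather than by key comment catches clones even when the comment field was edited after provisioning.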

Spotlight on Social Media

Software-as-a-service applications, including corporate social media accounts on Facebook, Twitter, LinkedIn and similar services, are cloud applications that require protection. These accounts are often overlooked because they contain public-facing content, which is not sensitive or in need of protection from unauthorized access. However, if an unauthorized insider or external attacker gains access to the administrative credentials of the account, they could do serious damage to the business. Unapproved postings to social media accounts have led to significant brand damage, loss of customers and negative press in several high-profile cases. With a complete Privileged Account Security Solution, these powerful credentials can also be managed, protected and monitored to ensure social media postings are in the control of the enterprise at all times.

Business Benefits of Securing Privileged Accounts in the Cloud

Maximized Investment in Security Solutions

Extending privileged account security solutions to cloud-based environments allows organizations to maintain a consistent security posture for privileged accounts across all servers, network devices and applications, whether on-premises or in hybrid and public cloud environments. Organizations that invest in a comprehensive Privileged Account Security Solution will receive maximum value from a single solution that can manage all credentials and accounts regardless of location.

Streamlined Management

The use of one solution for all privileged accounts and credentials streamlines administration and management of solutions by providing a single management interface for all features of the solution as well as environments. In addition, DevOps teams can integrate the solution directly into existing cloud management tools including Chef, Puppet and PowerShell for maximum productivity. This streamlined management makes IT, DevOps and security teams more efficient with day-to-day tasks and increases capacity to take on new strategic initiatives.

Complete, Efficient Auditing Process

Full visibility, monitoring and recording of privileged account activity in cloud environments provide auditors with a complete view of activity and streamline audit procedures. In addition, integrated reports on cloud-based and on-premises privileged activity increase efficiency and confidence that audit reports are complete and accurate.

Conclusion

Privileged accounts are a preferred attack vector for advanced external and internal attacks because they provide a pathway directly into the heart of the enterprise. In order for organizations to achieve a complete privileged account security layer, all cloud-based and on-premises privileged accounts must be secured. With CyberArk Privileged Account Security, organizations can deploy a layered security strategy for proactive protection and detection of all privileged accounts regardless of where they reside. This approach delivers a critical security layer designed to disrupt advanced external and internal attacks before they stop business.

Appendix: The CyberArk Privileged Account Security Solution

The CyberArk Privileged Account Security Solution provides a single solution for protecting all privileged accounts, whether on-premises or in the cloud. The integrated set of products built on a common platform delivers the required features for protecting privileged accounts regardless of where they live. Specific to cloud environments, the CyberArk Privileged Account Security Solution includes:

Shared Technology Platform

The CyberArk Privileged Account Security Solution is built on a common platform, the CyberArk Shared Technology Platform. The consolidated platform delivers a single management interface, centralized policy creation and management, and a secure Digital Vault. The platform is designed to centralize management of all privileged credentials for both on-premises and cloud environments to reduce costs and minimize resources required for securing privileged accounts across the organization.

Enterprise Password Vault securely stores privileged passwords and provides access for authorized users across a broad range of cloud applications. Management features include automated password rotation based on existing policies. This automated process reduces the time-consuming and error-prone task of manually tracking and updating privileged credentials to easily meet requirements for securing cloud environments.

SSH Key Manager securely stores private SSH keys, commonly used to authenticate to cloud environments and UNIX images. Once securely stored, the solution enables automatic rotation of key pairs and provides detailed audit logs on the use of SSH keys by users and applications.

Application Identity Manager eliminates hard-coded credentials, including passwords and encryption keys, from cloud management scripts and applications. CyberArk's Application Identity Manager meets enterprise requirements for availability and business continuity and eliminates embedded application credentials, often without requiring code changes and with zero impact on performance.

Privileged Session Manager isolates, controls, records and monitors privileged user access and activities to virtual machines, cloud management consoles, websites and SaaS applications. The solution acts as a jump server, providing a single access control point and secure connection to the cloud provider. This results in true network segregation with full monitoring and auditing capabilities.

On-Demand Privileges Manager allows privileged users to use administrative commands from their native session on guest machines while eliminating unneeded root access or admin rights. This secure and enterprise-ready sudo-like solution provides unified and correlated logging of all super-user activity, linking it to a personal username while providing the freedom needed to manage machines in cloud environments.

Privileged Threat Analytics uses behavior-based analytics to establish a baseline profile of all users and account activity, then compares real-time data against it to detect anomalous activity. Alerts on anomalous activity indicate an in-progress attack and enable organizations to shut down attacks and minimize business impact.
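The baseline-and-compare idea described for anomaly detection on privileged accounts, as an added example: this is not CyberArk's algorithm or code, only a minimal illustration of the concept. The log format, field names, sample events and the three deviation rules are assumptions.

```python
from collections import defaultdict
from datetime import datetime


def parse(line):
    """Parse '<ISO time> key=value ...' into a dict with an added 'hour' field."""
    stamp, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["hour"] = datetime.fromisoformat(stamp).hour
    return event


def build_baseline(lines):
    """Per user: privileged account/target pairs, source addresses, active hours."""
    base = defaultdict(lambda: {"access": set(), "src": set(), "hours": set()})
    for e in map(parse, lines):
        profile = base[e["user"]]
        profile["access"].add((e["account"], e["target"]))
        profile["src"].add(e["src"])
        profile["hours"].add(e["hour"])
    return base


def score(line, base):
    """Return the ways one new event deviates from its user's baseline."""
    e = parse(line)
    if e["user"] not in base:
        return ["user has no privileged-access history"]
    p = base[e["user"]]
    reasons = []
    if (e["account"], e["target"]) not in p["access"]:
        reasons.append("new account/target " + e["account"] + "@" + e["target"])
    if e["src"] not in p["src"]:
        reasons.append("new source " + e["src"])
    # Hour distance is measured around the clock, so 23:00 and 00:00 are adjacent.
    gaps = [min(abs(e["hour"] - h), 24 - abs(e["hour"] - h)) for h in p["hours"]]
    if min(gaps) > 1:
        reasons.append("unusual hour %02d:00" % e["hour"])
    return reasons


HISTORY = [  # constructed baseline period
    "2014-06-02T09:14:00 user=alice account=root target=web-01 src=10.0.1.5",
    "2014-06-03T10:02:00 user=alice account=root target=web-01 src=10.0.1.5",
    "2014-06-04T14:40:00 user=alice account=root target=web-02 src=10.0.1.5",
    "2014-06-03T11:30:00 user=bob account=aws-console-admin target=console src=10.0.1.9",
]
NEW = [  # constructed events to evaluate
    "2014-06-05T09:50:00 user=alice account=root target=web-01 src=10.0.1.5",
    "2014-06-05T03:12:00 user=alice account=root target=db-01 src=203.0.113.7",
    "2014-06-05T11:45:00 user=bob account=aws-console-admin target=console src=10.0.1.9",
]

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for line in NEW:
        print(line.split()[0], score(line, baseline) or "matches baseline")
```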

All rights reserved. This document contains information and ideas, which are proprietary to CyberArk Software Ltd. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, without the prior written permission of CyberArk Software Ltd. Copyright 2000-2014 by CyberArk Software Ltd. All rights reserved. cyberark.com