delegation

Simplify with Intelligence

Upload: netbr

Post on 12-May-2015


Page 1: Delegation

Simplify with Intelligence

Page 2: Delegation

Common Solutions

• Integrate Unix, Linux, Mac & Java with AD
• Application SSO with AD
• Single sign-on via AD
• Strong Authentication

• Delegate Activities
• Least Privilege
• Segregation of Duties
• Authorize When Needed

• Resource Provisioning:
• UNIX, LINUX, WINDOWS
• Terminal Server and VDI
• Delegation of Administration
• Privilege Elevation

• Compliance Reporting
• Elevate Privilege when necessary
• Unify login via the AD Directory
• Unify activities via the AD Directory

Page 3: Delegation

Resource Provisioning

Policy Enforcement: Normalizing fields, names, and content to be filled in

Administration Control: Few people with direct administrative access to AD, with better privilege management.

Automation: Allows rules to be created to automate resource provisioning: Exchange, Mobile, Users, and other AD resources.

Delegation: Delegate tasks to non-Administrators based on Rules: Active Role Server - Windows and Privilege Manager – Linux and Unix

Privilege Manager: Linux and Unix

Active Role Server - Windows

Page 4: Delegation

Provision Resources

Page 5: Delegation

Enterprise Single Sign On

Simplify Control and Access:

Unix, Linux, and Mac in AD
• Vintela Authentication Services

Applications in an AD-based single sign-on/reduced sign-on environment (SAP, Siebel, Oracle, DB2, others)
• Vintela Authentication Services
• Vintela Single Sign-on for Java

A2A and A2DB

Page 6: Delegation

Enterprise Single Sign On
Solution Ramification

Synchronization (same sign-on)

• Many IDs
• Many directories
• Many logins
• One password (same for each login)
• Lots of management
• More infrastructure (connectors, agents, etc.)

ESSO (login automation)

• Many IDs
• Many directories
• One login (others automated)
• One password (others automated)
• Not quite as much management
• Maintain infrastructure (client-based)

Integration (Holy Grail)

• One ID
• One directory
• One login
• One password
• One point of ID management
• Consolidate directories/infrastructure

Page 7: Delegation

SAPM

Elevate Privilege, When Necessary

“SAPM tools enable organizations to manage passwords for shared and software accounts more effectively and efficiently than manual processes.”

Market Overview: Shared-Account/Software-Account Password Management Tools

“… shared account password management tools will be used by more than 50% of large enterprises by year end 2010 to manage passwords for shared accounts.”

Market Overview: Shared-Account/Software-Account Password Management Tools

Page 8: Delegation

SAPM

Page 9: Delegation

SAPM

Page 10: Delegation

Simplify with Intelligence

• Authorize
• Rules
• Policies
• Access
• Passwords

Page 11: Delegation

Why? Privileged Account Password Management

“SAPM tools enable organizations to manage passwords for shared and software accounts more effectively and efficiently than manual processes.”

Market Overview: Shared-Account/Software-Account Password Management Tools

“In any organization, the use of every platform and device ultimately relies on superuser accounts, which are the most powerful in the organization.”

Best Practices for Managing Shared Superuser and Firecall Accounts

“… shared account password management tools will be used by more than 50% of large enterprises by year end 2010 to manage passwords for shared accounts.”

Market Overview: Shared-Account/Software-Account Password Management Tools

Page 12: Delegation

Analyst & Media Coverage

“The Enterprise Random Password Manager from Lieberman Software is an extremely powerful tool which automatically discovers, updates, stores and allows secure recovery of every privileged account password throughout the enterprise.”

SC Magazine Group Test: Password Management - August 2009

Page 13: Delegation

Elevated-Privilege Accounts
Everything in the Enterprise

• Servers & Workstations
– All hardware
– All operating systems
– Databases

• Datacenter Appliances
– Routers & switches
– Accelerators
– Security

• Applications
– Line-of-business
– Web services
– Database & middleware
– Backup
– Identity and Access Management
– Systems Management

Page 14: Delegation

Elevated-Privilege Accounts
Where to Apply?

Planned Changes

• Application Rollouts
• Hardware Deployment
• Corporate mergers
• Outsourcing
• Guest Accounts
• Role Changes (Employment)
• Delegation and Overlap of Roles

Unplanned Changes

• Personnel Changes
• Failures of defaults
• Lack of Expiration
• Complexity
• Social Attacks
• “Name” Attacks
– Serv1, Serv2, Serv3

Page 15: Delegation

Elevated-Privilege Accounts
How to Solve?

1. Identify and document all IT assets, privileged accounts, and interdependencies.

2. Delegate privileged account access only on a temporary (time) basis, using least privilege, for documentation purposes.

3. Enforce rules on length, uniqueness, and change frequency, synchronizing changes and dependencies.

4. Monitor and alert, and document all access: usual and unusual.

Page 16: Delegation

ERPM Solution
Architecture

SSL

Clients

• Password Check Out
• Management Reporting
• User Rights Delegation

Web Application: IIS 6.0 or greater

Secure Data Store: SQL Server or Oracle 11g

Management Console: Windows Server

OleDB

OleDB

• Setup and Configuration
• Job Scheduling
• Advanced Reporting

Security Information and Event Management (SIEM), BMC Remedy, IBM Tivoli, MS SCOM, …

• Alerting
• Workflows
• Ticket Management

SDK, Web Services, Middleware

Page 17: Delegation

ERPM Solution
Architecture

Management Console

Windows Computers: Windows Server 2008, 2003, 2000, NT4, Windows 7, Vista, XP

Linux, UNIX, and Mainframe: Sun Solaris, HP-UX, IBM AIX, Red Hat Linux, IBM AS/400, OS/390, …

Network Devices: Cisco IOS devices and other routers, switches, firewalls, …

Applications: IIS, ASP.NET, SharePoint, scripts, configuration files, …

Directories: MS Active Directory, Oracle Internet Directory and all LDAP-compliant directories

Databases: MS SQL Server, Oracle, MySQL, Sybase ASE, IBM DB2

OleDB

SMB

SSH

SSH

LDAP

SMB, SSH, …

Continuous Auto-Discovery Safeguards New and Changed Targets

Password Change Synchronization Prevents Lockouts and Service Disruptions

Page 18: Delegation

Identify
Continuous Auto-Discovery

• Databases
• Web Servers
• Applications
• Desktops
• Servers
• Backup
• Hardware
• Appliances

ERPM

Page 19: Delegation

Delegate
Secure Password Recovery

Web Console

ERPM

1. Role Based

2. Time Based

3. Audit and Alert

4. Dual Custody

5. Changes Committed & Propagated

Page 20: Delegation

Enforce
Password Policy

• Segregation (SoD)
• Enforcement
• High Availability

ERPM

• Continuous Change
• Auto Discovery (continuous)
• Prevents Outages

Page 21: Delegation

Monitor
Password Policy & Integration

• Detailed History
• Alert Configuration
• Integration with SCOM and SIEM

ERPM

Page 22: Delegation

“PCI DSS Ready”
PCI DSS Requirement

2.1 "Always change vendor-supplied passwords before installing a system on the network…"

6.3.6 "Removal of custom application accounts, user IDs, and passwords before applications become active…"

7.7.1 "Restriction of access rights to privileged user IDs to least privileges…"

7.2.1 "Coverage of all system components."

8.5.4 "Immediately revoke access for all terminated users."

8.5.5 "Remove/disable inactive user accounts at least every 90 days."

8.5.6 "Enable accounts used by vendors for remote maintenance only during the time periods needed."

8.5.8 "Do not use group, shared, or generic accounts or passwords."

8.5.9 "Change user passwords at least every 90 days."

10.2 "Implement automated audit trails for all system components…"

Page 23: Delegation

“LiebSoft PCI DSS Ready”

2.1 ✓ Auto-discover and change all privileged account passwords on all hardware and software

6.3.6 ✓ Continuously identify undocumented service accounts and back doors on packaged and custom applications

7.7.1 ✓ Enforce role-based control of access to all privileged identities

7.2.1 ✓ Discover and manage all privileged accounts on all IT assets – not just the documented ones

8.5.4 ✓ Randomize credentials upon check-out to prevent access by terminated users.

8.5.5 ✓ Audit, flag, and disable inactive accounts

8.5.6 ✓ Enforce time-based vendor access

8.5.8 ✓ Auto-detect and segregate shared privileged accounts

8.5.9 ✓ Enforce password change frequency requirements on all privileged accounts

10.2 ✓ Audit privileged account access requests on servers, network appliances, desktops, and applications

Page 24: Delegation

Help for Employees

Executive Management
• Control of Corporate Assets
• Regulatory Requirements
• Improve Agility, without taking risks

IT Director
• Increase Efficiency
• Align IT Processes with Policy
• Change Control: Planned and Unplanned

Administrator
• Automates tedious, error-prone tasks
• Control with Continuous Discovery
• Eliminate “uncertain” compliance

Page 25: Delegation

Use Cases & Demo

Page 26: Delegation

Lieberman & Microsoft Product Development Relationship

• Recognized innovator and leader in Privileged Password Protection and Random Password Management
• “Managed” Gold Certified Partner since 1999
• System Center Strategic Alliance Partner
• Most Microsoft Windows Product Certifications of Any Management Vendor
– Six certified products with nearly 20 Windows 7, Server 2008, Hyper-V, Vista, XP & 2000 certifications
• Industry Focus
– Public Sector
– Financial Services
– Healthcare

Page 27: Delegation

Lieberman & Vendors
Joint Marketing Relationship