delegation
Simplify with Intelligence
Common Solutions
• Integrate Unix, Linux, Mac & Java with AD
• Application SSO with AD
• Single sign-on via AD
• Strong Authentication
• Delegate Activities
• Least Privilege
• Segregation of Duties
• Authorize When Needed
• Resource Provisioning: UNIX, LINUX, WINDOWS
• Terminal Server and VDI
• Delegation of Administration
• Elevate Privileges
• Compliance Reporting
• Elevate Privilege when necessary
• Unify login via the AD Directory
• Unify activities via the AD Directory
Resource Provisioning
Policy Enforcement: standardizing the fields, names and contents to be filled in
Administration Control: few people with direct administrative access to AD, with better privilege management.
Automation: lets you create rules to automate resource provisioning: Exchange, Mobile, Users and other AD resources.
Delegation: delegate tasks to non-administrators based on rules: Active Role Server for Windows and Privilege Manager for Linux and Unix
Privilege Manager: Linux and Unix
Active Role Server - Windows
Provision Resources
Enterprise Single Sign On
Simplify Control and Access:
Unix, Linux, and Mac in AD: Vintela Authentication Services
Applications in an AD-based single sign-on/reduced sign-on environment (SAP, Siebel, Oracle, DB2, others): Vintela Authentication Services, Vintela Single Sign-on for Java
A2A and A2DB
Enterprise Single Sign On: Solution Ramifications
Synchronization (same sign-on)
• Many IDs
• Many directories
• Many logins
• One password (same for each login)
• Lots of management
• More infrastructure (connectors, agents, etc.)
ESSO (login automation)
• Many IDs
• Many directories
• One login (others automated)
• One password (others automated)
• Not quite as much management
• Maintain infrastructure (client-based)
Integration (Holy Grail)
• One ID
• One directory
• One login
• One password
• One point of ID management
• Consolidate directories/infrastructure
SAPM
Elevate Privilege, When Necessary
“SAPM tools enable organizations to manage passwords for shared and software accounts more effectively and efficiently than manual processes.”
Market Overview: Shared-Account/Software-Account Password Management Tools
“… shared account password management tools will be used by more than 50% of large enterprises by year end 2010 to manage passwords for shared accounts.”
Market Overview: Shared-Account/Software-Account Password Management Tools
SAPM
Simplify with Intelligence
Authorize, Rules, Policies, Access, Passwords
Why? Privileged Account Password Management
“In any organization, the use of every platform and device ultimately relies on superuser accounts, which are the most powerful in the organization.“
Best Practices for Managing Shared Superuser and Firecall Accounts
Analyst & Media Coverage
“The Enterprise Random Password Manager from Lieberman Software is an extremely powerful tool which automatically discovers, updates, stores and allows secure recovery of every privileged account password throughout the enterprise.” (SC Magazine Group Test: Password Management, August 2009)
Elevated Privilege Accounts: Everywhere in the Enterprise
• Servers & Workstations
– All hardware
– All operating systems
– Databases
• Datacenter Appliances
– Routers & switches
– Accelerators
– Security
• Applications
– Line-of-business
– Web services
– Database & middleware
– Backup
– Identity and Access Management
– Systems Management
Planned Changes
• Application rollouts
• Hardware deployments
• Corporate mergers
• Outsourcing
• Guest accounts
• Job (employment) changes
• Delegation and overlap of duties
Unplanned Changes
• Personnel changes
• Faulty defaults
• No expiration
• Complexity
• Social attacks
• “Name” attacks
– Serv1, Serv2, Serv3
Elevated Privilege Accounts: Where to Apply?
1. Identify and document all IT assets, privileged accounts and their interdependencies.
2. Delegate privileged account access only on a time basis, with least privilege, and document the purpose of each grant.
3. Enforce rules for password length, uniqueness and change frequency, synchronizing each change with its dependencies.
4. Monitor and alert, and document all access, usual and unusual.
Elevated Privilege Accounts: How to Solve?
Clients (SSL)
• Password Check Out
• Management Reporting
• User Rights Delegation
Web Application: IIS 6.0 or greater
Secure Data Store: SQL Server or Oracle 11g (OleDB)
Management Console: Windows Server (OleDB)
• Setup and Configuration
• Job Scheduling
• Advanced Reporting
Security Information and Event Management (SIEM): BMC Remedy, IBM Tivoli, MS SCOM, …
• Alerting
• Workflows
• Ticket Management
SDK, Web Services, Middleware
ERPM Solution: Architecture
Management Console
Windows Computers (SMB): Windows Server 2008, 2003, 2000, NT4, Windows 7, Vista, XP
Linux, UNIX, and Mainframe (SSH): Sun Solaris, HP-UX, IBM AIX, Red Hat Linux, IBM AS/400, OS/390, …
Network Devices (SSH): Cisco IOS devices and other routers, switches, firewalls, …
Applications (SMB, SSH, …): IIS, ASP.NET, SharePoint, scripts, configuration files, …
Directories (LDAP): MS Active Directory, Oracle Internet Directory and all LDAP-compliant directories
Databases (OleDB): MS SQL Server, Oracle, MySQL, Sybase ASE, IBM DB2
Continuous Auto-Discovery Safeguards New and Changed Targets
Password Change Synchronization Prevents Lockouts and Service Disruptions
ERPM Solution: Architecture
Identify: Continuous Auto-Discovery
Discovery targets (ERPM): Databases, Web Servers, Applications, Desktops, Servers, Backup, Hardware, Appliances
Delegate: Secure Password Recovery
Web Console (ERPM)
1. Role Based
2. Time Based
3. Audit and Alerts
4. Dual Custody
5. Committed & Propagated Changes
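The four-step approach given earlier (identify, delegate on a time basis with least privilege, enforce password rules with synchronized changes, monitor and alert) and the five delegation controls just listed (role based, time based, audit and alerts, dual custody, committed and propagated changes) fit together in one small model. The Python below is an added example written for this page; it is not ERPM code and says nothing about how the product is implemented. The vault, hostnames, account names, passwords, dependents, the 16-character minimum and the 90-day rotation window are all constructed for the demonstration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import secrets, string

MIN_LENGTH = 16                   # policy: minimum password length (assumed value)
MAX_AGE = timedelta(days=90)      # policy: change frequency (90 days, the figure PCI DSS 8.5.9 uses)
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
NOW = datetime(2010, 3, 1, 9, 0)  # constructed "current time" for the sample data

@dataclass
class PrivilegedAccount:
    target: str                                     # system the account lives on
    name: str
    password: str
    last_changed: datetime
    dependents: list = field(default_factory=list)  # services/config files that embed this password
    checked_out_by: str = None
    checkout_expires: datetime = None

@dataclass
class Vault:
    accounts: dict = field(default_factory=dict)    # (target, name) -> PrivilegedAccount
    roles: dict = field(default_factory=dict)       # user -> set of targets that user may administer
    audit: list = field(default_factory=list)       # every event, including denied requests

    def log(self, now, event, **detail):
        self.audit.append({"time": now.isoformat(), "event": event, **detail})

    # Step 1: identify and document every account and what depends on it
    def register(self, acct):
        self.accounts[(acct.target, acct.name)] = acct
        self.log(acct.last_changed, "discovered", target=acct.target, account=acct.name, deps=acct.dependents)

    # Step 3: enforce length, uniqueness and change frequency
    def policy_violations(self, now):
        violations, by_password = [], {}
        for key, a in self.accounts.items():
            if len(a.password) < MIN_LENGTH:
                violations.append((key, "too_short"))
            if now - a.last_changed > MAX_AGE:
                violations.append((key, "stale"))
            by_password.setdefault(a.password, []).append(key)
        for keys in by_password.values():
            if len(keys) > 1:                       # one password shared by several accounts
                violations.extend((key, "reused") for key in keys)
        return sorted(violations)

    def rotate(self, key, now):
        a = self.accounts[key]
        a.password = "".join(secrets.choice(ALPHABET) for _ in range(24))
        a.last_changed = now
        for dep in a.dependents:                    # push the new value wherever it is embedded (no lockouts)
            self.log(now, "propagated", target=a.target, account=a.name, dependent=dep)
        self.log(now, "rotated", target=a.target, account=a.name)
        return a.password

    # Step 2: delegate role-based, time-boxed, under dual custody
    def checkout(self, user, key, now, ttl=timedelta(hours=1), approver=None):
        a = self.accounts[key]
        reason = ("no_role" if a.target not in self.roles.get(user, set())
                  else "dual_custody" if approver in (None, user) else None)
        if reason:
            self.log(now, "denied", user=user, target=a.target, account=a.name, reason=reason)
            raise PermissionError(f"checkout refused for {user}: {reason}")
        a.checked_out_by, a.checkout_expires = user, now + ttl
        self.log(now, "checkout", user=user, approver=approver, target=a.target, account=a.name,
                 expires=a.checkout_expires.isoformat())
        return a.password

    # Step 4: monitor; a lapsed checkout is revoked (re-randomized) and reported
    def alerts(self, now):
        expired = [k for k, a in self.accounts.items() if a.checked_out_by and a.checkout_expires <= now]
        for key in expired:
            a = self.accounts[key]
            self.log(now, "checkin", user=a.checked_out_by, target=a.target, account=a.name)
            a.checked_out_by = a.checkout_expires = None
            self.rotate(key, now)                   # the value the user saw is never valid again
        return [("checkout_expired", key) for key in expired]

def build_sample_vault():
    # Constructed inventory: weak, shared and stale passwords beside one compliant account
    v = Vault(roles={"alice": {"srv-db01", "srv-web01"}, "bob": {"rtr-core"}})
    v.register(PrivilegedAccount("srv-db01", "sa", "Winter2009!", NOW - timedelta(days=120),
                                 dependents=["svc-reporting", "srv-web01:web.config"]))
    v.register(PrivilegedAccount("srv-web01", "Administrator", "Winter2009!", NOW - timedelta(days=10)))
    v.register(PrivilegedAccount("rtr-core", "enable", "cisco", NOW - timedelta(days=400)))
    v.register(PrivilegedAccount("srv-file02", "Administrator", "x7Gq!p2Lm9Zr4Vt8Wk1Hs5Jn", NOW - timedelta(days=5)))
    return v

def run_demo():
    v, key = build_sample_vault(), ("srv-db01", "sa")
    before = v.policy_violations(NOW)
    for k in sorted({k for k, _ in before}):        # remediate every non-compliant account
        v.rotate(k, NOW)
    seen = v.checkout("alice", key, NOW, approver="carol")
    alerts = v.alerts(NOW + timedelta(hours=2))     # the one-hour checkout has lapsed: revoke and re-randomize
    return {"violations_before": len(before), "violations_after": len(v.policy_violations(NOW)),
            "expired_checkout": ("checkout_expired", key) in alerts,
            "revoked_password_changed": seen != v.accounts[key].password}
```

Running `run_demo()` walks the whole cycle: the inventory reports seven policy violations (the shared `Winter2009!`, the five-character router password and two passwords older than 90 days), rotating the offending accounts propagates the new values to their dependents and leaves zero violations, a check-out is granted only when the user's role covers the target and a distinct approver is named, and once the check-out window lapses the monitor revokes it and re-randomizes the password, so the value the user saw cannot be reused later (the behaviour the page describes for terminated users). Every step leaves an entry in `audit`, including refused requests.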
Enforce: Password Policy
• Segregation of Duties (SoD)
• Hardening
• High Availability
ERPM
• Continuous change
• Auto Discovery (continuous)
• Prevents outages
Monitor: Password Policy & Integration
• Detailed history
• Alert configuration
• Integration with SCOM and SIEM
ERPM
“PCI DSS Ready”: PCI DSS Requirement
2.1 "Always change vendor-supplied passwords before installing a system on the network…"
6.3.6 “Removal of custom application accounts, user IDs, and passwords before applications become active…"
7.7.1 "Restriction of access rights to privileged user IDs to least privileges…"
7.2.1 "Coverage of all system components."
8.5.4 "Immediately revoke access for all terminated users."
8.5.5 "Remove/disable inactive user accounts at least every 90 days."
8.5.6 "Enable accounts used by vendors for remote maintenance only during the time periods needed."
8.5.8 "Do not use group, shared, or generic accounts or passwords."
8.5.9 "Change user passwords at least every 90 days."
10.2 "Implement automated audit trails for all system components…"
“LiebSoft PCI DSS Ready”
2.1 ✓ Auto-discover and change all privileged account passwords on all hardware and software
6.3.6 ✓ Continuously identify undocumented service accounts and back doors on packaged and custom applications
7.7.1 ✓ Enforce role-based control of access to all privileged identities
7.2.1 ✓ Discover and manage all privileged accounts on all IT assets, not just the documented ones
8.5.4 ✓ Randomize credentials upon check-out to prevent access by terminated users
8.5.5 ✓ Audit, flag, and disable inactive accounts
8.5.6 ✓ Enforce time-based vendor access
8.5.8 ✓ Auto-detect and segregate shared privileged accounts
8.5.9 ✓ Enforce password change frequency requirements on all privileged accounts
10.2 ✓ Audit privileged account access requests on servers, network appliances, desktops, and applications
Executive Management
• Control of corporate assets
• Regulatory requirements
• Improve agility without taking on risk
IT Director
• Increase efficiency
• Align IT processes with policy
• Control of changes: planned and unplanned
Administrator
• Automates tedious, error-prone tasks
• Control through continuous discovery
• Eliminate “uncertain” compliance
Helps Staff
Use Cases & Demo
Lieberman & Microsoft Product Development Relationship
• Recognized innovator and leader in Privileged Password Protection and Random Password Management
• “Managed” Gold Certified Partner since 1999
• System Center Strategic Alliance Partner
• Most Microsoft Windows Product Certifications of Any Management Vendor
– Six certified products with nearly 20 Windows 7, Server 2008, Hyper-V, Vista, XP & 2000 certifications
• Industry Focus
– Public Sector
– Financial Services
– Healthcare
Lieberman & Vendors: Joint Marketing Relationship