LiebSoft
Privilege Management and Password Custody
[Figure: desktops and servers with issues. Left: some healthy, privileges unknown; right: all healthy, privileges known.]
SAPM Concept
1. HOW ACCOUNTS
2. HOW GROUPS
3. HOW SERVERS and/or DESKTOPS
4. HOW OFTEN …
USE CASES & BEST PRACTICES
1. Stock Exchange Singapore: automate manual processes and reduce costs.
2. Brazilian Telecom Company: control of desktops (System Center, anti-virus, configuration, local admin, groups).
3. US Datacenter Hosting Services: dynamic environment, rapid changes, and the time needed to execute and identify them.
4. Germany IT Services: meeting the SLA (in the way it is accounted for).
5. US Bank: compliance; reports to prove (de facto) control.
6. Military Organization: complexity of managing 70,000 devices.
7. For-profit Education: discovery.
8. Many others…
• Founded in 1978, focused on Privileged Identity Management
• Partners: Cisco, HP, IBM, Microsoft, Novell, Oracle, Red Hat, RSA, Sybase
• Major customers in Brazil and worldwide
Lieberman Software
Why? Privileged Account Password Management
“SAPM tools enable organizations to manage passwords for shared and software accounts more effectively and efficiently than manual processes.”
Market Overview: Shared-Account/Software-Account Password Management Tools
“In any organization, the use of every platform and device ultimately relies on superuser accounts, which are the most powerful in the organization.”
Best Practices for Managing Shared Superuser and Firecall Accounts
“… shared account password management tools will be used by more than 50% of large enterprises by year end 2010 to manage passwords for shared accounts.”
Market Overview: Shared-Account/Software-Account Password Management Tools
Analyst & Media Coverage
“The Enterprise Random Password Manager from Lieberman Software is an extremely powerful tool which automatically discovers, updates, stores and allows secure recovery of every privileged account password throughout the enterprise.” SC Magazine Group Test: Password Management, August 2009
Elevated-Privilege Accounts: Everywhere in the Enterprise
• Servers & Workstations
– All hardware
– All operating systems
– Databases
• Datacenter Appliances
– Routers & switches
– Accelerators
– Security
• Applications
– Line-of-business
– Web services
– Database & middleware
– Backup
– Identity and Access Management
– Systems Management
Planned Changes
• Application rollouts
• Hardware deployment
• Corporate mergers
• Outsourcing
• Guest accounts
• Changes of role (employment)
• Delegation and overlap of roles
Unplanned Changes
• Staff changes
• Failed defaults
• Lack of expiration
• Complexity
• Social-engineering attacks
• “Name” attacks
– Serv1, Serv2, Serv3
Elevated-Privilege Accounts: Where to Apply?
1. Identify and document all IT assets, privileged accounts and their interdependencies.
2. Delegate privileged-account access only on a time basis, with least privilege, and with documentation as the purpose.
3. Enforce rules for password length, uniqueness and change frequency, synchronizing changes with their dependencies.
4. Monitor and alert, and document every access, usual or not.
Elevated-Privilege Accounts: How to Solve?
ERPM Solution: Architecture
[Diagram of the ERPM architecture:]
• Clients (over SSL): Password Check Out, Management Reporting, User Rights Delegation
• Web Application: IIS 6.0 or greater
• Secure Data Store: SQL Server or Oracle 11g (reached over OleDB)
• Management Console: Windows Server; Setup and Configuration, Job Scheduling, Advanced Reporting
• Security Information and Event Management (SIEM), BMC Remedy, IBM Tivoli, MS SCOM, …: Alerting, Workflows, Ticket Management
• SDK, Web Services, Middleware
ERPM Solution: Architecture
[Diagram: the Management Console reaches each target class over the protocol shown.]
• Windows Computers (SMB): Windows Server 2008, 2003, 2000, NT4, Windows 7, Vista, XP
• Linux, UNIX, and Mainframe (SSH): Sun Solaris, HP-UX, IBM AIX, Red Hat Linux, IBM AS/400, OS/390, …
• Network Devices (SSH): Cisco IOS devices and other routers, switches, firewalls, …
• Applications (SMB, SSH, …): IIS, ASP.NET, SharePoint, scripts, configuration files, …
• Directories (LDAP): MS Active Directory, Oracle Internet Directory and all LDAP-compliant directories
• Databases (OleDB): MS SQL Server, Oracle, MySQL, Sybase ASE, IBM DB2
Continuous Auto-Discovery Safeguards New and Changed Targets
Password Change Synchronization Prevents Lockouts and Service Disruptions
Identify: Continuous Auto-Discovery
[Diagram: ERPM at the center, discovering databases, web servers, applications, desktops, servers, backup, hardware and appliances.]
Delegate: Secure Password Recovery
[Diagram: Web Console in front of ERPM.]
1. Role based
2. Time based
3. Audit and alerting
4. Dual custody
5. Committed & propagated changes
Strengthen: Password Policy
• Segregation of duties (SoD)
• Hardening
• High availability
ERPM
• Continuous change
• Auto-discovery (continuous)
• Prevents outages
Monitor: Password Policy & Integration
• Detailed history
• Alert configuration
• Integration with SCOM and SIEM
ERPM
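The identify / delegate / strengthen / monitor cycle above, as a runnable model. This is an added example, not Lieberman's or ERPM's code: a hypothetical `Vault` class with role-based, time-limited check-out, dual custody, randomization on check-in (the slide's PCI DSS 8.5.4 point), a 90-day maximum age (8.5.9) and an audit trail (10.2); the account names and the `T0`/`at()` clock are constructed for the demo.

```python
import secrets
import string
from datetime import datetime, timedelta, timezone
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"
T0 = datetime(2010, 1, 1, tzinfo=timezone.utc)          # constructed clock
def at(**delta): return T0 + timedelta(**delta)         # T0 plus an offset

def random_password(length=20):  # CSPRNG, unique per account and per rotation
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

class Vault:  # toy SAPM vault: a hypothetical model, not ERPM's implementation
    def __init__(self, max_age=timedelta(days=90)):
        self.accounts, self.checkouts, self.audit = {}, {}, []
        self.max_age = max_age  # PCI DSS 8.5.9: rotate at least every 90 days

    def enroll(self, account, roles, now, dual_custody=False):
        self.accounts[account] = {"password": random_password(), "rotated": now,
                                  "roles": set(roles), "dual": dual_custody}
        self.audit.append(("enroll", account, None, now))

    def _rotate(self, account, now, reason):
        self.accounts[account].update(password=random_password(), rotated=now)
        self.audit.append((reason, account, None, now))

    def checkout(self, account, user, role, now, approvers=(), minutes=60):
        acct = self.accounts[account]
        # Role-based entitlement, one holder at a time, and dual custody (two
        # distinct approvers) for flagged accounts; every refusal is audited.
        if (role not in acct["roles"] or account in self.checkouts
                or (acct["dual"] and len(set(approvers)) < 2)):
            self.audit.append(("denied", account, user, now))
            raise PermissionError(f"{user} may not check out {account}")
        self.checkouts[account] = (user, now + timedelta(minutes=minutes))  # time-based
        self.audit.append(("checkout", account, user, now))
        return acct["password"]

    def checkin(self, account, now):
        # Randomize on check-in so the disclosed value stops working (PCI DSS 8.5.4).
        self.checkouts.pop(account, None)
        self._rotate(account, now, "checkin")

    def enforce(self, now):
        # Scheduled job: expire overdue check-outs, then rotate stale passwords.
        for account, (_, expires) in list(self.checkouts.items()):
            if now >= expires:
                self.checkin(account, now)
        for account, acct in self.accounts.items():
            if account not in self.checkouts and now - acct["rotated"] >= self.max_age:
                self._rotate(account, now, "max_age")
```

A real deployment would also push each rotated value to the target over SMB, SSH, LDAP or OleDB and to every dependent service, which is the synchronization step the architecture slides describe.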
“PCI DSS Ready”: PCI DSS Requirements
2.1 "Always change vendor-supplied passwords before installing a system on the network…"
6.3.6 "Removal of custom application accounts, user IDs, and passwords before applications become active…"
7.7.1 "Restriction of access rights to privileged user IDs to least privileges…"
7.2.1 "Coverage of all system components."
8.5.4 "Immediately revoke access for all terminated users."
8.5.5 "Remove/disable inactive user accounts at least every 90 days."
8.5.6 "Enable accounts used by vendors for remote maintenance only during the time periods needed."
8.5.8 "Do not use group, shared, or generic accounts or passwords."
8.5.9 "Change user passwords at least every 90 days."
10.2 "Implement automated audit trails for all system components…"
“LiebSoft PCI DSS Ready”
2.1 ✓ Auto-discover and change all privileged account passwords on all hardware and software
6.3.6 ✓ Continuously identify undocumented service accounts and back doors on packaged and custom applications
7.7.1 ✓ Enforce role-based control of access to all privileged identities
7.2.1 ✓ Discover and manage all privileged accounts on all IT assets, not just the documented ones
8.5.4 ✓ Randomize credentials upon check-out to prevent access by terminated users
8.5.5 ✓ Audit, flag, and disable inactive accounts
8.5.6 ✓ Enforce time-based vendor access
8.5.8 ✓ Auto-detect and segregate shared privileged accounts
8.5.9 ✓ Enforce password change frequency requirements on all privileged accounts
10.2 ✓ Audit privileged account access requests on servers, network appliances, desktops, and applications
Helps Stakeholders
Executive Management
• Control of corporate assets
• Regulatory requirements
• Improve agility without taking on risk
IT Director
• Increase efficiency
• Align IT processes with policy
• Control of changes: planned and unplanned
Administrator
• Automates tedious, error-prone tasks
• Control through continuous discovery
• Eliminates “uncertain” compliance
Use Cases & Demo
Lieberman & Microsoft: Product Development Relationship
• Recognized innovator and leader in Privileged Password Protection and Random Password Management
• “Managed” Gold Certified Partner since 1999
• System Center Strategic Alliance Partner
• Most Microsoft Windows product certifications of any management vendor
– Six certified products with nearly 20 Windows 7, Server 2008, Hyper-V, Vista, XP & 2000 certifications
• Industry focus
– Public Sector
– Financial Services
– Healthcare
Lieberman & Vendors: Joint Marketing Relationship