pas fun - aim overview17趣味目标概述

ApplicationIdentityManagerCyberArkPrivilegedAccountSecuritySolutionOverviewWhat,Where&WhyofPrivilegedAccountsScopeUsedbyUsedforElevatedPersonalCloudprovidersPersonalaccountsw/elevatedpermissionsITstaffAnyemployeePrivilegedoperationsAccesstosensitiveinformationWebsitesSharedPrivilegedAccountsAdministratorUNIXrootCiscoEnableOracleSYSLocalAdministratorsERPadminITstaffSysadmins/NetadminsDBAsHelpdeskDevelopersSocialmediamgrsLegacyapplicationsEmergencyFire-callDisasterrecoveryPrivilegedoperationsAccesstosensitiveinformationApplicationAccounts(App2App)Hardcoded/embeddedAppIDsServiceAccountsApplications/scriptsWindowsServicesScheduledTasksBatchjobs,etcDevelopersOnlinedatabaseaccessBatchprocessingApp-2-AppcommunicationAllPowerfulDifficulttoControl,Manage&Monitor

PoseDevastatingRiskifMisusedCyberArk’sSolutionforPrivilegedAccountSecurityGranularPrivilegedAccessControlsPrivilegedUser

AccessControlsProtecting&IsolatingSensitiveAssetsPrivilegedActivityMonitoringApplicationIdentityControlsExternalVendorsITPersonnelDevelopers&DBAsAuditorsIdentityManagementTicketingSystemsMonitoring&SIEMApplicationsEnterpriseDirectoryandMoreAnyDevice,AnyDatacenter–

OnPremise,HostedorInTheCloudPIMPortal/WebAccessMasterPolicySecureDigitalVault™EnterprisePasswordVault®PrivilegedSessionManager®ApplicationIdentityManager™On-DemandPrivilegesManager™CyberArk’sPrivilegedAccountSecurityPlatformWhatistherisk?SystemUserPassUnixrootOracleSYSWindowsAdministratorz/OSDB2ADMINCiscoenableITVaultEnterpriseITEnvironmentMasterPolicy/CentralPolicyManagerMaster/exceptionpolicydefinitionInitialload&resetAutomaticDetection,Bulkupload,ManualRequestworkflowDualcontrol,Integrationwithticketingsystems,One-timepasswords,exclusivity,groupsDirectconnectiontodeviceAuditoraccessSecurity/RiskManagementAuditorsEnterprisePasswordVaultOverviewEPVPolicyRequesttoviewReportsRequestaccesstoWindowsAdministratorOnprod.dom.ustops3cr3ttops3cr3ttops3cr3ttops3cr3ttops3cr3ttops3cr3ttops3cr3ttops3cr3ttops3cr3ttops3cr3tlm7yT5wX5$aq+pTojsd$5fhy7qeF$1gviNa9%Oiue^$fgWPolicyHard-codedCredentialsRegulations6.3.1Removalofcustomapplicationaccounts,userID's,andpasswordsbeforeapplicationseactiveorarereleasedtocustomers.8.5.16Authenticateallaccesstoanydatabasecontainingcardholderdata.Thisincludesaccessbyapplications,administrators,andallotherusers..6.2.4"….reviewtoidentifyerrantcodingpracticesandsystemsvulnerabilitiesthatcouldleadtosecurityproblems,violationsandincidents…”6.2.4a"Sensitiveinformationsuchcryptographickeys,accountandpassworddetails,systemconfigurationanddatabaseconnectionstringsshouldnotbedisclosed“CoBIT4.1“ITGeneralControls&ApplicationControls:Beforepassingtransactiondatabetweeninternalapplicationsandbusiness/operationalfunctions(inoroutsidetheenterprise),checkitforproperaddressing,authenticityoforiginandintegrityofcontent.InternetBanking&TechnologyRiskManagement(IBTRM)StandardHard-codedCredentialsTheApplicationneedstobeabletologintotheDatabasetorunIfthepasswordhasbeenchangedontheApplicationServerbutNOTontheDatabasetheapplicationwillfailTochangetheApplicationpassword,youwouldhavetoknowalllocationswherethatpasswordisusedCouldbeusedbymultiplescriptsorapplicationsWhydon’twemanageit?InfrequentreplacementduetofearofprolongeddowntimeNooneknowswheretheyareusedSystemsprovided&supportedbyexternalvendorsLackofknowledgeontheinternalworkingofsystemsandpossibleconsequencesAIMProviderAgent-Credentialsretrievedfromthevault-HighLevelAIMProviderAgentTheapplicationismodifiedsothatwhentheapplicationneedstoaccessthedatabaseitlookstotheAgentforthepassword.TheAgentretrievesthepasswordfromthevault.StoredinaCacheTheCPMchangesthepasswordonthedatabaseandupdatestheVaultAIMTechnicalOverviewOverviewTwonewuserswillbecreatedintheVaultProviderUserApplicationUserOneperapplicationApplicationattributesareusedinsteadofacredfileCacheInordertomaketheprocessmoreefficient,passwordsarestoredinacacheontheProvider.WhenthepasswordischangedontheVault,amessageissenttotheProvidertogetthenewpassword.CachetypesPersistent–memorycacheandlocalpersistentcacheondiskHavingthepasswordsstoredondiskmeansthatifwehavetore-boot,wedon’thavetogototheVaulttorefreshthecacheMemory–inmemorycacheofpasswordsNone–everyrequestaccessestheVaultCachedataPasswordscontentandpropertiesApplicationdetailsAccesscontroldataDataisencryptedwithAES256BackgroundRefreshProcessAutomaticbackgroundrefreshDoneperiodicallybytheprovidertoseeiftherehavebeenanychangesDefaultisevery3minUsercanforcerefreshondemandAccessControlApplicationDetailsAccountDetailsSDKAIMAPIforinitiatingpasswordrequestsLanguages:Java,CLI,C/C++,.Net,COMSimpleandlightweightDoesnotkeepany“state”DoesnothaveconfigurationofitsownTheSDKhasgeneralinterfaceSDKInputOutputAppIDQueryRequiredPropsAccessReasonPasswordPropertiesApplicationAsingleProvidercansupportmultipleapplicationsWhatisanapplication?AprogramthatrequirescredentialsforitsongoingoperationIdentifiedbyApplicationIDMayhavemultipleaccountsforasingleapplicationAuthenticationStrongauthenticationofapplicationstothedigitalvaultisperformedbasedonapplicationcharacteristics,includingIP/hostname,operatingsystemuser,thepaththeapplicationrunsfrom,anditshash(signature).PasswordChangeStep-by-StepPasswordObjectUser:DBUser1Password:123409:00CPMdecidesthatitwillchangethepasswordat10:00ChangeNotificationPeriod=360010:00CPMmarksthetimefromwhichthepasswordchangewilltakeplaceBackgroundprocessintheProviderfindsthechangeindicationandupdatesitinthecache09:1010:01PasswordrequestsalwaysaccesstheVaultnow10:0210:0310:04PasswordObjectUser:DBUser1Password:asdf10:05NextpasswordrequestaccessestheVaultandupdatesthecachewiththenewpasswordandthefactthatthepasswordisnolongerpendingchangePasswordObjectUser:DBUser1Password:1234StartChangeNotBefore10:00VaultCPMCPMcanstartthepasswordchangeCPMchangedthepasswordandclearsthechangeindicationApplicationSDKProviderBackgroundRefreshProcessCacheApplicationPasswordSDKUsedbyapplicationstorequestcredentials(usernameandpassword)fromtheproviderCannotworkwithouttheprovider!Supportedenvironments:C/C++,Java,CLI,COMSupportedPlatformsWindowsUNIXApplicationPasswordSDKCalltoSDKCommandIdentifywithappIDRequestedPasswordObjectDesiredoutputSampleSampleFTPScriptonWindowsEliminatinghardcodedcredentialsusingtheCLIStrongscriptauthenticationbasedonitssignatureAutomaticandtransparentpasswordchangeHighavailabilityevenwhenVaultisdownAIMInActionPush-WhatToDoWhenCodeChangesAreNotPossible?VaultStaycompliantwithautomaticpasswordchangesNocodechangesarerequiredUsefulasanimmediateremediationDatabaseCentralPolicyManager3rdPartyVendorProductsIntegratingwith3rdpartyproductstoprotectITresourcesPrivilegedcredentialsaresecurelyprotectedandperiodicallychangedbasedonenterprisepolicyEnhances3rdpartyproductcapabilitiesOverall,companydataisbetterprotectedProvisioningApplicationsViaPVWAManuallyApplicationUploadUtilityInitialAIMImplementationProcessIdentify&CategorizeApplicationsPrioritizeBusinessObjectivesIdentifyStakeholdersDefinePolicies&StandardizeTrain&PerformCodeChangesTest&DeployStartwithaPilotItWorks!WhatNext?Takeaphasedapproach,basedonapplicationpriorityAttheendofeachstage,conclude,learnanditerateDeterminewhetheranewpolicyprocedureisneededPushModePushMode–NoProviderRequiredVaultApplications/ProductsusingembeddedcredentialsCentralPolicyManagerSystemUserPassOracleappId1DB