
Privileged Identity Management

Enterprise Password Vault

Privileged Password Management

Agenda
Privileged Users 101
What are privileged Users

The Challenge
Common Practices and the Risks Involved
Drivers: Regulations and Internal Breaches
Business and Technical Requirements
Cyber-Ark Enterprise Password Vault

Technology
Architecture
Benefits
Demonstration

Q&A

Identity Management
Individual Users Component
- Directories

LDAP/Identity Management Partners
The Password Vault can be integrated with any LDAP or identity
management solution. Cyber-Ark has strategic partnerships with the
companies below.
Together, an organization will be able to manage both users and
shared privileged accounts.

PIM - White Space for Major IAM Players

What Are Privileged Accounts?

Administrative Accounts

Shared Predefined:
- UNIX root
- Cisco enable
- DBA accounts
- Windows domain
- Etc.

Application Accounts

Hard-coded, embedded:
- Resource (DB) IDs
- Generic IDs
- Batch jobs
- Testing Scripts
- Application IDs

Personal Computer Accounts

Shared:
- Help Desk
- Fire-call
- Operations
- Emergency
- Legacy applications
- Developer accounts

Windows Local administrator:
- Desktops
- Laptops

Owned by the system:
- Not owned by any person or identity

Service Accounts:
- Windows Service Accounts
- Scheduled Tasks
Privileged Accounts Today

Common practices:
- Storage: Excel spreadsheets, physical safes, sticky notes, locked drawers, memorizing, hard coded in applications and services
- Resets: Handled by designated IT members, call centers, mostly manual
- Known to: IT staff, network operations, help desk, desktop support, developers

Common problems:
- Widely known, no accountability
- Unchanged passwords
- Lost passwords
- Same password across multiple systems
- Simplistic passwords that are easy to remember
- Passwords not available when needed

Key Business Drivers

- Regulatory Compliance (Sarbanes Oxley, PCI, BS7799 etc.)
- Auditing and Reporting
- Control
- Segregation of Duties
- Proactive Improvement of Information Security Practices
- Loss and Risk prevention
- Return on Investment
- Administrative Password Management
- Internal Breach
- Return On Investment
- Efficiency and Productivity

Mission Statement

[Figure: Vault Safes (Local Drive or SAN) shown with the layer labels Session Encryption, Firewall, Authentication, Access Control, Manual & Geographical Security, File Encryption, Auditing and (Visual Security). Network labels: Cyber-Ark Vault Server; LAN, WAN, INTERNET.]

Cyber-Ark Software is an Information Security company that develops
and markets digital vaults for securing and managing highly-sensitive
information within and across global enterprise networks.

Password Vault Architecture

[Figure: architecture diagram with numbered callouts 1 to 4. Labels: Central Password Manager, Password Vault, Unix Servers, Windows Servers, Networking Devices, Directory Server, Desktops, Main Frame, Disaster Recovery Site, WAN.]

- Privileged Users are defined to the Central Password Manager and a copy of their passwords is stored within the Vault.
- The Central Password Manager periodically regenerates new passwords for all managed accounts on all relevant systems and/or Directory Servers and then stores a copy of the new passwords within the Vault.
- An Administrator needs to perform an administrative task on any system or device. After the Administrator authenticates to the Vault and passes the relevant security checks, the specific password of the target account on the target system is retrieved.
- The Administrator is now ready to log in to the target application or server.

Application Passwords

Scripts
- Shell, Perl, Bat, Sqlplus

Applications
- Custom developed C/C++, COM, Java, .NET code
- Application Servers (WebSphere, WebLogic)

Products
- IT Management
- ETL tools (Informatica, etc)

Hard-Coded Password Embedded in Code

source1.vbs

' ...
UserName = "app"
Password = "asdf"        ' credential hard-coded in the script
Host = "10.10.3.56"
Call ConnectDatabase(Host, UserName, Password)
' ... work with database ...

source1-new.vbs

' ...
UserName = "app"
' The password is obtained through PVToolKit instead of being stored in the script
Password = PVToolKit("Vault.ini", "User.ini", "Safe", "Root\Password")
Host = "10.10.3.56"
Call ConnectDatabase(Host, UserName, Password)
' ... work with database ...
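
An added example, not from the original slides or from Cyber-Ark: a small Python check that flags credentials embedded in scripts such as source1.vbs and accepts values resolved at run time, as in source1-new.vbs. The regular expressions, the `find_hardcoded` name and the batch job sample are assumptions made for illustration.

```python
import re

# Names that suggest a credential (assumption: a naming heuristic, not an exhaustive list).
SECRET_NAME = re.compile(
    r"(?i)\b(\w*(?:password|passwd|pwd|secret)\w*)\s*=(?!=)\s*(.+)$")
# A value that is a function call or a $VAR / %VAR% expansion is resolved at run time.
RUNTIME_VALUE = re.compile(r"""^(?:[A-Za-z_][\w.]*\s*\(.*\)|["']?[$%]\S+)""")
# sqlplus given user/password@service directly on the command line.
SQLPLUS_INLINE = re.compile(r"(?i)\bsqlplus\b(?:\s+-\S+)*\s+(\w+)/([^\s@$%]+)@")
# Comment prefixes for shell/Perl, VBScript, batch and SQL.
COMMENT = re.compile(r"(?i)^\s*(?:#|'|rem\b|::|--)")

def find_hardcoded(text):
    """Return (line_no, kind, name) for each suspected embedded credential."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if COMMENT.match(line):
            continue
        m = SQLPLUS_INLINE.search(line)
        if m:
            findings.append((no, "sqlplus-inline", m.group(1)))
            continue
        m = SECRET_NAME.search(line)
        if m and not RUNTIME_VALUE.match(m.group(2).strip()):
            findings.append((no, "literal-assignment", m.group(1)))
    return findings

# Constructed samples: the two slide snippets plus a hypothetical batch job.
SOURCE1 = """UserName = app
Password = asdf
Host = 10.10.3.56
ConnectDatabase(Host, UserName, Password)"""

SOURCE1_NEW = SOURCE1.replace(
    "Password = asdf",
    r"Password = PVToolKit(Vault.ini,User.ini,Safe,Root\Password)")

BATCH_JOB = """#!/bin/sh
# nightly export
DB_PWD="$VAULT_SUPPLIED_PWD"
sqlplus -s app/asdf@ORCL @export.sql
sqlplus -s app/$DB_PWD@ORCL @export.sql"""

if __name__ == "__main__":
    for name, src in [("source1.vbs", SOURCE1), ("source1-new.vbs", SOURCE1_NEW),
                      ("batch_job.sh", BATCH_JOB)]:
        print(name, find_hardcoded(src))
```

A check like this only finds candidates for review; a value it accepts as resolved at run time can still come from an insecure source.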

Requirements for Privileged Accounts Management Solution

- Exceptionally secure solution for the keys of the kingdom
- Supreme performance, availability and disaster recovery due to its mission-critical nature
- Flexible distributed architecture to fit the enterprise's complex network topology
- Single standard solution for a multi-faceted problem
- Intuitive and robust interfaces

Thank You

David Adamczyk
Channel Sales Manager
Cyber-Ark Software
david.adamczyk@cyber-ark.com