TECHNOLOGY BRIEF: CA ACCESS CONTROL

Protecting Server Resources with CA Access Control


Copyright © 2008 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. To the extent permitted by applicable law, CA provides this document “As Is” without warranty of any kind, including, without limitation, any implied warranties of merchantability or fitness for a particular purpose, or noninfringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised of such damages.

Table of Contents

Executive Summary

SECTION 1: CHALLENGE

Managing the Complexity of Today’s Data Center

The Regulators Are Watching

Sensitive Data Is on Your Servers

More IT Complexity, Not Less

SECTION 2: OPPORTUNITY

Protecting Server Resources Across the Extended Enterprise

Cross-platform, Fine-grained Access Control

Supporting Organizations Large and Small

Cross-platform Server Protection

Assisting in the Compliance Process

Enterprise Scale Access Control Management

Sophisticated, Secure Auditing Capabilities

An Essential Part of the Larger Identity and Access Management Solution

SECTION 3: BENEFITS

Protecting Data on Your Most Critical Servers

Regulates and Audits Server Access

Enforces Server-based Compliance and Reporting

Reduces Administrative Costs and Complexity

SECTION 4: CONCLUSIONS

CA Access Control Protects Server Resources and Enforces Security Compliance


Executive Summary

Challenge

You are not alone in your worry about the growing challenges of protecting the sensitive data and applications residing on your servers. The increasing value of data, progressively more stringent regulations, and the number of people that need access to critical servers, all make it more difficult to protect sensitive information and intellectual property. This is forcing you to work much harder to manage security policies across large, complex and diverse environments. All the while, your IT organization must remain responsive to business requirements, which at times requires you to make local exceptions while maintaining security and accountability. You may be relying on the native security capabilities within your operating systems, but this alternative presents security concerns regarding separation of duties, as well as manageability and auditing.

Opportunity

You need a central, independent security system to protect server resources across the extended enterprise, providing a flexible and accountable means to contain superuser accounts by delegating necessary privileges to authorized administrators. CA Access Control operates at the system level to ensure efficient and consistent enforcement across all systems — including Windows, UNIX, Linux and virtualized environments. By distributing server security policies to endpoint devices via an advanced policy management capability, you can support large, global enterprise deployments. Moreover, you can securely support auditing of each policy change and enforcement action in order to comply with global regulations.

Benefits

CA Access Control allows you to create, deploy, and manage complex, fine-grained access control policies to ensure only authorized users are getting at your most sensitive data and applications. With multi-platform support and integration with the rest of the CA Identity and Access Management product family, CA Access Control:

• Regulates and audits access to your critical servers consistently across platforms

• Enforces your internal and regulatory compliance requirements by creating and reporting on server access policies

• Reduces administrative costs by centrally managing security across your globally distributed enterprise


SECTION 1: CHALLENGE

Servers: A Source of Complexity in Today’s Data Center

For years, IT excellence was used to gain a competitive advantage, bringing new products to market faster and streamlining internal operations. Server resources have been deployed widely to automate key internal and collaborative business processes, which have created stress on the existing data center infrastructure. With new access and scalability requirements, as well as exciting new technologies like virtualization to improve efficiency, the data center continues to attract attention.

Yet managing security policies across large environments remains a challenge, especially given the importance of being responsive to business requirements, which includes providing the flexibility to make local exceptions. Today’s data center requires extensive visibility across an ever-expanding set of server resources, while ensuring accountability of changes and protecting the sensitive data that resides there.

Failure to manage server resources has been directly responsible for high profile data breaches. Maintaining data integrity is one of the most important jobs of the IT professional. It is a critical mistake to embrace all of these new data center scalability and flexibility technologies without weighing the security and data protection requirements related to these new technologies.

The Regulators Are Watching

According to the Privacy Rights Clearinghouse, since 2005 over 226,000,000 distinct identities have been compromised — resulting in significant costs in compliance fines, to monitor the victim’s credit, reissue credit and bank cards and repair damaged brand reputation. These constant breaches have resulted in government organizations around the world mandating better practices for data protection and information security. Regulations like HIPAA, GLBA, Sarbanes-Oxley, the EU Data Privacy Directive, PIPEDA and Basel II are focused on addressing these issues.

The Payment Card Industry Data Security Standard (PCI DSS) took many of these regulatory frameworks to the next level. Specifying a series of twelve requirements that must be in place to protect cardholder data, PCI has forced another level of accountability on the IT organization.

In order to comply with these regulations, you must be able to prove server access is controlled, tracked and logged. Furthermore, Sarbanes-Oxley has firm requirements relative to segregation of duties, ensuring that the responsibility for complex business processes is distributed amongst many resources to provide checks and balances on these functions.

Thus, sophisticated server resource protection must be implemented to ensure these requirements are met. You are also required to provide granular audit records and reports to substantiate controls, policy status and server access logs for each audit. These regulations require fine-grained controls and cross-platform consistency to ensure the separation of duties, especially in mixed operating system environments. Additionally, in the event of a compromise, the ability to research the incident forensically is also required.


Sensitive Data Is on Your Servers

The type of adversary we face is evolving, as it is no longer valid to assume attackers are “out there” as nameless, faceless hackers. Today, the attacker is just as likely to be a disgruntled employee, saboteur, or business partner with questionable ethics and loyalties. Thus, you need to protect your server resources from both the external attacker (who are still out there) and internal personnel — especially superusers, who have access to all the sensitive data residing on every server they can access.

The complexity of protecting servers and ensuring accountability amongst these superusers is significant. A common technique used by server administrators is to share superuser accounts and use generic logins like “administrator” or “root.” This is problematic for a number of reasons:

AUDIT ISSUES Sharing user accounts prevents audit logs from really identifying which administrator made which changes on the servers, undermining the accountability that is so critical to meeting regulatory requirements.

DATA ACCESS These shared accounts typically result in providing over-privileged users with access to critical systems and data, predominantly because it’s too hard to manage a policy across thousands of servers with granular access rules.

The combination of over-privileged access with administrator carelessness can often impact business continuity. Meanwhile, the lack of accountability makes it almost impossible to trace back to the specific administrator who committed the errors, resulting in both security and accountability issues.

More IT Complexity, Not Less

Innovative business processes bring significant increases in complexity to the data center environment. Chances are you’ve got servers of all flavors and sizes, running a variety of operating systems, application protocols and the like — putting a premium on being able to handle heterogeneity.

In this diverse world, it’s all about enforcing a consistent policy and enabling consolidated logging across servers. Auditors don’t want to hear about the complexities or limitations of native server operating systems; they want to know that your private information and intellectual property are protected — regardless of the application, server platform or user community accessing the data.

A literal explosion in the number of servers being managed has compounded these issues. Virtualization has certainly increased the utilization of our physical assets, but is also dramatically increasing the number of new virtual machines that need to be managed. Virtual machine sprawl means there are many more servers to manage, and since the hypervisors don’t care which operating system is a guest, this exacerbates the heterogeneity problem. Yet, maintaining the security of this expanded, virtualized data center is largely overlooked.

Virtualization also creates a new class of “hypervisor superusers” that can create, copy, move or otherwise manage these guest operating systems, further stressing the need for adequate separation of duties to ensure the data and applications running in these guests are both audited and protected from compromise.

1 Computer Security Institute, Computer Crime and Security Survey 2007


For the first time in 2007, according to the Computer Security Institute, insider attacks are now the most common cause of security incidents, with 60 percent of the respondents reporting an insider-related event.1


It’s easy to see why ensuring these increasingly complex data center environments are provisioned effectively and managed securely has become a critical imperative for all IT organizations.

SECTION 2: OPPORTUNITY

Protecting Server Resources Across the Extended Enterprise

Today’s data center environment is required to provide unprecedented scalability, flexibility and performance to meet the needs of both new and old applications being consumed by employees, business partners and customers.

From a management standpoint, the old model of a system administrator responsible for a certain number of servers running a specific application is no longer sufficient. Administrators are now being increasingly specialized to deal with the inherent complexity of more distributed and complicated applications. Whether they focus on database, email, backup or any other area, the skills of these administrators are not as readily transferable.

The decoupling of the server hardware, operating systems and applications using virtualization technology complicates this specialization. Now an email server and a database can run on the same physical server, dramatically increasing the complexity of the environment.

Thus, these administrators need to have different levels of access to their applications, operating systems and hypervisors. Using the example above, you’d want the email administrator to only manage the email system, and not have access to other system resources, such as the database.

Providing all of these administrators with superuser capabilities is a serious security risk. Privileged accounts (Administrator in Windows, root in UNIX) can run any program, modify any file, and/or stop any process. The inability to restrict these superusers, so that they can only perform tasks within their job responsibilities, and to tie a specific administrative action to a specific person clearly results in a security and accountability gap and violates the key requirements of today's security regulations.

Effective host access control management provides the ability to contain these privileged accounts by delegating necessary privileges to the appropriate personnel only when they need them. The administrators can do their jobs without exposing sensitive data or business critical resources. Additionally, such an approach ensures that there is an audit trail and enforcement of accountability over administrators and their actions.

Cross-platform, Fine-grained Access Control

CA Access Control satisfies internal policies and external compliance regulations by controlling and monitoring access to a diverse set of server-based resources. Enabling cross-platform creation, deployment and management of complex, fine-grained access control policies, CA Access Control surpasses the basic controls available to the native operating systems and meets the needs of the most stringent corporate policies and regulations.


ENDPOINTS

The core elements of CA Access Control are the secure, hardened agents that integrate natively with the operating system to enforce and audit the granular policies required to meet compliance mandates. Endpoint agents are available for all the major operating systems, including all leading Linux, UNIX and Windows versions. The latest list of supported systems can be found at [http://supportconnectw.ca.com/public/etrust/etrust_ac/infodocs/etrustac-matrix.asp].

CA Access Control offers native package formats for installing and managing CA Access Control natively on supported operating systems. Native packages let you manage your CA Access Control installation using native package management tools, as well as the CA software delivery option (SDO) for enterprise software delivery. This allows a global enterprise environment with many managed servers to be deployed quickly.

Additionally, CA Access Control provides a user friendly and consistent Web-based interface to manage the endpoint policies and devices. CA Access Control natively supports the leading virtualization platforms, including VMware ESX, Solaris 10 Zones/LDOM, and Citrix XenServer — ensuring the hypervisor layer and the guest operating systems that run on them are protected.

In enterprise environments, using a directory for user management and directory-enabled application deployment has become common practice. CA Access Control supports enterprise user stores; that is, stores for users and groups that are native to the OS. This native integration allows you to define access rules for your enterprise users and groups without having to synchronize or import the users and groups into the CA Access Control database.

ADVANCED POLICY ARCHITECTURE*

The enterprise-class scalability comes from a distributed, hierarchical model of distributing policies to all managed servers. This Advanced Policy Distribution Architecture uses a central Deployment Map Server (DMS) and Distribution Hosts (DH) to distribute policy deployments to endpoints, and send back deployment information from the endpoints to the DMS. This infrastructure is decoupled from the logical assignment of the policies and is easy to set up, extend, and configure for high availability, failover and disaster recovery.

The policy architecture relies on the following server components:

DEPLOYMENT MAP SERVER sits at the core of advanced policy management. The purpose of the DMS is to store policy management data. You manage a single DMS database, which then sends events to distribution hosts. Policy management and policy reporting are done centrally against the DMS.

DISTRIBUTION HOST is responsible for distributing policy deployments, made on the DMS, to endpoints, and for receiving deployment status from endpoints to send to the DMS.

On the endpoint side, CA Access Control endpoint agents check regularly for new deployments on the DH, and download and apply these as necessary. Execution results are then sent back to the DH, which sends them to the DMS for centralized auditing. Also, the DMS (through a DH) constantly checks with each endpoint agent to ensure the protection is operational and the host is running.


Supporting Organizations Large and Small

Cross-platform Server Protection

Many organizations deploy a diverse server infrastructure including Windows, Linux and UNIX systems. CA Access Control enables consistent, integrated management and enforcement of access security policies across all of these environments. The Advanced Policy Architecture provides a single interface through which policies can be administered and distributed to Windows and UNIX subscribers at the same time. Consolidated management of Linux, UNIX and Windows servers decreases the amount of administrative work required and improves the system administrator efficiency, saving significant management cost.

FINE-GRAINED ACCESS CONTROL

CA Access Control is an independent security enforcement solution, which means it does not rely on the underlying operating system to enforce server access control policies. By operating at the system level, CA Access Control monitors and regulates all access to system resources, including those originating from domain or local system administrators. These fine-grained access enforcement capabilities act to regulate, delegate and contain domain administrators or any other account in the IT environment and provide:

FIGURE A: CA ACCESS CONTROL POLICY MANAGEMENT ARCHITECTURE*

The endpoints subscribe to their specific Host Group’s policies and pull them from the Distribution Host. This allows a simple setup for achieving high availability and scalability. [Diagram labels: Enterprise Management Web UI; Policy; Deployment Map Server (DMS); Distribution Hosts (DH) with failover; End-Points that pull policies and push policy deployment status; highly scalable.]


IMPERSONATION CONTROL CA Access Control controls surrogate user delegation capabilities to reduce the exposure of unauthorized users running applications with enhanced privileges and achieve accountability of shared account activity. For example, an administrator could surrogate to another person’s profile to change a file’s access control list (ACL) attributes without any accountability for their actions. CA Access Control protects on multiple levels by first limiting those who use Run-As and the UNIX “su” command and preserving the original user ID even after surrogate actions, ensuring user access records in audit logs show the original account. This allows users to log in using their own ID and safely surrogate to the privileged accounts without loss of accountability.

SUPERUSER (ADMINISTRATOR/ROOT) CONTAINMENT The root account is a significant source of vulnerability because it allows applications or users to assume a more powerful level of privilege than needed. CA Access Control inspects all relevant incoming requests at the system level, and enforces authorization based on the defined rules and policies. Not even the privileged root account can bypass this level of control. Thus, all privileged users become managed users and are accountable for their activities on the system.

ROLE-BASED ACCESS CONTROL Best practice dictates that each administrator has sufficient privileges to perform his/her job functions and no more. By providing a sophisticated role-based access control environment, administrators are unable to share a superuser password and potentially take advantage of its associated privileges. By default, CA Access Control provides popular administrative and auditing roles that can be customized and expanded to meet the needs of your IT organization. These roles include:

• Auditor: User can assign audit attributes and display user and user group characteristics

• Operator: User can display user and user group characteristics

• Password Manager: User can change the passwords of other users

This enables CA Access Control to define administrative privileges on specific classes of administrators, for example those that can define FILE access or PROCESS control and manage those resources.

FINE-GRAINED ENFORCEMENT Native operating systems (Linux, UNIX, Windows) offer limited capabilities to granularly and effectively delegate certain system administration rights to less powerful user accounts. CA Access Control provides fine-grained enforcement and regulates access based on many criteria including network attributes, time of day, calendar or access program. Features include:

• Additional granular controls: specific privileges for file, service and other O/S-level (rename, copy, stop, start) functions can be assigned to a specific administrator or an administration group.

• Different levels of enforcement: CA Access Control Warning Mode is commonly used by organizations to determine if proposed security policies are too strict or too lenient so they can be modified accordingly. Additionally, CA Access Control provides the ability to instantly validate the effects of a security policy without enforcing the restriction through the Validation Mode setting. After selecting a user and resource, the validation check command determines if the user has permission to access the resource given the security policy.


• Enhanced ACLs: CA Access Control provides many enhanced ACL capabilities to enhance the security administrator’s ability to properly assign access rights to authorized users. These additional settings include: Conditional Access Control Lists (CACL) enforce user access based on various criteria such as default access mode or time and date. Program Access Control Lists (PACL) remove access rights to certain data files, such as configuration files or password files, except when using approved programs. Negative Access Control Lists (NACL) specify access rights that should be denied to a system resource. Generic resource definition allows you to define access to resources based on the pattern of the file name, host name, registry path, etc.

• Network-based Access Control: Today’s open environments require strong control over user access and information flowing over the network. Network-based access control adds another layer of protection to regulate access to the network. CA Access Control can manage access to network ports or network access programs, and network security policies can manage bi-directional access by terminal ID, hostname, network address, segments or other attributes.
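To make the enhanced ACL types above, the preserved original user ID described under IMPERSONATION CONTROL, and Warning/Validation Mode concrete, here is an added Python model; it is illustrative code, not CA's enforcement engine or its policy language. The rule precedence, the `Subject`/`Resource` names, the sample policy and the user names are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime
from fnmatch import fnmatch


@dataclass
class Subject:
    """Requester. login_user survives su/Run-As so the audit record names
    the real person even when effective_user is root."""
    login_user: str
    effective_user: str
    groups: frozenset = frozenset()
    program: str = ""  # the access program making the request

    def names(self):
        return {self.effective_user} | {"group:" + g for g in self.groups}


@dataclass
class Resource:
    """Generic resource: pattern is matched against the requested path."""
    pattern: str
    defaccess: frozenset = frozenset()        # access for anyone not listed
    acl: dict = field(default_factory=dict)   # name -> ops always allowed
    cacl: list = field(default_factory=list)  # (name, ops, from_hour, to_hour)
    pacl: dict = field(default_factory=dict)  # program -> ops allowed only via it
    nacl: dict = field(default_factory=dict)  # name -> ops explicitly denied


class AccessEngine:
    """mode 'enforce' blocks denied requests; 'warning' only audits them."""

    def __init__(self, resources, mode="enforce"):
        self.resources, self.mode, self.audit = resources, mode, []

    def _match(self, path):
        hits = [r for r in self.resources if fnmatch(path, r.pattern)]
        # Assumed precedence: the most specific (longest) pattern wins.
        return max(hits, key=lambda r: len(r.pattern)) if hits else None

    def decide(self, subj, path, op, when):
        """Validation-mode check: the decision with no audit side effect.
        Assumed order: NACL, PACL, ACL, CACL, default access. No account
        (root included) is special-cased."""
        res = self._match(path)
        if res is None:
            return False, "no matching resource"
        names = subj.names()
        if any(op in res.nacl.get(n, ()) for n in names):
            return False, "NACL"
        if res.pacl:  # data file reachable only through approved programs
            return op in res.pacl.get(subj.program, ()), "PACL"
        if any(op in res.acl.get(n, ()) for n in names):
            return True, "ACL"
        for name, ops, start, end in res.cacl:
            if name in names and op in ops and start <= when.hour < end:
                return True, "CACL"
        if op in res.defaccess:
            return True, "defaccess"
        return False, "default deny"

    def check(self, subj, path, op, when):
        """Enforcement path: decide, write an audit record, return allowed."""
        allowed, why = self.decide(subj, path, op, when)
        outcome = "permit" if allowed else ("warn" if self.mode == "warning" else "deny")
        self.audit.append({
            "time": when.isoformat(), "login_user": subj.login_user,
            "effective_user": subj.effective_user, "program": subj.program,
            "path": path, "op": op, "outcome": outcome, "rule": why,
        })
        return outcome != "deny"


# Constructed sample policy, not a real CA rule set.
POLICY = [
    Resource("/etc/shadow", pacl={"/usr/bin/passwd": {"read", "write"}}),
    Resource("/var/log/*", defaccess=frozenset({"read"}),
             nacl={"group:contractors": {"read"}}),
    Resource("/opt/app/config/*.cfg", acl={"group:ops": {"read"}},
             cacl=[("group:ops", {"write"}, 9, 17)]),
]


def demo(mode="enforce"):
    """Runs constructed requests; returns outcomes and the audit trail."""
    eng = AccessEngine(POLICY, mode)
    night, day = datetime(2008, 6, 2, 3, 0), datetime(2008, 6, 2, 10, 0)
    ops = Subject("asmith", "asmith", frozenset({"ops"}), "/bin/vi")
    root_cat = Subject("jdoe", "root", frozenset(), "/bin/cat")  # jdoe after su
    root_passwd = Subject("jdoe", "root", frozenset(), "/usr/bin/passwd")
    ctr = Subject("bob", "bob", frozenset({"contractors"}), "/bin/cat")
    cfg = "/opt/app/config/db.cfg"
    results = {
        "ops_read_night": eng.check(ops, cfg, "read", night),
        "ops_write_night": eng.check(ops, cfg, "write", night),
        "ops_write_day": eng.check(ops, cfg, "write", day),
        "root_cat_shadow": eng.check(root_cat, "/etc/shadow", "read", day),
        "root_passwd_shadow": eng.check(root_passwd, "/etc/shadow", "read", day),
        "contractor_log": eng.check(ctr, "/var/log/messages", "read", day),
    }
    return results, eng.audit
```

Running `demo("warning")` shows the same decisions recorded as `warn` while the requests go through, which is what Warning Mode is used for when tuning a policy.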

LOGIN CONTROL CA Access Control can enhance login security by limiting user login by originating IP address, terminal ID, type of login program or time of the day. CA Access Control can also limit the concurrent login sessions of a user to enforce stringent user access to a server. Users can be automatically suspended after too many failed login attempts, protecting systems against brute force attacks. Additionally, CA Access Control provides secure suspension and revocation of user accounts in distributed environments.
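An added Python sketch of the login controls listed above (constructed here, not CA's implementation): source network, terminal, login program and time-of-day limits, a concurrent-session cap, automatic suspension after repeated failures, and administrative revocation. The policy values, user names and addresses are made up.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class LoginPolicy:
    """Constructed per-user login rule: where, how and when a login may occur."""
    networks: tuple = ("0.0.0.0/0",)     # permitted source networks
    terminals: tuple = ("*",)            # permitted terminal IDs (fnmatch patterns)
    programs: tuple = ("sshd", "login")  # permitted login programs
    hours: tuple = (0, 24)               # permitted hour window [from, to)
    max_sessions: int = 2                # concurrent session cap
    max_failures: int = 3                # failures before automatic suspension
    lockout: timedelta = timedelta(minutes=30)


@dataclass
class UserState:
    failures: int = 0
    sessions: set = field(default_factory=set)
    suspended_until: Optional[datetime] = None
    revoked: bool = False


class LoginController:
    def __init__(self, policies):
        self.policies = policies   # user -> LoginPolicy
        self.state = {}            # user -> UserState
        self.audit = []

    def _st(self, user):
        return self.state.setdefault(user, UserState())

    def revoke(self, user):
        """Administrative revocation: the account may no longer log in at all."""
        self._st(user).revoked = True

    def logout(self, user, session):
        self._st(user).sessions.discard(session)

    def attempt(self, user, src_ip, terminal, program, password_ok, when):
        """Evaluate one login; returns (granted, reason, session_id_or_None)."""
        pol, st = self.policies.get(user), self._st(user)
        if st.suspended_until is not None and when >= st.suspended_until:
            st.suspended_until, st.failures = None, 0   # lockout has lapsed
        reason = None
        if pol is None:
            reason = "no login policy"
        elif st.revoked:
            reason = "account revoked"
        elif st.suspended_until is not None:
            reason = "account suspended"
        elif not any(ip_address(src_ip) in ip_network(n) for n in pol.networks):
            reason = "source address not permitted"
        elif not any(fnmatch(terminal, t) for t in pol.terminals):
            reason = "terminal not permitted"
        elif program not in pol.programs:
            reason = "login program not permitted"
        elif not pol.hours[0] <= when.hour < pol.hours[1]:
            reason = "outside permitted hours"
        elif not password_ok:
            st.failures += 1
            reason = "bad password"
            if st.failures >= pol.max_failures:   # brute-force protection
                st.suspended_until = when + pol.lockout
                reason = "bad password; account suspended"
        elif len(st.sessions) >= pol.max_sessions:
            reason = "concurrent session limit reached"
        session = None
        if reason is None:
            st.failures = 0
            session = f"{terminal}@{when.isoformat()}"
            st.sessions.add(session)
        self.audit.append((when.isoformat(), user, src_ip, terminal, program,
                           reason or "ok"))
        return reason is None, reason or "ok", session


def demo():
    """Constructed scenario for one user; returns (granted, reason) per step."""
    ctl = LoginController({"asmith": LoginPolicy(
        networks=("10.1.0.0/16",), terminals=("console", "pts/*"), hours=(7, 19))})
    t0 = datetime(2008, 6, 2, 9, 0)
    good = ("asmith", "10.1.2.3")
    out = {}
    out["wrong_net"] = ctl.attempt("asmith", "192.168.5.9", "pts/0", "sshd", True, t0)[:2]
    out["night"] = ctl.attempt(*good, "pts/0", "sshd", True, t0.replace(hour=23))[:2]
    for i in range(3):    # three wrong passwords trigger the 30-minute suspension
        last = ctl.attempt(*good, "pts/0", "sshd", False, t0 + timedelta(minutes=i))
    out["third_failure"] = last[:2]
    out["during_lockout"] = ctl.attempt(*good, "pts/0", "sshd", True, t0 + timedelta(minutes=5))[:2]
    out["after_lockout"] = ctl.attempt(*good, "pts/0", "sshd", True, t0 + timedelta(minutes=40))[:2]
    second = ctl.attempt(*good, "pts/1", "sshd", True, t0 + timedelta(minutes=41))
    out["second_session"] = second[:2]
    out["third_session"] = ctl.attempt(*good, "pts/2", "sshd", True, t0 + timedelta(minutes=42))[:2]
    ctl.logout("asmith", second[2])
    out["after_logout"] = ctl.attempt(*good, "pts/2", "sshd", True, t0 + timedelta(minutes=43))[:2]
    ctl.revoke("asmith")
    out["revoked"] = ctl.attempt(*good, "console", "login", True, t0 + timedelta(minutes=44))[:2]
    return out
```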

MANAGING ACCESS TO VIRTUAL ENVIRONMENTS

Virtualization consolidates multiple server instances on a single physical machine, delivering lower total cost of ownership and improved machine utilization. Unfortunately, virtualization creates a new class of “hypervisor superusers” that can create, copy, move or otherwise manage these guest operating systems. This produces an additional need for adequate separation of duties and consolidated server resource protection to ensure all of the data and all of the applications running in these guests are both audited and protected from compromise.

Using CA Access Control, these Hypervisor Administrators can be controlled and proper separation of duties can be implemented.

This capability provides a critical layer of protection to mitigate virtualization risks. The endpoint agents support a long list of OS versions running as guests, as well as various OS virtualization hosts, including VMware ESX Server, Solaris 10 Zones, Linux Xen and Windows Virtual Server.

OPERATING SYSTEM HARDENING

A critical layer to the defense-in-depth strategy is protecting the OS against unauthorized external access or penetration. CA Access Control offers several external security measures to add an additional layer of security for your servers.

• Trusted program execution: To prevent the operating environment from being tainted by malware, particularly Trojans, CA Access Control provides first-line trusted program protection. Sensitive resources can be marked as trusted; these files and programs will then be monitored, and CA Access Control will block execution should the program be modified by malware. Changes to trusted resources can be limited to specific users or user groups to further reduce the likelihood of unexpected change.


• Stack Overflow Protection: External threats that compromise critical services or damage the integrity of executables are a high risk factor in protecting production servers. CA Access Control carefully monitors and safeguards applications, such as mail servers, by guarding memory space and program tracking information, so that even in the event of memory overflow or Trojan attack, malicious code cannot be activated by the system.

• Registry Protection: The Windows registry is a clear target for hackers and malicious users because the centralized database contains operating system parameters, including those that control device drivers, configuration details and hardware, environment and security settings. CA Access Control provides registry protection through the support of rules that can block administrators from changing or tampering with the registry settings.

• Application Jailing: CA Access Control allows accepted actions to be defined for high-risk applications. Any behavior that exceeds these bounds will be restricted by an application jailing function. For example, an ACL can be built based on a logical ID which owns Oracle processes and services so its jailed behavior prohibits it from any actions besides starting Oracle DBMS services.
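An added illustration of the trusted program execution control described in the hardening list above (not CA's code): a SHA-256 baseline is recorded per trusted file, execution is refused once the file no longer matches it, and re-baselining is limited to named maintainers. The class name, file contents and user names are constructed for the example.

```python
import hashlib
import os
import tempfile


class TrustedProgramGuard:
    """Records a SHA-256 baseline for each trusted file; execution is allowed
    only while the file still matches, and only maintainers may re-baseline."""

    def __init__(self, maintainers):
        self.maintainers = set(maintainers)   # users allowed to change trusted files
        self.baseline = {}                    # path -> sha256 hex digest
        self.audit = []

    @staticmethod
    def digest(path):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()

    def trust(self, path, by_user):
        """Mark a file trusted (or accept a legitimate change to it)."""
        if by_user not in self.maintainers:
            self.audit.append(("trust-denied", path, by_user))
            return False
        self.baseline[path] = self.digest(path)
        self.audit.append(("trusted", path, by_user))
        return True

    def may_execute(self, path, by_user):
        """Returns (allowed, reason); files never marked trusted are not monitored."""
        expected = self.baseline.get(path)
        if expected is None:
            return True, "not a trusted resource"
        if self.digest(path) != expected:
            self.audit.append(("blocked-modified", path, by_user))
            return False, "trusted program modified since baseline"
        return True, "trusted"


def demo():
    """Constructed scenario in a temporary directory; returns outcomes and audit."""
    guard = TrustedProgramGuard(maintainers={"secadmin"})
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        prog = os.path.join(tmp, "backup.sh")
        with open(prog, "wb") as f:
            f.write(b"#!/bin/sh\ntar czf /backup/etc.tgz /etc\n")   # constructed script
        guard.trust(prog, "secadmin")
        out["clean"] = guard.may_execute(prog, "oracle")
        with open(prog, "ab") as f:
            f.write(b"echo tampered\n")                              # simulated modification
        out["tampered"] = guard.may_execute(prog, "oracle")
        out["rebaseline_by_bob"] = guard.trust(prog, "bob")           # not a maintainer
        out["still_blocked"] = guard.may_execute(prog, "oracle")[0]
        out["rebaseline_by_secadmin"] = guard.trust(prog, "secadmin")
        out["after_rebaseline"] = guard.may_execute(prog, "oracle")
        out["unmonitored"] = guard.may_execute(os.path.join(tmp, "other.sh"), "oracle")
    return out, guard.audit
```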

Assisting in the Compliance Process

Compliance means that you have the correct policies in place, and that those policies are deployed, but most importantly, that you can provide proof of being compliant with both corporate policies and regulatory standards, while accounting for any deviations from the policy.

In order to prove compliance, server resource protection solutions must generate reports to substantiate password policies, entitlement levels and segregation of duties. The CA Access Control reporting service lets you view the security status of users, groups and resources by gathering data from each endpoint across the enterprise, aggregating it into a central location, analyzing the results against the corporate policy and then finally generating a report.

The reporting service works independently to collect the policies in effect on each endpoint on a scheduled basis. Resilience is built into the system, as endpoint status is reported without the need for manual intervention and whether the collection server is up or down. Additionally, the reporting service components are external to the CA Access Control enforcement system and do not require the endpoint enforcement functions to be disrupted when reconfiguring or customizing any reports.

The reporting service is structured to allow reporting of the status of the policies that are enforced by each endpoint. You can build custom reports for a variety of purposes, or use the existing reports that CA Access Control provides out-of-the-box. The reporting service also facilitates centralized report storage and management and provides secure access through SSL to these reports. The functionality is architected for large environments, leveraging report agents (which take snapshots of policy databases), a report server (which collects the endpoint reports), and a central database (which aggregates the policy data from the extended organization). Once there is data available in the central database, you use the Report Portal — a CA version of the BusinessObjects InfoView portal, bundled with the ready-made CA Access Control reports — to generate reports and interrogate the stored data.


POLICY COMPLIANCE AND ENTITLEMENTS REPORTS*

It is no longer sufficient to produce event-based reports about actions that have happened in the past for compliance reporting purposes. Instead, achieving compliance today also requires proactive reports that can highlight policy status at any point in time. To help, CA Access Control provides proactive reporting on user access privileges and proof of existing access controls.

Out-of-the-box, the CA Access Control reporting service comes with standard reports detailing information on entitlements and the current status of (and deviation from) deployed policies as part of the default product installation. They provide immediate value by complementing existing event-based auditing to monitor compliance requirements and highlight existing discrepancies. The standard reports include:

POLICY MANAGEMENT REPORTS Allowing you to view the status of policy deployment and deviations from the standard policies.

ENTITLEMENTS REPORTS Allowing you to view the entitlements users and groups have over system resources or, the other way around, showing who can access specific resources. A common use would be to see who has root access to the systems.

USER MANAGEMENT REPORTS Providing you the ability to view inactive accounts, user and group membership and administrative accounts, and manage segregation of duties.

PASSWORD MANAGEMENT REPORTS Delivering information on password aging, password policy compliance, etc.

The open policy reporting provided by CA Access Control relies on a standard RDBMS. Interoperability with external systems allows administrators to run policy reports through the reporting tool of their choice and customize report layouts to meet internal standards or auditor requests.

FIGURE B: POLICY DEPLOYMENT SCORECARD

A sample report that shows a point in time snapshot of the hosts that are compliant with a specific policy.


Enterprise Scale Access Control ManagementGiven the complexity and scalability required of today’s server resources, it’s critical to be ableto implement and enforce a centralized policy for access control across the global, extendedenterprise, while adjusting to local exceptions and business needs. CA Access Control has anumber of sophisticated features to facilitate and streamline the management of access andallow exceptions in an accountable and visible manner.

LOGICAL HOST GROUPING*You can group your endpoints into logical host groups and then assign policies based on thishost group membership, regardless of how your endpoints are physically organized. Hosts canbe members of a number of logical host groups depending on their properties and policy demands.For example, if you have hosts running a Red Hat operating system and Oracle, these can bemembers of a Red Hat logical host group to get the baseline Red Hat access control policies,and also members of the Oracle logical host group to get the Oracle access control policies.

Logical host groups decouple policy assignment from policy distribution. This simplifies policy management, as it does not require you to change your hierarchy to fit policy assignment requirements, and lets you manage smaller, more specific policies and more focused host groups. The result is an 80% reduction in the time and cost to securely provision a new server resource.

LOGICAL HOST GROUPS

FIGURE C: Logical Host Groups and Policies. The security administrator can define logical host groups, assign policies to them and have full visibility into the compliance of these hosts with the policies. (Diagram labels: Security Administrator, Policy Management, Policy Reports; host groups Linux Group, Web Group, DB Group and Windows Group with their Linux Policies, Web Policies, DB Policies and Windows Policies; endpoints Linux Web, Linux DB, Windows Web and Windows DB, each a member of more than one group.)


POLICY VERSION CONTROL* CA Access Control lets you track policy changes by representing each policy as a single entity with multiple versions. When you create a new version of a policy, the previous version remains stored and includes information on policy version deployment and un-deployment rules, who created the version (for auditing and accountability purposes) and when it was created. Additionally, an upgrade process lets you upgrade policy deployment on all assigned hosts to the latest policy version.
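The two mechanisms just described, logical host grouping and policy version control, fit together in a small data model. The following Python is an added illustration written for this brief, not CA's code and not the product's actual data structures or command language: a policy is a single named entity with an ordered, immutable version history that records who created each version; policies are assigned to logical host groups, a host resolves its effective policies as the union across every group it belongs to, and a scorecard compares the deployed version on each host with the latest version. The hosts, group names, policy names and rule strings are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class PolicyVersion:
    """One immutable version of a named policy (hypothetical model)."""
    policy: str
    version: int
    rules: Tuple[str, ...]
    created_by: str   # retained for auditing and accountability
    created_at: str


class PolicyStore:
    """Each policy is one entity with an ordered list of versions."""

    def __init__(self) -> None:
        self._versions: Dict[str, List[PolicyVersion]] = {}

    def create_version(self, policy: str, rules: List[str],
                       created_by: str, created_at: str) -> PolicyVersion:
        history = self._versions.setdefault(policy, [])
        pv = PolicyVersion(policy, len(history) + 1, tuple(rules),
                           created_by, created_at)
        history.append(pv)          # earlier versions stay stored
        return pv

    def latest(self, policy: str) -> PolicyVersion:
        return self._versions[policy][-1]

    def history(self, policy: str) -> List[PolicyVersion]:
        return list(self._versions[policy])


class HostGroupManager:
    """Assign policies to logical host groups; distribute them to member hosts."""

    def __init__(self, store: PolicyStore) -> None:
        self.store = store
        self.members: Dict[str, Set[str]] = {}          # group -> hosts
        self.assignments: Dict[str, Set[str]] = {}      # group -> policy names
        self.deployed: Dict[Tuple[str, str], int] = {}  # (host, policy) -> version

    def add_host(self, host: str, *groups: str) -> None:
        for group in groups:                # a host may sit in several groups
            self.members.setdefault(group, set()).add(host)

    def assign_policy(self, group: str, policy: str) -> None:
        self.assignments.setdefault(group, set()).add(policy)

    def effective_policies(self, host: str) -> List[str]:
        """Union of the policies assigned to every group the host belongs to."""
        policies: Set[str] = set()
        for group, hosts in self.members.items():
            if host in hosts:
                policies |= self.assignments.get(group, set())
        return sorted(policies)

    def deploy(self, host: str) -> Dict[str, int]:
        """Deploy the latest version of each effective policy to one host."""
        for policy in self.effective_policies(host):
            self.deployed[(host, policy)] = self.store.latest(policy).version
        return {p: v for (h, p), v in self.deployed.items() if h == host}

    def upgrade(self, policy: str) -> List[str]:
        """Move every host that has the policy deployed to its latest version."""
        latest = self.store.latest(policy).version
        upgraded = []
        for (host, p), version in self.deployed.items():
            if p == policy and version < latest:
                self.deployed[(host, p)] = latest   # existing key: safe while iterating
                upgraded.append(host)
        return sorted(upgraded)

    def scorecard(self, policy: str) -> Dict[str, bool]:
        """Point-in-time view: which hosts run the latest version of a policy."""
        latest = self.store.latest(policy).version
        return {host: version == latest
                for (host, p), version in self.deployed.items() if p == policy}


def build_demo() -> HostGroupManager:
    """Constructed sample: two Red Hat hosts running Oracle and one Windows host."""
    store = PolicyStore()
    store.create_version("redhat-baseline", ["protect /etc/shadow: deny write"],
                         "alice", "2008-09-01")
    store.create_version("oracle-db", ["protect oracle data files: deny read by others"],
                         "bob", "2008-09-02")
    store.create_version("windows-baseline", ["audit writes under the system directory"],
                         "alice", "2008-09-03")
    mgr = HostGroupManager(store)
    mgr.add_host("web01", "redhat", "oracle")   # member of two logical groups
    mgr.add_host("db01", "redhat", "oracle")
    mgr.add_host("win01", "windows")
    mgr.assign_policy("redhat", "redhat-baseline")
    mgr.assign_policy("oracle", "oracle-db")
    mgr.assign_policy("windows", "windows-baseline")
    for host in ("web01", "db01", "win01"):
        mgr.deploy(host)
    return mgr


if __name__ == "__main__":
    mgr = build_demo()
    mgr.store.create_version("redhat-baseline", ["v2 rules"], "alice", "2008-10-01")
    print("before upgrade:", mgr.scorecard("redhat-baseline"))
    print("upgraded hosts:", mgr.upgrade("redhat-baseline"))
    print("after upgrade:", mgr.scorecard("redhat-baseline"))
```

Creating version 2 of the Red Hat baseline does not touch the hosts by itself; the scorecard immediately reports both Red Hat hosts as non-compliant, and only the explicit upgrade step brings them back, which is the distinction between a stored policy version and a deployed one that the text draws.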

ENTERPRISE MANAGEMENT WEB USER INTERFACE* The enterprise management Web-based interface is simple and intuitive, and allows you to perform advanced policy management while providing an integrated view of your entire CA Access Control environment of servers. The Web-based interface also helps you manage individual endpoints or Policy Models and enables you to:

• Create hosts

• Assign hosts to host groups

• Create and update policies

• Assign and remove policies to hosts or host groups

• Directly deploy and remove policies from hosts or host groups

• Upgrade assigned policies to their latest version

• Audit policy deployment in the enterprise

• Browse the enterprise by host, host group or policy

• Manage discrete endpoints via End Point Management

The user interface is consistent across all CA Identity & Access Management offerings, utilizing the common CA framework for look and feel, administrative scoping and task delegation.

CA ACCESS CONTROL R12 ENTERPRISE MANAGEMENT CONSOLE

FIGURE D: The Enterprise Management WorldView provides a view of the environment from an endpoint perspective, a host group perspective, or a policy perspective, allowing you to browse the hierarchy down to the endpoint management level if needed.


Sophisticated, Secure Auditing Capabilities

While proactive access control is a necessary measure for securing host systems, it is also important to be able to resolve access incidents after they occur. Compliance often requires critical user actions within the system to be controlled and provable through an audit trail. In order to efficiently address regular compliance audits, this data should also be centrally collected and securely managed. CA Access Control provides independent audit logs that cannot be modified by unauthorized users, including domain or system administrators.

Native operating systems do not consistently track a user's actions at the granular level required by most regulatory standards and cannot trace shared account usage. A key requirement of most regulations is to be able to consistently hold superusers accountable for the changes they make in the systems. Without a consistent, cross-platform capability to monitor and control server resources, damage to a system might be impossible to detect or impossible to connect back to an actual user.

CA Access Control generates secure and reliable audit logs which associate true user IDs with all protected resource actions (even after surrogate operations). Any action attempted by the user relating to an access policy can be recorded, including whether or not the user was allowed to successfully complete the request. If the need for an investigation arises, this complete, detailed and accurate audit data can greatly expedite the identification of the attack source and activities.

COMPREHENSIVE AUDIT MODES CA Access Control offers the following three auditing settings:

• Success, which generates an event any time an audited resource is successfully accessed

• Failure, which tracks and records any and all access denials

• Warning, which generates an audit record any time an access policy is violated, although CA Access Control does not deny access

You can define the auditing mode or combination of modes that should be enforced for each user, group or resource. For example, the auditing for the security administrators group and the general audit level for files may be set to Failure, but specifically for the system configuration files, auditing events will be generated for both Success and Failure.
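The three audit modes and their combination per user, group and resource can be made concrete with a small decision function. The following Python is an added illustration written for this brief, not CA's code and not the product's actual evaluation rules: audit modes are combinable flags; the modes set for the user, for each of the user's groups and for the most specific matching resource prefix are combined (this union and longest-prefix rule is an assumption of the example); a denied request under Warning mode is allowed but recorded; and every record carries both the effective user and the true login user, so an action taken after a surrogate operation still points back at the person. The group, path prefixes and requests are constructed sample data that reproduce the brief's own example of Failure at the general file level and Success plus Failure for system configuration files.

```python
from dataclasses import dataclass
from enum import Flag, auto
from typing import Dict, List, Optional, Tuple


class AuditMode(Flag):
    """The three audit settings from the brief; they may be combined."""
    NONE = 0
    SUCCESS = auto()   # record successful access to an audited resource
    FAILURE = auto()   # record every access denial
    WARNING = auto()   # record a policy violation but do not deny access


@dataclass(frozen=True)
class AuditRecord:
    user: str        # effective user at the time of access (e.g. after su)
    true_user: str   # original login, kept across surrogate operations
    resource: str
    access: str
    outcome: str     # "success", "failure" or "warning"


class AuditPolicy:
    """Hypothetical model of per-user, per-group and per-resource audit modes."""

    def __init__(self) -> None:
        self.user_modes: Dict[str, AuditMode] = {}
        self.group_modes: Dict[str, AuditMode] = {}
        self.resource_modes: Dict[str, AuditMode] = {}   # path prefix -> modes
        self.log: List[AuditRecord] = []

    def set_user(self, user: str, mode: AuditMode) -> None:
        self.user_modes[user] = mode

    def set_group(self, group: str, mode: AuditMode) -> None:
        self.group_modes[group] = mode

    def set_resource(self, prefix: str, mode: AuditMode) -> None:
        self.resource_modes[prefix] = mode

    def resource_mode(self, resource: str) -> AuditMode:
        """Most specific (longest) matching prefix wins; an assumption of this model."""
        best = ""
        for prefix in self.resource_modes:
            if resource.startswith(prefix) and len(prefix) > len(best):
                best = prefix
        return self.resource_modes.get(best, AuditMode.NONE)

    def effective_mode(self, user: str, groups: List[str], resource: str) -> AuditMode:
        """Union of the user's, the groups' and the resource's modes (assumption)."""
        mode = self.user_modes.get(user, AuditMode.NONE) | self.resource_mode(resource)
        for group in groups:
            mode |= self.group_modes.get(group, AuditMode.NONE)
        return mode

    def decide(self, user: str, true_user: str, groups: List[str], resource: str,
               access: str, policy_allows: bool) -> Tuple[bool, Optional[AuditRecord]]:
        """Apply the access decision already made by policy and emit the audit record."""
        mode = self.effective_mode(user, groups, resource)
        if policy_allows:
            allowed = True
            outcome = "success" if AuditMode.SUCCESS in mode else None
        elif AuditMode.WARNING in mode:
            allowed = True                  # violation is logged, not denied
            outcome = "warning"
        else:
            allowed = False
            outcome = "failure" if AuditMode.FAILURE in mode else None
        record = None
        if outcome is not None:
            record = AuditRecord(user, true_user, resource, access, outcome)
            self.log.append(record)
        return allowed, record


def build_demo() -> AuditPolicy:
    """Constructed configuration mirroring the brief's example, plus one Warning tree."""
    policy = AuditPolicy()
    policy.set_group("secadmins", AuditMode.FAILURE)                   # security administrators
    policy.set_resource("/", AuditMode.FAILURE)                        # general file level
    policy.set_resource("/etc/", AuditMode.SUCCESS | AuditMode.FAILURE)  # system configuration files
    policy.set_resource("/opt/legacy/", AuditMode.WARNING)             # constructed: monitor-only tree
    return policy


def run_scenarios(policy: AuditPolicy) -> List[Tuple[bool, Optional[str]]]:
    """Constructed requests: (user, true_user, groups, resource, access, policy_allows)."""
    cases = [
        ("root", "alice", ["secadmins"], "/etc/passwd", "write", True),       # alice after su
        ("alice", "alice", ["secadmins"], "/home/alice/notes", "write", True),
        ("bob", "bob", [], "/etc/shadow", "read", False),
        ("bob", "bob", [], "/opt/legacy/app.cfg", "write", False),
    ]
    results = []
    for case in cases:
        allowed, record = policy.decide(*case)
        results.append((allowed, record.outcome if record else None))
    return results


if __name__ == "__main__":
    demo = build_demo()
    for result, record in zip(run_scenarios(demo), demo.log + [None]):
        print(result)
```

Run as a script, the four requests yield a success record for the configuration file write (attributed to alice, not to root), nothing for the permitted write in the home directory (only Failure is audited there), a failure record for the denied read, and an allowed-but-recorded warning for the legacy tree. The last case is the one to watch in a real deployment: Warning mode makes a policy visible in the logs without enforcing it, so a resource left in Warning mode is monitored, not protected.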

LOG ROUTING* Routing all relevant access events to a single, secure location is a key requirement for efficiently managing compliance. CA Access Control helps provide the ability to route and centralize all access control logs. This not only consolidates the logs, but also ensures their availability and integrity in case of a network breach or system compromise.

REAL-TIME NOTIFICATION CA Access Control supports immediate notification about security events, which can be routed to pagers or external consoles for quick problem resolution, or to other security information management systems. When delivered to CA Audit or CA Security Command Center, CA Access Control security events can be collected, filtered and consolidated for reporting and analysis.


SELF-PROTECTION Auditing daemons and logs themselves need protection from potential attacks, shutdowns or tampering. CA Access Control auditing services and logs are self-protected and cannot be shut down or modified. This ensures log integrity and complete information for any future investigation.

CA AUDIT INTEGRATION CA Access Control is integrated with CA Audit, and CA Access Control Premium Edition includes a license of CA Audit for the purpose of collecting access control events. Thus, events in CA Access Control are sent to CA Audit for further handling, enabling aggregation of log files, correlation with other events across the enterprise IT environment and creation of policy-specific reports. This facilitates the audit process and supports detailed investigations and verification of key compliance auditing and monitoring metrics. Features of CA Audit also include:

CROSS-PLATFORM DATA COLLECTION Aggregates event data from an extensive variety of sources, including operating systems, business applications, network devices, security devices, mainframes, access control systems and Web services

REAL-TIME TOOLS FOR COLLECTION, VIEWING AND REPORTING Provides customizable views and reports relative to specific users' roles

ALERT MANAGEMENT Filters and monitors critical events and executes alerts and other actions based on established policies

CENTRAL SECURITY DATA REPOSITORY Stores audit data in a central repository, built around a scalable relational database for easy access, and provides reporting for historical analysis

An Essential Part of the Larger Identity and Access Management Solution

CA Access Control can be installed independently and provide full server access protection without dependencies on other CA or third-party products. However, all products in the CA Identity & Access Management solution share common approaches and components for the Web user interface, administration concepts, delegation of responsibilities and reporting, to ensure a consistent administrative experience.

Given that operating system access protection may be a single component of a defense-in-depth strategy, CA Access Control provides integration with CA security products including:

CA IDENTITY MANAGER As a provisioning target for CA Identity Manager, the CA Access Control user base can be managed from, and automatically kept in sync with, CA Identity Manager

CA SECURITY COMMAND CENTER CA Access Control security events can be collected by, or automatically routed to, any remote server defined by CA Security Command Center

CA ACF2™ SECURITY AND CA TOP SECRET® SECURITY CA Access Control can leverage the mainframe user store provided by CA ACF2 Security or CA Top Secret Security as a trusted repository, or user passwords can be synchronized with those mainframe user stores. This assists organizations seeking to manage access to critical mainframe resources, privileges and utilities in the same way that CA Access Control provides protection for Windows and UNIX.


SECTION 3: BENEFITS

Protecting Data on Your Most Critical Servers

There is no end in sight to the complexity of deploying and supporting global, distributed applications in a virtualized, multi-platform environment. Without an independent security layer to enforce and audit corporate and regulatory policies for server resources, you will be forced to duplicate efforts and will still struggle to address the security and accountability gaps that come from administrators sharing accounts.

CA Access Control provides this extra security layer, helping you protect server resources across the extended organization with a flexible and accountable means to contain superuser accounts by delegating necessary privileges to authorized administrators. CA Access Control operates at the system level to ensure efficient and consistent enforcement across all systems, including Windows, UNIX, Linux and virtualized environments. By distributing server security policies to endpoint devices via an advanced policy management capability, you can support large, multi-location enterprise deployments. Moreover, CA Access Control provides the foundation for secure audit of each policy change and enforcement action to help comply with global regulations.

More importantly, CA Access Control addresses your concerns about ensuring the availability of applications, databases and servers by enforcing authorized access, while delivering the flexibility to support local exceptions in an auditable and accountable manner. CA Access Control helps you:

• Regulate and audit server access

• Enforce server-based compliance and reporting

• Reduce administration cost and complexity

Regulates and Audits Server Access

CA Access Control secures critical servers (both physical and virtual) by implementing fine-grained access policies that align with the user's role in the organization, protecting against the loss of sensitive data. This ensures each administrator has access to the right server resources at the right time, and has authorization to do only what the job requires (and no more), thus eliminating the practice of sharing administrator accounts. All administrative activities are tracked back to the specific user to ensure true separation of duties at the systems level and to provide accountability via an audit trail.

CA Audit provides a robust mechanism for collecting audit events from CA Access Control and delivering comprehensive reports that provide the visibility demanded by global regulations.

Enforces Server-based Compliance and Reporting

CA Access Control helps you secure critical servers with the ability to create and deploy specific access policies that match your organization's internal and regulatory compliance requirements across the entire enterprise. Out-of-the-box reports cover key compliance elements, such as segregation of duties, entitlements and password policies, and allow organizations to proactively report on the status of key compliance policies. This provides visibility and accountability of the compliance and security policies while delivering flexibility to IT management.


Reduces Administrative Costs and Complexity

Centrally administered server access policies, user accounts and passwords ease the burden of managing security across global, distributed, multi-platform enterprises, a burden that is especially pronounced in a virtual data center. CA Access Control provides an Advanced Policy Management capability to set the policies once and push them out to your servers anywhere in the world with the push of a button. Resources can also be placed into logical host groups to streamline the significant task of managing thousands of servers, while providing the flexibility to allow exceptions and maintaining accountability for each administrator's actions.

SECTION 4: CONCLUSIONS

CA Access Control Protects Server Resources and Enforces Security Compliance

CA Access Control provides a superior level of server resource protection and eases the administrative burden of managing security across diverse systems distributed throughout a global enterprise. You no longer need to define and manage access permissions user-by-user and server-by-server. With advanced policy management, logical host grouping, and a centralized point-and-click interface to deploy corporate policies, you (and your auditors) can be confident each user only has the rights to the data and systems necessary for his or her job function.

You can enforce consistent security policies across diverse server environments by enabling user accounts, passwords and security policies to be shared across all managed servers. Location also becomes a non-issue: cross-network access management is controlled from a single Web-based administrative console, using an advanced policy management architecture to distribute the policies to all of your endpoints. You achieve unmatched flexibility by empowering administrators to specify protection at the individual system level, across the whole infrastructure, or anywhere in between. To supplement this, CA Audit ensures secure, scalable and reliable audit information is gathered to document the interactions each user has with specific systems.

By providing the broadest set of supported platforms, enterprise scalability, a highly available architecture, and a flexible policy management environment, CA Access Control gives organizations assurance that it will support their compliance and server protection needs both now and well into the future.

To learn more about the CA Access Control architecture and technical approach, visit ca.com/security/ac.

* Some features listed are only available in CA Access Control Premium Edition


CA (NSD: CA), one of the world's leading independent enterprise management software companies, unifies and simplifies complex information technology (IT) management across the enterprise for greater business results. With our Enterprise IT Management vision, solutions and expertise, we help customers effectively govern, manage and secure IT.

MP331450908

Learn more about how CA can help you transform your business at ca.com